From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 3A52F82146 for ; Thu, 23 Feb 2017 14:25:28 -0800 (PST) Received: by mail-it0-x236.google.com with SMTP id 203so2113249ith.0 for ; Thu, 23 Feb 2017 14:25:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zx0abSUN1E+TIQpOnwr1WJybG7nndNoQaBlv7k+uutA=; b=TQU1sKnfYXHQA/eXD71pFUPGe2y6OC3ijs3S/BdbTJrQ39k4GAaadw8h2PMGEXx4KJ gY6tXniwlulal0Im8bDvA/gqiN/dTU8udbHQ6PY8YjQN6BkMjbWP4TJZxhSpdq018Ckk T2GDe8ZpltyZ2CRmv7JUV5IowOM+1XCmPkiYg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zx0abSUN1E+TIQpOnwr1WJybG7nndNoQaBlv7k+uutA=; b=mONaccAyy2R8cH/tl93o7KVbWeQDVg2ZDX2OeH7/D4h8EQDJNCu23RQKus3RkYx2zE f10h79W3zb6wBbkuZEU0brtIAAWtCDKRHCTfjlE9h5Lf3QlbBTDbbZulWMG/0NyG976L EMnOneZ5hFI8OWZX/JZyq9On6+iHMxGNSCimnlhMNitCCW+n74ru6uUvA2DQFcNwWmrJ 7ADYUEBvOVWempy+VW0YRROhZgKiNAPOfBj/tmll+O+N6ho1Rk3Eop64KvUFKdXOQDGN njB2ATwua/dXyoRr8n6v+BuLU/vWAvloNyx2ZA5vt1iRFyOLorfXiTAD5R+nNGZEfM93 uCpQ== X-Gm-Message-State: AMke39kaivBSguigab875bCcj7Y1ofriOF1J+JzeOvXzv6cT16Jm+sEM1Wm2lqM9NRfzm617sqE48gsICwTY6ebG X-Received: by 10.36.207.212 with SMTP id y203mr4366899itf.63.1487888727381; Thu, 23 Feb 2017 14:25:27 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.198.134 with HTTP; Thu, 23 Feb 2017 14:25:26 -0800 (PST) In-Reply-To: <20170223215744.7293-1-lersek@redhat.com> References: <20170223215744.7293-1-lersek@redhat.com> From: Ard Biesheuvel Date: Thu, 23 Feb 2017 22:25:26 +0000 Message-ID: To: Laszlo Ersek Cc: edk2-devel-01 , Gary Lin , Jiaxin Wu , Jordan Justen , Qin Long , Ruiyu Ni , Ting Ye , Tomas Hoger Subject: Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2017 22:25:28 -0000 Content-Type: text/plain; charset=UTF-8 On 23 February 2017 at 21:57, Laszlo Ersek wrote: > In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib > directly", 2016-12-14), we enabled libssl functionality in > CryptoPkg/OpensslLib unconditionally. > > While that's real convenient, it is also overkill for platforms (or > platform builds) that don't want TLS. The impact (beyond wasted build > time) is that when the next vulnerability comes out that affects the > libssl subset of OpenSSL, security teams all around will look at build > logs and INF files, see the libssl files being built, and get nervous -- > without a good reason for such builds that don't actually *use* TLS. > > Let's make this easier on them (and thereby on ourselves!), and > introduce an OpensslLibNoSsl instance, which excludes libssl. > I think it would be nicer to align with OpenSSL more closely, and split the functionality into a libcrypto and a libssl library, and include the latter only if TLS functionality is needed. However, I am not volunteering to do the work, and this approach comes down to the same thing, given that libssl depends on libcrypto, and so libcrypto and libcrypto+libssl are the only combinations that make any sense. > The edk2 integration script "process_files.sh" is updated to process > both INF files in the same invocation. > > If noone disagrees with the concept, I'd appreciate if we could review & > merge this series real fast. (Sorry about that, but a downstream > deadline looms close, and I consider this sort of a blocker for the next > rebase.) > > I updated the following platform packages: > - ArmVirtPkg, because I know it never uses TLS (or HTTP boot for that > matter), > - Nt32Pkg, because it exposes the TLS_ENABLE build flag, > - OvmfPkg, because it exposes the TLS_ENABLE build flag. > > I didn't touch other packages because they don't expose TLS_ENABLE, and > I don't have time to figure out if they want TLS built-in. > > I tested the new OpensslLibNoSsl instance with Secure Boot under OVMF. > > The series was formatted with "--find-copies-harder", which makes a real > difference for patch #2. > > Tomas: if you would like to comment on this series, please subscribe to > the edk2-devel list at > , and also wait for > your subscription request to complete, *before* responding. > > Cc: Ard Biesheuvel > Cc: Gary Lin > Cc: Jiaxin Wu > Cc: Jordan Justen > Cc: Qin Long > Cc: Ruiyu Ni > Cc: Ting Ye > Cc: Tomas Hoger > > Thanks! > Laszlo > > Laszlo Ersek (5): > CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after > 32387e00 > CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance > ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl > Nt32Pkg: exclude libssl functionality from OpensslLib if > TLS_ENABLE=FALSE > OvmfPkg: exclude libssl functionality from OpensslLib if > TLS_ENABLE=FALSE > > ArmVirtPkg/ArmVirt.dsc.inc | 2 +- > Nt32Pkg/Nt32Pkg.dsc | 4 ++ > OvmfPkg/OvmfPkgIa32.dsc | 4 ++ > OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++ > OvmfPkg/OvmfPkgX64.dsc | 4 ++ > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + > CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 55 ++------------------ > CryptoPkg/Library/OpensslLib/opensslconf.h | 6 --- > CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} | 8 +-- > CryptoPkg/Library/OpensslLib/process_files.sh | 27 +++++++--- > 10 files changed, 46 insertions(+), 69 deletions(-) > copy CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} (90%) > copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} (71%) > > -- > 2.9.3 >