public inbox for devel@edk2.groups.io
* [PATCH 0/5] Make the MD5 disable as default setting
@ 2020-10-26  9:03 Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 1/5] NetworkPkg/Defines: Make iSCSI disable as default Gao, Zhichao
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Gao, Zhichao @ 2020-10-26  9:03 UTC (permalink / raw)
  To: devel
  Cc: Jordan Justen, Laszlo Ersek, Ard Biesheuvel, Sami Mujawar,
	Leif Lindholm, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang,
	Michael D Kinney, Kelly Steele, Zailiang Sun, Yi Qian, Liming Gao,
	Maciej Rabeda, Jiaxin Wu, Siyuan Fu, Roger Feng

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

MD5 is deprecated; make it disabled by default for security.
It is required to enable MD5 explicitly if the module is still
using MD5. List of the modules that are still using it:
iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).

This patch set would affect the platforms that are using the iSCSI
function.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Kelly Steele <kelly.steele@intel.com>
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Roger Feng <roger.feng@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>

Zhichao Gao (5):
  NetworkPkg/Defines: Make iSCSI disable as default
  NetworkPkg: Enable MD5 while enable iSCSI
  SecurityPkg/dsc: Explicitly enable MD5 for package build
  CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
  CryptoPkg: Make the MD5 disable as default for security

 CryptoPkg/CryptoPkg.dsc                                | 3 +++
 CryptoPkg/Driver/Crypto.c                              | 4 ++--
 CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
 CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
 NetworkPkg/Network.dsc.inc                             | 5 +++++
 NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
 SecurityPkg/SecurityPkg.dsc                            | 2 +-
 8 files changed, 16 insertions(+), 8 deletions(-)

-- 
2.21.0.windows.1



* [PATCH 1/5] NetworkPkg/Defines: Make iSCSI disable as default
  2020-10-26  9:03 [PATCH 0/5] Make the MD5 disable as default setting Gao, Zhichao
@ 2020-10-26  9:03 ` Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 2/5] NetworkPkg: Enable MD5 while enable iSCSI Gao, Zhichao
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Gao, Zhichao @ 2020-10-26  9:03 UTC (permalink / raw)
  To: devel
  Cc: Jordan Justen, Laszlo Ersek, Ard Biesheuvel, Sami Mujawar,
	Leif Lindholm, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang,
	Michael D Kinney, Kelly Steele, Zailiang Sun, Yi Qian, Liming Gao,
	Maciej Rabeda, Jiaxin Wu, Siyuan Fu

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

iSCSI is using the undeprecated function MD5. It is
better to make the default setting secure. If the platforms
want to use the iSCSI, they should enable it in the platforms'
dsc file and be aware they are using an unsafe function.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Kelly Steele <kelly.steele@intel.com>
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc
index a442d1b157..18921d81f6 100644
--- a/NetworkPkg/NetworkDefines.dsc.inc
+++ b/NetworkPkg/NetworkDefines.dsc.inc
@@ -17,7 +17,7 @@
 #   DEFINE NETWORK_TLS_ENABLE             = TRUE
 #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
 #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
-#   DEFINE NETWORK_ISCSI_ENABLE           = TRUE
+#   DEFINE NETWORK_ISCSI_ENABLE           = FALSE
 #   DEFINE NETWORK_VLAN_ENABLE            = TRUE
 #
 # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
@@ -101,7 +101,7 @@
   #       Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
   #       since libssl is not required for iSCSI.
   #
-  DEFINE NETWORK_ISCSI_ENABLE = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE = FALSE
 !endif
 
 !if $(NETWORK_ENABLE) == TRUE
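Review bot: Flipping `DEFINE NETWORK_ISCSI_ENABLE = FALSE` inside the default block changes behaviour for every platform that includes this file without setting the macro itself: those builds lose iSCSI with no build-time signal. The comment directly above the DEFINE still only discusses OpensslLib.inf versus OpensslLibCrypto.inf; suggest adding a line there saying that iSCSI is off by default because it depends on MD5, and that a platform setting it to TRUE is opting in to the deprecated hash.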
-- 
2.21.0.windows.1



* [PATCH 2/5] NetworkPkg: Enable MD5 while enable iSCSI
  2020-10-26  9:03 [PATCH 0/5] Make the MD5 disable as default setting Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 1/5] NetworkPkg/Defines: Make iSCSI disable as default Gao, Zhichao
@ 2020-10-26  9:03 ` Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 3/5] SecurityPkg/dsc: Explicitly enable MD5 for package build Gao, Zhichao
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Gao, Zhichao @ 2020-10-26  9:03 UTC (permalink / raw)
  To: devel; +Cc: Maciej Rabeda, Jiaxin Wu, Siyuan Fu

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disabled by default.
The new macro ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid a build
error after the macro is changed.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 NetworkPkg/Network.dsc.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/NetworkPkg/Network.dsc.inc b/NetworkPkg/Network.dsc.inc
index 16f090a187..b761df900b 100644
--- a/NetworkPkg/Network.dsc.inc
+++ b/NetworkPkg/Network.dsc.inc
@@ -30,6 +30,11 @@
 [LibraryClasses]
 !include NetworkPkg/NetworkLibs.dsc.inc
 
+[BuildOptions]
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 !if $(PLATFORMX64_ENABLE) == TRUE
 [Components.X64]
 !include NetworkPkg/NetworkComponents.dsc.inc
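Review bot: The `*_*_*_CC_FLAGS` line under the new `[BuildOptions]` is not limited to iSCSI: with wildcards for target, toolchain and architecture it adds `-D ENABLE_MD5_DEPRECATED_INTERFACES` to every module of a platform that includes Network.dsc.inc once NETWORK_ISCSI_ENABLE is TRUE, so unrelated modules can call the MD5 interfaces as well. Suggest scoping the define to the components that need it through per-component build options, or at least adding a comment to the section so the platform-wide effect is a documented decision. As written, the condition also tests only NETWORK_ISCSI_ENABLE and not NETWORK_ENABLE.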
-- 
2.21.0.windows.1



* [PATCH 3/5] SecurityPkg/dsc: Explicitly enable MD5 for package build
  2020-10-26  9:03 [PATCH 0/5] Make the MD5 disable as default setting Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 1/5] NetworkPkg/Defines: Make iSCSI disable as default Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 2/5] NetworkPkg: Enable MD5 while enable iSCSI Gao, Zhichao
@ 2020-10-26  9:03 ` Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 4/5] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5 Gao, Zhichao
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Gao, Zhichao @ 2020-10-26  9:03 UTC (permalink / raw)
  To: devel; +Cc: Jiewen Yao, Jian J Wang

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

Hash2DxeCrypto.inf supports MD5. MD5 would be disabled as
the default setting for edk2. Explicitly enable MD5 through
ENABLE_MD5_DEPRECATED_INTERFACES for package build.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 SecurityPkg/SecurityPkg.dsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 36d15b79f9..7af0a8c7eb 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -342,5 +342,5 @@
 [BuildOptions]
    MSFT:*_*_IA32_DLINK_FLAGS = /ALIGN:256
   INTEL:*_*_IA32_DLINK_FLAGS = /ALIGN:256
-        *_*_*_CC_FLAGS       = -D DISABLE_NEW_DEPRECATED_INTERFACES
+        *_*_*_CC_FLAGS       = -D DISABLE_NEW_DEPRECATED_INTERFACES -D ENABLE_MD5_DEPRECATED_INTERFACES
 
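Review bot: Appending `-D ENABLE_MD5_DEPRECATED_INTERFACES` to `*_*_*_CC_FLAGS` turns MD5 on for the whole SecurityPkg package build, while the commit message names only Hash2DxeCrypto.inf as the user. Suggest limiting the define to that component, so that a new MD5 call elsewhere in the package fails to build instead of passing unnoticed.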
-- 
2.21.0.windows.1



* [PATCH 4/5] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
  2020-10-26  9:03 [PATCH 0/5] Make the MD5 disable as default setting Gao, Zhichao
                   ` (2 preceding siblings ...)
  2020-10-26  9:03 ` [PATCH 3/5] SecurityPkg/dsc: Explicitly enable MD5 for package build Gao, Zhichao
@ 2020-10-26  9:03 ` Gao, Zhichao
  2020-10-26  9:03 ` [PATCH 5/5] CryptoPkg: Make the MD5 disable as default for security Gao, Zhichao
  2020-10-26  9:34 ` [PATCH 0/5] Make the MD5 disable as default setting Yao, Jiewen
  5 siblings, 0 replies; 9+ messages in thread
From: Gao, Zhichao @ 2020-10-26  9:03 UTC (permalink / raw)
  To: devel; +Cc: Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

The CRYPTO_SERVICES PACKAGES and ALL configs would enable the MD5
function. So explicitly enable MD5 while CRYPTO_SERVICES
is set to PACKAGES or ALL.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 0490eeb7e2..30c4909397 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -285,3 +285,6 @@
 
 [BuildOptions]
   *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
+!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
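Review bot: The added `*_*_*_CC_FLAGS` line inside the `!if` assigns the same key as the unconditional line above it, and nothing here tells the reader whether `-D DISABLE_NEW_DEPRECATED_INTERFACES` remains in effect for PACKAGE and ALL builds. Suggest a one-line comment stating how the two assignments combine and why these two CRYPTO_SERVICES values need MD5. The commit message also says PACKAGES where the condition tests `PACKAGE`.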
-- 
2.21.0.windows.1



* [PATCH 5/5] CryptoPkg: Make the MD5 disable as default for security
  2020-10-26  9:03 [PATCH 0/5] Make the MD5 disable as default setting Gao, Zhichao
                   ` (3 preceding siblings ...)
  2020-10-26  9:03 ` [PATCH 4/5] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5 Gao, Zhichao
@ 2020-10-26  9:03 ` Gao, Zhichao
  2020-10-26  9:34 ` [PATCH 0/5] Make the MD5 disable as default setting Yao, Jiewen
  5 siblings, 0 replies; 9+ messages in thread
From: Gao, Zhichao @ 2020-10-26  9:03 UTC (permalink / raw)
  To: devel; +Cc: Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

Make the deprecated MD5 disabled by default for
security.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c                              | 4 ++--
 CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
 CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index d9096ea603..26f280cd5d 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -243,7 +243,7 @@ DeprecatedCryptoServiceMd4HashAll (
   return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE;
 }
 
-#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
@@ -4494,7 +4494,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceMd4Update,
   DeprecatedCryptoServiceMd4Final,
   DeprecatedCryptoServiceMd4HashAll,
-#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
   /// Md5 - deprecated and unsupported
   DeprecatedCryptoServiceMd5GetContextSize,
   DeprecatedCryptoServiceMd5Init,
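Review bot: With `#ifndef ENABLE_MD5_DEPRECATED_INTERFACES` the protocol table carries the `DeprecatedCryptoServiceMd5*` entries unless the driver itself is built with the macro, so a consumer compiled with MD5 enabled against a driver compiled without it only finds out at run time. The comment `/// Md5 - deprecated and unsupported` is a good place to state that the driver and its callers must agree on the macro. The old `DISABLE_MD5_DEPRECATED_INTERFACES` name is also dropped with no fallback, so a platform that still defines it gets no diagnostic.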
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index ae9bde9e37..496121e6a4 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -72,7 +72,7 @@ typedef enum {
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
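Review bot: `#ifdef ENABLE_MD5_DEPRECATED_INTERFACES` makes the MD5 declarations in this public header opt-in, but the header gives no hint of that; a caller that has not set the macro just sees missing declarations. Suggest a short comment above the guard naming the macro and stating that MD5 is deprecated and off by default.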
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
index b85e7f4d12..d670f17424 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
@@ -9,7 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "InternalCryptLib.h"
 #include <openssl/md5.h>
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 3f14c6d262..8b43d1363c 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -99,7 +99,7 @@ CryptoServiceNotAvailable (
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
-- 
2.21.0.windows.1



* Re: [PATCH 0/5] Make the MD5 disable as default setting
  2020-10-26  9:03 [PATCH 0/5] Make the MD5 disable as default setting Gao, Zhichao
                   ` (4 preceding siblings ...)
  2020-10-26  9:03 ` [PATCH 5/5] CryptoPkg: Make the MD5 disable as default for security Gao, Zhichao
@ 2020-10-26  9:34 ` Yao, Jiewen
  2020-10-27  0:55   ` Gao, Zhichao
  5 siblings, 1 reply; 9+ messages in thread
From: Yao, Jiewen @ 2020-10-26  9:34 UTC (permalink / raw)
  To: Gao, Zhichao, devel@edk2.groups.io
  Cc: Justen, Jordan L, Laszlo Ersek, Ard Biesheuvel, Sami Mujawar,
	Leif Lindholm, Wang, Jian J, Lu, XiaoyuX, Jiang, Guomin,
	Kinney, Michael D, Steele, Kelly, Sun, Zailiang, Qian, Yi,
	Liming Gao, Maciej Rabeda, Wu, Jiaxin, Fu, Siyuan, Feng, Roger

Thanks Zhichao.

Can we remove MD5 from Hash2DxeCrypto ?
I don't see a strong reason to include.
It should only be used by iSCSI.

Also, if possible, I prefer to remove SHA1 from Hash2DxeCrypto as well.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Monday, October 26, 2020 5:04 PM
> To: devel@edk2.groups.io
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
> <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Sami
> Mujawar <sami.mujawar@arm.com>; Leif Lindholm <leif@nuviainc.com>;
> Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>;
> Steele, Kelly <kelly.steele@intel.com>; Sun, Zailiang
> <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>; Liming Gao
> <gaoliming@byosoft.com.cn>; Maciej Rabeda
> <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu,
> Siyuan <siyuan.fu@intel.com>; Feng, Roger <roger.feng@intel.com>
> Subject: [PATCH 0/5] Make the MD5 disable as default setting
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> 
> MD5 is deprecated, make it disable as default for security.
> It required to set MD5 enable explicitly if the module is still
> using MD5. List the modules that are still using it:
> iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).
> 
> This patch set would affect the platforms that are using iSCSI
> function.
> 
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Kelly Steele <kelly.steele@intel.com>
> Cc: Zailiang Sun <zailiang.sun@intel.com>
> Cc: Yi Qian <yi.qian@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Roger Feng <roger.feng@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> 
> Zhichao Gao (5):
>   NetworkPkg/Defines: Make iSCSI disable as default
>   NetworkPkg: Enable MD5 while enable iSCSI
>   SecurityPkg/dsc: Explicitly enable MD5 for package build
>   CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
>   CryptoPkg: Make the MD5 disable as default for security
> 
>  CryptoPkg/CryptoPkg.dsc                                | 3 +++
>  CryptoPkg/Driver/Crypto.c                              | 4 ++--
>  CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
>  CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
>  CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
>  NetworkPkg/Network.dsc.inc                             | 5 +++++
>  NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
>  SecurityPkg/SecurityPkg.dsc                            | 2 +-
>  8 files changed, 16 insertions(+), 8 deletions(-)
> 
> --
> 2.21.0.windows.1



* Re: [PATCH 0/5] Make the MD5 disable as default setting
  2020-10-26  9:34 ` [PATCH 0/5] Make the MD5 disable as default setting Yao, Jiewen
@ 2020-10-27  0:55   ` Gao, Zhichao
  2020-10-29  3:01     ` Feng, Roger
  0 siblings, 1 reply; 9+ messages in thread
From: Gao, Zhichao @ 2020-10-27  0:55 UTC (permalink / raw)
  To: Yao, Jiewen, devel@edk2.groups.io
  Cc: Justen, Jordan L, Laszlo Ersek, Ard Biesheuvel, Sami Mujawar,
	Leif Lindholm, Wang, Jian J, Lu, XiaoyuX, Jiang, Guomin,
	Kinney, Michael D, Steele, Kelly, Sun, Zailiang, Qian, Yi,
	Liming Gao, Maciej Rabeda, Wu, Jiaxin, Fu, Siyuan, Feng, Roger

Let me prepare the V2 to remove them (MD5 and SHA1).

Thanks,
Zhichao

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, October 26, 2020 5:35 PM
> To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
> <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Sami
> Mujawar <sami.mujawar@arm.com>; Leif Lindholm <leif@nuviainc.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Steele, Kelly <kelly.steele@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>; Liming Gao
> <gaoliming@byosoft.com.cn>; Maciej Rabeda <maciej.rabeda@linux.intel.com>;
> Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Feng,
> Roger <roger.feng@intel.com>
> Subject: RE: [PATCH 0/5] Make the MD5 disable as default setting
> 
> Thanks Zhichao.
> 
> Can we remove MD5 from Hash2DxeCrypto ?
> I don’t see a strong reason to include.
> It should only be used by iSCSI.
> 
> Also, if possible, I prefer to remove SHA1 from Hash2DxeCrypto as well.
> 
> Thank you
> Yao Jiewen
> 
> 
> > -----Original Message-----
> > From: Gao, Zhichao <zhichao.gao@intel.com>
> > Sent: Monday, October 26, 2020 5:04 PM
> > To: devel@edk2.groups.io
> > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
> > <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Sami
> > Mujawar <sami.mujawar@arm.com>; Leif Lindholm <leif@nuviainc.com>;
> > Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang,
> > Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> > <michael.d.kinney@intel.com>; Steele, Kelly <kelly.steele@intel.com>;
> > Sun, Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> > Liming Gao <gaoliming@byosoft.com.cn>; Maciej Rabeda
> > <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu,
> > Siyuan <siyuan.fu@intel.com>; Feng, Roger <roger.feng@intel.com>
> > Subject: [PATCH 0/5] Make the MD5 disable as default setting
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> >
> > MD5 is deprecated, make it disable as default for security.
> > It required to set MD5 enable explicitly if the module is still using
> > MD5. List the modules that are still using it:
> > iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).
> >
> > This patch set would affect the platforms that are using iSCSI
> > function.
> >
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Leif Lindholm <leif@nuviainc.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Kelly Steele <kelly.steele@intel.com>
> > Cc: Zailiang Sun <zailiang.sun@intel.com>
> > Cc: Yi Qian <yi.qian@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > Cc: Roger Feng <roger.feng@intel.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> >
> > Zhichao Gao (5):
> >   NetworkPkg/Defines: Make iSCSI disable as default
> >   NetworkPkg: Enable MD5 while enable iSCSI
> >   SecurityPkg/dsc: Explicitly enable MD5 for package build
> >   CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
> >   CryptoPkg: Make the MD5 disable as default for security
> >
> >  CryptoPkg/CryptoPkg.dsc                                | 3 +++
> >  CryptoPkg/Driver/Crypto.c                              | 4 ++--
> >  CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
> >  CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
> >  CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
> >  NetworkPkg/Network.dsc.inc                             | 5 +++++
> >  NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
> >  SecurityPkg/SecurityPkg.dsc                            | 2 +-
> >  8 files changed, 16 insertions(+), 8 deletions(-)
> >
> > --
> > 2.21.0.windows.1



* Re: [PATCH 0/5] Make the MD5 disable as default setting
  2020-10-27  0:55   ` Gao, Zhichao
@ 2020-10-29  3:01     ` Feng, Roger
  0 siblings, 0 replies; 9+ messages in thread
From: Feng, Roger @ 2020-10-29  3:01 UTC (permalink / raw)
  To: Gao, Zhichao, Yao, Jiewen, devel@edk2.groups.io
  Cc: Justen, Jordan L, Laszlo Ersek, Ard Biesheuvel, Sami Mujawar,
	Leif Lindholm, Wang, Jian J, Lu, XiaoyuX, Jiang, Guomin,
	Kinney, Michael D, Steele, Kelly, Sun, Zailiang, Qian, Yi,
	Liming Gao, Maciej Rabeda, Wu, Jiaxin, Fu, Siyuan, Zhang, Qi1

+Qi for review

-----Original Message-----
From: Gao, Zhichao <zhichao.gao@intel.com> 
Sent: Tuesday, October 27, 2020 8:55 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Sami Mujawar <sami.mujawar@arm.com>; Leif Lindholm <leif@nuviainc.com>; Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Steele, Kelly <kelly.steele@intel.com>; Sun, Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Maciej Rabeda <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Feng, Roger <roger.feng@intel.com>
Subject: RE: [PATCH 0/5] Make the MD5 disable as default setting

Let me prepare the V2 to remove them (MD5 and SHA1).

Thanks,
Zhichao

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, October 26, 2020 5:35 PM
> To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek 
> <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Sami 
> Mujawar <sami.mujawar@arm.com>; Leif Lindholm <leif@nuviainc.com>; 
> Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX 
> <xiaoyux.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; 
> Kinney, Michael D <michael.d.kinney@intel.com>; Steele, Kelly 
> <kelly.steele@intel.com>; Sun, Zailiang <zailiang.sun@intel.com>; 
> Qian, Yi <yi.qian@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; 
> Maciej Rabeda <maciej.rabeda@linux.intel.com>; Wu, Jiaxin 
> <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Feng, Roger 
> <roger.feng@intel.com>
> Subject: RE: [PATCH 0/5] Make the MD5 disable as default setting
> 
> Thanks Zhichao.
> 
> Can we remove MD5 from Hash2DxeCrypto ?
> I don’t see a strong reason to include.
> It should only be used by iSCSI.
> 
> Also, if possible, I prefer to remove SHA1 from Hash2DxeCrypto as well.
> 
> Thank you
> Yao Jiewen
> 
> 
> > -----Original Message-----
> > From: Gao, Zhichao <zhichao.gao@intel.com>
> > Sent: Monday, October 26, 2020 5:04 PM
> > To: devel@edk2.groups.io
> > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek 
> > <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Sami 
> > Mujawar <sami.mujawar@arm.com>; Leif Lindholm <leif@nuviainc.com>; 
> > Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J 
> > <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, 
> > Guomin <guomin.jiang@intel.com>; Kinney, Michael D 
> > <michael.d.kinney@intel.com>; Steele, Kelly 
> > <kelly.steele@intel.com>; Sun, Zailiang <zailiang.sun@intel.com>; 
> > Qian, Yi <yi.qian@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; 
> > Maciej Rabeda <maciej.rabeda@linux.intel.com>; Wu, Jiaxin 
> > <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Feng, Roger 
> > <roger.feng@intel.com>
> > Subject: [PATCH 0/5] Make the MD5 disable as default setting
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> >
> > MD5 is deprecated, make it disable as default for security.
> > It required to set MD5 enable explicitly if the module is still 
> > using MD5. List the modules that are still using it:
> > iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).
> >
> > This patch set would affect the platforms that are using iSCSI
> > function.
> >
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Leif Lindholm <leif@nuviainc.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Kelly Steele <kelly.steele@intel.com>
> > Cc: Zailiang Sun <zailiang.sun@intel.com>
> > Cc: Yi Qian <yi.qian@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > Cc: Roger Feng <roger.feng@intel.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> >
> > Zhichao Gao (5):
> >   NetworkPkg/Defines: Make iSCSI disable as default
> >   NetworkPkg: Enable MD5 while enable iSCSI
> >   SecurityPkg/dsc: Explicitly enable MD5 for package build
> >   CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
> >   CryptoPkg: Make the MD5 disable as default for security
> >
> >  CryptoPkg/CryptoPkg.dsc                                | 3 +++
> >  CryptoPkg/Driver/Crypto.c                              | 4 ++--
> >  CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
> >  CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
> >  CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
> >  NetworkPkg/Network.dsc.inc                             | 5 +++++
> >  NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
> >  SecurityPkg/SecurityPkg.dsc                            | 2 +-
> >  8 files changed, 16 insertions(+), 8 deletions(-)
> >
> > --
> > 2.21.0.windows.1

