From: "Gao, Zhichao" <zhichao.gao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"Gao, Zhichao" <zhichao.gao@intel.com>
Cc: "Justen, Jordan L" <jordan.l.justen@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>,
Sami Mujawar <sami.mujawar@arm.com>,
Leif Lindholm <leif@nuviainc.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Lu, XiaoyuX" <xiaoyux.lu@intel.com>,
"Jiang, Guomin" <guomin.jiang@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Steele, Kelly" <kelly.steele@intel.com>,
"Sun, Zailiang" <zailiang.sun@intel.com>,
"Qian, Yi" <yi.qian@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Maciej Rabeda <maciej.rabeda@linux.intel.com>,
"Wu, Jiaxin" <jiaxin.wu@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>,
"Feng, Roger" <roger.feng@intel.com>,
"Liu, Zhiguang" <zhiguang.liu@intel.com>
Subject: Re: [edk2-devel] [PATCH V3 00/12] Disable the deprecated MD5 and SHA1 support
Date: Fri, 13 Nov 2020 01:07:39 +0000
Message-ID: <MWHPR11MB1647B0FB5D7F0F4F88EDA4D3F6E60@MWHPR11MB1647.namprd11.prod.outlook.com>
In-Reply-To: <1646361F135EC661.31324@groups.io>

I plan to catch the 202011 stable tag for this patch set. Please help to review this patch. I would like to request an extension of the review time after the feature freeze.

Making the default setting secure and letting users of edk2 be aware of it if they are using insecure functions makes sense.

If you have any doubts or comments, please feel free to let me know.

Thanks,
Zhichao

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao, Zhichao
> Sent: Wednesday, November 11, 2020 1:37 AM
> To: devel@edk2.groups.io
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
> <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Sami
> Mujawar <sami.mujawar@arm.com>; Leif Lindholm <leif@nuviainc.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Lu,
> XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> Kinney, Michael D <michael.d.kinney@intel.com>; Steele, Kelly
> <kelly.steele@intel.com>; Sun, Zailiang <zailiang.sun@intel.com>; Qian, Yi
> <yi.qian@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Maciej Rabeda
> <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan
> <siyuan.fu@intel.com>; Feng, Roger <roger.feng@intel.com>; Liu, Zhiguang
> <zhiguang.liu@intel.com>
> Subject: [edk2-devel] [PATCH V3 00/12] Disable the deprecated MD5 and SHA1
> support
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027
>
> MD5 is deprecated; make it disabled by default for security.
> It is required to enable MD5 explicitly if a module is still using MD5. List the
> modules that are still using it:
> iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).
>
> This patch set would affect the platforms that are using the iSCSI function.
>
> V2:
> Remove MD5 and SHA1 support of Hash2DxeCrypto.
> Remove the MD5 GUID definition in MdePkg.dec. SHA1 related GUIDs are still
> used in TPM2, so keep them.
> No requirement to add MD5 enable MACRO in SecurityPkg.
>
> V3:
> Explicitly enable iSCSI for ArmVirtQemu, ArmVirtQemuKernel, OvmfPkgIa32,
> OvmfPkgIa32X64, OvmfPkgX64 and BhyveX64.
> And set the MD5 enable based on the new MD5 MACRO.
> Readjust the patch order.
>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Kelly Steele <kelly.steele@intel.com>
> Cc: Zailiang Sun <zailiang.sun@intel.com>
> Cc: Yi Qian <yi.qian@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Roger Feng <roger.feng@intel.com>
> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
>
> Zhichao Gao (12):
> SecurityPkg/Hash2DxeCrypto: Remove MD5 support
> SecurityPkg/Hash2DxeCrypto: Remove SHA1 support
> CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
> NetworkPkg: Enable MD5 while enable iSCSI
> ArmVirtPkg/ArmVirtQemu.dsc: Enable MD5 while enable iSCSI
> ArmVirtPkg/ArmVirtQemuKernel.dsc: Enable MD5 while enable iSCSI
> OvmfPkg/OvmfPkgIa32.dsc: Enable MD5 while enable iSCSI
> OvmfPkg/OvmfPkgIa32X64.dsc: Enable MD5 while enable iSCSI
> OvmfPkg/OvmfPkgX64.dsc: Enable MD5 while enable iSCSI
> OvmfPkg/BhyveX64.dsc: Enable MD5 while enable iSCSI
> NetworkPkg/Defines: Make iSCSI disable as default
> CryptoPkg: Make the MD5 disable as default for security
>
> ArmVirtPkg/ArmVirtQemu.dsc | 8 +++++++-
> ArmVirtPkg/ArmVirtQemuKernel.dsc | 8 +++++++-
> CryptoPkg/CryptoPkg.dsc | 3 +++
> CryptoPkg/Driver/Crypto.c | 4 ++--
> CryptoPkg/Include/Library/BaseCryptLib.h | 2 +-
> CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c | 2 +-
> CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
> NetworkPkg/Network.dsc.inc | 5 +++++
> NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
> OvmfPkg/Bhyve/BhyveX64.dsc | 7 ++++++-
> OvmfPkg/OvmfPkgIa32.dsc | 5 +++++
> OvmfPkg/OvmfPkgIa32X64.dsc | 5 +++++
> OvmfPkg/OvmfPkgX64.dsc | 5 +++++
> SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c | 2 --
> SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf | 4 +---
> 15 files changed, 51 insertions(+), 15 deletions(-)
>
> --
> 2.21.0.windows.1
>
>
>
>
>