From: "Gao, Zhichao"
To: "devel@edk2.groups.io", "Gao, Zhichao"
CC: "Justen, Jordan L", Laszlo Ersek, Ard Biesheuvel, Sami Mujawar, Leif Lindholm, "Yao, Jiewen", "Wang, Jian J", "Lu, XiaoyuX", "Jiang, Guomin", "Kinney, Michael D", "Steele, Kelly", "Sun, Zailiang", "Qian, Yi", Liming Gao, Maciej Rabeda, "Wu, Jiaxin", "Fu, Siyuan", "Feng, Roger", "Liu, Zhiguang"
Subject: Re: [edk2-devel] [PATCH V3 00/12] Disable the deprecated MD5 and SHA1 support
Date: Fri, 13 Nov 2020 01:07:39 +0000

I plan to catch the 202011 stable tag for this patch set. Please help to review this patch. I would like to request extended time for review after the feature freeze.

Making the default setting secure, and letting users of edk2 know when they are using insecure functions, makes sense.

If you have any doubts or comments, please feel free to let me know.

Thanks,
Zhichao

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Gao, Zhichao
> Sent: Wednesday, November 11, 2020 1:37 AM
> To: devel@edk2.groups.io
> Cc: Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Sami Mujawar;
> Leif Lindholm; Yao, Jiewen; Wang, Jian J; Lu, XiaoyuX; Jiang, Guomin;
> Kinney, Michael D; Steele, Kelly; Sun, Zailiang; Qian, Yi; Liming Gao;
> Maciej Rabeda; Wu, Jiaxin; Fu, Siyuan; Feng, Roger; Liu, Zhiguang
> Subject: [edk2-devel] [PATCH V3 00/12] Disable the deprecated MD5 and SHA1
> support
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027
>
> MD5 is deprecated; make it disabled by default for security.
> It is required to enable MD5 explicitly if a module is still using MD5.
> List the modules that are still using it:
> iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).
>
> This patch set would affect the platforms that are using iSCSI function.
>
> V2:
> Remove MD5 and SHA1 support of Hash2DxeCrypto.
> Remove the MD5 GUID definition in MdePkg.dec. SHA1 related GUIDs are still
> used in TPM2, so keep them.
> No requirement to add MD5 enable MACRO in SecurityPkg.
>
> V3:
> Explicitly enable iSCSI for ArmVirtQemu, ArmVirtQemuKernel, OvmfPkgIa32,
> OvmfPkgIa32X64, OvmfPkgX64 and BhyveX64.
> And set the MD5 enable based on the new MD5 MACRO.
> Readjust the patch order.
>
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Sami Mujawar
> Cc: Leif Lindholm
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Xiaoyu Lu
> Cc: Guomin Jiang
> Cc: Michael D Kinney
> Cc: Kelly Steele
> Cc: Zailiang Sun
> Cc: Yi Qian
> Cc: Liming Gao
> Cc: Maciej Rabeda
> Cc: Jiaxin Wu
> Cc: Siyuan Fu
> Cc: Roger Feng
> Cc: Zhiguang Liu
> Signed-off-by: Zhichao Gao
>
> Zhichao Gao (12):
>   SecurityPkg/Hash2DxeCrypto: Remove MD5 support
>   SecurityPkg/Hash2DxeCrypto: Remove SHA1 support
>   CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
>   NetworkPkg: Enable MD5 while enable iSCSI
>   ArmVirtPkg/ArmVirtQemu.dsc: Enable MD5 while enable iSCSI
>   ArmVirtPkg/ArmVirtQemuKernel.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/OvmfPkgIa32.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/OvmfPkgIa32X64.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/OvmfPkgX64.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/BhyveX64.dsc: Enable MD5 while enable iSCSI
>   NetworkPkg/Defines: Make iSCSI disable as default
>   CryptoPkg: Make the MD5 disable as default for security
>
>  ArmVirtPkg/ArmVirtQemu.dsc                             | 8 +++++++-
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                       | 8 +++++++-
>  CryptoPkg/CryptoPkg.dsc                                | 3 +++
>  CryptoPkg/Driver/Crypto.c                              | 4 ++--
>  CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
>  CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
>  CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
>  NetworkPkg/Network.dsc.inc                             | 5 +++++
>  NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
>  OvmfPkg/Bhyve/BhyveX64.dsc                             | 7 ++++++-
>  OvmfPkg/OvmfPkgIa32.dsc                                | 5 +++++
>  OvmfPkg/OvmfPkgIa32X64.dsc                             | 5 +++++
>  OvmfPkg/OvmfPkgX64.dsc                                 | 5 +++++
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c            | 2 --
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf          | 4 +---
>  15 files changed, 51 insertions(+), 15 deletions(-)
>
> --
> 2.21.0.windows.1