public inbox for devel@edk2.groups.io
From: "Wenxing Hou" <wenxing.hou@intel.com>
To: gaoliming <gaoliming@byosoft.com.cn>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	'Andrew Fish' <afish@apple.com>,
	'Leif Lindholm' <quic_llindhol@quicinc.com>
Cc: 'Ard Biesheuvel' <ardb@kernel.org>,
	"sam.kaynor@arm.com" <sam.kaynor@arm.com>,
	"dougflick@microsoft.com" <dougflick@microsoft.com>,
	"Mathews, John" <john.mathews@intel.com>,
	"Li, Yi1" <yi1.li@intel.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] Soft Feature Freeze starts now for edk2-stable202405
Date: Fri, 17 May 2024 15:09:46 +0000
Message-ID: <PH0PR11MB5046C239250E0B5233DF2343F7EE2@PH0PR11MB5046.namprd11.prod.outlook.com>
In-Reply-To: <033201daa661$b5fbd670$21f38350$@byosoft.com.cn>



Hi Liming and Mike,

For the PATCH: Add more crypt APIs based on Mbedtls (https://edk2.groups.io/g/devel/message/118772),
I have fixed the code based on Mike's feedback
and added the platform integration test table to the commit message.

Could you approve this PATCH to catch this stable tag?


Thanks,
Wenxing
From: gaoliming <gaoliming@byosoft.com.cn>
Sent: Wednesday, May 15, 2024 8:49 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io; 'Andrew Fish' <afish@apple.com>; 'Leif Lindholm' <quic_llindhol@quicinc.com>
Cc: 'Ard Biesheuvel' <ardb@kernel.org>; sam.kaynor@arm.com; dougflick@microsoft.com; Mathews, John <john.mathews@intel.com>; Hou, Wenxing <wenxing.hou@intel.com>; Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] Soft Feature Freeze starts now for edk2-stable202405

Mike:
  Thanks for your comments. I have updated the status below.

Thanks
Liming
From: Kinney, Michael D <michael.d.kinney@intel.com>
Sent: May 15, 2024 0:35
To: gaoliming <gaoliming@byosoft.com.cn>; devel@edk2.groups.io; 'Andrew Fish' <afish@apple.com>; 'Leif Lindholm' <quic_llindhol@quicinc.com>
Cc: 'Ard Biesheuvel' <ardb@kernel.org>; sam.kaynor@arm.com; dougflick@microsoft.com; Mathews, John <john.mathews@intel.com>; Hou, Wenxing <wenxing.hou@intel.com>; Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] Soft Feature Freeze starts now for edk2-stable202405

Hi Liming,

My responses below in [Mike].

Mike


From: gaoliming <gaoliming@byosoft.com.cn>
Sent: Friday, May 10, 2024 8:29 AM
To: devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>; 'Andrew Fish' <afish@apple.com>; 'Leif Lindholm' <quic_llindhol@quicinc.com>
Cc: 'Ard Biesheuvel' <ardb@kernel.org>; sam.kaynor@arm.com; dougflick@microsoft.com; Mathews, John <john.mathews@intel.com>; Hou, Wenxing <wenxing.hou@intel.com>
Subject: Re: [edk2-devel] Soft Feature Freeze starts now for edk2-stable202405

Stewards:
  Now, there are several patches aiming to catch this stable tag. Could you give comments on them?


1.     Adding support for verbose UEFI Table dumping to Dmem.c (https://edk2.groups.io/g/devel/message/118582)

[Liming] This patch set was reviewed before the soft feature freeze. It is planned to catch this stable tag.



[Mike] I see this PR: https://github.com/tianocore/edk2/pull/5653 that is not passing CI, and it appears it will require additional code changes.



[Mike] Reject for edk2-stable202405



2.  MdePkg/BaseLib: Fix AARCH64 compilation error (https://edk2.groups.io/g/devel/message/118690)

[Liming] This bug fix was reviewed in the soft feature freeze phase. It is planned to catch this stable tag.

[Mike] Approved for edk2-stable202405

[Liming] I added the push label for https://github.com/tianocore/edk2/pull/5642



3.  MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount (https://edk2.groups.io/g/devel/message/118745)

[Liming] This security fix was reviewed in the soft feature freeze phase. It is planned to catch this stable tag.


[Mike] Approved for edk2-stable202405
[Liming] I added the push label for https://github.com/tianocore/edk2/pull/5659



4.  NetworkPkg: CVE-2023-45236 and CVE-2023-45237 (https://edk2.groups.io/g/devel/message/118768)

[Liming] This security fix is still under code review. It is planned to catch this stable tag.



[Mike] Is the code review complete?  Is there a link to the PR?

[Liming] The NetworkPkg reviewer will review this patch set this week.



Thanks



5.  Add more crypt APIs based on Mbedtls (https://edk2.groups.io/g/devel/message/118772)

[Liming] This patch set passed code review in the soft feature freeze phase. It is planned to catch this stable tag.

[Mike] This patch series uses ‘..’ in INF to access source files in another component.  This is not legal.  I am surprised this was not caught in code review.

DEFINE OPENSSL_PATH            = ../OpensslLib/openssl
DEFINE BASE_CRYPT_PATH         = ../BaseCryptLib

[Mike] I see a reference to some “platform integration” testing.  Given that this patch series implements a number of
crypto service APIs and is a large number of new lines of code, it would be good to know if all of the newly added APIs
were tested in a platform integration. A table of the added APIs and the platform integration test status would be good to
know if there was any functional testing of each API.  If there are APIs that are not covered by any platform integration
testing, then I would be concerned with such a large change with limited testing.

Thanks
Liming
From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of gaoliming via groups.io
Sent: May 7, 2024 9:25
To: devel@edk2.groups.io; announce@edk2.groups.io
Cc: 'Michael D Kinney' <michael.d.kinney@intel.com>; 'Andrew Fish' <afish@apple.com>; 'Leif Lindholm' <quic_llindhol@quicinc.com>
Subject: [edk2-devel] Soft Feature Freeze starts now for edk2-stable202405

Hi, all

  We are entering the Soft Feature Freeze phase now. In this phase,
a feature still under review will not be allowed to be pushed. A feature
that has passed review can still be merged.

  Patch review can continue without interruption in the edk2 community. If a
patch was sent before the Soft Feature Freeze and plans to catch this stable tag, the
patch contributor needs to reply to his patch and notify the edk2 community. If a
patch is sent after the Soft Feature Freeze and plans to catch this stable tag,
please add the edk2-stable202405 keyword to the patch title and BZ, so the
community knows this patch's target and can give feedback.

  To avoid unnecessary changes being merged into the edk2 stable tag release,
all edk2 maintainers' write access will be temporarily disabled until the stable
tag is released on 05-24. That means edk2 maintainers can't set the push label on a
pull request after the soft feature freeze starts.

  If a change wants to catch this stable tag 202405, please follow the above
rules, then send the merge request to gaoliming@byosoft.com.cn or
michael.d.kinney@intel.com.

  We will help merge the code change in the soft feature freeze and hard feature
freeze phases.

Below is the edk2-stable202405 tag planning proposed schedule:

Date (00:00:00 UTC-8)   Description
2024-02-23              Beginning of development
2024-05-06              Soft Feature Freeze
2024-05-10              Hard Feature Freeze
2024-05-24              Release

Thanks
Liming
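Mike's objection earlier in the thread, that an INF must not use `..` to reach source files in another component, is easy to check mechanically before a series goes to review. The following is an added example written for this page; it is not an edk2 tool and not part of the patch series. It is a small Python lint that reads an INF's DEFINE statements and [Sources] entries, expands $(MACRO) references, normalises each path and reports any that resolve outside the directory holding the INF. The sample INF text is constructed for this example: only its two DEFINE lines are the ones quoted in Mike's reply, and every other line (the [Sources] entries and the LOCAL_PATH define) is invented for illustration. Normalising before checking matters, because a path such as `Hash/../Cipher/X.c` contains `..` yet stays inside the component, while `$(OPENSSL_PATH)/...` contains no literal `..` in the [Sources] line yet escapes once the macro is expanded.

```python
import posixpath
import re

# Constructed sample INF fragment for this example. The two DEFINE lines with
# '..' are the ones quoted in Mike's reply; every other line is invented here.
SAMPLE_INF = """\
[Defines]
  INF_VERSION                    = 0x00010005
  BASE_NAME                      = BaseCryptLib
  DEFINE OPENSSL_PATH            = ../OpensslLib/openssl
  DEFINE BASE_CRYPT_PATH         = ../BaseCryptLib
  DEFINE LOCAL_PATH              = Pk

[Sources]
  InternalCryptLib.h
  $(LOCAL_PATH)/CryptX509.c                   # stays inside the component
  $(OPENSSL_PATH)/crypto/sm3/sm3.c            # reaches into OpensslLib
  $(BASE_CRYPT_PATH)/Hash/CryptSm3.c          # reaches into BaseCryptLib
  Hash/../Cipher/CryptAeadAesGcm.c            # '..' that does not escape
"""

DEFINE_RE = re.compile(r"^\s*DEFINE\s+(\w+)\s*=\s*(.+?)\s*$")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
MACRO_RE = re.compile(r"\$\((\w+)\)")


def parse_inf(text):
    """Collect DEFINE name/value pairs and the entries of every [Sources*] section.

    Only these two kinds of line are understood; everything else is ignored,
    so this is a review aid rather than a full INF parser."""
    defines = {}
    sources = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # INF comments start with '#'
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            # '[Sources.IA32]' and '[Sources]' both count as a sources section
            section = m.group(1).split(".")[0].strip().lower()
            continue
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
            continue
        if section == "sources":
            # 'File.c | MSFT' style entries: keep only the path part
            sources.append(line.strip().split("|", 1)[0].strip())
    return defines, sources


def expand(path, defines):
    """Substitute $(NAME) references; unknown macros are left untouched."""
    return MACRO_RE.sub(lambda m: defines.get(m.group(1), m.group(0)), path)


def escapes_component(path):
    """True when the normalised path leaves the directory holding the INF."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    if re.match(r"^[A-Za-z]:", norm):             # Windows drive-absolute path
        return True
    return norm == ".." or norm.startswith("../") or posixpath.isabs(norm)


def find_escaping_paths(text):
    """Return (location, raw_value, resolved_path) for every path that escapes."""
    defines, sources = parse_inf(text)
    findings = []
    for name, value in defines.items():
        resolved = expand(value, defines)
        if escapes_component(resolved):
            findings.append(("DEFINE " + name, value, resolved))
    for src in sources:
        resolved = expand(src, defines)
        if escapes_component(resolved):
            findings.append(("Sources", src, resolved))
    return findings


if __name__ == "__main__":
    for location, raw, resolved in find_escaping_paths(SAMPLE_INF):
        print(f"{location}: {raw!r} resolves to {resolved!r}, outside the component")
```

Run against the sample it reports the two DEFINE lines and the two [Sources] entries that use them, and stays silent on `Hash/../Cipher/CryptAeadAesGcm.c`. Pointing it at a real INF means reading the file and passing its text to `find_escaping_paths`; anything it flags is a candidate for the same "not legal" verdict Mike gave above, although the final call remains with code review.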




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119050): https://edk2.groups.io/g/devel/message/119050
Mute This Topic: https://groups.io/mt/106155556/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




[-- Attachment #2: Type: message/rfc822, Size: 14570 bytes --]

From: "Hou, Wenxing" <wenxing.hou@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>, "Li, Yi1" <yi1.li@intel.com>, "Yao, Jiewen" <jiewen.yao@intel.com>
Subject: [edk2-devel] [PATCH v4 00/11] Add more crypt APIs based on Mbedtls
Date: Fri, 17 May 2024 10:26:30 +0000
Message-ID: <17D03FCC8DEA42A1.16299@groups.io>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Add AeadAesGcm/Pem (only RSA)/X509 (only RSA)/More RSA/PKCS5/PKCS7/Authenticode/Timestamp
implementation based on Mbedtls.

The patch has passed the EDKII CI check:
https://github.com/tianocore/edk2/pull/5645

And the patch has passed the unit_test in EDKII and the integration test for the platform.
And the patch has passed the fuzz test:
https://github.com/tianocore/edk2-staging/commit/4f19398053c92e4f7791d468a184530b6ab89128


There are three types of newly implemented APIs.
1.	The first type of APIs pass the platform integration test via some secure features, such as Secure Boot, RPMC, etc. These APIs are:
Sm3GetContextSize/Sm3Init/Sm3Duplicate/Sm3Update/Sm3Final/Sm3HashAll/RsaGetPrivateKeyFromPem/AuthenticodeVerify
Pkcs5HashPassword/Pkcs7GetSigners/Pkcs7FreeSigners/Pkcs7Sign/Pkcs7Verify/VerifyEKUsInPkcs7Signature/Pkcs7GetAttachedContent
RsaGetKey/ImageTimestampVerify/X509GetCommonName/X509GetTBSCert/RandomBytes

2.	The second type of APIs pass the platform integration test via DeviceSecurity. These APIs are:
AeadAesGcmEncrypt/AeadAesGcmDecrypt/RsaGenerateKey/RsaCheckKey/RsaPkcs1Sign/RsaPssSign/X509GetSubjectName
X509GetOrganizationName/X509VerifyCert/X509ConstructCertificate/X509ConstructCertificateStackV/X509ConstructCertificateStack
X509Free/X509StackFree

3.	The third type of APIs don't have platform integration, but the API passed the EDKII unit_test. The API is:
Pkcs1v2Encrypt

v2 changes:
 - Fix format variable name/hardcode number issue;
 - Fix Pkcs7 memory leak;

v3 changes:
 - Fix some issues from reviewer;
 - Add SHA3/SM3 implementation;
 - Update *.inf files;

v4 changes:
 - Delete SHA3 implementation;
 - Complete Sm3 by linking OpensslLib;
 - Collect data for platform integration test for newly implemented APIs;

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
Reviewed-by: Yi Li <yi1.li@intel.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>

Wenxing Hou (11):
  CryptoPkg: Add AeadAesGcm based on Mbedtls
  CryptoPkg: Add rand function for BaseCryptLibMbedTls
  CryptoPkg: Add Pem APIs based on Mbedtls
  CryptoPkg: Add X509 functions based on Mbedtls
  CryptoPkg: Add Pkcs7 related functions based on Mbedtls
  CryptoPkg: Add Pkcs5 functions based on Mbedtls
  CryptoPkg: Add more RSA related functions based on Mbedtls
  CryptoPkg: Add AuthenticodeVerify based on Mbedtls
  CryptoPkg: Add ImageTimestampVerify based on Mbedtls
  CryptoPkg: Update *.inf in BaseCryptLibMbedTls
  Add SM3 functions with openssl for Mbedtls

 CryptoPkg/CryptoPkgMbedTls.dsc                |    1 +
 CryptoPkg/Include/Library/BaseCryptLib.h      |    4 +
 .../BaseCryptLibMbedTls/BaseCryptLib.inf      |   43 +-
 .../Cipher/CryptAeadAesGcm.c                  |  227 ++
 .../BaseCryptLibMbedTls/Hash/CryptSm3.c       |  235 ++
 .../BaseCryptLibMbedTls/InternalCryptLib.h    |   49 +
 .../BaseCryptLibMbedTls/PeiCryptLib.inf       |   23 +-
 .../BaseCryptLibMbedTls/Pem/CryptPem.c        |  138 ++
 .../Pk/CryptAuthenticode.c                    |  214 ++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c   |  278 +++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c |  100 +
 .../Pk/CryptPkcs7Internal.h                   |   29 +-
 .../BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c   |  635 ++++++
 .../Pk/CryptPkcs7VerifyBase.c                 |  113 +
 .../Pk/CryptPkcs7VerifyCommon.c               | 1354 ++++++++++++
 .../Pk/CryptPkcs7VerifyEku.c                  |  689 ++++++
 .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c      |  352 +++
 .../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c  |  140 ++
 .../Library/BaseCryptLibMbedTls/Pk/CryptTs.c  |  381 ++++
 .../BaseCryptLibMbedTls/Pk/CryptX509.c        | 1940 +++++++++++++++++
 .../BaseCryptLibMbedTls/Rand/CryptRand.c      |  114 +
 .../BaseCryptLibMbedTls/Rand/CryptRandTsc.c   |  114 +
 .../BaseCryptLibMbedTls/RuntimeCryptLib.inf   |   27 +-
 .../BaseCryptLibMbedTls/SecCryptLib.inf       |    1 -
 .../BaseCryptLibMbedTls/SmmCryptLib.inf       |   32 +-
 .../SysCall/BaseMemAllocation.c               |  122 ++
 .../SysCall/DummyOpensslSupport.c             |  571 +++++
 .../SysCall/UnitTestHostCrtWrapper.c          |   63 +
 .../BaseCryptLibMbedTls/TestBaseCryptLib.inf  |   40 +-
 29 files changed, 7946 insertions(+), 83 deletions(-)
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPem.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticode.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRand.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandTsc.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/BaseMemAllocation.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/DummyOpensslSupport.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/UnitTestHostCrtWrapper.c

-- 
2.26.2.windows.1






Thread overview: 10+ messages
     [not found] <17CD1075E73EEFD7.30273@groups.io>
2024-05-10 15:28 ` Re: [edk2-devel] Soft Feature Freeze starts now for edk2-stable202405 gaoliming via groups.io
2024-05-14 16:34   ` Michael D Kinney
2024-05-15  0:49     ` Re: " gaoliming via groups.io
2024-05-17 15:09       ` Wenxing Hou [this message]
2024-05-21 14:21         ` gaoliming via groups.io
2024-05-27  4:24           ` Wenxing Hou
2024-05-27  8:21             ` Re: " gaoliming via groups.io
2024-05-27  8:23               ` Wenxing Hou
2024-05-27  9:24                 ` Re: " gaoliming via groups.io
2024-05-07  1:25 gaoliming via groups.io
