[PATCH V3 00/12] Disable the deprecated MD5 and SHA1 support

[PATCH V3 00/12] Disable the deprecated MD5 and SHA1 support

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027

MD5 is deprecated, make it disable as default for security.
It required to set MD5 enable explicitly if the module is still using 
MD5. List the modules that are still using it:
iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).

This patch set would affact the platforms that are using iSCSI 
function.

V2:
Remove MD5 and SHA1 support of Hash2DxeCrypto.
Remove the MD5 GUID defination in MdePkg.dec. SHA1 related GUIDs
are still using in TPM2, so keep them.
No requirement to add MD5 enable MACRO in SecurityPkg.

V3:
Explicitly enable iSCSI for ArmVirtQemu, ArmVirtQemuKernel,
OvmfPkgIa32, OvmfPkgIa32X64, OvmfPkgX64 and BhyveX64.
And set the MD5 enable base on the new MD5 MACRO.
Rejust the patch order.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Kelly Steele <kelly.steele@intel.com>
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Roger Feng <roger.feng@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>

Zhichao Gao (12):
  SecurityPkg/Hash2DxeCrypto: Remove MD5 support
  SecurityPkg/Hash2DxeCrypto: Remove SHA1 support
  CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
  NetworkPkg: Enable MD5 while enable iSCSI
  ArmVirtPkg/ArmVirtQemu.dsc: Enable MD5 while enable iSCSI
  ArmVirtPkg/ArmVirtQemuKernel.dsc: Enable MD5 while enable iSCSI
  OvmfPkg/OvmfPkgIa32.dsc: Enable MD5 while enable iSCSI
  OvmfPkg/OvmfPkgIa32X64.dsc: Enable MD5 while enable iSCSI
  OvmfPkg/OvmfPkgX64.dsc: Enable MD5 while enable iSCSI
  OvmfPkg/BhyveX64.dsc: Enable MD5 while enable iSCSI
  NetworkPkg/Defines: Make iSCSI disable as default
  CryptoPkg: Make the MD5 disable as default for security

 ArmVirtPkg/ArmVirtQemu.dsc                             | 8 +++++++-
 ArmVirtPkg/ArmVirtQemuKernel.dsc                       | 8 +++++++-
 CryptoPkg/CryptoPkg.dsc                                | 3 +++
 CryptoPkg/Driver/Crypto.c                              | 4 ++--
 CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
 CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
 NetworkPkg/Network.dsc.inc                             | 5 +++++
 NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
 OvmfPkg/Bhyve/BhyveX64.dsc                             | 7 ++++++-
 OvmfPkg/OvmfPkgIa32.dsc                                | 5 +++++
 OvmfPkg/OvmfPkgIa32X64.dsc                             | 5 +++++
 OvmfPkg/OvmfPkgX64.dsc                                 | 5 +++++
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c            | 2 --
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf          | 4 +---
 15 files changed, 51 insertions(+), 15 deletions(-)

-- 
2.21.0.windows.1

[PATCH V3 01/12] SecurityPkg/Hash2DxeCrypto: Remove MD5 support

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027

Remove the deprecated MD5 support of Hash2DxeCrypto
driver.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
---
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c   | 1 -
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
index d96bc136e2..50a6157bd9 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
@@ -120,7 +120,6 @@ typedef struct {
 } EFI_HASH_INFO;
 
 EFI_HASH_INFO  mHashInfo[] = {
-  {&gEfiHashAlgorithmMD5Guid,     sizeof(EFI_MD5_HASH2),    Md5GetContextSize,    Md5Init,    Md5Update,    Md5Final  },
   {&gEfiHashAlgorithmSha1Guid,    sizeof(EFI_SHA1_HASH2),   Sha1GetContextSize,   Sha1Init,   Sha1Update,   Sha1Final   },
   {&gEfiHashAlgorithmSha256Guid,  sizeof(EFI_SHA256_HASH2), Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final },
   {&gEfiHashAlgorithmSha384Guid,  sizeof(EFI_SHA384_HASH2), Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final },
diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
index a0b57f0514..a65943056a 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
@@ -4,7 +4,7 @@
 #  This module will use EDKII crypto library to HASH2 protocol.
 #
 #  (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
-#  Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -44,7 +44,6 @@
   UefiLib
 
 [Guids]
-  gEfiHashAlgorithmMD5Guid              ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha1Guid             ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha256Guid           ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha384Guid           ## CONSUMES               ## GUID
-- 
2.21.0.windows.1

[PATCH V3 02/12] SecurityPkg/Hash2DxeCrypto: Remove SHA1 support

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027

Remove the deprecated SHA1 support of Hash2DxeCrypto
driver.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
---
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c   | 1 -
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf | 1 -
 2 files changed, 2 deletions(-)

diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
index 50a6157bd9..c1c0470be9 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
@@ -120,7 +120,6 @@ typedef struct {
 } EFI_HASH_INFO;
 
 EFI_HASH_INFO  mHashInfo[] = {
-  {&gEfiHashAlgorithmSha1Guid,    sizeof(EFI_SHA1_HASH2),   Sha1GetContextSize,   Sha1Init,   Sha1Update,   Sha1Final   },
   {&gEfiHashAlgorithmSha256Guid,  sizeof(EFI_SHA256_HASH2), Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final },
   {&gEfiHashAlgorithmSha384Guid,  sizeof(EFI_SHA384_HASH2), Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final },
   {&gEfiHashAlgorithmSha512Guid,  sizeof(EFI_SHA512_HASH2), Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final },
diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
index a65943056a..6a456ed2a6 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
@@ -44,7 +44,6 @@
   UefiLib
 
 [Guids]
-  gEfiHashAlgorithmSha1Guid             ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha256Guid           ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha384Guid           ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha512Guid           ## CONSUMES               ## GUID
-- 
2.21.0.windows.1

[PATCH V3 03/12] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

CRYPTO_SERVICES PACKAGES and ALL config would enable MD5
function. So explicitly enable MD5 while CRYPTO_SERVICES
are set PACKAGES and ALL.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 7e51f6fac5..8dac4b1614 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -308,3 +308,6 @@
 
 [BuildOptions]
   *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
+!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
-- 
2.21.0.windows.1

Re: [edk2-devel] [PATCH V3 03/12] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5

[Laszlo Ersek]

On 11/10/20 18:36, Gao, Zhichao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> 
> CRYPTO_SERVICES PACKAGES and ALL config would enable MD5
> function. So explicitly enable MD5 while CRYPTO_SERVICES
> are set PACKAGES and ALL.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 7e51f6fac5..8dac4b1614 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -308,3 +308,6 @@
>  
>  [BuildOptions]
>    *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
> +!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> +  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
> +!endif
> 

This does not take into consideration that different toolchain families
require different spelling for "-D" vs. "/D". I suggest using the
toolchain family prefixes, such as "GCC:", "INTEL:", "MSFT:", "RVCT:".

Thanks
Laszlo

[PATCH V3 04/12] NetworkPkg: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 NetworkPkg/Network.dsc.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/NetworkPkg/Network.dsc.inc b/NetworkPkg/Network.dsc.inc
index 16f090a187..b761df900b 100644
--- a/NetworkPkg/Network.dsc.inc
+++ b/NetworkPkg/Network.dsc.inc
@@ -30,6 +30,11 @@
 [LibraryClasses]
 !include NetworkPkg/NetworkLibs.dsc.inc
 
+[BuildOptions]
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 !if $(PLATFORMX64_ENABLE) == TRUE
 [Components.X64]
 !include NetworkPkg/NetworkComponents.dsc.inc
-- 
2.21.0.windows.1

Re: [edk2-devel] [PATCH V3 04/12] NetworkPkg: Enable MD5 while enable iSCSI

[Laszlo Ersek]

On 11/10/20 18:36, Gao, Zhichao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
>
> There is a plan to make MD5 disable as default.
> The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
> would be introduced to enable MD5. Make the
> definition ahead of the change to avoid build
> error after the MACRO changed.
>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  NetworkPkg/Network.dsc.inc | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/NetworkPkg/Network.dsc.inc b/NetworkPkg/Network.dsc.inc
> index 16f090a187..b761df900b 100644
> --- a/NetworkPkg/Network.dsc.inc
> +++ b/NetworkPkg/Network.dsc.inc
> @@ -30,6 +30,11 @@
>  [LibraryClasses]
>  !include NetworkPkg/NetworkLibs.dsc.inc
>
> +[BuildOptions]
> +!if $(NETWORK_ISCSI_ENABLE) == TRUE
> +  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
> +!endif
> +
>  !if $(PLATFORMX64_ENABLE) == TRUE
>  [Components.X64]
>  !include NetworkPkg/NetworkComponents.dsc.inc
>

I was not CC'd on this patch.

Comment (2) in my review of

  [PATCH V3 05/12] ArmVirtPkg/ArmVirtQemu.dsc: Enable MD5 while enable iSCSI

actually relates to this patch. (I made that comment there because I was
not CC'd on the present patch, and I'm learning of the present patch
only now, after having reviewed the ArmVirtQemu patch.)

I'll repeat the same points here:


(2a) The patch should create the following file:

  NetworkPkg/NetworkBuildOptions.dsc.inc

with the following contents:

> # Network DSC include file for the [BuildOptions*] sections of all
> # Architectures.
> #
> # This file can be included in the [BuildOptions*] section(s) of a platform
> # DSC file by using "!include NetworkPkg/NetworkBuildOptions.dsc.inc", to
> # specify the C language feature test macros (eg., API deprecation macros)
> # according to the flags described in "NetworkDefines.dsc.inc".
>
> !if $(NETWORK_ISCSI_ENABLE) == TRUE
>   MSFT:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES
>   INTEL:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES
>   GCC:*_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
>   RVCT:*_*_*_CC_FLAGS = -DENABLE_MD5_DEPRECATED_INTERFACES
> !endif


(2b) The patch should append (or insert) the following section to
"NetworkPkg/Network.dsc.inc":

> [BuildOptions]
> !include NetworkPkg/NetworkBuildOptions.dsc.inc

Thanks,
Laszlo

[PATCH V3 05/12] ArmVirtPkg/ArmVirtQemu.dsc: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Enalbe iSCSI.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
---
 ArmVirtPkg/ArmVirtQemu.dsc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 3f649c91d8..3be8448d0b 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -1,7 +1,7 @@
 #
 #  Copyright (c) 2011-2015, ARM Limited. All rights reserved.
 #  Copyright (c) 2014, Linaro Limited. All rights reserved.
-#  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+#  Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -40,6 +40,7 @@
   DEFINE NETWORK_SNP_ENABLE              = FALSE
   DEFINE NETWORK_TLS_ENABLE              = FALSE
   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS  = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE            = TRUE
 
 !if $(NETWORK_SNP_ENABLE) == TRUE
   !error "NETWORK_SNP_ENABLE is IA32/X64/EBC only"
@@ -49,6 +50,11 @@
 
 !include ArmVirtPkg/ArmVirt.dsc.inc
 
+[BuildOptions]
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 [LibraryClasses.common]
   ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
   ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
-- 
2.21.0.windows.1

Re: [PATCH V3 05/12] ArmVirtPkg/ArmVirtQemu.dsc: Enable MD5 while enable iSCSI

[Laszlo Ersek]

On 11/10/20 18:36, Zhichao Gao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
>
> There is a plan to make MD5 disable as default.
> The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
> would be introduced to enable MD5. Make the
> definition ahead of the change to avoid build
> error after the MACRO changed.
>
> Enalbe iSCSI.

(1) Typo: should be "Enable".


>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> ---
>  ArmVirtPkg/ArmVirtQemu.dsc | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 3f649c91d8..3be8448d0b 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -1,7 +1,7 @@
>  #
>  #  Copyright (c) 2011-2015, ARM Limited. All rights reserved.
>  #  Copyright (c) 2014, Linaro Limited. All rights reserved.
> -#  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
> +#  Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.
>  #
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
> @@ -40,6 +40,7 @@
>    DEFINE NETWORK_SNP_ENABLE              = FALSE
>    DEFINE NETWORK_TLS_ENABLE              = FALSE
>    DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS  = TRUE
> +  DEFINE NETWORK_ISCSI_ENABLE            = TRUE
>
>  !if $(NETWORK_SNP_ENABLE) == TRUE
>    !error "NETWORK_SNP_ENABLE is IA32/X64/EBC only"
> @@ -49,6 +50,11 @@
>
>  !include ArmVirtPkg/ArmVirt.dsc.inc
>
> +[BuildOptions]
> +!if $(NETWORK_ISCSI_ENABLE) == TRUE
> +  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
> +!endif
> +
>  [LibraryClasses.common]
>    ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
>    ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
>

(2) Before this patch, please create a separate patch:

  NetworkPkg: add MD5-related build options include file for iSCSI


(2a) The patch should create the following file:

  NetworkPkg/NetworkBuildOptions.dsc.inc

with the following contents:

> # Network DSC include file for the [BuildOptions*] sections of all
> # Architectures.
> #
> # This file can be included in the [BuildOptions*] section(s) of a platform
> # DSC file by using "!include NetworkPkg/NetworkBuildOptions.dsc.inc", to
> # specify the C language feature test macros (eg., API deprecation macros)
> # according to the flags described in "NetworkDefines.dsc.inc".
>
> !if $(NETWORK_ISCSI_ENABLE) == TRUE
>   MSFT:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES
>   INTEL:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES
>   GCC:*_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
>   RVCT:*_*_*_CC_FLAGS = -DENABLE_MD5_DEPRECATED_INTERFACES
> !endif


(2b) The same patch should append the following section to
"NetworkPkg/Network.dsc.inc":

> [BuildOptions]
> !include NetworkPkg/NetworkBuildOptions.dsc.inc


(3) In the present patch, please insert the [BuildOptions] section as
follows:

> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 3f649c91d8d6..e93c129a5045 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -105,6 +105,9 @@ [LibraryClasses.common.DXE_DRIVER]
>  [LibraryClasses.common.UEFI_DRIVER]
>    UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
>
> +[BuildOptions]
> +!include NetworkPkg/NetworkBuildOptions.dsc.inc
> +
>  ################################################################################
>  #
>  # Pcd Section - list of all EDK II PCD Entries defined by this Platform

Because this way, the new [BuildOptions] section in
"ArmVirtPkg/ArmVirtQemu.dsc" will be aligned with the *existent*
[BuildOptions] section in "ArmVirtPkg/ArmVirtQemuKernel.dsc".

Thanks!
Laszlo

[PATCH V3 06/12] ArmVirtPkg/ArmVirtQemuKernel.dsc: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Enalbe iSCSI.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
---
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 9449a01d6e..714dc6cf89 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -1,7 +1,7 @@
 #
 #  Copyright (c) 2011-2015, ARM Limited. All rights reserved.
 #  Copyright (c) 2014, Linaro Limited. All rights reserved.
-#  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+#  Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -38,6 +38,7 @@
   DEFINE NETWORK_SNP_ENABLE              = FALSE
   DEFINE NETWORK_TLS_ENABLE              = FALSE
   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS  = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE            = TRUE
 
 !if $(NETWORK_SNP_ENABLE) == TRUE
   !error "NETWORK_SNP_ENABLE is IA32/X64/EBC only"
@@ -47,6 +48,11 @@
 
 !include ArmVirtPkg/ArmVirt.dsc.inc
 
+[BuildOptions]
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 [LibraryClasses.common]
   ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
   ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
-- 
2.21.0.windows.1

Re: [PATCH V3 06/12] ArmVirtPkg/ArmVirtQemuKernel.dsc: Enable MD5 while enable iSCSI

[Laszlo Ersek]

On 11/10/20 18:36, Zhichao Gao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
>
> There is a plan to make MD5 disable as default.
> The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
> would be introduced to enable MD5. Make the
> definition ahead of the change to avoid build
> error after the MACRO changed.
>
> Enalbe iSCSI.

(1) typo

>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> ---
>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index 9449a01d6e..714dc6cf89 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -1,7 +1,7 @@
>  #
>  #  Copyright (c) 2011-2015, ARM Limited. All rights reserved.
>  #  Copyright (c) 2014, Linaro Limited. All rights reserved.
> -#  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
> +#  Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.
>  #
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
> @@ -38,6 +38,7 @@
>    DEFINE NETWORK_SNP_ENABLE              = FALSE
>    DEFINE NETWORK_TLS_ENABLE              = FALSE
>    DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS  = TRUE
> +  DEFINE NETWORK_ISCSI_ENABLE            = TRUE
>
>  !if $(NETWORK_SNP_ENABLE) == TRUE
>    !error "NETWORK_SNP_ENABLE is IA32/X64/EBC only"
> @@ -47,6 +48,11 @@
>
>  !include ArmVirtPkg/ArmVirt.dsc.inc
>
> +[BuildOptions]
> +!if $(NETWORK_ISCSI_ENABLE) == TRUE
> +  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
> +!endif
> +
>  [LibraryClasses.common]
>    ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
>    ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
>

(2) please locate the existent [BuildOptions] section in this file, and
add the !include directive instead of the open-coded flags. Like this:

> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index 9449a01d6e40..c5f7e1c37b6f 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -84,6 +84,7 @@ [LibraryClasses.common.UEFI_DRIVER]
>    UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
>
>  [BuildOptions]
> +!include NetworkPkg/NetworkBuildOptions.dsc.inc
>    #
>    # We need to avoid jump tables in SEC modules, so that the PE/COFF
>    # self-relocation code itself is guaranteed to be position independent.

Thanks
Laszlo

[PATCH V3 07/12] OvmfPkg/OvmfPkgIa32.dsc: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Enalbe iSCSI.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
---
 OvmfPkg/OvmfPkgIa32.dsc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 58d9f292f9..c0ddb0b375 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -42,6 +42,7 @@
   DEFINE NETWORK_IP6_ENABLE             = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE       = FALSE
   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE           = TRUE
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
@@ -86,6 +87,10 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
 
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
   XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000
-- 
2.21.0.windows.1

Re: [PATCH V3 07/12] OvmfPkg/OvmfPkgIa32.dsc: Enable MD5 while enable iSCSI

[Laszlo Ersek]

On 11/10/20 18:36, Zhichao Gao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> 
> There is a plan to make MD5 disable as default.
> The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
> would be introduced to enable MD5. Make the
> definition ahead of the change to avoid build
> error after the MACRO changed.
> 
> Enalbe iSCSI.

(1) typo

> 
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 58d9f292f9..c0ddb0b375 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -42,6 +42,7 @@
>    DEFINE NETWORK_IP6_ENABLE             = FALSE
>    DEFINE NETWORK_HTTP_BOOT_ENABLE       = FALSE
>    DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
> +  DEFINE NETWORK_ISCSI_ENABLE           = TRUE
>  
>  !include NetworkPkg/NetworkDefines.dsc.inc
>  
> @@ -86,6 +87,10 @@
>    INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES
>    GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
>  
> +!if $(NETWORK_ISCSI_ENABLE) == TRUE
> +  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
> +!endif
> +

(2) Please

!include NetworkPkg/NetworkBuildOptions.dsc.inc

instead.


>  [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
>    GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
>    XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000
> 

(3) The two comments above apply to the subsequent OvmfPkg patches in
the series as well -- IA32X64, X64, Bhyve.


(4) You missed the following DSC file:

  OvmfPkg/OvmfXen.dsc

Please include a similar patch for that file too.

Thanks!
Laszlo

[PATCH V3 08/12] OvmfPkg/OvmfPkgIa32X64.dsc: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Enalbe iSCSI.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
---
 OvmfPkg/OvmfPkgIa32X64.dsc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 3551f9710a..7ddb363d7d 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -41,6 +41,7 @@
   DEFINE NETWORK_IP6_ENABLE             = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE       = FALSE
   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE           = TRUE
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
@@ -90,6 +91,10 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
 
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
   XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000
-- 
2.21.0.windows.1

[PATCH V3 09/12] OvmfPkg/OvmfPkgX64.dsc: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Enalbe iSCSI.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
---
 OvmfPkg/OvmfPkgX64.dsc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 7a8bdb8a86..b4b2eb718c 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -41,6 +41,7 @@
   DEFINE NETWORK_IP6_ENABLE             = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE       = FALSE
   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE           = TRUE
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
@@ -90,6 +91,10 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
 
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
   XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000
-- 
2.21.0.windows.1

[PATCH V3 10/12] OvmfPkg/BhyveX64.dsc: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Enalbe iSCSI.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
---
 OvmfPkg/Bhyve/BhyveX64.dsc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index 16d2233d77..3820a01ca6 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -1,6 +1,6 @@
 #
 #  Copyright (c) 2020, Rebecca Cran <rebecca@bsdio.com>
-#  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
 #  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 #  Copyright (c) 2014, Pluribus Networks, Inc.
 #
@@ -41,6 +41,7 @@
   DEFINE NETWORK_IP6_ENABLE             = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE       = FALSE
   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE           = TRUE
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
@@ -83,6 +84,10 @@
   INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES
   GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
 
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
   GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
   XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000
-- 
2.21.0.windows.1

[PATCH V3 11/12] NetworkPkg/Defines: Make iSCSI disable as default

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

iSCSI is using the undeprecated function MD5. It is
better to make the default setting secure. If the platforms
want to use the iSCSI, they should enable it in the platforms'
dsc file and be aware they are using an unsafe function.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Kelly Steele <kelly.steele@intel.com>
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc
index a442d1b157..18921d81f6 100644
--- a/NetworkPkg/NetworkDefines.dsc.inc
+++ b/NetworkPkg/NetworkDefines.dsc.inc
@@ -17,7 +17,7 @@
 #   DEFINE NETWORK_TLS_ENABLE             = TRUE
 #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
 #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
-#   DEFINE NETWORK_ISCSI_ENABLE           = TRUE
+#   DEFINE NETWORK_ISCSI_ENABLE           = FALSE
 #   DEFINE NETWORK_VLAN_ENABLE            = TRUE
 #
 # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
@@ -101,7 +101,7 @@
   #       Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
   #       since libssl is not required for iSCSI.
   #
-  DEFINE NETWORK_ISCSI_ENABLE = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE = FALSE
 !endif
 
 !if $(NETWORK_ENABLE) == TRUE
-- 
2.21.0.windows.1

Re: [PATCH V3 11/12] NetworkPkg/Defines: Make iSCSI disable as default

[Laszlo Ersek]

On 11/10/20 18:36, Zhichao Gao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> 
> iSCSI is using the undeprecated function MD5. It is

(1) I think you meant "deprecated"

> better to make the default setting secure. If the platforms
> want to use the iSCSI, they should enable it in the platforms'
> dsc file and be aware they are using an unsafe function.

(2) I suggest replacing "unsafe function" with "function with weak
cryptography".

> 
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Kelly Steele <kelly.steele@intel.com>
> Cc: Zailiang Sun <zailiang.sun@intel.com>
> Cc: Yi Qian <yi.qian@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc
> index a442d1b157..18921d81f6 100644
> --- a/NetworkPkg/NetworkDefines.dsc.inc
> +++ b/NetworkPkg/NetworkDefines.dsc.inc
> @@ -17,7 +17,7 @@
>  #   DEFINE NETWORK_TLS_ENABLE             = TRUE
>  #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
>  #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
> -#   DEFINE NETWORK_ISCSI_ENABLE           = TRUE
> +#   DEFINE NETWORK_ISCSI_ENABLE           = FALSE
>  #   DEFINE NETWORK_VLAN_ENABLE            = TRUE
>  #
>  # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> @@ -101,7 +101,7 @@
>    #       Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
>    #       since libssl is not required for iSCSI.
>    #
> -  DEFINE NETWORK_ISCSI_ENABLE = TRUE
> +  DEFINE NETWORK_ISCSI_ENABLE = FALSE
>  !endif
>  
>  !if $(NETWORK_ENABLE) == TRUE
> 

With the above commit message updates:

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Thanks
Laszlo

[PATCH V3 12/12] CryptoPkg: Make the MD5 disable as default for security

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

Make the deprecated MD5 disable as default setting for
security.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
---
 CryptoPkg/Driver/Crypto.c                              | 4 ++--
 CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
 CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index d9096ea603..26f280cd5d 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -243,7 +243,7 @@ DeprecatedCryptoServiceMd4HashAll (
   return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE;
 }
 
-#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
@@ -4494,7 +4494,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceMd4Update,
   DeprecatedCryptoServiceMd4Final,
   DeprecatedCryptoServiceMd4HashAll,
-#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
   /// Md5 - deprecated and unsupported
   DeprecatedCryptoServiceMd5GetContextSize,
   DeprecatedCryptoServiceMd5Init,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index ae9bde9e37..496121e6a4 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -72,7 +72,7 @@ typedef enum {
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
index b85e7f4d12..d670f17424 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
@@ -9,7 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "InternalCryptLib.h"
 #include <openssl/md5.h>
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 3f14c6d262..8b43d1363c 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -99,7 +99,7 @@ CryptoServiceNotAvailable (
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
-- 
2.21.0.windows.1