From: Laszlo Ersek
To: "Wu, Jiaxin", "edk2-devel@ml01.01.org"
Cc: "Justen, Jordan L", Gary Lin, "Long, Qin", "Kinney, Michael D"
Date: Tue, 17 Jan 2017 04:15:16 +0100
Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries
List-Id: EDK II Development
In-Reply-To: <895558F6EA4E3B41AC93A00D163B72741629426B@SHSMSX103.ccr.corp.intel.com>

On 01/17/17 03:56, Wu, Jiaxin wrote:
>> Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg
>> libraries
>>
>> On 01/17/17 02:08, Wu, Jiaxin wrote:
>>> Laszlo,
>>>
>>> I don't think this patch makes OpenSSL must requirement for building
>>> OVMF by default.
>>>
>>> As I note in the commit log that "no build performance impacts" if
>>> OpenSSL related library is not consumed by any other modules.
>>
>> I saw that comment, and I didn't understand it. What do you mean by
>> "performance impact"? How quickly the tree builds? Or how quickly the
>> resultant firmware boots? My concerns aren't related to performance, but
>> whether OVMF builds at all, or not.
>>
>>> That
>>> also means "Including OpenSSL libraries unconditionally won't break
>>> OVMF build by default since all dependent modules are controlled by
>>> the defined flag with the false value."
>>
>> So practically the suggestion is to provide unconditional library
>> resolutions for the OpenSslLib, IntrinsicLib and BaseCryptLib classes,
>> regardless of whether those classes are actually used by any module.
>>
>
> Yes.
> I thought "build performance" should include the build result and time consumption during the OVMF build. Sorry for the misunderstanding due to the ambiguity of "build performance impacts", and I agree to refine the commit log.
>
>
>
>> I see the point, but then the commit message should be improved. It
>> should also explain that unused lib class resolutions that refer to
>> nonexistent INF files (for example when OpenSSL is missing from the
>> tree) do not cause build failures, unless the lib class is actually used.
>>
>> The commit message could be
>>
>>   OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
>>
>
> I don't have the strong opinion for the commit message change. That's also fine to me since we can reach an agreement:).
>
>
>
>>>
>>> Secure Boot feature is controlled by:
>>> * DEFINE SECURE_BOOT_ENABLE = FALSE
>>>
>>> ISCSIv6 requires OpenSSL, which is controlled by:
>>> * DEFINE NETWORK_IP6_ENABLE = FALSE
>>
>> That's not entirely right; currently you can build with -D
>> NETWORK_IP6_ENABLE and without OpenSSL (i.e., without -D
>> SECURE_BOOT_ENABLE, at the moment). It will use IScsiDxe from
>> MdeModulePkg, rather than from NetworkPkg.
>>
>> Is your argument that such an IPv6 stack (that is, with IScsiDxe comes
>> from MdeModulePkg) is incomplete in itself? In other words, that a
>> complete IPv6 stack requires IScsiDxe from NetworkPkg, hence OpenSSL too?
>
> Yes, that's my point.
>
>
>
>>
>> In that case, the relevant parts of the OVMF DSC / FDF files should be
>> fixed in a separate patch, with a separate justification. Something like:
>>
>>   OvmfPkg: correct the set of modules included for the IPv6 stack
>>
>
> Ok, that's fine the separate patch.
>
>
>
>>>
>>> IPsec is a mandatory part of IPv6, but is not an integral part of IPv4, then it should be controlled by:
>>> * DEFINE NETWORK_IP6_ENABLE = FALSE
>>> (For IPsec, I just notice it's not included in OVMF platform if IPV6 enabled, we should fix it.)
>>
>> Yes, it could be part of the above-suggested IPv6-oriented patch.
>>
>>>
>>> HTTPS/TLS will also be controlled by:
>>> * DEFINE TLS_ENABLE = FALSE
>>
>> Makes sense.
>>
>> (And then HTTP_BOOT_ENABLE should pull in different modules dependent on
>> TLS_ENABLE.)
>
> No, we can keep the current modules included in HTTP_BOOT_ENABLE, and make the TLS_ENABLE independently since TLS feature should not be limited to HTTP(S) feature.
>
> As I explained to Gary, TLS can be treated as independent module, which can be leveraged by third-party drivers/apps (e.g. EAP-TLS). No TLS means no HTTPS.
>
>
>
>>
>>> Namely:
>>> OpenSSL is required to follow Patch-HOWTO *only when needed*.
>>>
>>> Of course, as you propose, we can also add OPENSSL_ENABLE flag to
>>> control all the OpenSSL libraries. But as I mentioned above, do you
>>> think it's necessary? I don't have strong opinion for OPENSSL_ENABLE
>>> flag, but makes the logic more complex as you list below.
>>
>> No, with your explanation, it seems fine. I think in total we'll need
>> four patches:
>>
>> * OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
>>
>>   Does what it says; commit message suggestions above.
>>
>> * OvmfPkg: correct the set of modules included for the IPv6 stack
>>
>>   Fixes up IScsiDxe and IPSec, makes OpenSSL a hard requirement for
>>   IPv6. (And documents the fact in the commit message.)
>>
>> * OvmfPkg: pull in TLS modules with -D TLS_ENABLE
>>
>>   Resolves the TLS-specific library classes, and pulls in TLS drivers
>>   (that are independent of HTTPS).
>>
>> * OvmfPkg: enable HTTPS boot under (HTTP_BOOT_ENABLE + TLS_ENABLE)
>>
>>   Adds any TLS-specific customizations to existent HTTP_BOOT_ENABLE
>>   parts.
>>
>> What do you guys think?
>>
>
> We can combine the last two patches instead:
>
> * OvmfPkg: Enable HTTPS/TLS feature under (HTTP_BOOT_ENABLE + TLS_ENABLE)

Hm, okay.

So I guess the presence of TLS-related protocols (provided by the drivers
pulled in due to -D TLS_ENABLE) automatically enables HTTPS when the
firmware runs, in the drivers that are pulled in by -D HTTP_BOOT_ENABLE?

In that case, I suggest the subject

  OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)

and explain in the commit message that TLS_ENABLE and HTTP_BOOT_ENABLE
remain independent, but their intersection at build time produces HTTPS
capability dynamically, when the firmware runs.

Is this correct?

Thanks!
Laszlo

>> I believe it would be preferable if one of you (Gary?) could submit the
>> whole 4-part series, with the other one (Jiaxin?) helping out with the
>> review. Would that work for you both?
>>
> I'm fine with the proposal:).
>
> Thanks,
> Jiaxin
>
>
>
>
>> Thanks!
>> Laszlo
>>
>>>
>>> Thanks,
>>> Jiaxin
>>>
>>>> -----Original Message-----
>>>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>>>> Sent: Tuesday, January 17, 2017 4:33 AM
>>>> To: Wu, Jiaxin ; edk2-devel@ml01.01.org
>>>> Cc: Justen, Jordan L ; Gary Lin ;
>>>> Long, Qin ; Kinney, Michael D
>>>>
>>>> Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg
>>>> libraries
>>>>
>>>> On 01/16/17 13:22, Jiaxin Wu wrote:
>>>>> v2:
>>>>> * Remove the flag for NetworkPkg/IScsiDxe
>>>>>
>>>>> This patch is to remove the 'SECURE_BOOT_ENABLE' flag control for
>>>>> the CryptoPkg libraries.
>>>>>
>>>>> Not only the secure boot feature requires the CryptoPkg libraries
>>>>> (e.g., OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS
>>>>> features. Those modules can be always included since no build performance
>>>>> impacts if they are not consumed.
>>>>>
>>>>> Cc: Laszlo Ersek
>>>>> Cc: Justen Jordan L
>>>>> Cc: Gary Lin
>>>>> Cc: Long Qin
>>>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>>>> Signed-off-by: Wu Jiaxin
>>>>> ---
>>>>>  OvmfPkg/OvmfPkgIa32.dsc    | 17 ++++++-----------
>>>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 17 ++++++-----------
>>>>>  OvmfPkg/OvmfPkgX64.dsc     | 17 ++++++-----------
>>>>>  3 files changed, 18 insertions(+), 33 deletions(-)
>>>>
>>>> I disagree with this patch (assuming at least that I understand it
>>>> correctly).
>>>>
>>>> Namely,
>>>> - unconditionally resolving OpensslLib in the DSC files, and
>>>> - unconditionally consuming OpensslLib in modules that are
>>>>   unconditionally included in the DSC files,
>>>>
>>>> makes OpenSSL a hard requirement for building OVMF.
>>>>
>>>> Given that OpenSSL is not distributed as part of the edk2 tree, and
>>>> given that it's not even pulled in through an unmodified git submodule,
>>>> this patch would prevent people, IIUC, from building OVMF without
>>>> jumping through the hoops described in
>>>>
>>>>   CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>>>>
>>>> That's a bad thing, forcing people to download and patch OpenSSL even if
>>>> they don't care about any of the dependent features. (It is perfectly
>>>> possible to be uninterested in *all* of: Secure Boot, IpSec, HTTPS boot,
>>>> and iSCSI, in a virtual machine.)
>>>>
>>>> If OpenSSL were distributed as part of edk2, or if OpenSSL were
>>>> presented as a plain (unmodified) git submodule in edk2, then I might agree.
>>>>
>>>> For now, perhaps we can introduce an OPENSSL_ENABLE build option.
>>>>
>>>> - Features that require OpenSSL no matter what, such as
>>>>   SECURE_BOOT_ENABLE, should auto-define OPENSSL_ENABLE.
>>>>
>>>>   (I don't remember if the [Defines] section of the DSC file can set
>>>>   macros conditionally, dependent on other macros, but I hope so.)
>>>>
>>>> - Features that can utilize (but don't require) OpenSSL, such as
>>>>   NETWORK_IP6_ENABLE and HTTP_BOOT_ENABLE, should provide conditional
>>>>   DSC stanzas for both $(OPENSSL_ENABLE) == TRUE and == FALSE.
>>>>
>>>> - The libraries and drivers that provide the crypto stuff (directly on
>>>>   top of OpenSSL) should depend on OPENSSL_ENABLE.
>>>>
>>>> In fact, looking at Gary's patch "OvmfPkg: Enable HTTPS for Ovmf" with
>>>> TLS_ENABLE, it seems like we need another layer. HTTP_BOOT_ENABLE should
>>>> not be customized for OPENSSL_ENABLE, but for TLS_ENABLE.
>>>>
>>>> In summary:
>>>> - SECURE_BOOT_ENABLE should auto-select OPENSSL_ENABLE.
>>>> - TLS_ENABLE should auto-select OPENSSL_ENABLE.
>>>> - NETWORK_IP6_ENABLE should be customized based on OPENSSL_ENABLE
>>>>   (for the ISCSI driver).
>>>> - HTTP_BOOT_ENABLE should be customized based on TLS_ENABLE.
>>>> - OPENSSL_ENABLE should control the CryptoPkg modules that directly
>>>>   wrap the OpenSSL functionality, for edk2.
>>>>
>>>> As a result, the following build option combinations would be valid
>>>> (listing some examples):
>>>>
>>>> * -D SECURE_BOOT_ENABLE
>>>>
>>>>   It would set OPENSSL_ENABLE. If OpenSSL is available, it would build
>>>>   fine, otherwise it would break, as it should.
>>>>
>>>> * -D NETWORK_IP6_ENABLE
>>>>
>>>>   You get the IPv6 stack, but no secure ISCSI.
>>>>
>>>> * -D NETWORK_IP6_ENABLE -D OPENSSL_ENABLE
>>>>
>>>>   You get the IPv6 stack, with secure ISCSI. If OpenSSL is not
>>>>   available, the build breaks, as it should.
>>>>
>>>> * -D HTTP_BOOT_ENABLE
>>>>
>>>>   You get HTTP boot, but not HTTPS boot.
>>>>
>>>> * -D HTTP_BOOT_ENABLE -D OPENSSL_ENABLE <----- note that this is useless
>>>>
>>>>   Same, no change.
>>>>
>>>> * -D TLS_ENABLE
>>>>
>>>>   Selects OPENSSL_ENABLE automatically. If OpenSSL is not available,
>>>>   the build breaks. Otherwise, the TLS drivers are included in the fw
>>>>   binary. They might not be used by any edk2 module, but some 3rd party
>>>>   UEFI application (launched from the shell, eg.) could.
>>>>
>>>> * -D HTTP_BOOT_ENABLE -D TLS_ENABLE
>>>>
>>>>   HTTP and HTTPS boot becomes available. If OpenSSL is absent from the
>>>>   tree, the build breaks.
>>>>
>>>> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D
>>>>   NETWORK_IP6_ENABLE
>>>>
>>>>   You get Secure Boot, and secure ISCSI with IPv6, but not HTTPS
>>>>   boot.
>>>>
>>>> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D TLS_ENABLE \
>>>>   -D NETWORK_IP6_ENABLE
>>>>
>>>>   You get everything.
>>>>
>>>> My point is, if we touch these build flags, then we should go the whole
>>>> way, and express their inter-dependencies precisely.
>>>>
>>>> Thanks!
>>>> Laszlo
>>>>
>>>>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc >>>>> index e97f7f0..6e53d9f 100644 >>>>> --- a/OvmfPkg/OvmfPkgIa32.dsc >>>>> +++ b/OvmfPkg/OvmfPkgIa32.dsc >>>>> @@ -1,9 +1,9 @@ >>>>> ## @file >>>>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform >>>>> # >>>>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
>>>>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
>>>>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
>>>>> # >>>>> # This program and the accompanying materials >>>>> # are licensed and made available under the terms and conditions of the >>>> BSD License >>>>> # which accompanies this distribution. The full text of the license may be >>>> found at >>>>> @@ -139,14 +139,15 @@ >>>>> >>>>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf >>>>> >>>> >> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf >>>>> >>>> >> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD >>>> ebugPrintErrorLevelLib.inf >>>>> >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> - >>>> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf >>>>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf >>>>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf >>>>> + >>>>> +!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> + >>>> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf >>>>> >>>> >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM >>>> easurementLib.inf >>>>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf >>>>> !if $(NETWORK_IP6_ENABLE) == TRUE >>>>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf >>>>> !endif >>>>> @@ -164,13 +165,11 @@ >>>>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf >>>>> >>>> >> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib >>>> /BaseOrderedCollectionRedBlackTreeLib.inf >>>>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf >>>>> >>>>> [LibraryClasses.common] >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf >>>>> -!endif >>>>> >>>>> [LibraryClasses.common.SEC] >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf >>>>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf >>>>> !ifdef $(DEBUG_ON_SERIAL_PORT) 
>>>>> @@ -256,13 +255,13 @@ >>>>> >>>> >> DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf >>>>> !else >>>>> >>>> >> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i >>>> nf >>>>> !endif >>>>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> + >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf >>>>> -!endif >>>>> + >>>>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf >>>>> >>>>> [LibraryClasses.common.UEFI_DRIVER] >>>>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf >>>>> @@ -698,16 +697,12 @@ >>>>> NetworkPkg/TcpDxe/TcpDxe.inf >>>>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf >>>>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf >>>>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf >>>>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> NetworkPkg/IScsiDxe/IScsiDxe.inf >>>>> !else >>>>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf >>>>> -!endif >>>>> -!else >>>>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf >>>>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf >>>>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf >>>>> !endif >>>>> !if $(HTTP_BOOT_ENABLE) == TRUE >>>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc >>>>> index 8e3e04c..15db2d5 100644 >>>>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc >>>>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc >>>>> @@ -1,9 +1,9 @@ >>>>> ## @file >>>>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform >>>>> # >>>>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
>>>>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
>>>>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
>>>>> # >>>>> # This program and the accompanying materials >>>>> # are licensed and made available under the terms and conditions of the >>>> BSD License >>>>> # which accompanies this distribution. The full text of the license may be >>>> found at >>>>> @@ -144,14 +144,15 @@ >>>>> >>>>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf >>>>> >>>> >> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf >>>>> >>>> >> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD >>>> ebugPrintErrorLevelLib.inf >>>>> >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> - >>>> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf >>>>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf >>>>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf >>>>> + >>>>> +!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> + >>>> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf >>>>> >>>> >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM >>>> easurementLib.inf >>>>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf >>>>> !if $(NETWORK_IP6_ENABLE) == TRUE >>>>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf >>>>> !endif >>>>> @@ -169,13 +170,11 @@ >>>>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf >>>>> >>>> >> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib >>>> /BaseOrderedCollectionRedBlackTreeLib.inf >>>>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf >>>>> >>>>> [LibraryClasses.common] >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf >>>>> -!endif >>>>> >>>>> [LibraryClasses.common.SEC] >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf >>>>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf >>>>> !ifdef $(DEBUG_ON_SERIAL_PORT) 
>>>>> @@ -261,13 +260,13 @@ >>>>> >>>> >> DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf >>>>> !else >>>>> >>>> >> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i >>>> nf >>>>> !endif >>>>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> + >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf >>>>> -!endif >>>>> + >>>>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf >>>>> >>>>> [LibraryClasses.common.UEFI_DRIVER] >>>>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf >>>>> @@ -707,16 +706,12 @@ >>>>> NetworkPkg/TcpDxe/TcpDxe.inf >>>>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf >>>>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf >>>>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf >>>>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> NetworkPkg/IScsiDxe/IScsiDxe.inf >>>>> !else >>>>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf >>>>> -!endif >>>>> -!else >>>>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf >>>>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf >>>>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf >>>>> !endif >>>>> !if $(HTTP_BOOT_ENABLE) == TRUE >>>>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc >>>>> index 6ec3fe0..9c6bdc2 100644 >>>>> --- a/OvmfPkg/OvmfPkgX64.dsc >>>>> +++ b/OvmfPkg/OvmfPkgX64.dsc >>>>> @@ -1,9 +1,9 @@ >>>>> ## @file >>>>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform >>>>> # >>>>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
>>>>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
>>>>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
>>>>> # >>>>> # This program and the accompanying materials >>>>> # are licensed and made available under the terms and conditions of the >>>> BSD License >>>>> # which accompanies this distribution. The full text of the license may be >>>> found at >>>>> @@ -144,14 +144,15 @@ >>>>> >>>>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf >>>>> >>>> >> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf >>>>> >>>> >> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD >>>> ebugPrintErrorLevelLib.inf >>>>> >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> - >>>> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf >>>>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf >>>>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf >>>>> + >>>>> +!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> + >>>> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf >>>>> >>>> >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM >>>> easurementLib.inf >>>>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf >>>>> !if $(NETWORK_IP6_ENABLE) == TRUE >>>>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf >>>>> !endif >>>>> @@ -169,13 +170,11 @@ >>>>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf >>>>> >>>> >> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib >>>> /BaseOrderedCollectionRedBlackTreeLib.inf >>>>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf >>>>> >>>>> [LibraryClasses.common] >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf >>>>> -!endif >>>>> >>>>> [LibraryClasses.common.SEC] >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf >>>>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf >>>>> !ifdef $(DEBUG_ON_SERIAL_PORT) 
>>>>> @@ -261,13 +260,13 @@ >>>>> >>>> >> DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf >>>>> !else >>>>> >>>> >> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i >>>> nf >>>>> !endif >>>>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> + >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf >>>>> -!endif >>>>> + >>>>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf >>>>> >>>>> [LibraryClasses.common.UEFI_DRIVER] >>>>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf >>>>> @@ -705,16 +704,12 @@ >>>>> NetworkPkg/TcpDxe/TcpDxe.inf >>>>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf >>>>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf >>>>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf >>>>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf >>>>> -!if $(SECURE_BOOT_ENABLE) == TRUE >>>>> NetworkPkg/IScsiDxe/IScsiDxe.inf >>>>> !else >>>>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf >>>>> -!endif >>>>> -!else >>>>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf >>>>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf >>>>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf >>>>> !endif >>>>> !if $(HTTP_BOOT_ENABLE) == TRUE >>>>> >>> >
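
Review bot: In the "@@ -139,14 +139,15 @@" hunk of OvmfPkgIa32.dsc (and the matching "@@ -144,14 +144,15 @@" hunks in the Ia32X64 and X64 files), the IntrinsicLib and OpensslLib resolutions now sit above "!if $(SECURE_BOOT_ENABLE) == TRUE" with nothing in the DSC saying why they are unconditional. Add a comment above the two lines stating that the resolutions only take effect when an included module consumes the class, and say the same in the commit message in place of "no build performance impacts", so a reader can tell from the file whether a tree without OpenSSL is still expected to build.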
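
Review bot: The "@@ -698,16 +697,12 @@" hunk (repeated at -707 and -705 in the other two files) carries a behaviour change that the commit message does not describe. With the inner "!if $(SECURE_BOOT_ENABLE) == TRUE" test and its MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf fallback removed, the branch above the remaining "!else" always includes NetworkPkg/IScsiDxe/IScsiDxe.inf, which by the commit message's own account needs the CryptoPkg libraries. Move this hunk into a separate patch whose message states that the branch now depends on OpenSSL being present in the tree.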
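
Review bot: In the "@@ -256,13 +255,13 @@" hunk (and the "@@ -261,13 +260,13 @@" hunks in the other two files), each removed directive line, "!if $(SECURE_BOOT_ENABLE) == TRUE" and "!endif", is replaced by an added empty line, which leaves the RuntimeCryptLib.inf resolution set apart by blank lines from the UefiRuntimeLib and PciLib entries around it. The "@@ -164,13 +165,11 @@" hunk removes the same pair of directives without adding anything; do the same here so the change is a pure deletion.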
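
The point agreed in this thread, that an always-present OpensslLib resolution only matters once an included module consumes the class, modelled as an added example (not edk2 or BaseTools code, and not written by either poster). The DSC excerpt is constructed from paths in the quoted patch; the CONSUMES map and the NEEDS_OPENSSL_SOURCES set are assumptions made for illustration.

```python
import re

# Constructed DSC excerpt: paths come from the patch quoted above, the layout
# is shortened to the two places this thread argues about.
DSC = """\
[LibraryClasses]
  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

[Components]
!if $(NETWORK_IP6_ENABLE) == TRUE
  NetworkPkg/IScsiDxe/IScsiDxe.inf
!else
  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
!endif
"""

# Assumed for illustration: which library classes each INF consumes.
CONSUMES = {
    "NetworkPkg/IScsiDxe/IScsiDxe.inf": ["BaseCryptLib"],
    "CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf":
        ["OpensslLib", "IntrinsicLib"],
}
# Assumed: the INF that cannot be built when OpenSSL is absent from the tree.
NEEDS_OPENSSL_SOURCES = {"CryptoPkg/Library/OpensslLib/OpensslLib.inf"}

_IF = re.compile(r"!if\s+\$\((\w+)\)\s*==\s*(TRUE|FALSE)$")


def active_lines(dsc, defines):
    """Yield (section, line) for every line left after !if/!else/!endif."""
    stack, section = [], ""          # one bool per open !if
    for raw in dsc.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _IF.match(line)
        if m:
            # Macros not passed with -D count as FALSE, mirroring the
            # "DEFINE ... = FALSE" defaults quoted in the thread.
            value = "TRUE" if defines.get(m.group(1), False) else "FALSE"
            stack.append(value == m.group(2))
        elif line in ("!else", "!endif"):
            if not stack:
                raise ValueError("unbalanced " + line)
            if line == "!else":
                stack[-1] = not stack[-1]
            else:
                stack.pop()
        elif line.startswith("!"):
            raise ValueError("directive not modelled here: " + line)
        elif all(stack):
            if line.startswith("["):
                section = line.strip("[]")
            else:
                yield section, line
    if stack:
        raise ValueError("unterminated !if")


def openssl_exposure(dsc, defines):
    """Return (consumed, dormant) class names whose INF needs OpenSSL."""
    resolutions, todo = {}, []
    for section, line in active_lines(dsc, defines):
        if section.startswith("LibraryClasses"):
            cls, inf = line.split("|", 1)
            resolutions[cls] = inf
        elif section.startswith("Components"):
            todo.append(line)
    used = set()
    while todo:                      # follow class use transitively
        for cls in CONSUMES.get(todo.pop(), ()):
            if cls not in used:
                used.add(cls)
                todo.append(resolutions[cls])
    risky = {c for c, inf in resolutions.items() if inf in NEEDS_OPENSSL_SOURCES}
    return sorted(risky & used), sorted(risky - used)
```

A class in the first list is one the build would actually have to resolve and compile; a class in the second list is resolved in the DSC but never reached from any included component.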