From nobody Sat Nov 2 14:36:12 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487887076158286.42826548487176; Thu, 23 Feb 2017 13:57:56 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id E28BB82183; Thu, 23 Feb 2017 13:57:54 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id F22F98217E for ; Thu, 23 Feb 2017 13:57:53 -0800 (PST) Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7747161D0B; Thu, 23 Feb 2017 21:57:54 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-58.phx2.redhat.com [10.3.116.58]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1NLvmtB018936; Thu, 23 Feb 2017 16:57:52 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 23 Feb 2017 22:57:40 +0100 Message-Id: <20170223215744.7293-2-lersek@redhat.com> In-Reply-To: <20170223215744.7293-1-lersek@redhat.com> References: <20170223215744.7293-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Thu, 23 Feb 2017 21:57:54 +0000 (UTC) Subject: [edk2] [PATCH 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00 X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ruiyu Ni , Ard Biesheuvel , Ting Ye , Jordan Justen , Jiaxin Wu , Gary Lin , Qin Long , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly", 2016-12-14) removed the "no-queue" configuration option in "process_files.sh", plus it enabled "process_files.sh" to place all libssl source files into "OpensslLib.inf". However, the patch apparently failed to capture two changes originating from the above actions: - the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not removed from "opensslconf.h", - "ssl/ssl_conf.c" was not added to "OpensslLib.inf". Refresh these files, completing commit 32387e0081db. I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression. Cc: Ard Biesheuvel Cc: Gary Lin Cc: Jiaxin Wu Cc: Jordan Justen Cc: Qin Long Cc: Ruiyu Ni Cc: Ting Ye Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek --- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + CryptoPkg/Library/OpensslLib/opensslconf.h | 6 ------ 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Librar= y/OpensslLib/OpensslLib.inf index c14e36d341f7..42f523a611e5 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -516,6 +516,7 @@ [Sources] $(OPENSSL_PATH)/ssl/ssl_asn1.c $(OPENSSL_PATH)/ssl/ssl_txt.c $(OPENSSL_PATH)/ssl/ssl_algs.c + $(OPENSSL_PATH)/ssl/ssl_conf.c $(OPENSSL_PATH)/ssl/bio_ssl.c $(OPENSSL_PATH)/ssl/ssl_err.c $(OPENSSL_PATH)/ssl/kssl.c diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h b/CryptoPkg/Library= /OpensslLib/opensslconf.h index adcaa01d6b1d..e0054a45fc5f 100644 --- a/CryptoPkg/Library/OpensslLib/opensslconf.h +++ b/CryptoPkg/Library/OpensslLib/opensslconf.h @@ -92,9 +92,6 @@ extern "C" { #ifndef OPENSSL_NO_POSIX_IO # define OPENSSL_NO_POSIX_IO #endif -#ifndef OPENSSL_NO_PQUEUE -# define OPENSSL_NO_PQUEUE -#endif #ifndef OPENSSL_NO_RC2 # define OPENSSL_NO_RC2 #endif @@ -263,9 +260,6 @@ extern "C" { # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO) # define NO_POSIX_IO # endif -# if defined(OPENSSL_NO_PQUEUE) && !defined(NO_PQUEUE) -# define NO_PQUEUE -# endif # if defined(OPENSSL_NO_RC2) && !defined(NO_RC2) # define NO_RC2 # endif --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:36:12 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487887081275855.8243302770906; Thu, 23 Feb 2017 13:58:01 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 1CEF682187; Thu, 23 Feb 2017 13:57:58 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 8CD1A82187 for ; Thu, 23 Feb 2017 13:57:56 -0800 (PST) Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 18C0DC002421; Thu, 23 Feb 2017 21:57:57 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-58.phx2.redhat.com [10.3.116.58]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1NLvmtC018936; Thu, 23 Feb 2017 16:57:54 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 23 Feb 2017 22:57:41 +0100 Message-Id: <20170223215744.7293-3-lersek@redhat.com> In-Reply-To: <20170223215744.7293-1-lersek@redhat.com> References: <20170223215744.7293-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 23 Feb 2017 21:57:57 +0000 (UTC) Subject: [edk2] [PATCH 2/5] CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ruiyu Ni , Ard Biesheuvel , Ting Ye , Jordan Justen , Jiaxin Wu , Gary Lin , Qin Long , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly", 2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library instance unconditionally. If a platform doesn't include the TLS modules, such as - CryptoPkg/Library/TlsLib/TlsLib.inf - NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf - NetworkPkg/TlsDxe/TlsDxe.inf then the platform never actually uses the libssl functionality that gets built into "OpensslLib.inf". Tomas Hoger from Red Hat Product Security tells me that security evaluation is less demanding if we can actually *exclude* the libssl files from such OVMF builds that don't specify -D TLS_ENABLE (rather than just trust modules not to call libssl functions if we don't specify -D TLS_ENABLE). This patch introduces a parallel OpensslLib instance called "OpensslLibNoSsl" that is appropriate for platform builds without TLS enablement. It does not build C source files in vain, and it eases security review -- all libssl vulnerabilities can be excluded at once. "OpensslLibNoSsl.inf" is created as a copy of "OpensslLib.inf", modifying the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines. "process_files.sh" is extended to auto-generate the list of OpenSSL files for both library instances accordingly. This list is updated in "OpensslLibNoSsl.inf" at once. "OpensslLibNoSsl.uni" is introduced as a copy of "OpensslLib.uni", highlighting the difference. Cc: Ard Biesheuvel Cc: Gary Lin Cc: Jiaxin Wu Cc: Jordan Justen Cc: Qin Long Cc: Ruiyu Ni Cc: Ting Ye Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek --- CryptoPkg/Library/OpensslLib/{OpensslLib.inf =3D> OpensslLibNoSsl.inf} | 5= 6 ++------------------ CryptoPkg/Library/OpensslLib/{OpensslLib.uni =3D> OpensslLibNoSsl.uni} | = 8 +-- CryptoPkg/Library/OpensslLib/process_files.sh | 27 = +++++++--- 3 files changed, 28 insertions(+), 63 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Librar= y/OpensslLib/OpensslLibNoSsl.inf similarity index 90% copy from CryptoPkg/Library/OpensslLib/OpensslLib.inf copy to CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf index 42f523a611e5..d106989b9521 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf @@ -14,9 +14,9 @@ =20 [Defines] INF_VERSION =3D 0x00010005 - BASE_NAME =3D OpensslLib - MODULE_UNI_FILE =3D OpensslLib.uni - FILE_GUID =3D C873A7D0-9824-409f-9B42-2C158B992E69 + BASE_NAME =3D OpensslLibNoSsl + MODULE_UNI_FILE =3D OpensslLibNoSsl.uni + FILE_GUID =3D E29FC209-8B64-4500-BD20-AF4EAE47EA0E MODULE_TYPE =3D BASE VERSION_STRING =3D 1.0 LIBRARY_CLASS =3D OpensslLib @@ -474,56 +474,6 @@ [Sources] $(OPENSSL_PATH)/crypto/cmac/cmac.c $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c - $(OPENSSL_PATH)/ssl/s2_meth.c - $(OPENSSL_PATH)/ssl/s2_srvr.c - $(OPENSSL_PATH)/ssl/s2_clnt.c - $(OPENSSL_PATH)/ssl/s2_lib.c - $(OPENSSL_PATH)/ssl/s2_enc.c - $(OPENSSL_PATH)/ssl/s2_pkt.c - $(OPENSSL_PATH)/ssl/s3_meth.c - $(OPENSSL_PATH)/ssl/s3_srvr.c - $(OPENSSL_PATH)/ssl/s3_clnt.c - $(OPENSSL_PATH)/ssl/s3_lib.c - $(OPENSSL_PATH)/ssl/s3_enc.c - $(OPENSSL_PATH)/ssl/s3_pkt.c - $(OPENSSL_PATH)/ssl/s3_both.c - $(OPENSSL_PATH)/ssl/s3_cbc.c - $(OPENSSL_PATH)/ssl/s23_meth.c - $(OPENSSL_PATH)/ssl/s23_srvr.c - $(OPENSSL_PATH)/ssl/s23_clnt.c - $(OPENSSL_PATH)/ssl/s23_lib.c - $(OPENSSL_PATH)/ssl/s23_pkt.c - $(OPENSSL_PATH)/ssl/t1_meth.c - $(OPENSSL_PATH)/ssl/t1_srvr.c - $(OPENSSL_PATH)/ssl/t1_clnt.c - $(OPENSSL_PATH)/ssl/t1_lib.c - $(OPENSSL_PATH)/ssl/t1_enc.c - $(OPENSSL_PATH)/ssl/t1_ext.c - $(OPENSSL_PATH)/ssl/d1_meth.c - $(OPENSSL_PATH)/ssl/d1_srvr.c - $(OPENSSL_PATH)/ssl/d1_clnt.c - $(OPENSSL_PATH)/ssl/d1_lib.c - $(OPENSSL_PATH)/ssl/d1_pkt.c - $(OPENSSL_PATH)/ssl/d1_both.c - $(OPENSSL_PATH)/ssl/d1_srtp.c - $(OPENSSL_PATH)/ssl/ssl_lib.c - $(OPENSSL_PATH)/ssl/ssl_err2.c - $(OPENSSL_PATH)/ssl/ssl_cert.c - $(OPENSSL_PATH)/ssl/ssl_sess.c - $(OPENSSL_PATH)/ssl/ssl_ciph.c - $(OPENSSL_PATH)/ssl/ssl_stat.c - $(OPENSSL_PATH)/ssl/ssl_rsa.c - $(OPENSSL_PATH)/ssl/ssl_asn1.c - $(OPENSSL_PATH)/ssl/ssl_txt.c - $(OPENSSL_PATH)/ssl/ssl_algs.c - $(OPENSSL_PATH)/ssl/ssl_conf.c - $(OPENSSL_PATH)/ssl/bio_ssl.c - $(OPENSSL_PATH)/ssl/ssl_err.c - $(OPENSSL_PATH)/ssl/kssl.c - $(OPENSSL_PATH)/ssl/t1_reneg.c - $(OPENSSL_PATH)/ssl/tls_srp.c - $(OPENSSL_PATH)/ssl/t1_trce.c - $(OPENSSL_PATH)/ssl/ssl_utst.c =20 # Autogenerated files list ends here =20 diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.uni b/CryptoPkg/Librar= y/OpensslLib/OpensslLibNoSsl.uni similarity index 71% copy from CryptoPkg/Library/OpensslLib/OpensslLib.uni copy to CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni index 0dffec1c98a3..52dfb70ab61c 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.uni +++ b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni @@ -1,7 +1,7 @@ // /** @file -// This module provides openSSL Library implementation. +// This module provides openSSL Library implementation without libssl. // -// This module provides OpenSSL Library implementation. +// This module provides OpenSSL Library implementation without libssl. // // Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.
// @@ -16,7 +16,7 @@ // **/ =20 =20 -#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library i= mplementation" +#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library i= mplementation without libssl" =20 -#string STR_MODULE_DESCRIPTION #language en-US "This module provi= des OpenSSL Library implementation." +#string STR_MODULE_DESCRIPTION #language en-US "This module provi= des OpenSSL Library implementation without libssl." =20 diff --git a/CryptoPkg/Library/OpensslLib/process_files.sh b/CryptoPkg/Libr= ary/OpensslLib/process_files.sh index 6f069ce264ac..fe1b8a01776b 100755 --- a/CryptoPkg/Library/OpensslLib/process_files.sh +++ b/CryptoPkg/Library/OpensslLib/process_files.sh @@ -1,8 +1,8 @@ #!/bin/sh # -# This script runs the OpenSSL Configure script, then processes the -# resulting file list into our local OpensslLib.inf and also takes -# a copy of opensslconf.h. +# This script runs the OpenSSL Configure script, then processes the result= ing +# file list into our local OpensslLib.inf and OpensslLibNoSsl.inf, and also +# takes a copy of opensslconf.h. # # This only needs to be done once by a developer when updating to a # new version of OpenSSL (or changing options, etc.). Normal users @@ -10,6 +10,12 @@ # git repository for them. =20 OPENSSL_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]= *\)[[:space:]]*/\1/ p}' OpensslLib.inf) +OPENSSL_NOSSL_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]= *[a-z]*\)[[:space:]]*/\1/ p}' OpensslLibNoSsl.inf) + +if [ "$OPENSSL_PATH" !=3D "$OPENSSL_NOSSL_PATH" ]; then + echo "OPENSSL_PATH diverges between OpensslLib.inf and OpensslLibNoSsl= .inf" + exit 1 +fi =20 if ! cd "${OPENSSL_PATH}" ; then echo "Cannot change to OpenSSL directory \"${OPENSSL_PATH}\"" @@ -65,6 +71,8 @@ cd - =20 function filelist () { + SSL_SELECT=3D"$1" + echo '1,/# Autogenerated files list starts here/p' echo '/# Autogenerated files list ends here/,$p' echo '/# Autogenerated files list starts here/a\' @@ -76,18 +84,25 @@ function filelist () ;; LIBSRC=3D*) LIBSRC=3D$(echo "$LINE" | sed s/^LIBSRC=3D//) - for FILE in $LIBSRC; do + if [ "$RELATIVE_DIRECTORY" !=3D "ssl" ] || + [ "$SSL_SELECT" =3D "with-ssl" ]; then + for FILE in $LIBSRC; do if [ "$FILE" !=3D "b_print.c" ]; then echo -e ' $(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\ fi - done + done + fi ;; esac done echo -e \\r } =20 -filelist < "${OPENSSL_PATH}/MINFO" | sed -n -f - -i OpensslLib.inf +filelist with-ssl < "${OPENSSL_PATH}/MINFO" \ +| sed -n -f - -i OpensslLib.inf + +filelist without-ssl < "${OPENSSL_PATH}/MINFO" \ +| sed -n -f - -i OpensslLibNoSsl.inf =20 # We can tell Windows users to put this back manually if they can't run # Configure. For now, until the git repository is fixed to store things --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:36:12 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487887085786907.8530826599986; Thu, 23 Feb 2017 13:58:05 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 55B0E82192; Thu, 23 Feb 2017 13:58:03 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id D7DE68217E for ; Thu, 23 Feb 2017 13:58:01 -0800 (PST) Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7130181226; Thu, 23 Feb 2017 21:58:02 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-58.phx2.redhat.com [10.3.116.58]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1NLvmtD018936; Thu, 23 Feb 2017 16:58:01 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 23 Feb 2017 22:57:42 +0100 Message-Id: <20170223215744.7293-4-lersek@redhat.com> In-Reply-To: <20170223215744.7293-1-lersek@redhat.com> References: <20170223215744.7293-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 23 Feb 2017 21:58:02 +0000 (UTC) Subject: [edk2] [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Tomas Hoger , Ard Biesheuvel MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The OpensslLibNoSsl library instance (which does not contain libssl functions) is sufficient for the Secure Boot feature. It would not be sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we don't even enable plaintext HTTP booting for the time being. Ease security analsysis by excluding libssl functionality from the OpensslLib instance we use. Cc: Ard Biesheuvel Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek Reviewed-by: Ard Biesheuvel --- ArmVirtPkg/ArmVirt.dsc.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index 43699cb9bdd6..407b9b66dfe6 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -136,7 +136,7 @@ [LibraryClasses.common] # !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:36:12 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 14878870866191003.9132405691869; Thu, 23 Feb 2017 13:58:06 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 88BEF82195; Thu, 23 Feb 2017 13:58:05 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 841A282195 for ; Thu, 23 Feb 2017 13:58:03 -0800 (PST) Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 230F83D957; Thu, 23 Feb 2017 21:58:04 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-58.phx2.redhat.com [10.3.116.58]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1NLvmtE018936; Thu, 23 Feb 2017 16:58:02 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 23 Feb 2017 22:57:43 +0100 Message-Id: <20170223215744.7293-5-lersek@redhat.com> In-Reply-To: <20170223215744.7293-1-lersek@redhat.com> References: <20170223215744.7293-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 23 Feb 2017 21:58:04 +0000 (UTC) Subject: [edk2] [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ruiyu Ni , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Ease security analsysis by excluding libssl functionality from the OpensslLib instance we use with TLS_ENABLE=3DFALSE. Cc: Ruiyu Ni Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek --- Notes: I can't build-test this. Nt32Pkg/Nt32Pkg.dsc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc index 47e37ecae134..c84bd71be408 100644 --- a/Nt32Pkg/Nt32Pkg.dsc +++ b/Nt32Pkg/Nt32Pkg.dsc @@ -159,7 +159,11 @@ [LibraryClasses] CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/C= puExceptionHandlerLibNull.inf LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:36:12 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487887088567589.9482657318603; Thu, 23 Feb 2017 13:58:08 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id BE56C82199; Thu, 23 Feb 2017 13:58:06 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 2985A8217E for ; Thu, 23 Feb 2017 13:58:05 -0800 (PST) Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A981483F44; Thu, 23 Feb 2017 21:58:05 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-58.phx2.redhat.com [10.3.116.58]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1NLvmtF018936; Thu, 23 Feb 2017 16:58:04 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Thu, 23 Feb 2017 22:57:44 +0100 Message-Id: <20170223215744.7293-6-lersek@redhat.com> In-Reply-To: <20170223215744.7293-1-lersek@redhat.com> References: <20170223215744.7293-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 23 Feb 2017 21:58:05 +0000 (UTC) Subject: [edk2] [PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jordan Justen , Gary Lin , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The OpensslLibNoSsl library instance (which does not contain libssl functions) is sufficient for the Secure Boot feature. Ease security analsysis by excluding libssl functionality from the OpensslLib instance we use with TLS_ENABLE=3DFALSE. Cc: Gary Lin Cc: Jordan Justen Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek Reviewed-by: Gary Lin --- OvmfPkg/OvmfPkgIa32.dsc | 4 ++++ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++ OvmfPkg/OvmfPkgX64.dsc | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 993547d4859e..44c74c2674e3 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -143,7 +143,11 @@ [LibraryClasses] DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf =20 IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index f36604ecb4d8..41ae1d88495b 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -148,7 +148,11 @@ [LibraryClasses] DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf =20 IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index c5bf1a672b1e..fa4fdc81b44f 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -148,7 +148,11 @@ [LibraryClasses] DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf =20 IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel