From nobody Sat Nov 2 14:39:57 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487934105715745.8056163771062; Fri, 24 Feb 2017 03:01:45 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 7FB6B82175; Fri, 24 Feb 2017 03:01:43 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 758F882175 for ; Fri, 24 Feb 2017 03:01:42 -0800 (PST) Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id F176B61D17; Fri, 24 Feb 2017 11:01:42 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com [10.3.116.39]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1OB1bDt003054; Fri, 24 Feb 2017 06:01:40 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Fri, 24 Feb 2017 12:01:28 +0100 Message-Id: <20170224110132.19374-2-lersek@redhat.com> In-Reply-To: <20170224110132.19374-1-lersek@redhat.com> References: <20170224110132.19374-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Fri, 24 Feb 2017 11:01:43 +0000 (UTC) Subject: [edk2] [PATCH v2 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00 X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ruiyu Ni , Ard Biesheuvel , Ting Ye , Jordan Justen , Jiaxin Wu , Gary Lin , Qin Long , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly", 2016-12-14) removed the "no-queue" configuration option in "process_files.sh", plus it enabled "process_files.sh" to place all libssl source files into "OpensslLib.inf". However, the patch apparently failed to capture two changes originating from the above actions: - the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not removed from "opensslconf.h", - "ssl/ssl_conf.c" was not added to "OpensslLib.inf". Refresh these files, completing commit 32387e0081db. I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression. Cc: Ard Biesheuvel Cc: Gary Lin Cc: Jiaxin Wu Cc: Jordan Justen Cc: Qin Long Cc: Ruiyu Ni Cc: Ting Ye Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek Reviewed-by: Qin Long Reviewed-by: Wu Jiaxin --- Notes: v2: - no changes CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + CryptoPkg/Library/OpensslLib/opensslconf.h | 6 ------ 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Librar= y/OpensslLib/OpensslLib.inf index c14e36d341f7..42f523a611e5 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -516,6 +516,7 @@ [Sources] $(OPENSSL_PATH)/ssl/ssl_asn1.c $(OPENSSL_PATH)/ssl/ssl_txt.c $(OPENSSL_PATH)/ssl/ssl_algs.c + $(OPENSSL_PATH)/ssl/ssl_conf.c $(OPENSSL_PATH)/ssl/bio_ssl.c $(OPENSSL_PATH)/ssl/ssl_err.c $(OPENSSL_PATH)/ssl/kssl.c diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h b/CryptoPkg/Library= /OpensslLib/opensslconf.h index adcaa01d6b1d..e0054a45fc5f 100644 --- a/CryptoPkg/Library/OpensslLib/opensslconf.h +++ b/CryptoPkg/Library/OpensslLib/opensslconf.h @@ -92,9 +92,6 @@ extern "C" { #ifndef OPENSSL_NO_POSIX_IO # define OPENSSL_NO_POSIX_IO #endif -#ifndef OPENSSL_NO_PQUEUE -# define OPENSSL_NO_PQUEUE -#endif #ifndef OPENSSL_NO_RC2 # define OPENSSL_NO_RC2 #endif @@ -263,9 +260,6 @@ extern "C" { # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO) # define NO_POSIX_IO # endif -# if defined(OPENSSL_NO_PQUEUE) && !defined(NO_PQUEUE) -# define NO_PQUEUE -# endif # if defined(OPENSSL_NO_RC2) && !defined(NO_RC2) # define NO_RC2 # endif --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:39:57 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 148793410991949.23656189196754; Fri, 24 Feb 2017 03:01:49 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id AE0B782199; Fri, 24 Feb 2017 03:01:48 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 391898216E for ; Fri, 24 Feb 2017 03:01:47 -0800 (PST) Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BA31864A4D; Fri, 24 Feb 2017 11:01:47 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com [10.3.116.39]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1OB1bDu003054; Fri, 24 Feb 2017 06:01:45 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Fri, 24 Feb 2017 12:01:29 +0100 Message-Id: <20170224110132.19374-3-lersek@redhat.com> In-Reply-To: <20170224110132.19374-1-lersek@redhat.com> References: <20170224110132.19374-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 24 Feb 2017 11:01:47 +0000 (UTC) Subject: [edk2] [PATCH v2 2/5] CryptoPkg/OpensslLib: introduce OpensslLibCrypto instance X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ruiyu Ni , Ard Biesheuvel , Ting Ye , Jordan Justen , Jiaxin Wu , Gary Lin , Qin Long , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly", 2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library instance unconditionally. If a platform doesn't include the TLS modules, such as - CryptoPkg/Library/TlsLib/TlsLib.inf - NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf - NetworkPkg/TlsDxe/TlsDxe.inf then the platform never actually uses the libssl functionality that gets built into "OpensslLib.inf". Tomas Hoger from Red Hat Product Security tells me that security evaluation is less demanding if we can actually *exclude* the libssl files from such OVMF builds that don't specify -D TLS_ENABLE (rather than just trust modules not to call libssl functions if we don't specify -D TLS_ENABLE). This patch introduces a parallel OpensslLib instance called "OpensslLibCrypto" that is appropriate for platform builds without TLS enablement. It does not build C source files in vain, and it eases security review -- all libssl vulnerabilities can be excluded at once. "OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines. "process_files.sh" is extended to auto-generate the list of OpenSSL files for both library instances accordingly. This list is updated in "OpensslLibCrypto.inf" at once. "OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni", highlighting the difference. Cc: Ard Biesheuvel Cc: Gary Lin Cc: Jiaxin Wu Cc: Jordan Justen Cc: Qin Long Cc: Ruiyu Ni Cc: Ting Ye Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek Reviewed-by: Qin Long --- Notes: v2: - relace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message - rename OpensslLibNoSsl.{inf,uni} to OpensslLibCrypto.{inf,uni} - adapt BASE_NAME and MODULE_UNI_FILE in INF file - replace "without libssl" with "(libcrypto only, no libssl)" in UNI file - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in shell script - rename variable OPENSSL_NOSSL_PATH to OPENSSL_CRYPTO_PATH in shell script - replace "with-ssl" parameter to "filelist" function with "crypto-and-ssl" in shell script - replace "without-ssl" parameter to "filelist" function with "crypto-only" in shell script - retest shell script CryptoPkg/Library/OpensslLib/{OpensslLib.inf =3D> OpensslLibCrypto.inf} | = 56 ++------------------ CryptoPkg/Library/OpensslLib/{OpensslLib.uni =3D> OpensslLibCrypto.uni} | = 8 +-- CryptoPkg/Library/OpensslLib/process_files.sh | 27= +++++++--- 3 files changed, 28 insertions(+), 63 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Librar= y/OpensslLib/OpensslLibCrypto.inf similarity index 90% copy from CryptoPkg/Library/OpensslLib/OpensslLib.inf copy to CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf index 42f523a611e5..9a03c2cf10c5 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf @@ -14,9 +14,9 @@ =20 [Defines] INF_VERSION =3D 0x00010005 - BASE_NAME =3D OpensslLib - MODULE_UNI_FILE =3D OpensslLib.uni - FILE_GUID =3D C873A7D0-9824-409f-9B42-2C158B992E69 + BASE_NAME =3D OpensslLibCrypto + MODULE_UNI_FILE =3D OpensslLibCrypto.uni + FILE_GUID =3D E29FC209-8B64-4500-BD20-AF4EAE47EA0E MODULE_TYPE =3D BASE VERSION_STRING =3D 1.0 LIBRARY_CLASS =3D OpensslLib @@ -474,56 +474,6 @@ [Sources] $(OPENSSL_PATH)/crypto/cmac/cmac.c $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c - $(OPENSSL_PATH)/ssl/s2_meth.c - $(OPENSSL_PATH)/ssl/s2_srvr.c - $(OPENSSL_PATH)/ssl/s2_clnt.c - $(OPENSSL_PATH)/ssl/s2_lib.c - $(OPENSSL_PATH)/ssl/s2_enc.c - $(OPENSSL_PATH)/ssl/s2_pkt.c - $(OPENSSL_PATH)/ssl/s3_meth.c - $(OPENSSL_PATH)/ssl/s3_srvr.c - $(OPENSSL_PATH)/ssl/s3_clnt.c - $(OPENSSL_PATH)/ssl/s3_lib.c - $(OPENSSL_PATH)/ssl/s3_enc.c - $(OPENSSL_PATH)/ssl/s3_pkt.c - $(OPENSSL_PATH)/ssl/s3_both.c - $(OPENSSL_PATH)/ssl/s3_cbc.c - $(OPENSSL_PATH)/ssl/s23_meth.c - $(OPENSSL_PATH)/ssl/s23_srvr.c - $(OPENSSL_PATH)/ssl/s23_clnt.c - $(OPENSSL_PATH)/ssl/s23_lib.c - $(OPENSSL_PATH)/ssl/s23_pkt.c - $(OPENSSL_PATH)/ssl/t1_meth.c - $(OPENSSL_PATH)/ssl/t1_srvr.c - $(OPENSSL_PATH)/ssl/t1_clnt.c - $(OPENSSL_PATH)/ssl/t1_lib.c - $(OPENSSL_PATH)/ssl/t1_enc.c - $(OPENSSL_PATH)/ssl/t1_ext.c - $(OPENSSL_PATH)/ssl/d1_meth.c - $(OPENSSL_PATH)/ssl/d1_srvr.c - $(OPENSSL_PATH)/ssl/d1_clnt.c - $(OPENSSL_PATH)/ssl/d1_lib.c - $(OPENSSL_PATH)/ssl/d1_pkt.c - $(OPENSSL_PATH)/ssl/d1_both.c - $(OPENSSL_PATH)/ssl/d1_srtp.c - $(OPENSSL_PATH)/ssl/ssl_lib.c - $(OPENSSL_PATH)/ssl/ssl_err2.c - $(OPENSSL_PATH)/ssl/ssl_cert.c - $(OPENSSL_PATH)/ssl/ssl_sess.c - $(OPENSSL_PATH)/ssl/ssl_ciph.c - $(OPENSSL_PATH)/ssl/ssl_stat.c - $(OPENSSL_PATH)/ssl/ssl_rsa.c - $(OPENSSL_PATH)/ssl/ssl_asn1.c - $(OPENSSL_PATH)/ssl/ssl_txt.c - $(OPENSSL_PATH)/ssl/ssl_algs.c - $(OPENSSL_PATH)/ssl/ssl_conf.c - $(OPENSSL_PATH)/ssl/bio_ssl.c - $(OPENSSL_PATH)/ssl/ssl_err.c - $(OPENSSL_PATH)/ssl/kssl.c - $(OPENSSL_PATH)/ssl/t1_reneg.c - $(OPENSSL_PATH)/ssl/tls_srp.c - $(OPENSSL_PATH)/ssl/t1_trce.c - $(OPENSSL_PATH)/ssl/ssl_utst.c =20 # Autogenerated files list ends here =20 diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.uni b/CryptoPkg/Librar= y/OpensslLib/OpensslLibCrypto.uni similarity index 67% copy from CryptoPkg/Library/OpensslLib/OpensslLib.uni copy to CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni index 0dffec1c98a3..7891b135953b 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.uni +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni @@ -1,7 +1,7 @@ // /** @file -// This module provides openSSL Library implementation. +// This module provides openSSL Library implementation (libcrypto only, no= libssl). // -// This module provides OpenSSL Library implementation. +// This module provides OpenSSL Library implementation (libcrypto only, no= libssl). // // Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.
// @@ -16,7 +16,7 @@ // **/ =20 =20 -#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library i= mplementation" +#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library i= mplementation (libcrypto only, no libssl)" =20 -#string STR_MODULE_DESCRIPTION #language en-US "This module provi= des OpenSSL Library implementation." +#string STR_MODULE_DESCRIPTION #language en-US "This module provi= des OpenSSL Library implementation (libcrypto only, no libssl)." =20 diff --git a/CryptoPkg/Library/OpensslLib/process_files.sh b/CryptoPkg/Libr= ary/OpensslLib/process_files.sh index 6f069ce264ac..9f10409824d1 100755 --- a/CryptoPkg/Library/OpensslLib/process_files.sh +++ b/CryptoPkg/Library/OpensslLib/process_files.sh @@ -1,8 +1,8 @@ #!/bin/sh # -# This script runs the OpenSSL Configure script, then processes the -# resulting file list into our local OpensslLib.inf and also takes -# a copy of opensslconf.h. +# This script runs the OpenSSL Configure script, then processes the result= ing +# file list into our local OpensslLib.inf and OpensslLibCrypto.inf, and al= so +# takes a copy of opensslconf.h. # # This only needs to be done once by a developer when updating to a # new version of OpenSSL (or changing options, etc.). Normal users @@ -10,6 +10,12 @@ # git repository for them. =20 OPENSSL_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]= *\)[[:space:]]*/\1/ p}' OpensslLib.inf) +OPENSSL_CRYPTO_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.= ]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLibCrypto.inf) + +if [ "$OPENSSL_PATH" !=3D "$OPENSSL_CRYPTO_PATH" ]; then + echo "OPENSSL_PATH diverges between OpensslLib.inf and OpensslLibCrypt= o.inf" + exit 1 +fi =20 if ! cd "${OPENSSL_PATH}" ; then echo "Cannot change to OpenSSL directory \"${OPENSSL_PATH}\"" @@ -65,6 +71,8 @@ cd - =20 function filelist () { + SSL_SELECT=3D"$1" + echo '1,/# Autogenerated files list starts here/p' echo '/# Autogenerated files list ends here/,$p' echo '/# Autogenerated files list starts here/a\' @@ -76,18 +84,25 @@ function filelist () ;; LIBSRC=3D*) LIBSRC=3D$(echo "$LINE" | sed s/^LIBSRC=3D//) - for FILE in $LIBSRC; do + if [ "$RELATIVE_DIRECTORY" !=3D "ssl" ] || + [ "$SSL_SELECT" =3D "crypto-and-ssl" ]; then + for FILE in $LIBSRC; do if [ "$FILE" !=3D "b_print.c" ]; then echo -e ' $(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\ fi - done + done + fi ;; esac done echo -e \\r } =20 -filelist < "${OPENSSL_PATH}/MINFO" | sed -n -f - -i OpensslLib.inf +filelist crypto-and-ssl < "${OPENSSL_PATH}/MINFO" \ +| sed -n -f - -i OpensslLib.inf + +filelist crypto-only < "${OPENSSL_PATH}/MINFO" \ +| sed -n -f - -i OpensslLibCrypto.inf =20 # We can tell Windows users to put this back manually if they can't run # Configure. For now, until the git repository is fixed to store things --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:39:57 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487934115192279.232989360964; Fri, 24 Feb 2017 03:01:55 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id E3E938219C; Fri, 24 Feb 2017 03:01:50 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 9A0588216E for ; Fri, 24 Feb 2017 03:01:48 -0800 (PST) Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 36B4ED599F; Fri, 24 Feb 2017 11:01:49 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com [10.3.116.39]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1OB1bDv003054; Fri, 24 Feb 2017 06:01:48 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Fri, 24 Feb 2017 12:01:30 +0100 Message-Id: <20170224110132.19374-4-lersek@redhat.com> In-Reply-To: <20170224110132.19374-1-lersek@redhat.com> References: <20170224110132.19374-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Fri, 24 Feb 2017 11:01:49 +0000 (UTC) Subject: [edk2] [PATCH v2 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibCrypto X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Tomas Hoger , Ard Biesheuvel MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The OpensslLibCrypto library instance (which does not contain libssl functions) is sufficient for the Secure Boot feature. It would not be sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we don't even enable plaintext HTTP booting for the time being. Ease security analysis by excluding libssl functionality from the OpensslLib instance we use. Cc: Ard Biesheuvel Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek Reviewed-by: Ard Biesheuvel --- Notes: v2: - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message - fix typo "analsysis" in commit message - pick up Ard's R-b - resolve OpensslLib to OpensslLibCrypto.inf in ArmVirt.dsc.inc, rather than OpensslLibNoSsl.inf - test-build ArmVirtQemu ArmVirtPkg/ArmVirt.dsc.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index 43699cb9bdd6..b5de4163c1cb 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -136,7 +136,7 @@ [LibraryClasses.common] # !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:39:57 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487934115772640.2678484032834; Fri, 24 Feb 2017 03:01:55 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 2E7A78219F; Fri, 24 Feb 2017 03:01:51 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 1FACD8219B for ; Fri, 24 Feb 2017 03:01:50 -0800 (PST) Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A2D608048D; Fri, 24 Feb 2017 11:01:50 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com [10.3.116.39]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1OB1bDw003054; Fri, 24 Feb 2017 06:01:49 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Fri, 24 Feb 2017 12:01:31 +0100 Message-Id: <20170224110132.19374-5-lersek@redhat.com> In-Reply-To: <20170224110132.19374-1-lersek@redhat.com> References: <20170224110132.19374-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Fri, 24 Feb 2017 11:01:50 +0000 (UTC) Subject: [edk2] [PATCH v2 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ruiyu Ni , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Ease security analysis by excluding libssl functionality from the OpensslLib instance we use with TLS_ENABLE=3DFALSE. Cc: Ruiyu Ni Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek Reviewed-by: Ruiyu Ni Reviewed-by: Wu Jiaxin --- Notes: v2: - fix typo "analsysis" in commit message - resolve OpensslLib to OpensslLibCrypto.inf rather than to OpensslLibNoSsl.inf in Nt32Pkg.dsc =20 v1: - I can't build-test this. Nt32Pkg/Nt32Pkg.dsc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc index 47e37ecae134..499b1fe8abe0 100644 --- a/Nt32Pkg/Nt32Pkg.dsc +++ b/Nt32Pkg/Nt32Pkg.dsc @@ -159,7 +159,11 @@ [LibraryClasses] CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/C= puExceptionHandlerLibNull.inf LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Sat Nov 2 14:39:57 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1487934117941183.26559263125625; Fri, 24 Feb 2017 03:01:57 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 64B2F8219E; Fri, 24 Feb 2017 03:01:53 -0800 (PST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id A3D1B821A4 for ; Fri, 24 Feb 2017 03:01:51 -0800 (PST) Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3B2D82E6076; Fri, 24 Feb 2017 11:01:52 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com [10.3.116.39]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1OB1bDx003054; Fri, 24 Feb 2017 06:01:50 -0500 X-Original-To: edk2-devel@ml01.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Fri, 24 Feb 2017 12:01:32 +0100 Message-Id: <20170224110132.19374-6-lersek@redhat.com> In-Reply-To: <20170224110132.19374-1-lersek@redhat.com> References: <20170224110132.19374-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 24 Feb 2017 11:01:52 +0000 (UTC) Subject: [edk2] [PATCH v2 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jordan Justen , Gary Lin , Tomas Hoger MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The OpensslLibCrypto library instance (which does not contain libssl functions) is sufficient for the Secure Boot feature. Ease security analysis by excluding libssl functionality from the OpensslLib instance we use with TLS_ENABLE=3DFALSE. Cc: Gary Lin Cc: Jordan Justen Cc: Tomas Hoger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek Reviewed-by: Gary Lin --- Notes: v2: - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message - fix typo "analsysis" in commit message - pick up Gary's R-b - resolve OpensslLib to OpensslLibCrypto.inf rather than to OpensslLibNoSsl.inf in OvmfPkgIa32.dsc, OvmfPkgIa32X64.dsc, OvmfPkgX64.dsc - test-build OVMF with TLS_ENABLE=3DTRUE and TLS_ENABLE=3DFALSE OvmfPkg/OvmfPkgIa32.dsc | 4 ++++ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++ OvmfPkg/OvmfPkgX64.dsc | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 993547d4859e..0bce56bc8323 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -143,7 +143,11 @@ [LibraryClasses] DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf =20 IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index f36604ecb4d8..56f7ff9ad004 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -148,7 +148,11 @@ [LibraryClasses] DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf =20 IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index c5bf1a672b1e..d0b0b0e1beb1 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -148,7 +148,11 @@ [LibraryClasses] DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf =20 IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf +!if $(TLS_ENABLE) =3D=3D TRUE OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!else + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +!endif =20 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf --=20 2.9.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel