From nobody Thu Apr 25 07:12:10 2024
Delivered-To: importer@patchew.org
Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by
 domain of lists.01.org) client-ip=198.145.21.10;
 envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org;
Authentication-Results: mx.zoho.com;
	spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain
 of lists.01.org)  smtp.mailfrom=edk2-devel-bounces@lists.01.org;
Return-Path: <edk2-devel-bounces@lists.01.org>
Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com
	with SMTPS id 1487934105715745.8056163771062;
 Fri, 24 Feb 2017 03:01:45 -0800 (PST)
Received: from [127.0.0.1] (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id 7FB6B82175;
	Fri, 24 Feb 2017 03:01:43 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 758F882175
 for <edk2-devel@ml01.01.org>; Fri, 24 Feb 2017 03:01:42 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id F176B61D17;
 Fri, 24 Feb 2017 11:01:42 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com
 [10.3.116.39])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v1OB1bDt003054; Fri, 24 Feb 2017 06:01:40 -0500
X-Original-To: edk2-devel@ml01.01.org
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Date: Fri, 24 Feb 2017 12:01:28 +0100
Message-Id: <20170224110132.19374-2-lersek@redhat.com>
In-Reply-To: <20170224110132.19374-1-lersek@redhat.com>
References: <20170224110132.19374-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.39]); Fri, 24 Feb 2017 11:01:43 +0000 (UTC)
Subject: [edk2] [PATCH v2 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf,
 opensslconf.h after 32387e00
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 Ting Ye <ting.ye@intel.com>, Jordan Justen <jordan.l.justen@intel.com>,
 Jiaxin Wu <jiaxin.wu@intel.com>, Gary Lin <glin@suse.com>,
 Qin Long <qin.long@intel.com>, Tomas Hoger <thoger@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel" <edk2-devel-bounces@lists.01.org>
X-ZohoMail: RSF_4  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) removed the "no-queue" configuration option in
"process_files.sh", plus it enabled "process_files.sh" to place all libssl
source files into "OpensslLib.inf".

However, the patch apparently failed to capture two changes originating
from the above actions:
- the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not
  removed from "opensslconf.h",
- "ssl/ssl_conf.c" was not added to "OpensslLib.inf".

Refresh these files, completing commit 32387e0081db.

I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu
with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
---

Notes:
    v2:
    - no changes

 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
 CryptoPkg/Library/OpensslLib/opensslconf.h  | 6 ------
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Librar=
y/OpensslLib/OpensslLib.inf
index c14e36d341f7..42f523a611e5 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -516,6 +516,7 @@ [Sources]
   $(OPENSSL_PATH)/ssl/ssl_asn1.c
   $(OPENSSL_PATH)/ssl/ssl_txt.c
   $(OPENSSL_PATH)/ssl/ssl_algs.c
+  $(OPENSSL_PATH)/ssl/ssl_conf.c
   $(OPENSSL_PATH)/ssl/bio_ssl.c
   $(OPENSSL_PATH)/ssl/ssl_err.c
   $(OPENSSL_PATH)/ssl/kssl.c
diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h b/CryptoPkg/Library=
/OpensslLib/opensslconf.h
index adcaa01d6b1d..e0054a45fc5f 100644
--- a/CryptoPkg/Library/OpensslLib/opensslconf.h
+++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
@@ -92,9 +92,6 @@ extern "C" {
 #ifndef OPENSSL_NO_POSIX_IO
 # define OPENSSL_NO_POSIX_IO
 #endif
-#ifndef OPENSSL_NO_PQUEUE
-# define OPENSSL_NO_PQUEUE
-#endif
 #ifndef OPENSSL_NO_RC2
 # define OPENSSL_NO_RC2
 #endif
@@ -263,9 +260,6 @@ extern "C" {
 # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)
 #  define NO_POSIX_IO
 # endif
-# if defined(OPENSSL_NO_PQUEUE) && !defined(NO_PQUEUE)
-#  define NO_PQUEUE
-# endif
 # if defined(OPENSSL_NO_RC2) && !defined(NO_RC2)
 #  define NO_RC2
 # endif
--=20
2.9.3


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
From nobody Thu Apr 25 07:12:10 2024
Delivered-To: importer@patchew.org
Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by
 domain of lists.01.org) client-ip=198.145.21.10;
 envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org;
Authentication-Results: mx.zoho.com;
	spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain
 of lists.01.org)  smtp.mailfrom=edk2-devel-bounces@lists.01.org;
Return-Path: <edk2-devel-bounces@lists.01.org>
Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com
	with SMTPS id 148793410991949.23656189196754;
 Fri, 24 Feb 2017 03:01:49 -0800 (PST)
Received: from [127.0.0.1] (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id AE0B782199;
	Fri, 24 Feb 2017 03:01:48 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 391898216E
 for <edk2-devel@ml01.01.org>; Fri, 24 Feb 2017 03:01:47 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id BA31864A4D;
 Fri, 24 Feb 2017 11:01:47 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com
 [10.3.116.39])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v1OB1bDu003054; Fri, 24 Feb 2017 06:01:45 -0500
X-Original-To: edk2-devel@ml01.01.org
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Date: Fri, 24 Feb 2017 12:01:29 +0100
Message-Id: <20170224110132.19374-3-lersek@redhat.com>
In-Reply-To: <20170224110132.19374-1-lersek@redhat.com>
References: <20170224110132.19374-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.26]); Fri, 24 Feb 2017 11:01:47 +0000 (UTC)
Subject: [edk2] [PATCH v2 2/5] CryptoPkg/OpensslLib: introduce
 OpensslLibCrypto instance
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 Ting Ye <ting.ye@intel.com>, Jordan Justen <jordan.l.justen@intel.com>,
 Jiaxin Wu <jiaxin.wu@intel.com>, Gary Lin <glin@suse.com>,
 Qin Long <qin.long@intel.com>, Tomas Hoger <thoger@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel" <edk2-devel-bounces@lists.01.org>
X-ZohoMail: RSF_4  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
instance unconditionally.

If a platform doesn't include the TLS modules, such as

- CryptoPkg/Library/TlsLib/TlsLib.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
- NetworkPkg/TlsDxe/TlsDxe.inf

then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".

Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).

This patch introduces a parallel OpensslLib instance called
"OpensslLibCrypto" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.

"OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.

"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibCrypto.inf" at once.

"OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
---

Notes:
    v2:
    - relace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message
    - rename OpensslLibNoSsl.{inf,uni} to OpensslLibCrypto.{inf,uni}
    - adapt BASE_NAME and MODULE_UNI_FILE in INF file
    - replace "without libssl" with "(libcrypto only, no libssl)" in UNI
      file
    - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in shell script
    - rename variable OPENSSL_NOSSL_PATH to OPENSSL_CRYPTO_PATH in shell
      script
    - replace "with-ssl" parameter to "filelist" function with
      "crypto-and-ssl" in shell script
    - replace "without-ssl" parameter to "filelist" function with
      "crypto-only" in shell script
    - retest shell script

 CryptoPkg/Library/OpensslLib/{OpensslLib.inf =3D> OpensslLibCrypto.inf} | =
56 ++------------------
 CryptoPkg/Library/OpensslLib/{OpensslLib.uni =3D> OpensslLibCrypto.uni} | =
 8 +--
 CryptoPkg/Library/OpensslLib/process_files.sh                         | 27=
 +++++++---
 3 files changed, 28 insertions(+), 63 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Librar=
y/OpensslLib/OpensslLibCrypto.inf
similarity index 90%
copy from CryptoPkg/Library/OpensslLib/OpensslLib.inf
copy to CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 42f523a611e5..9a03c2cf10c5 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -14,9 +14,9 @@
=20
 [Defines]
   INF_VERSION                    =3D 0x00010005
-  BASE_NAME                      =3D OpensslLib
-  MODULE_UNI_FILE                =3D OpensslLib.uni
-  FILE_GUID                      =3D C873A7D0-9824-409f-9B42-2C158B992E69
+  BASE_NAME                      =3D OpensslLibCrypto
+  MODULE_UNI_FILE                =3D OpensslLibCrypto.uni
+  FILE_GUID                      =3D E29FC209-8B64-4500-BD20-AF4EAE47EA0E
   MODULE_TYPE                    =3D BASE
   VERSION_STRING                 =3D 1.0
   LIBRARY_CLASS                  =3D OpensslLib
@@ -474,56 +474,6 @@ [Sources]
   $(OPENSSL_PATH)/crypto/cmac/cmac.c
   $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
   $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c
-  $(OPENSSL_PATH)/ssl/s2_meth.c
-  $(OPENSSL_PATH)/ssl/s2_srvr.c
-  $(OPENSSL_PATH)/ssl/s2_clnt.c
-  $(OPENSSL_PATH)/ssl/s2_lib.c
-  $(OPENSSL_PATH)/ssl/s2_enc.c
-  $(OPENSSL_PATH)/ssl/s2_pkt.c
-  $(OPENSSL_PATH)/ssl/s3_meth.c
-  $(OPENSSL_PATH)/ssl/s3_srvr.c
-  $(OPENSSL_PATH)/ssl/s3_clnt.c
-  $(OPENSSL_PATH)/ssl/s3_lib.c
-  $(OPENSSL_PATH)/ssl/s3_enc.c
-  $(OPENSSL_PATH)/ssl/s3_pkt.c
-  $(OPENSSL_PATH)/ssl/s3_both.c
-  $(OPENSSL_PATH)/ssl/s3_cbc.c
-  $(OPENSSL_PATH)/ssl/s23_meth.c
-  $(OPENSSL_PATH)/ssl/s23_srvr.c
-  $(OPENSSL_PATH)/ssl/s23_clnt.c
-  $(OPENSSL_PATH)/ssl/s23_lib.c
-  $(OPENSSL_PATH)/ssl/s23_pkt.c
-  $(OPENSSL_PATH)/ssl/t1_meth.c
-  $(OPENSSL_PATH)/ssl/t1_srvr.c
-  $(OPENSSL_PATH)/ssl/t1_clnt.c
-  $(OPENSSL_PATH)/ssl/t1_lib.c
-  $(OPENSSL_PATH)/ssl/t1_enc.c
-  $(OPENSSL_PATH)/ssl/t1_ext.c
-  $(OPENSSL_PATH)/ssl/d1_meth.c
-  $(OPENSSL_PATH)/ssl/d1_srvr.c
-  $(OPENSSL_PATH)/ssl/d1_clnt.c
-  $(OPENSSL_PATH)/ssl/d1_lib.c
-  $(OPENSSL_PATH)/ssl/d1_pkt.c
-  $(OPENSSL_PATH)/ssl/d1_both.c
-  $(OPENSSL_PATH)/ssl/d1_srtp.c
-  $(OPENSSL_PATH)/ssl/ssl_lib.c
-  $(OPENSSL_PATH)/ssl/ssl_err2.c
-  $(OPENSSL_PATH)/ssl/ssl_cert.c
-  $(OPENSSL_PATH)/ssl/ssl_sess.c
-  $(OPENSSL_PATH)/ssl/ssl_ciph.c
-  $(OPENSSL_PATH)/ssl/ssl_stat.c
-  $(OPENSSL_PATH)/ssl/ssl_rsa.c
-  $(OPENSSL_PATH)/ssl/ssl_asn1.c
-  $(OPENSSL_PATH)/ssl/ssl_txt.c
-  $(OPENSSL_PATH)/ssl/ssl_algs.c
-  $(OPENSSL_PATH)/ssl/ssl_conf.c
-  $(OPENSSL_PATH)/ssl/bio_ssl.c
-  $(OPENSSL_PATH)/ssl/ssl_err.c
-  $(OPENSSL_PATH)/ssl/kssl.c
-  $(OPENSSL_PATH)/ssl/t1_reneg.c
-  $(OPENSSL_PATH)/ssl/tls_srp.c
-  $(OPENSSL_PATH)/ssl/t1_trce.c
-  $(OPENSSL_PATH)/ssl/ssl_utst.c
=20
 # Autogenerated files list ends here
=20
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.uni b/CryptoPkg/Librar=
y/OpensslLib/OpensslLibCrypto.uni
similarity index 67%
copy from CryptoPkg/Library/OpensslLib/OpensslLib.uni
copy to CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni
index 0dffec1c98a3..7891b135953b 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.uni
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni
@@ -1,7 +1,7 @@
 // /** @file
-// This module provides openSSL Library implementation.
+// This module provides openSSL Library implementation (libcrypto only, no=
 libssl).
 //
-// This module provides OpenSSL Library implementation.
+// This module provides OpenSSL Library implementation (libcrypto only, no=
 libssl).
 //
 // Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
 //
@@ -16,7 +16,7 @@
 // **/
=20
=20
-#string STR_MODULE_ABSTRACT             #language en-US "OpenSSL Library i=
mplementation"
+#string STR_MODULE_ABSTRACT             #language en-US "OpenSSL Library i=
mplementation (libcrypto only, no libssl)"
=20
-#string STR_MODULE_DESCRIPTION          #language en-US "This module provi=
des OpenSSL Library implementation."
+#string STR_MODULE_DESCRIPTION          #language en-US "This module provi=
des OpenSSL Library implementation (libcrypto only, no libssl)."
=20
diff --git a/CryptoPkg/Library/OpensslLib/process_files.sh b/CryptoPkg/Libr=
ary/OpensslLib/process_files.sh
index 6f069ce264ac..9f10409824d1 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.sh
+++ b/CryptoPkg/Library/OpensslLib/process_files.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-# This script runs the OpenSSL Configure script, then processes the
-# resulting file list into our local OpensslLib.inf and also takes
-# a copy of opensslconf.h.
+# This script runs the OpenSSL Configure script, then processes the result=
ing
+# file list into our local OpensslLib.inf and OpensslLibCrypto.inf, and al=
so
+# takes a copy of opensslconf.h.
 #
 # This only needs to be done once by a developer when updating to a
 # new version of OpenSSL (or changing options, etc.). Normal users
@@ -10,6 +10,12 @@
 # git repository for them.
=20
 OPENSSL_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]=
*\)[[:space:]]*/\1/ p}' OpensslLib.inf)
+OPENSSL_CRYPTO_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.=
]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLibCrypto.inf)
+
+if [ "$OPENSSL_PATH" !=3D "$OPENSSL_CRYPTO_PATH" ]; then
+    echo "OPENSSL_PATH diverges between OpensslLib.inf and OpensslLibCrypt=
o.inf"
+    exit 1
+fi
=20
 if ! cd "${OPENSSL_PATH}" ; then
     echo "Cannot change to OpenSSL directory \"${OPENSSL_PATH}\""
@@ -65,6 +71,8 @@ cd -
=20
 function filelist ()
 {
+    SSL_SELECT=3D"$1"
+
     echo '1,/# Autogenerated files list starts here/p'
     echo '/# Autogenerated files list ends here/,$p'
     echo '/# Autogenerated files list starts here/a\'
@@ -76,18 +84,25 @@ function filelist ()
 		;;
 	    LIBSRC=3D*)
 		LIBSRC=3D$(echo "$LINE" | sed s/^LIBSRC=3D//)
-		for FILE in $LIBSRC; do
+		if [ "$RELATIVE_DIRECTORY" !=3D "ssl" ] ||
+		   [ "$SSL_SELECT" =3D "crypto-and-ssl" ]; then
+		    for FILE in $LIBSRC; do
 			if [ "$FILE" !=3D "b_print.c" ]; then
 			    echo -e '  $(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\
 			fi
-		done
+		    done
+		fi
 		;;
 	esac
     done
     echo -e \\r
 }
=20
-filelist < "${OPENSSL_PATH}/MINFO" |  sed -n -f - -i OpensslLib.inf
+filelist crypto-and-ssl < "${OPENSSL_PATH}/MINFO" \
+| sed -n -f - -i OpensslLib.inf
+
+filelist crypto-only < "${OPENSSL_PATH}/MINFO" \
+| sed -n -f - -i OpensslLibCrypto.inf
=20
 # We can tell Windows users to put this back manually if they can't run
 # Configure. For now, until the git repository is fixed to store things
--=20
2.9.3


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
From nobody Thu Apr 25 07:12:10 2024
Delivered-To: importer@patchew.org
Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by
 domain of lists.01.org) client-ip=198.145.21.10;
 envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org;
Authentication-Results: mx.zoho.com;
	spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain
 of lists.01.org)  smtp.mailfrom=edk2-devel-bounces@lists.01.org;
Return-Path: <edk2-devel-bounces@lists.01.org>
Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com
	with SMTPS id 1487934115192279.232989360964;
 Fri, 24 Feb 2017 03:01:55 -0800 (PST)
Received: from [127.0.0.1] (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id E3E938219C;
	Fri, 24 Feb 2017 03:01:50 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 9A0588216E
 for <edk2-devel@ml01.01.org>; Fri, 24 Feb 2017 03:01:48 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 36B4ED599F;
 Fri, 24 Feb 2017 11:01:49 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com
 [10.3.116.39])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v1OB1bDv003054; Fri, 24 Feb 2017 06:01:48 -0500
X-Original-To: edk2-devel@ml01.01.org
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Date: Fri, 24 Feb 2017 12:01:30 +0100
Message-Id: <20170224110132.19374-4-lersek@redhat.com>
In-Reply-To: <20170224110132.19374-1-lersek@redhat.com>
References: <20170224110132.19374-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.38]); Fri, 24 Feb 2017 11:01:49 +0000 (UTC)
Subject: [edk2] [PATCH v2 3/5] ArmVirtPkg: resolve OpensslLib to
 OpensslLibCrypto
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
Cc: Tomas Hoger <thoger@redhat.com>,
 Ard Biesheuvel <ard.biesheuvel@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel" <edk2-devel-bounces@lists.01.org>
X-ZohoMail: RSF_4  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

The OpensslLibCrypto library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature. It would not be
sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we
don't even enable plaintext HTTP booting for the time being.

Ease security analysis by excluding libssl functionality from the
OpensslLib instance we use.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---

Notes:
    v2:
    - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message
    - fix typo "analsysis" in commit message
    - pick up Ard's R-b
    - resolve OpensslLib to OpensslLibCrypto.inf in ArmVirt.dsc.inc, rather
      than OpensslLibNoSsl.inf
    - test-build ArmVirtQemu

 ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 43699cb9bdd6..b5de4163c1cb 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -136,7 +136,7 @@ [LibraryClasses.common]
   #
 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
-  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure=
mentLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
--=20
2.9.3


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
From nobody Thu Apr 25 07:12:10 2024
Delivered-To: importer@patchew.org
Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by
 domain of lists.01.org) client-ip=198.145.21.10;
 envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org;
Authentication-Results: mx.zoho.com;
	spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain
 of lists.01.org)  smtp.mailfrom=edk2-devel-bounces@lists.01.org;
Return-Path: <edk2-devel-bounces@lists.01.org>
Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com
	with SMTPS id 1487934115772640.2678484032834;
 Fri, 24 Feb 2017 03:01:55 -0800 (PST)
Received: from [127.0.0.1] (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id 2E7A78219F;
	Fri, 24 Feb 2017 03:01:51 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 1FACD8219B
 for <edk2-devel@ml01.01.org>; Fri, 24 Feb 2017 03:01:50 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id A2D608048D;
 Fri, 24 Feb 2017 11:01:50 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com
 [10.3.116.39])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v1OB1bDw003054; Fri, 24 Feb 2017 06:01:49 -0500
X-Original-To: edk2-devel@ml01.01.org
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Date: Fri, 24 Feb 2017 12:01:31 +0100
Message-Id: <20170224110132.19374-5-lersek@redhat.com>
In-Reply-To: <20170224110132.19374-1-lersek@redhat.com>
References: <20170224110132.19374-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.28]); Fri, 24 Feb 2017 11:01:50 +0000 (UTC)
Subject: [edk2] [PATCH v2 4/5] Nt32Pkg: exclude libssl functionality from
 OpensslLib if TLS_ENABLE=FALSE
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>, Tomas Hoger <thoger@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel" <edk2-devel-bounces@lists.01.org>
X-ZohoMail: RSF_4  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

Ease security analysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=3DFALSE.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
---

Notes:
    v2:
    - fix typo "analsysis" in commit message
    - resolve OpensslLib to OpensslLibCrypto.inf rather than to
      OpensslLibNoSsl.inf in Nt32Pkg.dsc
   =20
    v1:
    - I can't build-test this.

 Nt32Pkg/Nt32Pkg.dsc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
index 47e37ecae134..499b1fe8abe0 100644
--- a/Nt32Pkg/Nt32Pkg.dsc
+++ b/Nt32Pkg/Nt32Pkg.dsc
@@ -159,7 +159,11 @@ [LibraryClasses]
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/C=
puExceptionHandlerLibNull.inf
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) =3D=3D TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+!endif
  =20
 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
   PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf
--=20
2.9.3


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
From nobody Thu Apr 25 07:12:10 2024
Delivered-To: importer@patchew.org
Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by
 domain of lists.01.org) client-ip=198.145.21.10;
 envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org;
Authentication-Results: mx.zoho.com;
	spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain
 of lists.01.org)  smtp.mailfrom=edk2-devel-bounces@lists.01.org;
Return-Path: <edk2-devel-bounces@lists.01.org>
Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com
	with SMTPS id 1487934117941183.26559263125625;
 Fri, 24 Feb 2017 03:01:57 -0800 (PST)
Received: from [127.0.0.1] (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id 64B2F8219E;
	Fri, 24 Feb 2017 03:01:53 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id A3D1B821A4
 for <edk2-devel@ml01.01.org>; Fri, 24 Feb 2017 03:01:51 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 3B2D82E6076;
 Fri, 24 Feb 2017 11:01:52 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com
 [10.3.116.39])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v1OB1bDx003054; Fri, 24 Feb 2017 06:01:50 -0500
X-Original-To: edk2-devel@ml01.01.org
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Date: Fri, 24 Feb 2017 12:01:32 +0100
Message-Id: <20170224110132.19374-6-lersek@redhat.com>
In-Reply-To: <20170224110132.19374-1-lersek@redhat.com>
References: <20170224110132.19374-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.29]); Fri, 24 Feb 2017 11:01:52 +0000 (UTC)
Subject: [edk2] [PATCH v2 5/5] OvmfPkg: exclude libssl functionality from
 OpensslLib if TLS_ENABLE=FALSE
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
Cc: Jordan Justen <jordan.l.justen@intel.com>, Gary Lin <glin@suse.com>,
 Tomas Hoger <thoger@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Errors-To: edk2-devel-bounces@lists.01.org
Sender: "edk2-devel" <edk2-devel-bounces@lists.01.org>
X-ZohoMail: RSF_4  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

The OpensslLibCrypto library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature.

Ease security analysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=3DFALSE.

Cc: Gary Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
---

Notes:
    v2:
    - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message
    - fix typo "analsysis" in commit message
    - pick up Gary's R-b
    - resolve OpensslLib to OpensslLibCrypto.inf rather than to
      OpensslLibNoSsl.inf in OvmfPkgIa32.dsc, OvmfPkgIa32X64.dsc,
      OvmfPkgX64.dsc
    - test-build OVMF with TLS_ENABLE=3DTRUE and TLS_ENABLE=3DFALSE

 OvmfPkg/OvmfPkgIa32.dsc    | 4 ++++
 OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
 OvmfPkg/OvmfPkgX64.dsc     | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 993547d4859e..0bce56bc8323 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -143,7 +143,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD=
ebugPrintErrorLevelLib.inf
=20
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) =3D=3D TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+!endif
=20
 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index f36604ecb4d8..56f7ff9ad004 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD=
ebugPrintErrorLevelLib.inf
=20
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) =3D=3D TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+!endif
=20
 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index c5bf1a672b1e..d0b0b0e1beb1 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD=
ebugPrintErrorLevelLib.inf
=20
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) =3D=3D TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+!endif
=20
 !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
--=20
2.9.3

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel