From: "Michael D Kinney"
To: devel@edk2.groups.io
Cc: Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang , Christopher Zurcher
Subject: [edk2-devel] [Patch 01/12] CryptoPkg: Document and disable deprecated crypto services
Date: Tue, 11 Oct 2022 08:03:47 -0700
Message-Id: <20221011150358.1332-2-michael.d.kinney@intel.com>
In-Reply-To: <20221011150358.1332-1-michael.d.kinney@intel.com>
References: <20221011150358.1332-1-michael.d.kinney@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe:
List-Subscribe:
List-Help:
Sender: devel@edk2.groups.io
List-Id:
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,michael.d.kinney@intel.com
X-Gm-Message-State: A3I3lo3er9wERTCJg8Y6yho5x1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1665500670; bh=HvuPCGKr6Z0Mic/aMnzhO71KLiHz8ZAwocNdwK2jaWE=; h=Cc:Date:From:Reply-To:Subject:To; b=LF4mXdGbBXrat0ZDke4zYgJqZCrFass+UxQZ7yzKFMilkF5oFsWK3If9Q0fFeQICbfr Acyshi3e8me+dSf6OGuG3aKEj/vbhKQZAojUq+FCwsDmk8BY7/AsAKeNW4Oe7H8Bfd0Zy oaFYWm8/lUwU9MreXynhLmuRhql/a8z1PYw=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1665500676806100001
Content-Type: text/plain; charset="utf-8"

Also note services that are recommended to be disabled and update CryptoPkg.dsc PcdCryptoServiceFamilyEnable settings disable all deprecated services.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Xiaoyu Lu
Cc: Guomin Jiang
Cc: Christopher Zurcher
Signed-off-by: Michael D Kinney
---
 CryptoPkg/CryptoPkg.dsc | 10 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h | 122 ++++++++++--------
 2 files changed, 77 insertions(+), 55 deletions(-)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index e4e7bc0dbfae..ab28d8861f10 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -150,7 +150,6 @@ [PcdsFixedAtBuild]
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fami= ly | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Fami= ly | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -160,8 +159,10 @@ [PcdsFixedAtBuild]
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Ge= tContextSize | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.In= it | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cb= cEncrypt | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cb= cDecrypt | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
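Review bot: The context line `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` in the @@ -160 hunk leaves the Arc4 family fully enabled in the "PACKAGE ALL" block, although the new header comment in this same patch lists the Arc4 family among the deprecated services that must never be enabled and the commit message says the dsc now disables all deprecated services. It should be removed the same way the Md5, Tdes and Aes family lines are, so a platform building with CRYPTO_SERVICES=ALL does not carry the deprecated RC4 services. If HmacMd5, HmacSha1 or Md4 entries exist elsewhere in this block, outside the hunk, they need the same treatment; only the lines shown here can be checked.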
@@ -172,7 +173,7 @@ [PcdsFixedAtBuild]
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.ParallelHash.Fa= mily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Fami= ly | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Bn.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family = | 0
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
=20
 !if $(CRYPTO_SERVICES) =3D=3D MIN_PEI
@@ -216,6 +217,7 @@ [PcdsFixedAtBuild]
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family = | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Ge= tContextSize | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.In= it | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cb= cEncrypt | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cb= cDecrypt | TRUE
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoP= kg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 47405894176c..da533543172f 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
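Review bot: `Ec.Family | 0` becoming `Ec.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` in the @@ -172 hunk turns the whole EC family on in the "PACKAGE ALL" block, which is an enablement rather than the disabling of deprecated services that the commit message describes. If this is intentional, a sentence in the commit message saying why EC is now enabled here, and that it was previously 0, would let reviewers and anyone bisecting a size or build change tell it apart from the deprecation work; otherwise it belongs in its own patch. The @@ -216 hunk only adds the missing `Aes.Services.GetContextSize | TRUE` next to the existing Init/Cbc entries and is consistent with the change to the first block.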
@@ -1,6 +1,26 @@
 /** @file
 Defines the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure associated with
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable that is used
+ to enable/disable crypto services at either the family scope or the
+ individual service scope. Platforms can minimize the number of enabled
+ services to reduce size.
+
+ The following services have been deprecated and must never be enabled.
+ The associated fields in this data structure are never removed or replac= ed
+ to preseve the binary layout of the data structure. New services are
+ always added to the end of the data structure.
+ * HmacMd5 family
+ * HmacSha1 family
+ * Md4 family
+ * Md5 family
+ * Tdes family
+ * Arc4 family
+ * Aes.Services.EcbEncrypt service
+ * Aes.Services.EcbDecrypt service
+
+ Is is recommended that the following services always be disabled and may
+ be deprecated in the future.
+ * Sha1 family
=20
 Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
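Review bot: Two typos in the new file header comment: `to preseve the binary layout` should read `to preserve the binary layout`, and `Is is recommended that the following services` should read `It is recommended that the following services`. It would also help to add one sentence to the same paragraph saying that the `// Deprecated` and `// Recommend disable` markers on the structure members below are the per-field form of these two lists, so a reader who lands on the struct knows the header comment is the authoritative list. The `replac= ed` split is quoted-printable mail encoding, not a defect in the source. This hunk continues into the next one (the SPDX line is its last context line).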
 SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -25,25 +45,25 @@ typedef struct {
 union {
 struct {
- UINT8 New : 1;
- UINT8 Free : 1;
- UINT8 SetKey : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
+ UINT8 New : 1; // Deprecated
+ UINT8 Free : 1; // Deprecated
+ UINT8 SetKey : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } HmacMd5;
 union {
 struct {
- UINT8 New : 1;
- UINT8 Free : 1;
- UINT8 SetKey : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
+ UINT8 New : 1; // Deprecated
+ UINT8 Free : 1; // Deprecated
+ UINT8 SetKey : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } HmacSha1;
 union {
 struct {
@@ -71,26 +91,26 @@ typedef struct {
 } HmacSha384;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
+ UINT8 HashAll : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Md4;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
+ UINT8 HashAll : 1; // Deprecated
 } Services;
 UINT32 Family;
- } Md5;
+ } Md5; // Deprecated
 union {
 struct {
 UINT8 Pkcs1v2Encrypt : 1;
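Review bot: In the Md5 union at the end of the @@ -71 hunk the marker is put on the closing line, `} Md5; // Deprecated`, while `UINT32 Family;` is left unmarked, whereas HmacMd5, HmacSha1 and Md4 in this patch mark every Services bit and the Family member and leave the closing `}` bare. `Family` is the member a platform sets to enable a whole family at once, so it is the line that most needs the warning; I would change the two lines to `UINT32 Family; // Deprecated` and `} Md5;` so the four deprecated hash families read the same way. As written, the Md5 `Family` line is the only Family member of a deprecated family that this patch does not touch, which makes the omission easy to miss in a later search for the marker.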
@@ -143,14 +163,14 @@ typedef struct {
 } Rsa;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Recommend disable
+ UINT8 Init : 1; // Recommend disable
+ UINT8 Duplicate : 1; // Recommend disable
+ UINT8 Update : 1; // Recommend disable
+ UINT8 Final : 1; // Recommend disable
+ UINT8 HashAll : 1; // Recommend disable
 } Services;
- UINT32 Family;
+ UINT32 Family; // Recommend disable
 } Sha1;
 union {
 struct {
@@ -202,21 +222,21 @@ typedef struct {
 } X509;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 EcbEncrypt : 1;
- UINT8 EcbDecrypt : 1;
- UINT8 CbcEncrypt : 1;
- UINT8 CbcDecrypt : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 EcbEncrypt : 1; // Deprecated
+ UINT8 EcbDecrypt : 1; // Deprecated
+ UINT8 CbcEncrypt : 1; // Deprecated
+ UINT8 CbcDecrypt : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Tdes;
 union {
 struct {
 UINT8 GetContextSize : 1;
 UINT8 Init : 1;
- UINT8 EcbEncrypt : 1;
- UINT8 EcbDecrypt : 1;
+ UINT8 EcbEncrypt : 1; // Deprecated
+ UINT8 EcbDecrypt : 1; // Deprecated
 UINT8 CbcEncrypt : 1;
 UINT8 CbcDecrypt : 1;
 } Services;
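Review bot: In the Aes union of the @@ -202 hunk only `EcbEncrypt` and `EcbDecrypt` are marked `// Deprecated`, but the `UINT32 Family;` member that overlays the Services bits in the same union (it sits just past the end of this hunk) covers those two bits as well, so setting Aes.Family to the all-enabled value turns the deprecated ECB services on; that is presumably why the dsc in this patch switches Aes from `.Family` to individual `.Services.*` entries. A comment on that member, `UINT32 Family; // Also enables the deprecated Ecb services; use the Services bits instead`, would record the constraint in the header for platforms that do not read CryptoPkg.dsc. The union's closing `} Aes;` is in the following hunk.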
@@ -224,13 +244,13 @@ typedef struct {
 } Aes;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Encrypt : 1;
- UINT8 Decrypt : 1;
- UINT8 Reset : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Encrypt : 1; // Deprecated
+ UINT8 Decrypt : 1; // Deprecated
+ UINT8 Reset : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Arc4;
 union {
 struct {
--=20
2.37.1.windows.1

-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94994): https://edk2.groups.io/g/devel/message/94994
Mute This Topic: https://groups.io/mt/94260719/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-