[edk2-devel] [Patch 00/12] CryptoPkg: Remove EC PCD and merge perf opt OpensslLibs
Michael D Kinney
michael.d.kinney at intel.com
Wed Oct 12 01:55:17 UTC 2022
Jiewen,
The BKM is to just call the EC services from the layers above OpensslLib.
The EC APIs will always be present. Either real EC service or Null EC service.
This way we can remove all the #ifdef on EC PCD.
Platform developers select the OpensslLib instance with EC (OpensslLibFull.inf) or
without EC (OpensslLib.inf).
Mike
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao at intel.com>
> Sent: Tuesday, October 11, 2022 6:37 PM
> To: Kinney, Michael D <michael.d.kinney at intel.com>; devel at edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang at intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang, Guomin <guomin.jiang at intel.com>; Zurcher,
> Christopher <christopher.zurcher at microsoft.com>; Rebecca Cran <quic_rcran at quicinc.com>; Ard Biesheuvel <ardb at kernel.org>
> Subject: RE: [Patch 00/12] CryptoPkg: Remove EC PCD and merge perf opt OpensslLibs
>
> Hi Mike
> For PcdOpensslEcEnabled, I am seeing other usage. For example:
> https://github.com/qizhangz/edk2/blob/EC_Upstream/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c#L156
>
> I think we may need BKM on "how to disable EC".
>
> Thank you
> Yao, Jiewen
>
>
> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kinney at intel.com>
> > Sent: Wednesday, October 12, 2022 9:25 AM
> > To: Yao, Jiewen <jiewen.yao at intel.com>; devel at edk2.groups.io; Kinney,
> > Michael D <michael.d.kinney at intel.com>
> > Cc: Wang, Jian J <jian.j.wang at intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu at intel.com>; Jiang, Guomin <guomin.jiang at intel.com>;
> > Zurcher, Christopher <christopher.zurcher at microsoft.com>; Rebecca Cran
> > <quic_rcran at quicinc.com>; Ard Biesheuvel <ardb at kernel.org>
> > Subject: RE: [Patch 00/12] CryptoPkg: Remove EC PCD and merge perf opt
> > OpensslLibs
> >
> > Hi Jiewen,
> >
> > Comments below.
> >
> > Mike
> >
> > > -----Original Message-----
> > > From: Yao, Jiewen <jiewen.yao at intel.com>
> > > Sent: Tuesday, October 11, 2022 6:09 PM
> > > To: Kinney, Michael D <michael.d.kinney at intel.com>;
> > devel at edk2.groups.io
> > > Cc: Wang, Jian J <jian.j.wang at intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu at intel.com>; Jiang, Guomin <guomin.jiang at intel.com>;
> > Zurcher,
> > > Christopher <christopher.zurcher at microsoft.com>; Rebecca Cran
> > <quic_rcran at quicinc.com>; Ard Biesheuvel <ardb at kernel.org>
> > > Subject: RE: [Patch 00/12] CryptoPkg: Remove EC PCD and merge perf opt
> > OpensslLibs
> > >
> > > Thank you Mike.
> > >
> > > 1) I like the idea to combine multiple OpensslLibIA32/X64.inf into one
> > OpensslLibAccel.inf.
> > > Also the cleanup looks good to me.
> > >
> > > 2) I also like the summary in readme in
> > >
> > https://github.com/mdkinney/edk2/tree/CryptoPkg_RemoveEcPcd_Merge
> > OptimizedOpensslLibs/CryptoPkg
> > > I notice some algorithms are listed Y(Deprecated) but N(Don't Use), such
> > as Tdes, Arc4, Aes.Ecb*.
> > > But I don’t see the use case for those algorithms and I suggest a
> > Y(Deprecated) have Y(Don't Use).
> >
> > Good catch. I will fix.
> >
> > >
> > > 3) About PcdOpensslEcEnabled
> > > I notice it is used in existing code -
> > >
> > https://github.com/mdkinney/edk2/blob/CryptoPkg_RemoveEcPcd_Merge
> > OptimizedOpensslLibs/CryptoPkg/Library/TlsLib/TlsConfig.c#L11
> > > 39
> > > Is this right way?
> >
> > This was added since I started this work and was added back in by rebase. I
> > will fix.
> > We can just remove the check for the PCD. If the OpensslLib instance does
> > not include
> > SSL services, then the Null SSL services are present and the call to SSL_ctrl()
> > will
> > return 0 which will force TlsSetEcCurve() to return EFI_UNSUPPORTED. It
> > will also
> > ASSERT() informing the developer that a call to a service that depends on
> > SSL was made
> > without SSL services available.
> >
> > long
> > SSL_ctrl (
> > SSL *ssl,
> > int cmd,
> > long larg,
> > void *parg
> > )
> > {
> > ASSERT (FALSE);
> > return 0;
> > }
> >
> > Likewise, if the OpensslLib instance does not support EC services, then the
> > Null
> > EC services will be included and the call to EC_KEY_new_by_curve_name()
> > will
> > return NULL which will force TlsSetEcCurve() to return EFI_UNSUPPORTED. It
> > will also
> > ASSERT() informing the developer that a call to a service that depends on EC
> > was made
> > without EC services available.
> >
> > EC_KEY *
> > EC_KEY_new_by_curve_name (
> > int nid
> > )
> > {
> > ASSERT (FALSE);
> > return NULL;
> > }
> >
> > >
> > > Thank you
> > > Yao, Jiewen
> > >
> > > > -----Original Message-----
> > > > From: Kinney, Michael D <michael.d.kinney at intel.com>
> > > > Sent: Tuesday, October 11, 2022 11:04 PM
> > > > To: devel at edk2.groups.io
> > > > Cc: Yao, Jiewen <jiewen.yao at intel.com>; Wang, Jian J
> > > > <jian.j.wang at intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu at intel.com>; Jiang,
> > > > Guomin <guomin.jiang at intel.com>; Zurcher, Christopher
> > > > <christopher.zurcher at microsoft.com>; Rebecca Cran
> > > > <quic_rcran at quicinc.com>; Ard Biesheuvel <ardb at kernel.org>
> > > > Subject: [Patch 00/12] CryptoPkg: Remove EC PCD and merge perf opt
> > > > OpensslLibs
> > > >
> > > > The recent addition of the Ecliptic Curve (EC) feature and the
> > performance
> > > > optimization features increased the complexity for platforms to
> > integrate
> > > > and enable these features. This series simplifies the platform
> > configuration
> > > > as much as possible and improves the ability to manage the the size
> > impact
> > > > of cryptographic services in each FW phase. A Readme.md is also added
> > > > that
> > > > provides an overview of the CryptoPkg design and features along with
> > > > platform
> > > > integration recommendations.
> > > >
> > > > This series also addresses private library class declarations missing from
> > > > CryptoPkg.dec and library instances not producing all the APIs defined
> > > > by the library classes. A review of the CryptoPkg EDK II meta data files
> > > > identified
> > > > a number of additional cleanups. The CryptoPkg.dsc file was also
> > updated to
> > > > improve CI coverage for future CryptoPkg changes and identified some
> > > > unit test bug fixes.
> > > >
> > > > PR: https://github.com/tianocore/edk2/pull/3443
> > > > Branch:
> > > >
> > https://github.com/mdkinney/edk2/tree/CryptoPkg_RemoveEcPcd_Merge
> > > > OptimizedOpensslLibs
> > > > Readme:
> > > >
> > https://github.com/mdkinney/edk2/blob/CryptoPkg_RemoveEcPcd_Merge
> > > > OptimizedOpensslLibs/CryptoPkg/Readme.md
> > > >
> > > > Change Summary
> > > > ==============
> > > > * Document disabled/deprecated cryptographic services
> > > > * Add missing UNI files in BaseCryptLib
> > > > * Update BaseCryptLib internal functions to be STATIC and remove
> > EFIAPI
> > > > * Add GLOBAL_REMOVE_IF_UNREFERENCED to BaseCryptLib global
> > > > variables
> > > > * Fix BaseCryptLib unit tests
> > > > * Cleanup BaseCryptLib and TlsLib INF files and
> > > > * Move SysCall/inet_pton.c from BaseCryptLib to TlsLib that uses it.
> > > > * Merge 4 performance optimized INFs into OpensslLib*Accel.inf
> > > > * Remove use of PcdOpensslEcEnabled and use OpensslLibFull*.inf
> > instead
> > > > * Add OpensslLib and IntrinsicLib to CryptoPkg.dec as private library
> > classes
> > > > * Update all OpensslLib instances to always produce all APIs in
> > OpensslLib
> > > > class
> > > > * Move PrintLib dependency from OpensslLib INF files to BaseCryptLib
> > INF
> > > > files
> > > > * Update CryptoPkg.dsc files to provide full CI test coverage across all
> > the
> > > > supported combinations of OpensslLib, BaseCryptLib, and TlsLib
> > instances.
> > > > * Remove PACKAGE profile from CryptoPkg.dsc and add
> > > > TARGET_UNIT_TESTS
> > > > profile. Adding TARGET_UNIT_TESTS profile is required to prevent a
> > few
> > > > unit
> > > > test artifacts being included in non unit test builds of components.
> > > > * Add CryptoPkg Readme.md with overview and platform integration
> > > > details.
> > > > * Update host-based unit tests to always use OpensslLibFull.inf and add
> > > > unit
> > > > test coverage for OpensslLibFullAccel.inf.
> > > > * Add Readme.md with CryptoPkg overview and platform integration
> > > > documentation
> > > >
> > > > Cc: Jiewen Yao <jiewen.yao at intel.com>
> > > > Cc: Jian J Wang <jian.j.wang at intel.com>
> > > > Cc: Xiaoyu Lu <xiaoyu1.lu at intel.com>
> > > > Cc: Guomin Jiang <guomin.jiang at intel.com>
> > > > Cc: Christopher Zurcher <christopher.zurcher at microsoft.com>
> > > > Cc: Rebecca Cran <quic_rcran at quicinc.com>
> > > > Cc: Ard Biesheuvel <ardb at kernel.org>
> > > > Signed-off-by: Michael D Kinney <michael.d.kinney at intel.com>
> > > >
> > > > Michael D Kinney (12):
> > > > CryptoPkg: Document and disable deprecated crypto services
> > > > CryptoPkg/Library/BaseCryptLib: Add missing UNI file and fix format
> > > > CryptoPkg/Library/BaseCryptLib: Update internal functions/variables
> > > > CryptoPkg/Test/UnitTest/Library/BaseCryptLib: Unit test fixes
> > > > CryptoPkg/Library: Cleanup BaseCryptLib and TlsLib
> > > > CryptoPkg/Library/OpensslLib: Combine all performance optimized
> > INFs
> > > > CryptoPkg/Library/OpensslLib: Produce consistent set of APIs
> > > > CryptoPkg/Library/OpensslLib: Remove PrintLib from INF files
> > > > CryptoPkg: Remove PcdOpensslEcEnabled from CryptoPkg.dec
> > > > CryptoPkg: Update DSC to improve CI test coverage
> > > > CryptoPkg: Fixed host-based unit tests
> > > > CryptoPkg: Add Readme.md
> > > >
> > > > CryptoPkg/CryptoPkg.ci.yaml | 11 +-
> > > > CryptoPkg/CryptoPkg.dec | 42 +-
> > > > CryptoPkg/CryptoPkg.dsc | 460 +++++++++---
> > > > .../Pcd/PcdCryptoServiceFamilyEnable.h | 122 +--
> > > > .../Library/BaseCryptLib/BaseCryptLib.inf | 10 +-
> > > > .../Library/BaseCryptLib/BaseCryptLib.uni | 2 -
> > > > .../Library/BaseCryptLib/Hmac/CryptHmac.c | 7 +
> > > > .../Library/BaseCryptLib/Kdf/CryptHkdf.c | 5 +-
> > > > .../Library/BaseCryptLib/PeiCryptLib.inf | 8 +-
> > > > .../Library/BaseCryptLib/PeiCryptLib.uni | 2 -
> > > > .../BaseCryptLib/Pk/CryptAuthenticode.c | 2 +-
> > > > .../BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c | 3 +-
> > > > .../BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 3 +
> > > > CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 44 +-
> > > > .../Library/BaseCryptLib/RuntimeCryptLib.inf | 9 +-
> > > > .../Library/BaseCryptLib/RuntimeCryptLib.uni | 2 -
> > > > .../Library/BaseCryptLib/SecCryptLib.inf | 13 +-
> > > > .../{SmmCryptLib.uni => SecCryptLib.uni} | 11 +-
> > > > .../Library/BaseCryptLib/SmmCryptLib.inf | 12 -
> > > > .../Library/BaseCryptLib/SmmCryptLib.uni | 2 -
> > > > .../BaseCryptLib/UnitTestHostBaseCryptLib.inf | 22 +-
> > > > .../Library/Include/openssl/opensslconf.h | 328 +++++++-
> > > > .../Include/openssl/opensslconf_generated.h | 333 ---------
> > > > CryptoPkg/Library/OpensslLib/EcSm2Null.c | 291 ++++++++
> > > > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 133 ++--
> > > > CryptoPkg/Library/OpensslLib/OpensslLib.uni | 10 +-
> > > > ...nsslLibIa32Gcc.inf => OpensslLibAccel.inf} | 189 +++--
> > > > .../Library/OpensslLib/OpensslLibAccel.uni | 14 +
> > > > .../OpensslLib/OpensslLibConstructor.c | 6 +-
> > > > .../Library/OpensslLib/OpensslLibCrypto.inf | 185 +++--
> > > > .../Library/OpensslLib/OpensslLibCrypto.uni | 11 +-
> > > > .../{OpensslLib.inf => OpensslLibFull.inf} | 143 ++--
> > > > .../{OpensslLib.uni => OpensslLibFull.uni} | 10 +-
> > > > ...sslLibIa32.inf => OpensslLibFullAccel.inf} | 192 +++--
> > > > .../OpensslLib/OpensslLibFullAccel.uni | 14 +
> > > > .../Library/OpensslLib/OpensslLibX64.inf | 706 ------------------
> > > > .../Library/OpensslLib/OpensslLibX64Gcc.inf | 706 ------------------
> > > > CryptoPkg/Library/OpensslLib/SslNull.c | 405 ++++++++++
> > > > .../SysCall/inet_pton.c | 0
> > > > CryptoPkg/Library/TlsLib/TlsConfig.c | 2 +-
> > > > CryptoPkg/Library/TlsLib/TlsLib.inf | 12 +-
> > > > CryptoPkg/Private/Library/IntrinsicLib.h | 16 +
> > > > CryptoPkg/Private/Library/OpensslLib.h | 14 +
> > > > CryptoPkg/Readme.md | 498 ++++++++++++
> > > > CryptoPkg/Test/CryptoPkgHostUnitTest.dsc | 17 +-
> > > > .../UnitTest/Library/BaseCryptLib/HmacTests.c | 17 +-
> > > > .../UnitTest/Library/BaseCryptLib/TSTests.c | 2 +-
> > > > .../TestBaseCryptLibHostAccel.inf | 55 ++
> > > > 48 files changed, 2667 insertions(+), 2434 deletions(-)
> > > > copy CryptoPkg/Library/BaseCryptLib/{SmmCryptLib.uni =>
> > > > SecCryptLib.uni} (74%)
> > > > delete mode 100644
> > > > CryptoPkg/Library/Include/openssl/opensslconf_generated.h
> > > > create mode 100644 CryptoPkg/Library/OpensslLib/EcSm2Null.c
> > > > rename CryptoPkg/Library/OpensslLib/{OpensslLibIa32Gcc.inf =>
> > > > OpensslLibAccel.inf} (79%)
> > > > create mode 100644
> > CryptoPkg/Library/OpensslLib/OpensslLibAccel.uni
> > > > copy CryptoPkg/Library/OpensslLib/{OpensslLib.inf =>
> > OpensslLibFull.inf}
> > > > (80%)
> > > > copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni =>
> > OpensslLibFull.uni}
> > > > (56%)
> > > > rename CryptoPkg/Library/OpensslLib/{OpensslLibIa32.inf =>
> > > > OpensslLibFullAccel.inf} (79%)
> > > > create mode 100644
> > > > CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.uni
> > > > delete mode 100644 CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
> > > > delete mode 100644
> > CryptoPkg/Library/OpensslLib/OpensslLibX64Gcc.inf
> > > > create mode 100644 CryptoPkg/Library/OpensslLib/SslNull.c
> > > > rename CryptoPkg/Library/{BaseCryptLib => TlsLib}/SysCall/inet_pton.c
> > > > (100%)
> > > > create mode 100644 CryptoPkg/Private/Library/IntrinsicLib.h
> > > > create mode 100644 CryptoPkg/Private/Library/OpensslLib.h
> > > > create mode 100644 CryptoPkg/Readme.md
> > > > create mode 100644
> > > >
> > CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestBaseCryptLibHostAccel.i
> > > > nf
> > > >
> > > > --
> > > > 2.37.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#95035): https://edk2.groups.io/g/devel/message/95035
Mute This Topic: https://groups.io/mt/94260718/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list