[edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b

Laszlo Ersek lersek at redhat.com
Thu May 16 18:53:17 UTC 2019


On 05/16/19 09:54, Xiaoyu Lu wrote:
> This series is also available at:
> https://github.com/xiaoyuxlu/edk2/tree/bz_1089_upgrade_to_openssl_1_1_1b_v4
> 
> Changes:
> 
> (1) CryptoPkgOpensslLib: Modify process_files.pl for  upgrading OpenSSL
> 
> (2) CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl
>     crypto/store/* are excluded.
>     crypto/rand/randfile.c is excluded.
> 
> (3) CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue
> 
> (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
>     Disable warnings for building OpenSSL_1_1_1b
> 
> (5) CryptoPkg/OpensslLib: Fix cross-build problem for AARCH64
> 
> (6) CryptoPkg: Upgrade OpenSSL to 1.1.1b
>     The biggest change is to use TSC as entropy source.
>     If TSC isn't available, fall back to TimerLib (PerformanceCounter).
> 
> (7) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible
> 
> 
> Verification done for this series:
> * Https boot in OvmfPkg.
> * BaseCrypt Library test. (Ovmf, EmulatorPkg)
> 
> Important notice:
> Nt32Pkg doesn't support TimerLib
>> TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
> So it will fail in Nt32Pkg.

I did some minimal functional testing, as follows:

- built OvmfPkgIa32X64.dsc with -D SMM_REQUIRE -D SECURE_BOOT_ENABLE

- with SB pre-enabled in an existing VM, the firmware continued to
  reject an unsigned UEFI app
- in the same config, the firmware continued to accept a correctly
  signed UEFI boot loader (the Fedora OS was booted OK)

- with SB disabled afresh (deleting PK through SecureBootConfigDxe),
  both of the above binaries were accepted
- in the same SB-disabled state, OvmfPkg/EnrollDefaultKeys was possible
  to invoke from the UEFI shell, and it successfully re-enabled SB (with
  the effects described in the prior section).

So this part looks good.

Thanks
Laszlo
