[edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b

Ard Biesheuvel ard.biesheuvel at linaro.org
Tue May 21 09:01:55 UTC 2019


On Tue, 21 May 2019 at 09:43, Wang, Jian J <jian.j.wang at intel.com> wrote:
>
> Hi Ard,
>
> Any comments?
>
> Regards,
> Jian
>
> > -----Original Message-----
> > From: devel at edk2.groups.io [mailto:devel at edk2.groups.io] On Behalf Of Wang,
> > Jian J
> > Sent: Monday, May 20, 2019 9:41 AM
> > To: devel at edk2.groups.io; ard.biesheuvel at linaro.org; Laszlo Ersek
> > <lersek at redhat.com>
> > Cc: Lu, XiaoyuX <xiaoyux.lu at intel.com>; Ye, Ting <ting.ye at intel.com>; Leif
> > Lindholm <leif.lindholm at linaro.org>; Gao, Liming <liming.gao at intel.com>
> > Subject: Re: [edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
> >
> > Ard,
> >
> >
> > > -----Original Message-----
> > > From: devel at edk2.groups.io [mailto:devel at edk2.groups.io] On Behalf Of Ard
> > > Biesheuvel
> > > Sent: Friday, May 17, 2019 11:06 PM
> > > To: Laszlo Ersek <lersek at redhat.com>
> > > Cc: Wang, Jian J <jian.j.wang at intel.com>; devel at edk2.groups.io; Lu, XiaoyuX
> > > <xiaoyux.lu at intel.com>; Ye, Ting <ting.ye at intel.com>; Leif Lindholm
> > > <leif.lindholm at linaro.org>; Gao, Liming <liming.gao at intel.com>
> > > Subject: Re: [edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to
> > 1.1.1b
> > >
> > > On Fri, 17 May 2019 at 15:17, Laszlo Ersek <lersek at redhat.com> wrote:
> > > >
> > > > On 05/17/19 15:04, Laszlo Ersek wrote:
> > > > > On 05/17/19 07:11, Wang, Jian J wrote:
> > > > >> Hi Laszlo,
> > > > >>
> > > > >> There's already a float library used in OpensslLib.inf.
> > > > >>
> > > > >> [LibraryClasses.ARM]
> > > > >>   ArmSoftFloatLib
> > > > >>
> > > > >> The problem is that the below instance doesn't implement __aeabi_ui2d
> > > > >> and __aeabi_d2uiz (I encountered this one as well)
> > > > >>
> > > > >>   ArmPkg\Library\ArmSoftFloatLib\ArmSoftFloatLib.inf
> > > > >>
> > > > >> I think we can update this library to support those two APIs. So what about
> > > > >> we still push the patch and file a BZ to fix this issue?
> > > > >
> > > > > I'm OK with that, but it will break ARM and AARCH64 platforms that
> > > > > consume OpensslLib (directly or through BaseCryptLib), so this question
> > > > > is up to Leif and Ard to decide.
> > > >
> > > > Correction: break ARM platforms only, not AARCH64.
> > > >
> > >
> > > We obviously need to fix this before we can upgrade to a new OpenSSL version.
> > >
> > > Do we really have a need for the random functions? These seem the only
> > > ones that use floating point, which the UEFI spec does not permit, so
> > > it would be better if we could fix this by removing the dependency on
> > > FP in the first place (and get rid of ArmSoftFloatLib entirely)
> > >
> >
> > BaseCryptLib provides RandSeed/RandBytes interface which wrap openssl rand
> > functionalities. These interfaces are used by the following components in edk2:
> >
> >   - CryptoPkg\Library\TlsLib\TlsInit.c
> >   - SecurityPkg\HddPassword\HddPasswordDxe.c
> >
> > Openssl components, like asn1, bn, evp, ocsp, pem, pkcs7, pkcs12, rsa, ssl
> > (in addition to cms, dsa, srp, which are disabled in edk2) will call
> > rand_* interface as well.
> >

If we have both internal (to Openssl) and external users of the RNG
api, then I guess there is no way to work around this. It is
unfortunate, since the RNG code in OpenSSL doesn't actually use double
types except for keeping an entropy count, which could just as easily
be kept in an integer variable.

So we will need to fix ArmSoftFloatLib before we can merge this
OpenSSL update. I'm happy to help with that; could you please
summarize what we are missing today?
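
An added sketch, not part of the thread and not edk2 or ArmSoftFloatLib code: the two conversions named above as missing (`__aeabi_ui2d`, `__aeabi_d2uiz`) carried out with integer operations only. The function names are hypothetical, doubles are passed as raw IEEE-754 binary64 bit patterns, and the results for NaN, negative and too-large inputs are assumptions of this example.

```c
#include <stdint.h>

/* Hypothetical stand-ins for __aeabi_ui2d / __aeabi_d2uiz. The real helpers
 * take and return double; here a double travels as its raw binary64 bits so
 * that this file contains no floating-point operation at all. */

#define FRAC_MASK 0x000FFFFFFFFFFFFFull   /* low 52 bits: fraction field */
#define EXP_BIAS  1023

/* unsigned 32-bit integer -> binary64 bits. Always exact: 32 < 53 bits. */
uint64_t soft_ui2d(uint32_t v)
{
    int msb = 31;

    if (v == 0)
        return 0;                          /* +0.0 */
    while (!(v & (1u << msb)))             /* find the highest set bit */
        msb--;
    /* Shift the leading 1 up to bit 52, then mask it off (implicit bit). */
    return ((uint64_t)(EXP_BIAS + msb) << 52) |
           (((uint64_t)v << (52 - msb)) & FRAC_MASK);
}

/* binary64 bits -> unsigned 32-bit integer, truncating toward zero. */
uint32_t soft_d2uiz(uint64_t bits)
{
    int      sign = (int)(bits >> 63);
    int      exp  = (int)((bits >> 52) & 0x7FF);
    uint64_t frac = bits & FRAC_MASK;

    if (exp == 0x7FF && frac != 0)
        return 0;                          /* NaN -> 0 (assumption) */
    if (exp < EXP_BIAS)
        return 0;                          /* |x| < 1, zero, subnormals */
    if (sign)
        return 0;                          /* negative -> 0 (assumption) */
    if (exp > EXP_BIAS + 31)
        return UINT32_MAX;                 /* >= 2^32, +Inf: saturate (assumption) */
    /* Restore the implicit leading 1 and drop the fractional bits. */
    return (uint32_t)((frac | (1ull << 52)) >> (52 - (exp - EXP_BIAS)));
}
```
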
