[edk2-devel] [PATCH V3 00/12] Disable the deprecated MD5 and SHA1 support

Gao, Zhichao zhichao.gao at intel.com
Fri Nov 13 01:07:39 UTC 2020


I plan to catch the 202011 stable tag for this patch set. Please help to review this patch. I would like to request an extension of the review time after the feature freeze.
Making the default setting secure, and making users of edk2 aware of it if they are using insecure functions, makes sense.
If you have any doubts or comments, please feel free to let me know.

Thanks,
Zhichao 

> -----Original Message-----
> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Gao, Zhichao
> Sent: Wednesday, November 11, 2020 1:37 AM
> To: devel at edk2.groups.io
> Cc: Justen, Jordan L <jordan.l.justen at intel.com>; Laszlo Ersek
> <lersek at redhat.com>; Ard Biesheuvel <ard.biesheuvel at arm.com>; Sami
> Mujawar <sami.mujawar at arm.com>; Leif Lindholm <leif at nuviainc.com>; Yao,
> Jiewen <jiewen.yao at intel.com>; Wang, Jian J <jian.j.wang at intel.com>; Lu,
> XiaoyuX <xiaoyux.lu at intel.com>; Jiang, Guomin <guomin.jiang at intel.com>;
> Kinney, Michael D <michael.d.kinney at intel.com>; Steele, Kelly
> <kelly.steele at intel.com>; Sun, Zailiang <zailiang.sun at intel.com>; Qian, Yi
> <yi.qian at intel.com>; Liming Gao <gaoliming at byosoft.com.cn>; Maciej Rabeda
> <maciej.rabeda at linux.intel.com>; Wu, Jiaxin <jiaxin.wu at intel.com>; Fu, Siyuan
> <siyuan.fu at intel.com>; Feng, Roger <roger.feng at intel.com>; Liu, Zhiguang
> <zhiguang.liu at intel.com>
> Subject: [edk2-devel] [PATCH V3 00/12] Disable the deprecated MD5 and SHA1
> support
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027
> 
> MD5 is deprecated, so disable it by default for security.
> MD5 must be enabled explicitly if a module is still using it. The
> modules that are still using it are:
> iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).
> 
> This patch set would affect the platforms that are using the iSCSI function.
> 
> V2:
> Remove MD5 and SHA1 support of Hash2DxeCrypto.
> Remove the MD5 GUID definition in MdePkg.dec. SHA1 related GUIDs are still
> used in TPM2, so keep them.
> No requirement to add MD5 enable MACRO in SecurityPkg.
> 
> V3:
> Explicitly enable iSCSI for ArmVirtQemu, ArmVirtQemuKernel, OvmfPkgIa32,
> OvmfPkgIa32X64, OvmfPkgX64 and BhyveX64.
> And set the MD5 enable based on the new MD5 MACRO.
> Readjust the patch order.
> 
> Cc: Jordan Justen <jordan.l.justen at intel.com>
> Cc: Laszlo Ersek <lersek at redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel at arm.com>
> Cc: Sami Mujawar <sami.mujawar at arm.com>
> Cc: Leif Lindholm <leif at nuviainc.com>
> Cc: Jiewen Yao <jiewen.yao at intel.com>
> Cc: Jian J Wang <jian.j.wang at intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu at intel.com>
> Cc: Guomin Jiang <guomin.jiang at intel.com>
> Cc: Michael D Kinney <michael.d.kinney at intel.com>
> Cc: Kelly Steele <kelly.steele at intel.com>
> Cc: Zailiang Sun <zailiang.sun at intel.com>
> Cc: Yi Qian <yi.qian at intel.com>
> Cc: Liming Gao <gaoliming at byosoft.com.cn>
> Cc: Maciej Rabeda <maciej.rabeda at linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu at intel.com>
> Cc: Siyuan Fu <siyuan.fu at intel.com>
> Cc: Roger Feng <roger.feng at intel.com>
> Cc: Zhiguang Liu <zhiguang.liu at intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao at intel.com>
> 
> Zhichao Gao (12):
>   SecurityPkg/Hash2DxeCrypto: Remove MD5 support
>   SecurityPkg/Hash2DxeCrypto: Remove SHA1 support
>   CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
>   NetworkPkg: Enable MD5 while enable iSCSI
>   ArmVirtPkg/ArmVirtQemu.dsc: Enable MD5 while enable iSCSI
>   ArmVirtPkg/ArmVirtQemuKernel.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/OvmfPkgIa32.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/OvmfPkgIa32X64.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/OvmfPkgX64.dsc: Enable MD5 while enable iSCSI
>   OvmfPkg/BhyveX64.dsc: Enable MD5 while enable iSCSI
>   NetworkPkg/Defines: Make iSCSI disable as default
>   CryptoPkg: Make the MD5 disable as default for security
> 
>  ArmVirtPkg/ArmVirtQemu.dsc                             | 8 +++++++-
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                       | 8 +++++++-
>  CryptoPkg/CryptoPkg.dsc                                | 3 +++
>  CryptoPkg/Driver/Crypto.c                              | 4 ++--
>  CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
>  CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
>  CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
>  NetworkPkg/Network.dsc.inc                             | 5 +++++
>  NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
>  OvmfPkg/Bhyve/BhyveX64.dsc                             | 7 ++++++-
>  OvmfPkg/OvmfPkgIa32.dsc                                | 5 +++++
>  OvmfPkg/OvmfPkgIa32X64.dsc                             | 5 +++++
>  OvmfPkg/OvmfPkgX64.dsc                                 | 5 +++++
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c            | 2 --
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf          | 4 +---
>  15 files changed, 51 insertions(+), 15 deletions(-)
> 
> --
> 2.21.0.windows.1
> 
> 
> 
> 
> 


