Also note services that are recommended to be disabled and
update CryptoPkg.dsc PcdCryptoServiceFamilyEnable settings to
disable all deprecated services.

Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Xiaoyu Lu <xiaoyu1...@intel.com>
Cc: Guomin Jiang <guomin.ji...@intel.com>
Cc: Christopher Zurcher <christopher.zurc...@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kin...@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |  10 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h        | 122 ++++++++++--------
 2 files changed, 77 insertions(+), 55 deletions(-)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index e4e7bc0dbfae..ab28d8861f10 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -150,7 +150,6 @@ [PcdsFixedAtBuild]
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family   
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family   
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family          
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family         
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family           
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family       
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -160,8 +159,10 @@ [PcdsFixedAtBuild]
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family       
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family       
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family         
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family         
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family          
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize
              | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init   
                     | TRUE
+  
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt
                  | TRUE
+  
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt
                  | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family         
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family          
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family         
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
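Review bot: The Arc4.Family context line kept right after the new Aes.Services entries still sets `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY`, while the header hunk in PcdCryptoServiceFamilyEnable.h lists the Arc4 family as deprecated and marks every Arc4 field `// Deprecated`, so this build configuration still enables a service the same patch says must never be enabled. Dropping that line would match the treatment given to Md5 and Tdes in this file. It is not visible here whether the other deprecated families (HmacMd5, HmacSha1, Md4) have entries elsewhere in CryptoPkg.dsc; if they do, they need the same audit. The enclosing `!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"` block starts in the previous hunk and runs past this one.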
@@ -172,7 +173,7 @@ [PcdsFixedAtBuild]
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.ParallelHash.Family 
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Family   
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Bn.Family           
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family           
                     | 0
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family           
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
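Review bot: The Ec.Family setting flips from `| 0` to `| PCD_CRYPTO_SERVICE_ENABLE_FAMILY`, which newly enables an entire family in the PACKAGE ALL build, yet the visible commit message only describes disabling deprecated services. If the enablement is intended, it deserves its own sentence in the commit message; if not, it looks like an unrelated change that should be split into a separate patch. The `!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"` block that this hunk closes starts outside the hunk.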
@@ -216,6 +217,7 @@ [PcdsFixedAtBuild]
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family          
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family       
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family       
                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize
              | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init   
                     | TRUE
   
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt
                  | TRUE
   
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt
                  | TRUE
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h 
b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 47405894176c..da533543172f 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -1,6 +1,26 @@
 /** @file
   Defines the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure associated with
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable that is used
+  to enable/disable crypto services at either the family scope or the
+  individual service scope.  Platforms can minimize the number of enabled
+  services to reduce size.
+
+  The following services have been deprecated and must never be enabled.
+  The associated fields in this data structure are never removed or replaced
+  to preseve the binary layout of the data structure.  New services are
+  always added to the end of the data structure.
+  * HmacMd5 family
+  * HmacSha1 family
+  * Md4 family
+  * Md5 family
+  * Tdes family
+  * Arc4 family
+  * Aes.Services.EcbEncrypt service
+  * Aes.Services.EcbDecrypt service
+
+  Is is recommended that the following services always be disabled and may
+  be deprecated in the future.
+  * Sha1 family
 
   Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
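Review bot: Two typos in the new file comment: `preseve` should read `preserve` in the binary-layout sentence, and `Is is recommended` should read `It is recommended`. The comment states that the deprecated services "must never be enabled", but nothing in this header enforces that; consider adding a sentence saying where the rule is applied (the platform .dsc settings, as in this series) so readers understand it is a policy rather than a compile-time guarantee.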
@@ -25,25 +45,25 @@
 typedef struct {
   union {
     struct {
-      UINT8    New       : 1;
-      UINT8    Free      : 1;
-      UINT8    SetKey    : 1;
-      UINT8    Duplicate : 1;
-      UINT8    Update    : 1;
-      UINT8    Final     : 1;
+      UINT8    New       : 1;  // Deprecated
+      UINT8    Free      : 1;  // Deprecated
+      UINT8    SetKey    : 1;  // Deprecated
+      UINT8    Duplicate : 1;  // Deprecated
+      UINT8    Update    : 1;  // Deprecated
+      UINT8    Final     : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;          // Deprecated
   } HmacMd5;
   union {
     struct {
-      UINT8    New       : 1;
-      UINT8    Free      : 1;
-      UINT8    SetKey    : 1;
-      UINT8    Duplicate : 1;
-      UINT8    Update    : 1;
-      UINT8    Final     : 1;
+      UINT8    New       : 1;  // Deprecated
+      UINT8    Free      : 1;  // Deprecated
+      UINT8    SetKey    : 1;  // Deprecated
+      UINT8    Duplicate : 1;  // Deprecated
+      UINT8    Update    : 1;  // Deprecated
+      UINT8    Final     : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;          // Deprecated
   } HmacSha1;
   union {
     struct {
@@ -71,26 +91,26 @@ typedef struct {
   } HmacSha384;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Duplicate      : 1;  // Deprecated
+      UINT8    Update         : 1;  // Deprecated
+      UINT8    Final          : 1;  // Deprecated
+      UINT8    HashAll        : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
   } Md4;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Duplicate      : 1;  // Deprecated
+      UINT8    Update         : 1;  // Deprecated
+      UINT8    Final          : 1;  // Deprecated
+      UINT8    HashAll        : 1;  // Deprecated
     } Services;
     UINT32    Family;
-  } Md5;
+  } Md5;                            // Deprecated
   union {
     struct {
       UINT8    Pkcs1v2Encrypt             : 1;
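Review bot: The Md5 union is annotated differently from the Md4 union directly above it: Md4 marks `UINT32    Family;               // Deprecated` on the field itself, while Md5 leaves `Family` unmarked and puts `// Deprecated` on the closing `} Md5;` line. Every other deprecated union in this patch (HmacMd5, HmacSha1, Md4, Tdes, Arc4) carries the per-field comment, so Md5 should use the same form: annotate the `Family` field and leave `} Md5;` plain. This is consistency only; the structure layout is unchanged.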
@@ -143,14 +163,14 @@ typedef struct {
   } Rsa;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Recommend disable
+      UINT8    Init           : 1;  // Recommend disable
+      UINT8    Duplicate      : 1;  // Recommend disable
+      UINT8    Update         : 1;  // Recommend disable
+      UINT8    Final          : 1;  // Recommend disable
+      UINT8    HashAll        : 1;  // Recommend disable
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Recommend disable
   } Sha1;
   union {
     struct {
@@ -202,21 +222,21 @@ typedef struct {
   } X509;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    EcbEncrypt     : 1;
-      UINT8    EcbDecrypt     : 1;
-      UINT8    CbcEncrypt     : 1;
-      UINT8    CbcDecrypt     : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    EcbEncrypt     : 1;  // Deprecated
+      UINT8    EcbDecrypt     : 1;  // Deprecated
+      UINT8    CbcEncrypt     : 1;  // Deprecated
+      UINT8    CbcDecrypt     : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
   } Tdes;
   union {
     struct {
       UINT8    GetContextSize : 1;
       UINT8    Init           : 1;
-      UINT8    EcbEncrypt     : 1;
-      UINT8    EcbDecrypt     : 1;
+      UINT8    EcbEncrypt     : 1;  // Deprecated
+      UINT8    EcbDecrypt     : 1;  // Deprecated
       UINT8    CbcEncrypt     : 1;
       UINT8    CbcDecrypt     : 1;
     } Services;
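Review bot: Marking Aes.Services.EcbEncrypt and EcbDecrypt as deprecated leaves the Aes union's `UINT32 Family` member, on the line just past the end of this hunk, without any warning, even though Family shares storage with the whole Services bitfield, so a platform setting `Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` presumably turns the two deprecated ECB bits on as well (which is apparently why the .dsc hunk in this series switches Aes to per-service settings). Suggest a comment on that field such as `UINT32    Family;               // Enables the deprecated Ecb services; enable Aes per service instead.` and a matching remark in the file-header list of deprecated services. The Aes union's Family and closing line are outside this hunk.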
@@ -224,13 +244,13 @@ typedef struct {
   } Aes;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Encrypt        : 1;
-      UINT8    Decrypt        : 1;
-      UINT8    Reset          : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Encrypt        : 1;  // Deprecated
+      UINT8    Decrypt        : 1;  // Deprecated
+      UINT8    Reset          : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
   } Arc4;
   union {
     struct {
-- 
2.37.1.windows.1


