from:"Li, Yi"

[edk2-devel] [PATCH 0/2] Add DECLARE_LENGTH opcode of dependency expression

2023-12-18 Thread Li, Yi

Mantis: https://mantis.uefi.org/mantis/view.php?id=2025

To avoid messy parsing of the Depex section of a Capsule, it would
be a lot easier for everyone involved if we preceded the Capsule Depex
Section with a length declaration. It provides simple bounds checking
to avoid having to parse the op-codes, but in the case of a malformed
depex being parsed, avoid other issues which can be messy.

REF: UEFI spec 2.10 Table 23.4
Syntax
DECLARE_LENGTH <32-bit Length>
Description
Declares an 32-bit byte length of the entire dependency expression.
Behaviors and Restrictions
This opcode must be the first one in a dependency expression.

Yi Li (2):
  MdePkg: Add DECLARE_LENGTH opcode of dependency expression
  FmpDevicePkg: Add DECLARE_LENGTH opcode of dependency expression

 .../FmpDependencyLib/FmpDependencyLib.c   | 35 
 .../PrivateInclude/FmpLastAttemptStatus.h |  3 +
 .../EvaluateDependencyUnitTest.c  | 84 ---
 MdePkg/Include/Protocol/FirmwareManagement.h  | 29 +++
 4 files changed, 125 insertions(+), 26 deletions(-)

-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112686): https://edk2.groups.io/g/devel/message/112686
Mute This Topic: https://groups.io/mt/103257906/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 1/2] MdePkg: Add DECLARE_LENGTH opcode of dependency expression

2023-12-18 Thread Li, Yi

Mantis: https://mantis.uefi.org/mantis/view.php?id=2025

To avoid messy parsing of the Depex section of a Capsule, it would
be a lot easier for everyone involved if we preceded the Capsule Depex
Section with a length declaration. It provides simple bounds checking
to avoid having to parse the op-codes, but in the case of a malformed
depex being parsed, avoid other issues which can be messy.

REF: UEFI spec 2.10 Table 23.4

Signed-off-by: Yi Li 

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
---
 MdePkg/Include/Protocol/FirmwareManagement.h | 29 ++--
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/MdePkg/Include/Protocol/FirmwareManagement.h 
b/MdePkg/Include/Protocol/FirmwareManagement.h
index f37067df3455..e535bb697d88 100644
--- a/MdePkg/Include/Protocol/FirmwareManagement.h
+++ b/MdePkg/Include/Protocol/FirmwareManagement.h
@@ -30,20 +30,21 @@ typedef struct _EFI_FIRMWARE_MANAGEMENT_PROTOCOL 
EFI_FIRMWARE_MANAGEMENT_PROTOCO
 ///
 /// Dependency Expression Opcode
 ///
-#define EFI_FMP_DEP_PUSH_GUID 0x00
-#define EFI_FMP_DEP_PUSH_VERSION  0x01
-#define EFI_FMP_DEP_VERSION_STR   0x02
-#define EFI_FMP_DEP_AND   0x03
-#define EFI_FMP_DEP_OR0x04
-#define EFI_FMP_DEP_NOT   0x05
-#define EFI_FMP_DEP_TRUE  0x06
-#define EFI_FMP_DEP_FALSE 0x07
-#define EFI_FMP_DEP_EQ0x08
-#define EFI_FMP_DEP_GT0x09
-#define EFI_FMP_DEP_GTE   0x0A
-#define EFI_FMP_DEP_LT0x0B
-#define EFI_FMP_DEP_LTE   0x0C
-#define EFI_FMP_DEP_END   0x0D
+#define EFI_FMP_DEP_PUSH_GUID   0x00
+#define EFI_FMP_DEP_PUSH_VERSION0x01
+#define EFI_FMP_DEP_VERSION_STR 0x02
+#define EFI_FMP_DEP_AND 0x03
+#define EFI_FMP_DEP_OR  0x04
+#define EFI_FMP_DEP_NOT 0x05
+#define EFI_FMP_DEP_TRUE0x06
+#define EFI_FMP_DEP_FALSE   0x07
+#define EFI_FMP_DEP_EQ  0x08
+#define EFI_FMP_DEP_GT  0x09
+#define EFI_FMP_DEP_GTE 0x0A
+#define EFI_FMP_DEP_LT  0x0B
+#define EFI_FMP_DEP_LTE 0x0C
+#define EFI_FMP_DEP_END 0x0D
+#define EFI_FMP_DEP_DECLARE_LENGTH  0x0E
 
 ///
 /// Image Attribute - Dependency
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112687): https://edk2.groups.io/g/devel/message/112687
Mute This Topic: https://groups.io/mt/103257908/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 2/2] FmpDevicePkg: Add DECLARE_LENGTH opcode of dependency expression

2023-12-18 Thread Li, Yi

Mantis: https://mantis.uefi.org/mantis/view.php?id=2025

To avoid messy parsing of the Depex section of a Capsule, it would
be a lot easier for everyone involved if we preceded the Capsule Depex
Section with a length declaration. It provides simple bounds checking
to avoid having to parse the op-codes, but in the case of a malformed
depex being parsed, avoid other issues which can be messy.

REF: UEFI spec 2.10 Table 23.4

Signed-off-by: Yi Li 

Cc: Liming Gao 
Cc: Michael D Kinney 
Cc: Wei6 Xu 
---
 .../FmpDependencyLib/FmpDependencyLib.c   | 35 
 .../PrivateInclude/FmpLastAttemptStatus.h |  3 +
 .../EvaluateDependencyUnitTest.c  | 84 ---
 3 files changed, 110 insertions(+), 12 deletions(-)

diff --git a/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c 
b/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c
index 76a1ee3f40db..50662e74e065 100644
--- a/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c
+++ b/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c
@@ -234,6 +234,7 @@ EvaluateDependency (
   GUID   ImageTypeId;
   UINT32 Version;
   UINT32 LocalLastAttemptStatus;
+  UINT32 DeclaredLength;
 
   LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_SUCCESS;
 
@@ -489,6 +490,37 @@ EvaluateDependency (
 }
 
 return Element1.Value.Boolean;
+  case EFI_FMP_DEP_DECLARE_LENGTH:
+if (Iterator + sizeof (UINT32) >= (UINT8 *)Dependencies->Dependencies 
+ DependenciesSize ) {
+  DEBUG ((DEBUG_ERROR, "EvaluateDependency: DECLARE_LENGTH extends 
beyond end of dependency expression!\n"));
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_BEYOND_DEPEX;
+  goto Error;
+}
+
+//
+// This opcode must be the first one in a dependency expression.
+//
+if (Iterator != Dependencies->Dependencies) {
+  DEBUG ((DEBUG_ERROR, "EvaluateDependency: DECLARE_LENGTH is not the 
first opcode!\n"));
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_NOT_FIRST_OPCODE;
+  goto Error;
+}
+
+DeclaredLength = *(UINT32 *)(Iterator + 1);
+if (DeclaredLength != DependenciesSize) {
+  DEBUG ((DEBUG_ERROR, "EvaluateDependency: DECLARE_LENGTH is not 
equal to length of dependency expression!\n"));
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_INCORRECT;
+  goto Error;
+}
+
+Status = Push (DeclaredLength, VersionType);
+if (EFI_ERROR (Status)) {
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE;
+  goto Error;
+}
+
+Iterator = Iterator + sizeof (UINT32);
+break;
   default:
 DEBUG ((DEBUG_ERROR, "EvaluateDependency: Unknown Opcode - %02x!\n", 
*Iterator));
 LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_UNKNOWN_OPCODE;
@@ -574,6 +606,9 @@ ValidateDependency (
 }
 
 return TRUE;
+  case EFI_FMP_DEP_DECLARE_LENGTH:
+Depex += sizeof (UINT32) + 1;
+break;
   default:
 return FALSE;
 }
diff --git a/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h 
b/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h
index 39a55dd2c643..aaa3334909c8 100644
--- a/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h
+++ b/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h
@@ -66,6 +66,9 @@ enum LAST_ATTEMPT_STATUS_EXPANDED_ERROR_LIST {
   LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_FMP_NOT_FOUND,
   LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE,
   LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE,
+  LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_NOT_FIRST_OPCODE,
+  LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_BEYOND_DEPEX,
+  LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_INCORRECT,
 
   ///
   /// Last attempt status codes used in FmpDependencyCheckLib
diff --git 
a/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
 
b/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
index 0edb7f67306f..352887af2c5e 100644
--- 
a/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
+++ 
b/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
@@ -125,19 +125,75 @@ static UINT8  mExpression11[] = {
   EFI_FMP_DEP_END
 };
 
+// Valid Dependency Expression 7: With correct declared length
+static UINT8  mExpression12[] = {
+  EFI_FMP_DEP_DECLARE_LENGTH, 0x35, 0x00, 0x00, 0x00,
+  EFI_FMP_DEP_PUSH_VERSION,   0x01, 0x00, 0x00, 0x00,
+  EFI_FMP_DEP_PUSH_GUID,  0xFA, 0x4D, 0x14, 0x97,0x8E,  0xEB, 0x4D, 0xD1, 
0x8B, 0x4D, 0x39, 0x88, 0x24, 0x96, 0x56, 0x42,
+  EFI_FMP_DEP_GT,
+  EFI_FMP_DEP_PUSH_VERSION,   0x03, 0x00, 0x00, 0x00,
+  EFI_FMP_DEP_PUSH_GUID,  0x70, 0x73, 0x2A, 0xA4,0x3A,  0x

[edk2-devel] [PATCH V2 0/2] Add DECLARE_LENGTH opcode of dependency expression

2023-12-19 Thread Li, Yi

To avoid messy parsing of the Depex section of a Capsule, it would
be a lot easier for everyone involved if we preceded the Capsule Depex
Section with a length declaration. It provides simple bounds checking
to avoid having to parse the op-codes, but in the case of a malformed
depex being parsed, avoid other issues which can be messy.

Syntax
DECLARE_LENGTH <32-bit Length>
Description
Declares an 32-bit byte length of the entire dependency expression.
Behaviors and Restrictions
This opcode must be the first one in a dependency expression.

REF: UEFI spec 2.10 Table 23.4

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
Cc: Wei6 Xu 

Yi Li (2):
  MdePkg: Add DECLARE_LENGTH opcode of dependency expression
  FmpDevicePkg: Add DECLARE_LENGTH opcode of dependency expression

 .../FmpDependencyLib/FmpDependencyLib.c   | 35 
 .../PrivateInclude/FmpLastAttemptStatus.h |  3 +
 .../EvaluateDependencyUnitTest.c  | 84 ---
 MdePkg/Include/Protocol/FirmwareManagement.h  | 29 +++
 4 files changed, 125 insertions(+), 26 deletions(-)

-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112737): https://edk2.groups.io/g/devel/message/112737
Mute This Topic: https://groups.io/mt/103274336/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V2 1/2] MdePkg: Add DECLARE_LENGTH opcode of dependency expression

2023-12-19 Thread Li, Yi

To avoid messy parsing of the Depex section of a Capsule, it would
be a lot easier for everyone involved if we preceded the Capsule Depex
Section with a length declaration. It provides simple bounds checking
to avoid having to parse the op-codes, but in the case of a malformed
depex being parsed, avoid other issues which can be messy.

Syntax
DECLARE_LENGTH <32-bit Length>
Description
Declares an 32-bit byte length of the entire dependency expression.
Behaviors and Restrictions
This opcode must be the first one in a dependency expression.

REF: UEFI spec 2.10 Table 23.4

Signed-off-by: Yi Li 

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
---
 MdePkg/Include/Protocol/FirmwareManagement.h | 29 ++--
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/MdePkg/Include/Protocol/FirmwareManagement.h 
b/MdePkg/Include/Protocol/FirmwareManagement.h
index f37067df3455..e535bb697d88 100644
--- a/MdePkg/Include/Protocol/FirmwareManagement.h
+++ b/MdePkg/Include/Protocol/FirmwareManagement.h
@@ -30,20 +30,21 @@ typedef struct _EFI_FIRMWARE_MANAGEMENT_PROTOCOL 
EFI_FIRMWARE_MANAGEMENT_PROTOCO
 ///
 /// Dependency Expression Opcode
 ///
-#define EFI_FMP_DEP_PUSH_GUID 0x00
-#define EFI_FMP_DEP_PUSH_VERSION  0x01
-#define EFI_FMP_DEP_VERSION_STR   0x02
-#define EFI_FMP_DEP_AND   0x03
-#define EFI_FMP_DEP_OR0x04
-#define EFI_FMP_DEP_NOT   0x05
-#define EFI_FMP_DEP_TRUE  0x06
-#define EFI_FMP_DEP_FALSE 0x07
-#define EFI_FMP_DEP_EQ0x08
-#define EFI_FMP_DEP_GT0x09
-#define EFI_FMP_DEP_GTE   0x0A
-#define EFI_FMP_DEP_LT0x0B
-#define EFI_FMP_DEP_LTE   0x0C
-#define EFI_FMP_DEP_END   0x0D
+#define EFI_FMP_DEP_PUSH_GUID   0x00
+#define EFI_FMP_DEP_PUSH_VERSION0x01
+#define EFI_FMP_DEP_VERSION_STR 0x02
+#define EFI_FMP_DEP_AND 0x03
+#define EFI_FMP_DEP_OR  0x04
+#define EFI_FMP_DEP_NOT 0x05
+#define EFI_FMP_DEP_TRUE0x06
+#define EFI_FMP_DEP_FALSE   0x07
+#define EFI_FMP_DEP_EQ  0x08
+#define EFI_FMP_DEP_GT  0x09
+#define EFI_FMP_DEP_GTE 0x0A
+#define EFI_FMP_DEP_LT  0x0B
+#define EFI_FMP_DEP_LTE 0x0C
+#define EFI_FMP_DEP_END 0x0D
+#define EFI_FMP_DEP_DECLARE_LENGTH  0x0E
 
 ///
 /// Image Attribute - Dependency
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112738): https://edk2.groups.io/g/devel/message/112738
Mute This Topic: https://groups.io/mt/103274337/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V2 2/2] FmpDevicePkg: Add DECLARE_LENGTH opcode of dependency expression

2023-12-19 Thread Li, Yi

To avoid messy parsing of the Depex section of a Capsule, it would
be a lot easier for everyone involved if we preceded the Capsule Depex
Section with a length declaration. It provides simple bounds checking
to avoid having to parse the op-codes, but in the case of a malformed
depex being parsed, avoid other issues which can be messy.

Syntax
DECLARE_LENGTH <32-bit Length>
Description
Declares an 32-bit byte length of the entire dependency expression.
Behaviors and Restrictions
This opcode must be the first one in a dependency expression.

REF: UEFI spec 2.10 Table 23.4

Signed-off-by: Yi Li 

Cc: Liming Gao 
Cc: Michael D Kinney 
Cc: Wei6 Xu 
---
 .../FmpDependencyLib/FmpDependencyLib.c   | 35 
 .../PrivateInclude/FmpLastAttemptStatus.h |  3 +
 .../EvaluateDependencyUnitTest.c  | 84 ---
 3 files changed, 110 insertions(+), 12 deletions(-)

diff --git a/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c 
b/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c
index 76a1ee3f40db..50662e74e065 100644
--- a/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c
+++ b/FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.c
@@ -234,6 +234,7 @@ EvaluateDependency (
   GUID   ImageTypeId;
   UINT32 Version;
   UINT32 LocalLastAttemptStatus;
+  UINT32 DeclaredLength;
 
   LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_SUCCESS;
 
@@ -489,6 +490,37 @@ EvaluateDependency (
 }
 
 return Element1.Value.Boolean;
+  case EFI_FMP_DEP_DECLARE_LENGTH:
+if (Iterator + sizeof (UINT32) >= (UINT8 *)Dependencies->Dependencies 
+ DependenciesSize ) {
+  DEBUG ((DEBUG_ERROR, "EvaluateDependency: DECLARE_LENGTH extends 
beyond end of dependency expression!\n"));
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_BEYOND_DEPEX;
+  goto Error;
+}
+
+//
+// This opcode must be the first one in a dependency expression.
+//
+if (Iterator != Dependencies->Dependencies) {
+  DEBUG ((DEBUG_ERROR, "EvaluateDependency: DECLARE_LENGTH is not the 
first opcode!\n"));
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_NOT_FIRST_OPCODE;
+  goto Error;
+}
+
+DeclaredLength = *(UINT32 *)(Iterator + 1);
+if (DeclaredLength != DependenciesSize) {
+  DEBUG ((DEBUG_ERROR, "EvaluateDependency: DECLARE_LENGTH is not 
equal to length of dependency expression!\n"));
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_INCORRECT;
+  goto Error;
+}
+
+Status = Push (DeclaredLength, VersionType);
+if (EFI_ERROR (Status)) {
+  LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE;
+  goto Error;
+}
+
+Iterator = Iterator + sizeof (UINT32);
+break;
   default:
 DEBUG ((DEBUG_ERROR, "EvaluateDependency: Unknown Opcode - %02x!\n", 
*Iterator));
 LocalLastAttemptStatus = 
LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_UNKNOWN_OPCODE;
@@ -574,6 +606,9 @@ ValidateDependency (
 }
 
 return TRUE;
+  case EFI_FMP_DEP_DECLARE_LENGTH:
+Depex += sizeof (UINT32) + 1;
+break;
   default:
 return FALSE;
 }
diff --git a/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h 
b/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h
index 39a55dd2c643..aaa3334909c8 100644
--- a/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h
+++ b/FmpDevicePkg/PrivateInclude/FmpLastAttemptStatus.h
@@ -66,6 +66,9 @@ enum LAST_ATTEMPT_STATUS_EXPANDED_ERROR_LIST {
   LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_FMP_NOT_FOUND,
   LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE,
   LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE,
+  LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_NOT_FIRST_OPCODE,
+  LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_BEYOND_DEPEX,
+  LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_DECLARE_LENGTH_INCORRECT,
 
   ///
   /// Last attempt status codes used in FmpDependencyCheckLib
diff --git 
a/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
 
b/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
index 0edb7f67306f..352887af2c5e 100644
--- 
a/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
+++ 
b/FmpDevicePkg/Test/UnitTest/Library/FmpDependencyLib/EvaluateDependencyUnitTest.c
@@ -125,19 +125,75 @@ static UINT8  mExpression11[] = {
   EFI_FMP_DEP_END
 };
 
+// Valid Dependency Expression 7: With correct declared length
+static UINT8  mExpression12[] = {
+  EFI_FMP_DEP_DECLARE_LENGTH, 0x35, 0x00, 0x00, 0x00,
+  EFI_FMP_DEP_PUSH_VERSION,   0x01, 0x00, 0x00, 0x00,
+  EFI_FMP_DEP_PUSH_GUID,  0xFA, 0x4D, 0x14, 0x97,0x8E,  0xEB, 0x4D, 0xD1, 
0x8B, 0x4D, 0x39, 0x88, 0x24, 0x96

[edk2-devel] [PATCH 0/2] Update keybaord map based on UEFI spec 2.10

2023-12-21 Thread Li, Yi

REF: UEFI SPEC 2.10 34.8.10 EFI_KEY

Add EfiKeyIntl0-9.

Signed-off-by: Yi Li 

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
Cc: Rebecca Cran 
Cc: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 

Yi Li (2):
  MdePkg: Update keybaord map based on UEFI spec 2.10
  BaseTools: Update keybaord map based on UEFI spec 2.10

 .../Include/Common/UefiInternalFormRepresentation.h  | 12 +++-
 BaseTools/Source/C/Include/Protocol/HiiFramework.h   | 12 +++-
 MdePkg/Include/Uefi/UefiInternalFormRepresentation.h | 12 +++-
 3 files changed, 33 insertions(+), 3 deletions(-)

-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112830): https://edk2.groups.io/g/devel/message/112830
Mute This Topic: https://groups.io/mt/103312998/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 1/2] MdePkg: Update keybaord map based on UEFI spec 2.10

2023-12-21 Thread Li, Yi

REF: UEFI SPEC 2.10 34.8.10 EFI_KEY

Add EfiKeyIntl0-9.

Signed-off-by: Yi Li 

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
---
 MdePkg/Include/Uefi/UefiInternalFormRepresentation.h | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h 
b/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h
index 3be9a0d7d66b..3f8974857258 100644
--- a/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h
+++ b/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h
@@ -1696,7 +1696,17 @@ typedef enum {
   EfiKeyF12,
   EfiKeyPrint,
   EfiKeySLck,
-  EfiKeyPause
+  EfiKeyPause,
+  EfiKeyIntl0,
+  EfiKeyIntl1,
+  EfiKeyIntl2,
+  EfiKeyIntl3,
+  EfiKeyIntl4,
+  EfiKeyIntl5,
+  EfiKeyIntl6,
+  EfiKeyIntl7,
+  EfiKeyIntl8,
+  EfiKeyIntl9
 } EFI_KEY;
 
 typedef struct {
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112831): https://edk2.groups.io/g/devel/message/112831
Mute This Topic: https://groups.io/mt/103312999/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 2/2] BaseTools: Update keybaord map based on UEFI spec 2.10

2023-12-21 Thread Li, Yi

REF: UEFI SPEC 2.10 34.8.10 EFI_KEY

Add EfiKeyIntl0-9.

Signed-off-by: Yi Li 

Cc: Rebecca Cran 
Cc: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 
---
 .../Include/Common/UefiInternalFormRepresentation.h  | 12 +++-
 BaseTools/Source/C/Include/Protocol/HiiFramework.h   | 12 +++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h 
b/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
index b9fa8c39a6d0..cb009ed68ecb 100644
--- a/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
+++ b/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
@@ -1556,7 +1556,17 @@ typedef enum {
   EfiKeyF12,
   EfiKeyPrint,
   EfiKeySLck,
-  EfiKeyPause
+  EfiKeyPause,
+  EfiKeyIntl0,
+  EfiKeyIntl1,
+  EfiKeyIntl2,
+  EfiKeyIntl3,
+  EfiKeyIntl4,
+  EfiKeyIntl5,
+  EfiKeyIntl6,
+  EfiKeyIntl7,
+  EfiKeyIntl8,
+  EfiKeyIntl9
 } EFI_KEY;
 
 typedef struct {
diff --git a/BaseTools/Source/C/Include/Protocol/HiiFramework.h 
b/BaseTools/Source/C/Include/Protocol/HiiFramework.h
index 448350967bbf..874889095700 100644
--- a/BaseTools/Source/C/Include/Protocol/HiiFramework.h
+++ b/BaseTools/Source/C/Include/Protocol/HiiFramework.h
@@ -350,7 +350,17 @@ typedef enum {
   EfiKeyF12,
   EfiKeyPrint,
   EfiKeySLck,
-  EfiKeyPause
+  EfiKeyPause,
+  EfiKeyIntl0,
+  EfiKeyIntl1,
+  EfiKeyIntl2,
+  EfiKeyIntl3,
+  EfiKeyIntl4,
+  EfiKeyIntl5,
+  EfiKeyIntl6,
+  EfiKeyIntl7,
+  EfiKeyIntl8,
+  EfiKeyIntl9
 } EFI_KEY;
 
 typedef struct {
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112832): https://edk2.groups.io/g/devel/message/112832
Mute This Topic: https://groups.io/mt/103313001/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10

2023-12-24 Thread Li, Yi

REF: UEFI SPEC 2.10 34.8.10 EFI_KEY

Add EfiKeyIntl0-9.

Signed-off-by: Yi Li 

v2:
Remove changes in HiiFramework.h because it should follow HII spec.

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
Cc: Rebecca Cran 
Cc: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 

Yi Li (2):
  MdePkg: Update keybaord map based on UEFI spec 2.10
  BaseTools: Update keybaord map based on UEFI spec 2.10

 .../Include/Common/UefiInternalFormRepresentation.h  | 12 +++-
 MdePkg/Include/Uefi/UefiInternalFormRepresentation.h | 12 +++-
 2 files changed, 22 insertions(+), 2 deletions(-)

-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112878): https://edk2.groups.io/g/devel/message/112878
Mute This Topic: https://groups.io/mt/103355716/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V2 1/2] MdePkg: Update keybaord map based on UEFI spec 2.10

2023-12-24 Thread Li, Yi

REF: UEFI SPEC 2.10 34.8.10 EFI_KEY

Add EfiKeyIntl0-9.

Signed-off-by: Yi Li 

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
---
 MdePkg/Include/Uefi/UefiInternalFormRepresentation.h | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h 
b/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h
index 3be9a0d7d66b..3f8974857258 100644
--- a/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h
+++ b/MdePkg/Include/Uefi/UefiInternalFormRepresentation.h
@@ -1696,7 +1696,17 @@ typedef enum {
   EfiKeyF12,
   EfiKeyPrint,
   EfiKeySLck,
-  EfiKeyPause
+  EfiKeyPause,
+  EfiKeyIntl0,
+  EfiKeyIntl1,
+  EfiKeyIntl2,
+  EfiKeyIntl3,
+  EfiKeyIntl4,
+  EfiKeyIntl5,
+  EfiKeyIntl6,
+  EfiKeyIntl7,
+  EfiKeyIntl8,
+  EfiKeyIntl9
 } EFI_KEY;
 
 typedef struct {
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112879): https://edk2.groups.io/g/devel/message/112879
Mute This Topic: https://groups.io/mt/103355717/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V2 2/2] BaseTools: Update keybaord map based on UEFI spec 2.10

2023-12-24 Thread Li, Yi

REF: UEFI SPEC 2.10 34.8.10 EFI_KEY

Add EfiKeyIntl0-9.

Signed-off-by: Yi Li 

Cc: Rebecca Cran 
Cc: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 
---
 .../Include/Common/UefiInternalFormRepresentation.h  | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h 
b/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
index b9fa8c39a6d0..cb009ed68ecb 100644
--- a/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
+++ b/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
@@ -1556,7 +1556,17 @@ typedef enum {
   EfiKeyF12,
   EfiKeyPrint,
   EfiKeySLck,
-  EfiKeyPause
+  EfiKeyPause,
+  EfiKeyIntl0,
+  EfiKeyIntl1,
+  EfiKeyIntl2,
+  EfiKeyIntl3,
+  EfiKeyIntl4,
+  EfiKeyIntl5,
+  EfiKeyIntl6,
+  EfiKeyIntl7,
+  EfiKeyIntl8,
+  EfiKeyIntl9
 } EFI_KEY;
 
 typedef struct {
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112880): https://edk2.groups.io/g/devel/message/112880
Mute This Topic: https://groups.io/mt/103355719/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 2/2] BaseTools: Update keybaord map based on UEFI spec 2.10

2023-12-24 Thread Li, Yi

Thanks for your review, patch updated.

Regards,
Yi

-Original Message-
From: gaoliming  
Sent: Saturday, December 23, 2023 10:16 AM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: 'Rebecca Cran' ; Feng, Bob C ; 
Chen, Christine 
Subject: 回复: [PATCH 2/2] BaseTools: Update keybaord map based on UEFI spec 2.10

Don't need to update HiiFramework.h , because this protocol is from HII spec, 
not from UEFI spec. 

Thanks
Liming
> -邮件原件-
> 发件人: Yi Li 
> 发送时间: 2023年12月22日 11:40
> 收件人: devel@edk2.groups.io
> 抄送: Yi Li ; Rebecca Cran ; Liming 
> Gao ; Bob Feng ; Yuwei 
> Chen 
> 主题: [PATCH 2/2] BaseTools: Update keybaord map based on UEFI spec 2.10
> 
> REF: UEFI SPEC 2.10 34.8.10 EFI_KEY
> 
> Add EfiKeyIntl0-9.
> 
> Signed-off-by: Yi Li 
> 
> Cc: Rebecca Cran 
> Cc: Liming Gao 
> Cc: Bob Feng 
> Cc: Yuwei Chen 
> ---
>  .../Include/Common/UefiInternalFormRepresentation.h  | 12
> +++-
>  BaseTools/Source/C/Include/Protocol/HiiFramework.h   | 12
> +++-
>  2 files changed, 22 insertions(+), 2 deletions(-)
> 
> diff --git
> a/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
> b/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
> index b9fa8c39a6d0..cb009ed68ecb 100644
> ---
> a/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
> +++
> b/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
> @@ -1556,7 +1556,17 @@ typedef enum {
>EfiKeyF12,
>EfiKeyPrint,
>EfiKeySLck,
> -  EfiKeyPause
> +  EfiKeyPause,
> +  EfiKeyIntl0,
> +  EfiKeyIntl1,
> +  EfiKeyIntl2,
> +  EfiKeyIntl3,
> +  EfiKeyIntl4,
> +  EfiKeyIntl5,
> +  EfiKeyIntl6,
> +  EfiKeyIntl7,
> +  EfiKeyIntl8,
> +  EfiKeyIntl9
>  } EFI_KEY;
> 
>  typedef struct {
> diff --git a/BaseTools/Source/C/Include/Protocol/HiiFramework.h
> b/BaseTools/Source/C/Include/Protocol/HiiFramework.h
> index 448350967bbf..874889095700 100644
> --- a/BaseTools/Source/C/Include/Protocol/HiiFramework.h
> +++ b/BaseTools/Source/C/Include/Protocol/HiiFramework.h
> @@ -350,7 +350,17 @@ typedef enum {
>EfiKeyF12,
>EfiKeyPrint,
>EfiKeySLck,
> -  EfiKeyPause
> +  EfiKeyPause,
> +  EfiKeyIntl0,
> +  EfiKeyIntl1,
> +  EfiKeyIntl2,
> +  EfiKeyIntl3,
> +  EfiKeyIntl4,
> +  EfiKeyIntl5,
> +  EfiKeyIntl6,
> +  EfiKeyIntl7,
> +  EfiKeyIntl8,
> +  EfiKeyIntl9
>  } EFI_KEY;
> 
>  typedef struct {
> --
> 2.42.0.windows.2





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112881): https://edk2.groups.io/g/devel/message/112881
Mute This Topic: https://groups.io/mt/103355726/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V2 0/2] Add DECLARE_LENGTH opcode of dependency expression

2023-12-29 Thread Li, Yi

Hello, any comments about this patch series?

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Wednesday, December 20, 2023 9:55 AM
To: devel@edk2.groups.io
Cc: Li, Yi1 ; Kinney, Michael D ; 
Gao, Liming ; Liu, Zhiguang ; 
Xu, Wei6 
Subject: [edk2-devel] [PATCH V2 0/2] Add DECLARE_LENGTH opcode of dependency 
expression

To avoid messy parsing of the Depex section of a Capsule, it would be a lot 
easier for everyone involved if we preceded the Capsule Depex Section with a 
length declaration. It provides simple bounds checking to avoid having to parse 
the op-codes, but in the case of a malformed depex being parsed, avoid other 
issues which can be messy.

Syntax
DECLARE_LENGTH <32-bit Length>
Description
Declares an 32-bit byte length of the entire dependency expression.
Behaviors and Restrictions
This opcode must be the first one in a dependency expression.

REF: UEFI spec 2.10 Table 23.4

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
Cc: Wei6 Xu 

Yi Li (2):
  MdePkg: Add DECLARE_LENGTH opcode of dependency expression
  FmpDevicePkg: Add DECLARE_LENGTH opcode of dependency expression

 .../FmpDependencyLib/FmpDependencyLib.c   | 35 
 .../PrivateInclude/FmpLastAttemptStatus.h |  3 +
 .../EvaluateDependencyUnitTest.c  | 84 ---
 MdePkg/Include/Protocol/FirmwareManagement.h  | 29 +++
 4 files changed, 125 insertions(+), 26 deletions(-)

--
2.42.0.windows.2

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112998): https://edk2.groups.io/g/devel/message/112998
Mute This Topic: https://groups.io/mt/103274336/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10

2023-12-29 Thread Li, Yi

Hello, any comments about this patch series?

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Monday, December 25, 2023 10:23 AM
To: devel@edk2.groups.io
Cc: Li, Yi1 ; Kinney, Michael D ; 
Gao, Liming ; Liu, Zhiguang ; 
Rebecca Cran ; Feng, Bob C ; Chen, 
Christine 
Subject: [edk2-devel] [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10

REF: UEFI SPEC 2.10 34.8.10 EFI_KEY

Add EfiKeyIntl0-9.

Signed-off-by: Yi Li 

v2:
Remove changes in HiiFramework.h because it should follow HII spec.

Cc: Michael D Kinney 
Cc: Liming Gao 
Cc: Zhiguang Liu 
Cc: Rebecca Cran 
Cc: Liming Gao 
Cc: Bob Feng 
Cc: Yuwei Chen 

Yi Li (2):
  MdePkg: Update keybaord map based on UEFI spec 2.10
  BaseTools: Update keybaord map based on UEFI spec 2.10

 .../Include/Common/UefiInternalFormRepresentation.h  | 12 +++-  
MdePkg/Include/Uefi/UefiInternalFormRepresentation.h | 12 +++-
 2 files changed, 22 insertions(+), 2 deletions(-)

--
2.42.0.windows.2








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112999): https://edk2.groups.io/g/devel/message/112999
Mute This Topic: https://groups.io/mt/103355716/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V2 0/2] Add DECLARE_LENGTH opcode of dependency expression

2024-01-03 Thread Li, Yi

Hi Liming,

I created a PR and CI passed, could you help merge it?
https://github.com/tianocore/edk2/pull/5210

Thanks,
Yi

-Original Message-
From: gaoliming  
Sent: Wednesday, January 3, 2024 8:52 AM
To: Xu, Wei6 ; Li, Yi1 ; 
devel@edk2.groups.io
Cc: Kinney, Michael D ; Liu, Zhiguang 

Subject: 回复: [PATCH V2 0/2] Add DECLARE_LENGTH opcode of dependency expression

Reviewed-by: Liming Gao  for this patch set. 

> -邮件原件-
> 发件人: Xu, Wei6 
> 发送时间: 2024年1月2日 9:43
> 收件人: Li, Yi1 ; devel@edk2.groups.io
> 抄送: Kinney, Michael D ; Gao, Liming 
> ; Liu, Zhiguang 
> 主题: RE: [PATCH V2 0/2] Add DECLARE_LENGTH opcode of dependency 
> expression
> 
> Reviewed-by: Wei6 Xu 
> 
> -Original Message-
> From: Li, Yi1 
> Sent: Wednesday, December 20, 2023 9:55 AM
> To: devel@edk2.groups.io
> Cc: Li, Yi1 ; Kinney, Michael D 
> ; Gao, Liming ; 
> Liu, Zhiguang ; Xu, Wei6 
> Subject: [PATCH V2 0/2] Add DECLARE_LENGTH opcode of dependency 
> expression
> 
> To avoid messy parsing of the Depex section of a Capsule, it would be 
> a
lot
> easier for everyone involved if we preceded the Capsule Depex Section 
> with
a
> length declaration. It provides simple bounds checking to avoid having 
> to parse the op-codes, but in the case of a malformed depex being 
> parsed,
avoid
> other issues which can be messy.
> 
> Syntax
> DECLARE_LENGTH <32-bit Length>
> Description
> Declares an 32-bit byte length of the entire dependency expression.
> Behaviors and Restrictions
> This opcode must be the first one in a dependency expression.
> 
> REF: UEFI spec 2.10 Table 23.4
> 
> Cc: Michael D Kinney 
> Cc: Liming Gao 
> Cc: Zhiguang Liu 
> Cc: Wei6 Xu 
> 
> Yi Li (2):
>   MdePkg: Add DECLARE_LENGTH opcode of dependency expression
>   FmpDevicePkg: Add DECLARE_LENGTH opcode of dependency expression
> 
>  .../FmpDependencyLib/FmpDependencyLib.c   | 35 
>  .../PrivateInclude/FmpLastAttemptStatus.h |  3 +
>  .../EvaluateDependencyUnitTest.c  | 84
> ---
>  MdePkg/Include/Protocol/FirmwareManagement.h  | 29 +++
>  4 files changed, 125 insertions(+), 26 deletions(-)
> 
> --
> 2.42.0.windows.2





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113067): https://edk2.groups.io/g/devel/message/113067
Mute This Topic: https://groups.io/mt/103499595/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: move define to CrtLibSupport

2024-01-04 Thread Li, Yi




Looks good to me.
Reviewed-by: Yi Li 


-Original Message-
From: Hou, Wenxing  
Sent: Thursday, January 4, 2024 4:20 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Jiang, 
Guomin 
Subject: [PATCH 1/1] CryptoPkg: move define to CrtLibSupport

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4632

The before code will cause redefine error.
This patch move them to CrtLibSupport header.
But Openssl has already defined them internally, need to increase support for 
OPENSLL_SYS_UEFI judgment.

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 CryptoPkg/Library/Include/CrtLibSupport.h | 15 +++
 CryptoPkg/Library/Include/stdint.h| 10 --
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h 
b/CryptoPkg/Library/Include/CrtLibSupport.h
index f36fe08f0c61..76591f12cb67 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -424,4 +424,19 @@ strcpy (
 #define atoi(nptr)  AsciiStrDecimalToUintn(nptr) #define 
gettimeofday(tvp, tz)   do { (tvp)->tv_sec = time(NULL); (tvp)->tv_usec = 0; } 
while (0) +//+// only use in Mbedlts. The Openssl has defined them 
internally.+//+#ifndef OPENSSL_SYS_UEFI+typedef INT8   int8_t;+typedef UINT8  
uint8_t;+typedef INT16  int16_t;+typedef UINT16 uint16_t;+typedef INT32  
int32_t;+typedef UINT32 uint32_t;+typedef INT64  int64_t;+typedef UINT64 
uint64_t;+typedef UINTN  uintptr_t;+#endif+ #endifdiff --git 
a/CryptoPkg/Library/Include/stdint.h b/CryptoPkg/Library/Include/stdint.h
index 17b8c767d7be..786d57e8d53d 100644
--- a/CryptoPkg/Library/Include/stdint.h
+++ b/CryptoPkg/Library/Include/stdint.h
@@ -7,13 +7,3 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 **/  #include --typedef INT8int8_t;-typedef UINT8   
uint8_t;-typedef INT16   int16_t;-typedef UINT16  uint16_t;-typedef INT32   
int32_t;-typedef UINT32  uint32_t;-typedef INT64   int64_t;-typedef UINT64  
uint64_t;-typedef UINTN   uintptr_t;-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113152): https://edk2.groups.io/g/devel/message/113152
Mute This Topic: https://groups.io/mt/103519077/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: fix gcc build fail for CryptoPkgMbedtls

2024-01-04 Thread Li, Yi

Hi,
> disabling it can reduce code size in some embedded targets.
Could you provide size change after/before this define enabled?

Thanks,
Yi

-Original Message-
From: Hou, Wenxing  
Sent: Thursday, January 4, 2024 4:34 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Jiang, 
Guomin 
Subject: [PATCH 1/1] CryptoPkg: fix gcc build fail for CryptoPkgMbedtls

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4630

Enable MBEDTLS_NO_UDBL_DIVISION to fix GCC x64 build failure.

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h 
b/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
index ae9ef3a1b380..3068612c0815 100644
--- a/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
+++ b/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
@@ -67,7 +67,7 @@
  * example, if double-width division is implemented in software, disabling

  * it can reduce code size in some embedded targets.

  */

-// #define MBEDTLS_NO_UDBL_DIVISION

+#define MBEDTLS_NO_UDBL_DIVISION

 

 /**

  * \def MBEDTLS_NO_64BIT_MULTIPLICATION

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113154): https://edk2.groups.io/g/devel/message/113154
Mute This Topic: https://groups.io/mt/103519146/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: fix gcc build fail for CryptoPkgMbedtls

2024-01-08 Thread Li, Yi

Sounds good, thank you.

Reviewed-by: Yi Li 

-Original Message-
From: Hou, Wenxing  
Sent: Monday, January 8, 2024 4:23 PM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Yao, Jiewen ; Jiang, Guomin 
Subject: RE: [PATCH 1/1] CryptoPkg: fix gcc build fail for CryptoPkgMbedtls

Hi,

For VS build, the size is same for enable or disable MBEDTLS_NO_UDBL_DIVISION, 
because the previous code only had GCC build failure. This MACRO doesn't affect 
the VS build.

For GCC build, the previous code didn`t have the size because of the build 
failure.
To compare the size ,I add the dummy API for previous code:
tu_int __udivti3 (tu_int a, tu_int b)  { return 0;} And the size has very small 
change(<1kb) for enable or disable MBEDTLS_NO_UDBL_DIVISION.

Thanks
Wenxing


-Original Message-
From: Li, Yi1 
Sent: Thursday, January 4, 2024 4:59 PM
To: Hou, Wenxing ; devel@edk2.groups.io
Cc: Yao, Jiewen ; Jiang, Guomin 
Subject: RE: [PATCH 1/1] CryptoPkg: fix gcc build fail for CryptoPkgMbedtls

Hi,
> disabling it can reduce code size in some embedded targets.
Could you provide size change after/before this define enabled?

Thanks,
Yi

-Original Message-
From: Hou, Wenxing 
Sent: Thursday, January 4, 2024 4:34 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Jiang, 
Guomin 
Subject: [PATCH 1/1] CryptoPkg: fix gcc build fail for CryptoPkgMbedtls

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4630

Enable MBEDTLS_NO_UDBL_DIVISION to fix GCC x64 build failure.

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h 
b/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
index ae9ef3a1b380..3068612c0815 100644
--- a/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
+++ b/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
@@ -67,7 +67,7 @@
  * example, if double-width division is implemented in software, disabling

  * it can reduce code size in some embedded targets.

  */

-// #define MBEDTLS_NO_UDBL_DIVISION

+#define MBEDTLS_NO_UDBL_DIVISION

 

 /**

  * \def MBEDTLS_NO_64BIT_MULTIPLICATION

--
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113371): https://edk2.groups.io/g/devel/message/113371
Mute This Topic: https://groups.io/mt/103519146/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10

2024-01-08 Thread Li, Yi

Thanks! I created a PR: https://github.com/tianocore/edk2/pull/5187
Could you help push it?

And there is another PR which reviewed by you and Wei: 
https://github.com/tianocore/edk2/pull/5210

-Original Message-
From: gaoliming  
Sent: Monday, January 8, 2024 9:16 AM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Kinney, Michael D ; Liu, Zhiguang 
; 'Rebecca Cran' ; Feng, Bob C 
; Chen, Christine 
Subject: 回复: [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10

Reviewed-by: Liming Gao 

> -邮件原件-
> 发件人: Yi Li 
> 发送时间: 2023年12月25日 10:23
> 收件人: devel@edk2.groups.io
> 抄送: Yi Li ; Michael D Kinney 
> ; Liming Gao ; 
> Zhiguang Liu ; Rebecca Cran 
> ; Bob Feng ; Yuwei Chen 
> 
> 主题: [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10
> 
> REF: UEFI SPEC 2.10 34.8.10 EFI_KEY
> 
> Add EfiKeyIntl0-9.
> 
> Signed-off-by: Yi Li 
> 
> v2:
> Remove changes in HiiFramework.h because it should follow HII spec.
> 
> Cc: Michael D Kinney 
> Cc: Liming Gao 
> Cc: Zhiguang Liu 
> Cc: Rebecca Cran 
> Cc: Liming Gao 
> Cc: Bob Feng 
> Cc: Yuwei Chen 
> 
> Yi Li (2):
>   MdePkg: Update keybaord map based on UEFI spec 2.10
>   BaseTools: Update keybaord map based on UEFI spec 2.10
> 
>  .../Include/Common/UefiInternalFormRepresentation.h  | 12
> +++-
>  MdePkg/Include/Uefi/UefiInternalFormRepresentation.h | 12
> +++-
>  2 files changed, 22 insertions(+), 2 deletions(-)
> 
> --
> 2.42.0.windows.2





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113421): https://edk2.groups.io/g/devel/message/113421
Mute This Topic: https://groups.io/mt/103615331/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] CryptoPkg: change the define

2024-01-10 Thread Li, Yi

Hi, this title is too simple.
Please change it to CryptoPkg: Fix redefinition error of int defines

-Original Message-
From: Hou, Wenxing  
Sent: Wednesday, January 10, 2024 7:16 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Jiang, 
Guomin 
Subject: [PATCH] CryptoPkg: change the define

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4632

Move the define to stdint and add MACRO to prevent duplicate inclusion.

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 CryptoPkg/Library/Include/CrtLibSupport.h | 15 ---
 CryptoPkg/Library/Include/stdint.h| 19 +++
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h 
b/CryptoPkg/Library/Include/CrtLibSupport.h
index 76591f12cb..f36fe08f0c 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -424,19 +424,4 @@ strcpy (
 #define atoi(nptr)  AsciiStrDecimalToUintn(nptr)

 #define gettimeofday(tvp, tz)   do { (tvp)->tv_sec = time(NULL); 
(tvp)->tv_usec = 0; } while (0)

 

-//

-// only use in Mbedlts. The Openssl has defined them internally.

-//

-#ifndef OPENSSL_SYS_UEFI

-typedef INT8   int8_t;

-typedef UINT8  uint8_t;

-typedef INT16  int16_t;

-typedef UINT16 uint16_t;

-typedef INT32  int32_t;

-typedef UINT32 uint32_t;

-typedef INT64  int64_t;

-typedef UINT64 uint64_t;

-typedef UINTN  uintptr_t;

-#endif

-

 #endif

diff --git a/CryptoPkg/Library/Include/stdint.h 
b/CryptoPkg/Library/Include/stdint.h
index 786d57e8d5..e1f54b412e 100644
--- a/CryptoPkg/Library/Include/stdint.h
+++ b/CryptoPkg/Library/Include/stdint.h
@@ -6,4 +6,23 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 

 **/

 

+#ifndef CRYPTO_CRT_STDIO_H_

+#define CRYPTO_CRT_STDIO_H_

 #include 

+

+//

+// only use in Mbedlts. The Openssl has defined them internally.

+//

+#ifndef OPENSSL_SYS_UEFI

+typedef INT8   int8_t;

+typedef UINT8  uint8_t;

+typedef INT16  int16_t;

+typedef UINT16 uint16_t;

+typedef INT32  int32_t;

+typedef UINT32 uint32_t;

+typedef INT64  int64_t;

+typedef UINT64 uint64_t;

+typedef UINTN  uintptr_t;

+#endif

+

+#endif

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113525): https://edk2.groups.io/g/devel/message/113525
Mute This Topic: https://groups.io/mt/103638765/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v2] CryptoPkg: Fix redefinition error of int defines

2024-01-10 Thread Li, Yi




Looks good to me.
Reviewed-by: Yi Li 


-Original Message-
From: Hou, Wenxing  
Sent: Wednesday, January 10, 2024 7:36 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Jiang, 
Guomin 
Subject: [PATCH v2] CryptoPkg: Fix redefinition error of int defines

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4632

Move the define to stdint and add MACRO to prevent duplicate inclusion.

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 CryptoPkg/Library/Include/CrtLibSupport.h | 15 ---
 CryptoPkg/Library/Include/stdint.h| 19 +++
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h 
b/CryptoPkg/Library/Include/CrtLibSupport.h
index 76591f12cb..f36fe08f0c 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -424,19 +424,4 @@ strcpy (
 #define atoi(nptr)  AsciiStrDecimalToUintn(nptr)

 #define gettimeofday(tvp, tz)   do { (tvp)->tv_sec = time(NULL); 
(tvp)->tv_usec = 0; } while (0)

 

-//

-// only use in Mbedlts. The Openssl has defined them internally.

-//

-#ifndef OPENSSL_SYS_UEFI

-typedef INT8   int8_t;

-typedef UINT8  uint8_t;

-typedef INT16  int16_t;

-typedef UINT16 uint16_t;

-typedef INT32  int32_t;

-typedef UINT32 uint32_t;

-typedef INT64  int64_t;

-typedef UINT64 uint64_t;

-typedef UINTN  uintptr_t;

-#endif

-

 #endif

diff --git a/CryptoPkg/Library/Include/stdint.h 
b/CryptoPkg/Library/Include/stdint.h
index 786d57e8d5..e1f54b412e 100644
--- a/CryptoPkg/Library/Include/stdint.h
+++ b/CryptoPkg/Library/Include/stdint.h
@@ -6,4 +6,23 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 

 **/

 

+#ifndef CRYPTO_CRT_STDIO_H_

+#define CRYPTO_CRT_STDIO_H_

 #include 

+

+//

+// only use in Mbedlts. The Openssl has defined them internally.

+//

+#ifndef OPENSSL_SYS_UEFI

+typedef INT8   int8_t;

+typedef UINT8  uint8_t;

+typedef INT16  int16_t;

+typedef UINT16 uint16_t;

+typedef INT32  int32_t;

+typedef UINT32 uint32_t;

+typedef INT64  int64_t;

+typedef UINT64 uint64_t;

+typedef UINTN  uintptr_t;

+#endif

+

+#endif

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113530): https://edk2.groups.io/g/devel/message/113530
Mute This Topic: https://groups.io/mt/103638905/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10

2024-01-14 Thread Li, Yi

Hi Liming,
Could you help merge below patches which got your reviewed-by?  Thanks!

https://github.com/tianocore/edk2/pull/5210
https://github.com/tianocore/edk2/pull/5187

Regards,
Yi


-Original Message-
From: gaoliming  
Sent: Monday, January 8, 2024 9:16 AM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Kinney, Michael D ; Liu, Zhiguang 
; 'Rebecca Cran' ; Feng, Bob C 
; Chen, Christine 
Subject: 回复: [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10

Reviewed-by: Liming Gao 

> -邮件原件-
> 发件人: Yi Li 
> 发送时间: 2023年12月25日 10:23
> 收件人: devel@edk2.groups.io
> 抄送: Yi Li ; Michael D Kinney 
> ; Liming Gao ; 
> Zhiguang Liu ; Rebecca Cran 
> ; Bob Feng ; Yuwei Chen 
> 
> 主题: [PATCH V2 0/2] Update keybaord map based on UEFI spec 2.10
> 
> REF: UEFI SPEC 2.10 34.8.10 EFI_KEY
> 
> Add EfiKeyIntl0-9.
> 
> Signed-off-by: Yi Li 
> 
> v2:
> Remove changes in HiiFramework.h because it should follow HII spec.
> 
> Cc: Michael D Kinney 
> Cc: Liming Gao 
> Cc: Zhiguang Liu 
> Cc: Rebecca Cran 
> Cc: Liming Gao 
> Cc: Bob Feng 
> Cc: Yuwei Chen 
> 
> Yi Li (2):
>   MdePkg: Update keybaord map based on UEFI spec 2.10
>   BaseTools: Update keybaord map based on UEFI spec 2.10
> 
>  .../Include/Common/UefiInternalFormRepresentation.h  | 12
> +++-
>  MdePkg/Include/Uefi/UefiInternalFormRepresentation.h | 12
> +++-
>  2 files changed, 22 insertions(+), 2 deletions(-)
> 
> --
> 2.42.0.windows.2





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113784): https://edk2.groups.io/g/devel/message/113784
Mute This Topic: https://groups.io/mt/103730745/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

2024-01-16 Thread Li, Yi

Hi Jiewen,

All EDK2 PR CI builds of OvmfPkg are broken due to this issue.
Maybe we didn't have enough time to wait feedback and should fix the CI issue 
first.

Regards,
Yi

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Yao, Jiewen
Sent: Tuesday, January 16, 2024 10:38 PM
To: Gerd Hoffmann ; devel@edk2.groups.io
Cc: dougfl...@microsoft.com; Douglas Flick [MSFT] 
Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

Sure. Let's start from OVMF.

We have leaf enough time for feedback, but I see no comment from other people.


> -Original Message-
> From: Gerd Hoffmann 
> Sent: Tuesday, January 16, 2024 10:35 PM
> To: devel@edk2.groups.io; Yao, Jiewen 
> Cc: dougfl...@microsoft.com; Douglas Flick [MSFT] 
> 
> Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 &
> TCBZ4118
> 
> On Tue, Jan 16, 2024 at 01:30:43PM +, Yao, Jiewen wrote:
> > Gerd
> > I have merged this patch set today.
> >
> > I am fine to remove TPM1.2 in OVMF because of the known security limitation.
> 
> I was thinking about the complete edk2 code base not only OVMF.
> 
> But I can surely start with OVMF.  Maybe it is the only platform 
> affected because on physical hardware you usually know whenever TPM 
> 1.2 or TPM 2.0 is present so there is no need to include both.
> 
> take care,
>   Gerd








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113933): https://edk2.groups.io/g/devel/message/113933
Mute This Topic: https://groups.io/mt/103675434/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

2024-01-17 Thread Li, Yi

Hi Jiewen,

Sounds strange, but new PRs in today all broken due to this issue, e.g.:
https://github.com/tianocore/edk2/pull/5210
https://github.com/tianocore/edk2/pull/5268

I checked build log, it matched the description from Gerd:
https://dev.azure.com/tianocore/11ea4a10-ac9f-4e5f-8b13-7def1f19d478/_apis/build/builds/114097/logs/350
2024-01-17T04:09:52.5996237Z INFO - /usr/bin/ld: 
DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function 
`SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6010570Z INFO - (.text+0x0): multiple definition of 
`SanitizeEfiPartitionTableHeader'; DxeTpmMeasureBootLibSanitization.obj (symbol 
from plugin):(.text+0x0): first defined here
2024-01-17T04:09:52.6020435Z INFO - /usr/bin/ld: 
DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function 
`SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6030987Z INFO - (.text+0x0): multiple definition of 
`SanitizePrimaryHeaderAllocationSize'; DxeTpmMeasureBootLibSanitization.obj 
(symbol from plugin):(.text+0x0): first defined here
2024-01-17T04:09:52.6040167Z INFO - /usr/bin/ld: 
DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function 
`SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6050625Z INFO - (.text+0x0): multiple definition of 
`SanitizePrimaryHeaderGptEventSize'; DxeTpmMeasureBootLibSanitization.obj 
(symbol from plugin):(.text+0x0): first defined here
2024-01-17T04:09:52.6061966Z INFO - /usr/bin/ld: 
DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function 
`SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6072661Z INFO - (.text+0x0): multiple definition of 
`SanitizePeImageEventSize'; DxeTpmMeasureBootLibSanitization.obj (symbol from 
plugin):(.text+0x0): first defined here
2024-01-17T04:10:12.9532147Z INFO - build.py...
2024-01-17T04:10:12.9593220Z INFO -  : error 7000: Failed to execute command
2024-01-17T04:10:23.2054653Z INFO - build.py...
2024-01-17T04:10:23.2055014Z INFO -  : error F002: Failed to build module
2024-01-17T04:10:23.2055379Z INFO - 
/__w/1/s/MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf [X64, GCC5, 
DEBUG]

-Original Message-
From: Yao, Jiewen  
Sent: Wednesday, January 17, 2024 4:09 PM
To: Li, Yi1 ; devel@edk2.groups.io; Gerd Hoffmann 

Cc: dougfl...@microsoft.com; Douglas Flick [MSFT] 
Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

Please check https://github.com/tianocore/edk2/pull/5264. It is merged after 
pass CI.

May I know where you see PR CI builds are broken?

Thank you
Yao, Jiewen

> -Original Message-
> From: Li, Yi1 
> Sent: Wednesday, January 17, 2024 3:21 PM
> To: devel@edk2.groups.io; Yao, Jiewen ; Gerd 
> Hoffmann 
> Cc: dougfl...@microsoft.com; Douglas Flick [MSFT] 
> 
> Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & 
> TCBZ4118
> 
> Hi Jiewen,
> 
> All EDK2 PR CI builds of OvmfPkg are broken due to this issue.
> Maybe we didn't have enough time to wait feedback and should fix the 
> CI issue first.
> 
> Regards,
> Yi
> 
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Yao, 
> Jiewen
> Sent: Tuesday, January 16, 2024 10:38 PM
> To: Gerd Hoffmann ; devel@edk2.groups.io
> Cc: dougfl...@microsoft.com; Douglas Flick [MSFT] 
> 
> Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & 
> TCBZ4118
> 
> Sure. Let's start from OVMF.
> 
> We have leaf enough time for feedback, but I see no comment from other people.
> 
> 
> > -Original Message-
> > From: Gerd Hoffmann 
> > Sent: Tuesday, January 16, 2024 10:35 PM
> > To: devel@edk2.groups.io; Yao, Jiewen 
> > Cc: dougfl...@microsoft.com; Douglas Flick [MSFT] 
> > 
> > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 
> > &
> > TCBZ4118
> >
> > On Tue, Jan 16, 2024 at 01:30:43PM +, Yao, Jiewen wrote:
> > > Gerd
> > > I have merged this patch set today.
> > >
> > > I am fine to remove TPM1.2 in OVMF because of the known security
> limitation.
> >
> > I was thinking about the complete edk2 code base not only OVMF.
> >
> > But I can surely start with OVMF.  Maybe it is the only platform 
> > affected because on physical hardware you usually know whenever TPM
> > 1.2 or TPM 2.0 is present so there is no need to include both.
> >
> > take care,
> >   Gerd
> 
> 
> 
> 
> 

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113937): https://edk2.groups.io/g/devel/message/113937
Mute This Topic: https://groups.io/mt/103675434/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] CryptoPkg: Add dummy inttypes header to fix clang build

2024-01-20 Thread Li, Yi




Looks good to me.
Reviewed-by: Yi Li 


-Original Message-
From: Hou, Wenxing  
Sent: Saturday, January 20, 2024 9:45 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Jiang, 
Guomin 
Subject: [PATCH] CryptoPkg: Add dummy inttypes header to fix clang build

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4642

When use Mbedtls, there is a clang build error.
Add dummy inttypes header to fix clang build.

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 CryptoPkg/CryptoPkg.ci.yaml  | 1 +
 CryptoPkg/Library/Include/inttypes.h | 9 +
 2 files changed, 10 insertions(+)
 create mode 100644 CryptoPkg/Library/Include/inttypes.h

diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml index 
f961d85927..b601bcf85c 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -44,6 +44,7 @@
 # This has Mbedtls interfaces that aren't UEFI spec compliant  
   "Library/Include/stdint.h", "Library/Include/stubs-32.h",+   
 "Library/Include/inttypes.h", # These directories contain 
auto-generated OpenSSL content "Library/OpensslLib", 
"Library/IntrinsicLib",diff --git a/CryptoPkg/Library/Include/inttypes.h 
b/CryptoPkg/Library/Include/inttypes.h
new file mode 100644
index 00..3d44d8201d
--- /dev/null
+++ b/CryptoPkg/Library/Include/inttypes.h
@@ -0,0 +1,9 @@
+/** @file+  Include file to support building the third-party 
+cryptographic library.++Copyright (c) 2024, Intel Corporation. All 
+rights reserved.+SPDX-License-Identifier: 
+BSD-2-Clause-Patent++**/++#include --
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#114123): https://edk2.groups.io/g/devel/message/114123
Mute This Topic: https://groups.io/mt/103849296/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v1 0/7] CryptoPkg: Enable Openssl native instruction support for AARCH64

2023-11-06 Thread Li, Yi

Hi Pierre,

Could you share what tests you did and the test results?

Regards,
Yi

-Original Message-
From: Pierre Gondois  
Sent: Thursday, November 2, 2023 9:54 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin ; Leif Lindholm 
; Ard Biesheuvel ; Sami 
Mujawar ; Gerd Hoffmann 
Subject: [PATCH v1 0/7] CryptoPkg: Enable Openssl native instruction support 
for AARCH64

Various OpensslLib implementations are available in edk2. The 
OpensslLibAccel.inf and OpensslLibFullAccel.inf ones use architecture specific 
instructions, e.g. AESE, PMULL, SHA256H, ..., allowing to improve speed.

Enable support for Aarch64's native instructions:
- Add ArmReadCntPctReg() and ArmReadIdAA64Isar0Reg() to
  Aarch64's BaseLib.
- Generate Aarch64's specific Openssl functions.
- Add a OpensslStub/AArch64Cap.c file to allow Openssl
  to probe Aarch64 native instruction support.

This patch-set only enable support for GCC for now (MSFT support not added).

Pierre Gondois (7):
  MdePkg/BaseLib: AARCH64: Add ArmReadCntPctReg()
  MdePkg/BaseLib: AARCH64: Add ArmReadIdAA64Isar0Reg()
  MdePkg/BaseRngLib: Prefer ArmReadIdAA64Isar0Reg() over
ArmReadIdIsar0()
  CryptoPkg/OpensslLib: Add native instruction support for AARCH64
  CryptoPkg/OpensslLib: Generate files for AARCH64 native support
  CryptoPkg/OpensslLib: Add AArch64Cap for arch specific hooks
  CryptoPkg: Enable Openssl Accel builds for AARCH64

 CryptoPkg/CryptoPkg.dsc   |   23 +-
 .../AARCH64-GCC/crypto/aes/aesv8-armx.S   | 3180 
 .../AARCH64-GCC/crypto/aes/vpaes-armv8.S  | 1196 +++
 .../AARCH64-GCC/crypto/arm64cpuid.S   |  129 +
 .../AARCH64-GCC/crypto/bn/armv8-mont.S| 2124 ++
 .../crypto/ec/ecp_nistz256-armv8.S| 4242 +++
 .../crypto/modes/aes-gcm-armv8_64.S   | 6389 +
 .../AARCH64-GCC/crypto/modes/ghashv8-armx.S   |  552 ++
 .../AARCH64-GCC/crypto/sha/keccak1600-armv8.S | 1009 +++
 .../AARCH64-GCC/crypto/sha/sha1-armv8.S   | 1211 
 .../AARCH64-GCC/crypto/sha/sha256-armv8.S | 2051 ++
 .../AARCH64-GCC/crypto/sha/sha512-armv8.S | 1606 +
 .../Library/OpensslLib/OpensslLibAccel.inf|  642 +-
 .../OpensslLib/OpensslLibFullAccel.inf|  691 +-
 .../OpensslLib/OpensslStub/AArch64Cap.c   |  107 +
 CryptoPkg/Library/OpensslLib/UefiAsm.conf |6 +
 CryptoPkg/Library/OpensslLib/configure.py |5 +-
 CryptoPkg/Readme.md   |   14 +-
 MdePkg/Include/Library/BaseLib.h  |   86 +
 .../BaseLib/AArch64/ArmReadCntPctReg.S|   30 +
 .../BaseLib/AArch64/ArmReadCntPctReg.asm  |   30 +
 .../AArch64/ArmReadIdAA64Isar0Reg.S}  |   10 +-
 .../AArch64/ArmReadIdAA64Isar0Reg.asm}|   10 +-
 MdePkg/Library/BaseLib/BaseLib.inf|6 +-
 MdePkg/Library/BaseRngLib/AArch64/ArmRng.h|   12 -
 MdePkg/Library/BaseRngLib/AArch64/Rndr.c  |   14 +-
 MdePkg/Library/BaseRngLib/BaseRngLib.inf  |2 -
 27 files changed, 25320 insertions(+), 57 deletions(-)  create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/aes/aesv8-armx.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/aes/vpaes-armv8.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/arm64cpuid.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/bn/armv8-mont.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/ec/ecp_nistz256-armv8.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/modes/aes-gcm-armv8_64.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/modes/ghashv8-armx.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/sha/keccak1600-armv8.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/sha/sha1-armv8.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/sha/sha256-armv8.S
 create mode 100644 
CryptoPkg/Library/OpensslLib/OpensslGen/AARCH64-GCC/crypto/sha/sha512-armv8.S
 create mode 100644 CryptoPkg/Library/OpensslLib/OpensslStub/AArch64Cap.c
 create mode 100644 MdePkg/Library/BaseLib/AArch64/ArmReadCntPctReg.S
 create mode 100644 MdePkg/Library/BaseLib/AArch64/ArmReadCntPctReg.asm
 rename MdePkg/Library/{BaseRngLib/AArch64/ArmReadIdIsar0.S => 
BaseLib/AArch64/ArmReadIdAA64Isar0Reg.S} (70%)  rename 
MdePkg/Library/{BaseRngLib/AArch64/ArmReadIdIsar0.asm => 
BaseLib/AArch64/ArmReadIdAA64Isar0Reg.asm} (72%)

--
2.25.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110785): https://edk2.groups.io/g/devel/message/110785
Mute This Topic: https://groups.io/mt/102342394/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [edk2-platforms][PATCH] MinPlatformPkg: should build Performance driver only when perf enabled

2023-11-27 Thread Li, Yi

Should build FirmwarePerformancePei only when perf enabled.
Avoiding unconditional compilation of performance PEI drivers can
save 2KB(LZMA compressed) in PostMem FV, small but important.

Cc: Chasel Chiu 
Cc: Nate DeSimone 
Cc: Liming Gao 
Cc: Eric Dong 
Signed-off-by: Yi Li 
---
 .../MinPlatformPkg/Include/Fdf/CorePostMemoryInclude.fdf| 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git 
a/Platform/Intel/MinPlatformPkg/Include/Fdf/CorePostMemoryInclude.fdf 
b/Platform/Intel/MinPlatformPkg/Include/Fdf/CorePostMemoryInclude.fdf
index 3edc239e5..bc8ebc84b 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Fdf/CorePostMemoryInclude.fdf
+++ b/Platform/Intel/MinPlatformPkg/Include/Fdf/CorePostMemoryInclude.fdf
@@ -1,12 +1,14 @@
 ## @file
 #  FDF file of Platform.
 #
-# Copyright (c) 2017, Intel Corporation. All rights reserved.
+# Copyright (c) 2017 - 2023, Intel Corporation. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
 
 !if gMinPlatformPkgTokenSpaceGuid.PcdBootToShellOnly == FALSE
-  INF  
MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.inf
+  !if gMinPlatformPkgTokenSpaceGuid.PcdPerformanceEnable == TRUE
+INF  
MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.inf
+  !endif
 !endif
-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#111793): https://edk2.groups.io/g/devel/message/111793
Mute This Topic: https://groups.io/mt/102845821/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

2024-02-19 Thread Li, Yi

Hi Eddie,

> the API in CryptPkg "RandomSeed()"(X64, in CryptRandTsc.c) always returned 
> false

Does your code run in a XIP environment? Such like PreMemory stage or other 
cases.
The setup of Randlib in OpenSsl 3.0 relies on global variables, so there may be 
an error if the global variables are read-only.

Regards,
Yi


-Original Message-
From: devel@edk2.groups.io  On Behalf Of Yao, Jiewen
Sent: Tuesday, February 20, 2024 9:11 AM
To: devel@edk2.groups.io; ler...@redhat.com; eddie wang 
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom 
number generator properly

Thanks Laslo and Eddie.

I am just back from Chinese New Year vocation, still checking email.

If you can file a Bugzilla (https://bugzilla.tianocore.org/) with source code 
of your app, that would be very helpful for us to investigate this issue.


> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Laszlo 
> Ersek
> Sent: Tuesday, February 20, 2024 4:18 AM
> To: eddie wang 
> Cc: devel@edk2.groups.io
> Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the 
> pseudorandom number generator properly
> 
> On 2/17/24 10:17, eddie wang wrote:
> > Hi Laszlo,
> > After digging dipper,  we found that the *EVP_RAND_fetch *in 
> > "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's 
> > meant the DRBG implementation could not be fetched. We also compared 
> > it to the case on Linux, and they could both fetched DRBG 
> > implementation correctly. Is it possible that the opensslLib 3.0.9 
> > caused any compatibility issues with edk2?  Or has anyone else 
> > encountered the same problem with these openssl services?
> 
> Sorry, I can't say.
> 
> If you have a small reproducer UEFI application that works fine when 
> built with edk2-stable202305, but does not work when built against 
> either edk2-stable202308 or current master, then filing a TianoCore BZ
> (regression) seems justified. (AFAICT it was edk2-stable202308 that 
> incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the 
> source code of the small repro application to the ticket would likely 
> be helpful.
> 
> Laszlo
> 
> > Laszlo Ersek mailto:ler...@redhat.com>> 於 
> > 2024年2月
> > 15日 週四 下午7:48寫道：
> >
> > On 2/15/24 12:09, eddie wang wrote:
> > > Hi Laszlo,
> > > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()
> > ? Or
> > > any suggesting information that I can provide?
> >
> > Sorry, upon a closer look, I see you had already narrowed it down to
> > RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> > suggestion would amount to adding DEBUGs to OpenSSL, such as to
> > RAND_seed() in
> > "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> >
> > But, I think you may be able to do just that.
> > "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> > , and DebugLib is listed under [LibraryClasses] in each
> > instance of OpensslLib. So if you modify your
> > "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> > with the following patch:
> >
> > | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> > | index 0fcf4fe3bc1e..e5f105268f52 100644
> > | --- a/crypto/rand/rand_lib.c
> > | +++ b/crypto/rand/rand_lib.c
> > | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> > |      drbg = RAND_get0_primary(NULL);
> > |      if (drbg != NULL && num > 0)
> > |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> > | +
> > | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> > |  }
> > |
> > |  void RAND_add(const void *buf, int num, double randomness)
> >
> > then you should get usable debug messages -- at least it builds for me.
> >
> > Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
> > should lead you to the exact location that is responsible for the
> > initialization failure.
> >
> > You mention you have encountered the problem with a UEFI application.
> > That is relevant for choosing your DebugLib instance. If you already
> > have a function DebugLib instance for your platform (logging to the
> > serial port, for example), then just use that.
> >
> > Otherwise, consider building your UEFI application with a module scope
> > override in the DSC file, one that resolves DebugLib to
> >
> >   MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> >
> > or
> >
> >   MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> >
> > These will send DEBUG messages to the UEFI console or standard error
> > devices, respectively.
> >
> > hth
> > Laszlo
> >
> > > Laszlo Ersek mailto:ler...@redhat.com>
> > >> 於 2024年2月
> > > 8日 週四 上午5:03寫道：
> > >
> > >     On 2/6/24 08:00, eddie wang wrote:
> > >     > Hi all,
> > >

Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly

2024-02-29 Thread Li, Yi

Hi Eddie,

There will be build error if you didn’t include OpensslLib*.inf but consume 
openssl BaseCryptLib, are you using BaseCryptLibOnProtocolPpi?
This sounds strange, CryptRand should work fine in non-XIP environments, could 
you send me .map file of your application?

Regards,
Yi


From: eddie wang 
Sent: Thursday, February 29, 2024 5:49 PM
To: devel@edk2.groups.io; Li, Yi1 
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom 
number generator properly

Hi and many thanks to all of you,
I'm not entirely sure if it's running in a XIP environment, but I think not. 
Our application executed on UEFI interactive shell and it was put in an USB 
device(as the FS0 showed in the screenshot). And here's another question as 
well, because I found that the drbg implementation counld not be fetched in our 
case,  and I discovered that our package did not include 
"OpensslLibCrypto.inf." Could it be connected to our problem?
[cid:image001.png@01DA6B44.21876340]


BR,
Eddie Wang

Li, Yi mailto:yi1...@intel.com>> 於 2024年2月20日 週二 上午9:49寫道：
Hi Eddie,

> the API in CryptPkg "RandomSeed()"(X64, in CryptRandTsc.c) always returned 
> false

Does your code run in a XIP environment? Such like PreMemory stage or other 
cases.
The setup of Randlib in OpenSsl 3.0 relies on global variables, so there may be 
an error if the global variables are read-only.

Regards,
Yi


-Original Message-
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> 
mailto:devel@edk2.groups.io>> On Behalf Of Yao, Jiewen
Sent: Tuesday, February 20, 2024 9:11 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; 
ler...@redhat.com<mailto:ler...@redhat.com>; eddie wang 
mailto:qw1562...@gmail.com>>
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom 
number generator properly

Thanks Laslo and Eddie.

I am just back from Chinese New Year vocation, still checking email.

If you can file a Bugzilla (https://bugzilla.tianocore.org/) with source code 
of your app, that would be very helpful for us to investigate this issue.


> -Original Message-
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> 
> mailto:devel@edk2.groups.io>> On Behalf Of Laszlo
> Ersek
> Sent: Tuesday, February 20, 2024 4:18 AM
> To: eddie wang mailto:qw1562...@gmail.com>>
> Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the
> pseudorandom number generator properly
>
> On 2/17/24 10:17, eddie wang wrote:
> > Hi Laszlo,
> > After digging dipper,  we found that the *EVP_RAND_fetch *in
> > "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's
> > meant the DRBG implementation could not be fetched. We also compared
> > it to the case on Linux, and they could both fetched DRBG
> > implementation correctly. Is it possible that the opensslLib 3.0.9
> > caused any compatibility issues with edk2?  Or has anyone else
> > encountered the same problem with these openssl services?
>
> Sorry, I can't say.
>
> If you have a small reproducer UEFI application that works fine when
> built with edk2-stable202305, but does not work when built against
> either edk2-stable202308 or current master, then filing a TianoCore BZ
> (regression) seems justified. (AFAICT it was edk2-stable202308 that
> incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
> source code of the small repro application to the ticket would likely
> be helpful.
>
> Laszlo
>
> > Laszlo Ersek mailto:ler...@redhat.com> 
> > <mailto:ler...@redhat.com<mailto:ler...@redhat.com>>> 於
> > 2024年2月
> > 15日 週四 下午7:48寫道：
> >
> > On 2/15/24 12:09, eddie wang wrote:
> > > Hi Laszlo,
> > > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()
> > ? Or
> > > any suggesting information that I can provide?
> >
> > Sorry, upon a closer look, I see you had already narrowed it down to
> > RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> > suggestion would amount to adding DEBUGs to OpenSSL, such as to
> > RAND_seed() in
> > "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> >
> > But, I think you may be able to do just that.
> > "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> > , and DebugLib is listed under [LibraryClasses] in each
> > instance of OpensslLib. So if you modify your
> > "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> > with the following patch:
> >
> >

Re: [edk2-devel] [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP crypto functions

2024-03-18 Thread Li, Yi

Hi Chris,

1. Please create a feature request BugZilla to introduce the background of the 
new API, such as purpose and application scenarios.
2. I took a quick look, the new API will make Pkcs1v2De/Encrypt support 
RsaContext input and the rest is same as old API right?

Regards,
Yi

-Original Message-
From: Chris Ruffin  
Sent: Tuesday, March 19, 2024 5:52 AM
To: devel@edk2.groups.io
Cc: Chris Ruffin ; Yao, Jiewen 
; Li, Yi1 ; Hou, Wenxing 

Subject: [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP crypto 
functions

From: Chris Ruffin 

Expand the availability of the RSAEP-OAEP crypto capability in BaseCryptLib.  
Applications using RSA crypto functions directly from OpensslLib can transition 
to BaseCryptLib to take advantage of the shared crypto feature in CryptoDxe.

Pkcs1v2Decrypt(): decryption using DER-encoded private key
RsaOaepEncrypt(): encryption using RSA contexts
RsaOaepDecrypt(): decryption using RSA contexts

Signed-off-by: Chris Ruffin 
Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Wenxing Hou 
---
 CryptoPkg/Include/Library/BaseCryptLib.h  | 102 
 .../Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c  | 506 --
 .../BaseCryptLib/Pk/CryptPkcs1OaepNull.c  | 114 
 .../BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c  | 114 
 4 files changed, 789 insertions(+), 47 deletions(-)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h 
b/CryptoPkg/Include/Library/BaseCryptLib.h
index a52bd91ad6..7ad2bf21fe 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2147,6 +2147,108 @@ Pkcs1v2Encrypt (
   OUT  UINTN*EncryptedDataSize   ); +/**+  Encrypts a blob using 
PKCS1v2 (RSAES-OAEP) schema. On success, will return the+  encrypted message in 
a newly allocated buffer.++  Things that can cause a failure include:+  - X509 
key size does not match any known key size.+  - Fail to allocate an 
intermediate buffer.+  - Null pointer provided for a non-optional parameter.+  
- Data size is too large for the provided key size (max size is a function of 
key size+and hash digest size).++  @param[in]  RsaContext  A 
pointer to an RSA context created by RsaNew() and+  
provisioned with a public key using RsaSetKey().+  @param[in]  InData   
   Data to be encrypted.+  @param[in]  InDataSize  Size of the data 
buffer.+  @param[in]  PrngSeed[Optional] If provided, a pointer to 
a random seed buffer+  to be used when 
initializing the PRNG. NULL otherwise.+  @param[in]  PrngSeedSize
[Optional] If provided, size of the random seed buffer.+
  0 otherwise.+  @param[out] EncryptedData   Pointer to an 
allocated buffer containing the encrypted+  
message.+  @param[out] EncryptedDataSize   Size of the encrypted message 
buffer.++  @retval TRUEEncryption was successful.+  @retval 
FALSE   Encryption failed.++**/+BOOLEAN+EFIAPI+RsaOaepEncrypt 
(+  IN   VOID *RsaContext,+  IN   UINT8*InData,+  IN   UINTN
InDataSize,+  IN   CONST UINT8  *PrngSeed   OPTIONAL,+  IN   UINTN
PrngSeedSize   OPTIONAL,+  OUT  UINT8**EncryptedData,+  OUT  UINTN  
  *EncryptedDataSize+  );++/**+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) 
schema. On success, will return the+  decrypted message in a newly allocated 
buffer.++  Things that can cause a failure include:+  - Fail to parse private 
key.+  - Fail to allocate an intermediate buffer.+  - Null pointer provided for 
a non-optional parameter.++  @param[in]  PrivateKey  A pointer to the 
DER-encoded private key.+  @param[in]  PrivateKeySize  Size of the private 
key buffer.+  @param[in]  EncryptedData   Data to be decrypted.+  
@param[in]  EncryptedDataSize   Size of the encrypted buffer.+  @param[out] 
OutData Pointer to an allocated buffer containing the encrypted+
  message.+  @param[out] OutDataSize Size 
of the encrypted message buffer.++  @retval TRUEEncryption 
was successful.+  @retval FALSE   Encryption 
failed.++**/+BOOLEAN+EFIAPI+Pkcs1v2Decrypt (+  IN   CONST UINT8  *PrivateKey,+  
IN   UINTNPrivateKeySize,+  IN   UINT8*EncryptedData,+  IN   
UINTNEncryptedDataSize,+  OUT  UINT8**OutData,+  OUT  UINTN 
   *OutDataSize+  );++/**+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. 
On success, will return the+  decrypted message in a newly allocated buffer.++  
Things that can cause a failure include:+  - Fail to parse private key.+  - 
Fail to allocate an intermediate buffer.+  - Null pointer provided for a 
non-optional parameter.++  @param[in]  RsaContext  A pointer to an RSA 
context created by RsaNew() and+  provisioned 
with a private key using RsaSetKey().+  @para

Re: [edk2-devel] [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP crypto functions

2024-03-25 Thread Li, Yi

Hi Chris,

1. Add BZ link to commit message,
2. Add null implementation of new APIs to BaseCryptLibMbedTls to avoid build 
error.
For other comments please check the PR: 
https://github.com/tianocore/edk2/pull/5473

Regards,
Yi

-Original Message-
From: Chris Ruffin  
Sent: Tuesday, March 19, 2024 10:16 PM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Chris Ruffin ; Yao, Jiewen 
; Hou, Wenxing 
Subject: RE: [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP 
crypto functions


Hi Yi, thanks for  your email.  I created a Bugzilla ticket for this, see 
Bugzilla ID #4732: https://bugzilla.tianocore.org/show_bug.cgi?id=4732.  The 
Pkcs1v2Encrypt() API is maintained but the implementation is refactored.  There 
is currently no Pkcs1v2Decrypt(), this is also a newly implemented API but the 
converse of Pkcs1v2Encypt().  Pkcs1v2Encrypt() (existing) and Pkcs1v2Decrypt() 
(new) both take they keys from DER-encoded certificates/keys.  RsaOaepEncrypt() 
and RsaOaepDecrypt() both take keys from RsaContext.  The internal functions 
use a common ENV_PKEY.

More from the Bugzilla:

BasecryptLib currently only provides RSAES-OAEP encryption capability with 
Pkcs1v2Encrypt() which takes as input a DER encoded x.509 certificate.  A DXE 
application which needs access to RSAES-OAEP encryption and decryption 
capabilities currently only has the option of statically linking OpensslLib and 
using functions such as RSA_public_encrypt() and RSA_private_decrypt().  These 
applications would benefit from an expanded access to RSAES-OAEP encryption / 
decryption capability in BaseCryptLib so that the shared crypto driver can be 
used and the applciation can be migrated away from RSA_public_decrypt() and 
RSA_private_decrypt() which are deprecated in Openssl 3.

There is the following challenges with migrating to BaseCryptLib interfaces:

1) BaseCryptLib Pkcs1v2Encrypt() requires the use of an X.509 
DER-encoded certificate to pass the public key.  This interface is dissimilar 
from the rest of the RSA APIs in BasecryptLib.  Applications that have used 
other RSA APIs from BaseCryptLib for key generation and management such as 
RsaGenerateKey() and RsaSetKey() will not have such a structure available.
2) BaseCryptLib currently exposes no decryption capability.

This feature provides an easy migration path for drivers/applications which 
need access to RSAES-OAEP encryption / decryption and that are currently using 
an RsaContext structure to pass key components to OpensslLib. These 
applications can be easily migrated to one of the new APIs to remove the direct 
dependency on OpensslLib, migrate away from deprecated interfaces, take 
advantage of CryptoPkg/Driver, and get BasecryptLib access to RSAES-OAEP 
decryption.

Key changes proposed:
InternalPkcs1v2Encrypt(): New internal-only function created from refactoring 
of Pkcs1v2Encrypt().  Takes key input from an ENV_PKEY and is used by both 
public functions Pkcs1v2Encrypt() and RsaOaepEncrypt().

Pkcs1v2Encrypt(): has been refactored to create InternalPkcs1v2Encrypt() but 
the public interface is maintained.

RsaOaepEncrypt(): New function takes key input from an RsaContext, creates an 
ENV_PKEY, and calls InternalPkcs1v2Encrypt()

InternalPkcs1v2Decrypt(): New internal-only function InternalPkcs1v2Decrypt() 
takes key input from an ENV_PKEY and provides the RSAES-OAEP decryption 
capability to Pkcs1v2Decrypt() and RsaOaepDecrypt().

Pkcs1v2Decrypt(): New public function Pkcs1v2Decrypt() takes a DER-encoded 
private key, creates an ENV_PKEY, and calls InternalPkcs1v2Decrypt()

RsaOaepDecrypt(): New public function RsaOaepDecrypt() takes a pointer to 
RsaContext, creates an ENV_PKEY, and calls InternalPkcs1v2Decrypt()

Thanks,

Chris


-Original Message-
From: Li, Yi1  
Sent: Monday, March 18, 2024 11:52 PM
To: Chris Ruffin ; devel@edk2.groups.io
Cc: Chris Ruffin ; Yao, Jiewen 
; Hou, Wenxing 
Subject: RE: [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP 
crypto functions

[You don't often get email from yi1...@intel.com. Learn why this is important 
at https://aka.ms/LearnAboutSenderIdentification ]

Hi Chris,

1. Please create a feature request BugZilla to introduce the background of the 
new API, such as purpose and application scenarios.
2. I took a quick look, the new API will make Pkcs1v2De/Encrypt support 
RsaContext input and the rest is same as old API right?

Regards,
Yi

-Original Message-
From: Chris Ruffin 
Sent: Tuesday, March 19, 2024 5:52 AM
To: devel@edk2.groups.io
Cc: Chris Ruffin ; Yao, Jiewen 
; Li, Yi1 ; Hou, Wenxing 

Subject: [PATCH 1/3] CryptoPkg/BaseCryptLib: add additional RSAEP-OAEP crypto 
functions

From: Chris Ruffin 

Expand the availability of the RSAEP-OAEP crypto capability in BaseCryptLib.  
Applications using RSA crypto functions directly from OpensslLib can transition 
to BaseCryptLib to take advantage of the shared crypto feature in CryptoDxe.

Pkcs1v2Decrypt(): decryption using DER-encode

Re: [edk2-devel] [PATCH] CryptoPkg: BaseCryptLib: ASN1_get_object() function return value is not checked properly in CryptX509.c.

2024-03-27 Thread Li, Yi

Hi,

Please follow the correct upstream process to avoid Github CI errors. 
https://github.com/tianocore/tianocore.github.io/wiki/Laszlo%27s-unkempt-git-guide-for-edk2-contributors-and-maintainers#contributor-workflow
You are missing your Sign-off and Cc maintainers in this patch,
And please add BZ link to commit message: ''REF: 
https://bugzilla.tianocore.org/show_bug.cgi?id=4509''.

For your code change, '''ASN1_get_object() return error''' or  
''ASN1_get_object() success but Asn1Tag != V_ASN1_SEQUENCE ''' both need to 
be treated as errors and returned.
So you should use logic or instead of and.

Before you send V2 patch, please create a PR in EDK2 github to test CI: 
https://github.com/tianocore/edk2/pulls

Regards,
Yi

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Sountharya N via 
groups.io
Sent: Tuesday, March 19, 2024 1:44 PM
To: devel@edk2.groups.io; Sountharya N 
Cc: MANI, SRINIVASAN ; Prarthana Sagar V 

Subject: [edk2-devel] [PATCH] CryptoPkg: BaseCryptLib: ASN1_get_object() 
function return value is not checked properly in CryptX509.c.

Added Inf variable, and the error case returned value was checked properly.
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c 
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 1182323b63..ac05441383 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -839,17 +839,17 @@ X509GetTBSCert (
   Length = 0;

   Inf= ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
*)&ObjClass, (long)CertSize);



-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {

+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {

 return FALSE;

   }



   *TBSCert = (UINT8 *)Temp;



-  ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, 
(long)Length);

+  Inf= ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
*)&ObjClass, (long)Length);

   //

   // Verify the parsed TBSCertificate is one correct SEQUENCE data.

   //

-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {

+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {

 return FALSE;

   }



--
2.35.1.windows.2
-The information contained in this message may be confidential and proprietary 
to American Megatrends (AMI). This communication is intended to be read only by 
the individual or entity to whom it is addressed or by their designee. If the 
reader of this message is not the intended recipient, you are on notice that 
any distribution of this message, in any form, is strictly prohibited. Please 
promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and 
then delete or destroy all copies of the transmission.







-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117189): https://edk2.groups.io/g/devel/message/117189
Mute This Topic: https://groups.io/mt/105019593/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 0/3] CryptoPkg: Optimize APIs in BaseCryptLibMbedTls

2024-03-28 Thread Li, Yi

For this patch set:

Looks good to me.
Reviewed-by: Yi Li 

-Original Message-
From: Hou, Wenxing  
Sent: Friday, March 29, 2024 10:33 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH 0/3] CryptoPkg: Optimize APIs in BaseCryptLibMbedTls

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4740
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4741
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4742


These patch will fix OPTIONAL location and update hash implementation and 
remove the interdependence for RsaPssVerify.
And these patch has paseed the EDKII CI test.
https://github.com/tianocore/edk2/pull/5501


Cc: Jiewen Yao 
Cc: Yi Li 
Signed-off-by: Wenxing Hou 

Wenxing Hou (3):
  CryptoPkg: Update OPTIONAL location for BaseCryptLibMbedTls
  CryptoPkg: Update Md5/Sha1/Sha2 by using new mbedtls api
  CryptoPkg: Remove interdependence for RsaPssVerify

 .../BaseCryptLibMbedTls/Hash/CryptMd5.c   |  9 +--
 .../BaseCryptLibMbedTls/Hash/CryptSha1.c  |  9 +--
 .../BaseCryptLibMbedTls/Hash/CryptSha256.c|  9 +--
 .../BaseCryptLibMbedTls/Hash/CryptSha512.c| 17 ++---
 .../Pk/CryptPkcs1OaepNull.c   |  6 +-
 .../BaseCryptLibMbedTls/Pk/CryptRsaPss.c  | 74 +++
 .../BaseCryptLibMbedTls/Pk/CryptX509Null.c|  6 +-
 7 files changed, 35 insertions(+), 95 deletions(-)

--
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117226): https://edk2.groups.io/g/devel/message/117226
Mute This Topic: https://groups.io/mt/105210159/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v2 0/3] CryptoPkg/BaseCryptLib: add additional RSAES-OAEP crypto functions

2024-03-31 Thread Li, Yi

Appreciate your efforts in optimization of unit test, for this patch set:

Looks good to me.
Reviewed-by: Yi Li 

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Chris Ruffin via 
groups.io
Sent: Sunday, March 31, 2024 6:00 AM
To: devel@edk2.groups.io
Cc: Chris Ruffin 
Subject: [edk2-devel] [PATCH v2 0/3] CryptoPkg/BaseCryptLib: add additional 
RSAES-OAEP crypto functions

From: Chris Ruffin 

v2 patchset adds:
- Add digest length parameter to RsaOaepEncrypt(), RsaOaepDecrypt() so that 
SHA256, SHA384, SHA512 message digests and mask generation functions can be 
used with the API.
- Add NullLib implementation for BaseCryptLibMbedTls
- Cleanups from v1 review
- Significantly refactored and expanded test suite:
  - Use UNIT_TEST_CONTEXT and abstaction to run same tests on
Pkcs1v2Encrypt()/Pkcs1v2Decrypt() and RsaOaepEncrypt() RsaOaepDecrypt()
  - Align DER Certificate / PrivateKey used with Pkcs1v2 APIs
with RsaN, RsaE, RsaD parameters used by RsaOaep APIs
so that they represent the same keys.
  - Implement fixed ciphertext test for Pkcs1v2Decrypt(), RsaOaepDecrypt()
  - Implementation was also checked with wycheproof test vectors (not
included in the patch).

Chris Ruffin (3):
  CryptoPkg/BaseCryptLib: add additional RSAES-OAEP crypto functions
  CryptoPkg/Driver: add additional RSAES-OAEP crypto functions
  CryptoPkg/BaseCryptLibUnitTest: add unit test functions

 CryptoPkg/Driver/Crypto.c | 130 ++-
 CryptoPkg/Include/Library/BaseCryptLib.h  | 117 +++
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   4 +
 .../Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c  | 598 --
 .../BaseCryptLib/Pk/CryptPkcs1OaepNull.c  | 130 ++-
 .../Pk/CryptPkcs1OaepNull.c   | 135 +++-
 .../BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c  | 130 ++-
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 114 +++
 CryptoPkg/Private/Protocol/Crypto.h   | 109 ++-
 .../Library/BaseCryptLib/OaepEncryptTests.c   | 758 --
 10 files changed, 2098 insertions(+), 127 deletions(-)

--
2.44.0.windows.1








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117272): https://edk2.groups.io/g/devel/message/117272
Mute This Topic: https://groups.io/mt/105239222/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] CryptoPkg: BaseCryptLib: ASN1_get_object() function return value is not checked properly in CryptX509.c.

2024-04-01 Thread Li, Yi

Hi,

Please remove 'Reviewed-by: @yi1...@intel.com' and send V2 patch to 
devel@edk2.groups.io by send-email. 

Generate V2 patch:
Add '--subject-prefix="PATCH V2" ' when you format patch:
git format-patch --subject-prefix="PATCH V2" ...

The content of patch looks good to me, will give you my Reviewed-by and push it 
after receiving your V2 patch.

Thanks,
Yi

-Original Message-
From: Sountharya N  
Sent: Monday, April 1, 2024 7:23 PM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: MANI, SRINIVASAN ; Prarthana Sagar V 
; Yao, Jiewen ; Hou, Wenxing 

Subject: RE: [EXTERNAL] RE: [PATCH] CryptoPkg: BaseCryptLib: ASN1_get_object() 
function return value is not checked properly in CryptX509.c.

Hi Yi,

As you suggested, modified the changes and gave PR. Here I have attached the 
Link for reference.
https://github.com/tianocore/edk2/pull/5507

Thanks,
Sountharya

-Original Message-
From: Li, Yi1 
Sent: Thursday, March 28, 2024 7:17 AM
To: devel@edk2.groups.io; Sountharya N 
Cc: Srinivasan Mani ; Prarthana Sagar V 
; Yao, Jiewen ; Hou, Wenxing 

Subject: [EXTERNAL] RE: [PATCH] CryptoPkg: BaseCryptLib: ASN1_get_object() 
function return value is not checked properly in CryptX509.c.


**CAUTION: The e-mail below is from an external source. Please exercise caution 
before opening attachments, clicking links, or following guidance.**

Hi,

Please follow the correct upstream process to avoid Github CI errors.
https://github.com/tianocore/tianocore.github.io/wiki/Laszlo%27s-unkempt-git-guide-for-edk2-contributors-and-maintainers#contributor-workflow
You are missing your Sign-off and Cc maintainers in this patch, And please add 
BZ link to commit message: ''REF: 
https://bugzilla.tianocore.org/show_bug.cgi?id=4509''.

For your code change, '''ASN1_get_object() return error''' or  
''ASN1_get_object() success but Asn1Tag != V_ASN1_SEQUENCE ''' both need to 
be treated as errors and returned.
So you should use logic or instead of and.

Before you send V2 patch, please create a PR in EDK2 github to test CI: 
https://github.com/tianocore/edk2/pulls

Regards,
Yi

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Sountharya N via 
groups.io
Sent: Tuesday, March 19, 2024 1:44 PM
To: devel@edk2.groups.io; Sountharya N 
Cc: MANI, SRINIVASAN ; Prarthana Sagar V 

Subject: [edk2-devel] [PATCH] CryptoPkg: BaseCryptLib: ASN1_get_object() 
function return value is not checked properly in CryptX509.c.

Added Inf variable, and the error case returned value was checked properly.
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c 
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 1182323b63..ac05441383 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -839,17 +839,17 @@ X509GetTBSCert (
   Length = 0;

   Inf= ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
*)&ObjClass, (long)CertSize);



-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {

+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {

 return FALSE;

   }



   *TBSCert = (UINT8 *)Temp;



-  ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, 
(long)Length);

+  Inf= ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
*)&ObjClass, (long)Length);

   //

   // Verify the parsed TBSCertificate is one correct SEQUENCE data.

   //

-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {

+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {

 return FALSE;

   }



--
2.35.1.windows.2
-The information contained in this message may be confidential and proprietary 
to American Megatrends (AMI). This communication is intended to be read only by 
the individual or entity to whom it is addressed or by their designee. If the 
reader of this message is not the intended recipient, you are on notice that 
any distribution of this message, in any form, is strictly prohibited. Please 
promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and 
then delete or destroy all copies of the transmission.





-The information contained in this message may be confidential and proprietary 
to American Megatrends (AMI). This communication is intended to be read only by 
the individual or entity to whom it is addressed or by their designee. If the 
reader of this message is not the intended recipient, you are on notice that 
any distribution of this message, in any form, is strictly prohibited. Please 
promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and 
then delete or destroy all copies of the transmission.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117301): https://edk2.groups.io/g/devel/message/117301
Mute This Topic: https://groups.io/mt/105019593/21656
Group O

Re: [edk2-devel] [PATCH v2 0/3] CryptoPkg/BaseCryptLib: add additional RSAES-OAEP crypto functions

2024-04-07 Thread Li, Yi

Pushed: https://github.com/tianocore/edk2/pull/5532

Thanks,
Yi

-Original Message-
From: Li, Yi1 
Sent: Monday, April 1, 2024 9:46 AM
To: devel@edk2.groups.io; cruf...@millcore.com
Cc: Chris Ruffin ; Yao, Jiewen 
; Hou, Wenxing 
Subject: RE: [edk2-devel] [PATCH v2 0/3] CryptoPkg/BaseCryptLib: add additional 
RSAES-OAEP crypto functions

Appreciate your efforts in optimization of unit test, for this patch set:

Looks good to me.
Reviewed-by: Yi Li 

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Chris Ruffin via 
groups.io
Sent: Sunday, March 31, 2024 6:00 AM
To: devel@edk2.groups.io
Cc: Chris Ruffin 
Subject: [edk2-devel] [PATCH v2 0/3] CryptoPkg/BaseCryptLib: add additional 
RSAES-OAEP crypto functions

From: Chris Ruffin 

v2 patchset adds:
- Add digest length parameter to RsaOaepEncrypt(), RsaOaepDecrypt() so that 
SHA256, SHA384, SHA512 message digests and mask generation functions can be 
used with the API.
- Add NullLib implementation for BaseCryptLibMbedTls
- Cleanups from v1 review
- Significantly refactored and expanded test suite:
  - Use UNIT_TEST_CONTEXT and abstaction to run same tests on
Pkcs1v2Encrypt()/Pkcs1v2Decrypt() and RsaOaepEncrypt() RsaOaepDecrypt()
  - Align DER Certificate / PrivateKey used with Pkcs1v2 APIs
with RsaN, RsaE, RsaD parameters used by RsaOaep APIs
so that they represent the same keys.
  - Implement fixed ciphertext test for Pkcs1v2Decrypt(), RsaOaepDecrypt()
  - Implementation was also checked with wycheproof test vectors (not
included in the patch).

Chris Ruffin (3):
  CryptoPkg/BaseCryptLib: add additional RSAES-OAEP crypto functions
  CryptoPkg/Driver: add additional RSAES-OAEP crypto functions
  CryptoPkg/BaseCryptLibUnitTest: add unit test functions

 CryptoPkg/Driver/Crypto.c | 130 ++-
 CryptoPkg/Include/Library/BaseCryptLib.h  | 117 +++
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   4 +
 .../Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c  | 598 --
 .../BaseCryptLib/Pk/CryptPkcs1OaepNull.c  | 130 ++-
 .../Pk/CryptPkcs1OaepNull.c   | 135 +++-
 .../BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c  | 130 ++-
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 114 +++
 CryptoPkg/Private/Protocol/Crypto.h   | 109 ++-
 .../Library/BaseCryptLib/OaepEncryptTests.c   | 758 --
 10 files changed, 2098 insertions(+), 127 deletions(-)

--
2.44.0.windows.1








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117474): https://edk2.groups.io/g/devel/message/117474
Mute This Topic: https://groups.io/mt/105239222/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] Add SHA3/SM3 functions with openssl for Mbedtls

2024-04-22 Thread Li, Yi

Adding a copy of BaseCryptLib/Sm3/Sha3 seems like a workaround to me.
I prefer to use files directly from BaseCryptLib, such like:

DEFINE BASE_CRYPT_PATH= ../BaseCryptLib
[Sources]
  $(BASE_CRYPT_PATH)/Hash/CryptDispatchApDxe.c
  ...

Then I think DummyOpensslSupport.c should not be needed.

Regards,
Yi

-Original Message-
From: Hou, Wenxing  
Sent: Monday, April 22, 2024 9:34 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH] Add SHA3/SM3 functions with openssl for Mbedtls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Because the Mbedlts 3.3.0 doesn't have SHA3 and Sm3, the SHA3 and Sm3
implementaion based on Openssl.

Cc: Jiewen Yao 
Cc: Yi Li 
Signed-off-by: Wenxing Hou 
---
 CryptoPkg/CryptoPkg.ci.yaml   |   1 +
 .../BaseCryptLibMbedTls/Hash/CryptCShake256.c | 282 +
 .../Hash/CryptDispatchApDxe.c |  49 ++
 .../Hash/CryptDispatchApMm.c  |  35 ++
 .../Hash/CryptDispatchApPei.c |  54 ++
 .../Hash/CryptParallelHash.c  | 254 
 .../Hash/CryptParallelHash.h  | 231 +++
 .../BaseCryptLibMbedTls/Hash/CryptSha3.c  | 166 +
 .../BaseCryptLibMbedTls/Hash/CryptSm3.c   | 235 +++
 .../BaseCryptLibMbedTls/Hash/CryptXkcp.c  | 107 
 .../SysCall/DummyOpensslSupport.c | 595 ++
 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf   |   6 +
 .../Library/MbedTlsLib/MbedTlsLibFull.inf |   6 +
 13 files changed, 2021 insertions(+)
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptCShake256.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptDispatchApDxe.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptDispatchApMm.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptDispatchApPei.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHash.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHash.h
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha3.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptXkcp.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/DummyOpensslSupport.c

diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml
index b601bcf85c..046cc05163 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -40,6 +40,7 @@
 "Library/Include/CrtLibSupport.h",

 # This has OpenSSL interfaces that aren't UEFI spec compliant

 "Library/BaseCryptLib/Hash/CryptParallelHash.h",

+"Library/BaseCryptLibMbedTls/Hash/CryptParallelHash.h",

 "Library/Include/fcntl.h",

 # This has Mbedtls interfaces that aren't UEFI spec compliant

 "Library/Include/stdint.h",

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptCShake256.c 
b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptCShake256.c
new file mode 100644
index 00..64d8fa97c5
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptCShake256.c
@@ -0,0 +1,282 @@
+/** @file

+  cSHAKE-256 Digest Wrapper Implementations.

+

+Copyright (c) 2024, Intel Corporation. All rights reserved.

+SPDX-License-Identifier: BSD-2-Clause-Patent

+

+**/

+

+#include "CryptParallelHash.h"

+

+#define  CSHAKE256_SECURITY_STRENGTH  256

+#define  CSHAKE256_RATE_IN_BYTES  136

+

+CONST CHAR8  mZeroPadding[CSHAKE256_RATE_IN_BYTES] = { 0 };

+

+/**

+  CShake256 initial function.

+

+  Initializes user-supplied memory pointed by CShake256Context as cSHAKE-256 
hash context for

+  subsequent use.

+

+  @param[out] CShake256Context  Pointer to cSHAKE-256 context being 
initialized.

+  @param[in]  OutputLen The desired number of output length in bytes.

+  @param[in]  Name  Pointer to the function name string.

+  @param[in]  NameLen   The length of the function name in bytes.

+  @param[in]  Customization Pointer to the customization string.

+  @param[in]  CustomizationLen  The length of the customization string in 
bytes.

+

+  @retval TRUE   cSHAKE-256 context initialization succeeded.

+  @retval FALSE  cSHAKE-256 context initialization failed.

+  @retval FALSE  This interface is not supported.

+**/

+BOOLEAN

+EFIAPI

+CShake256Init (

+  OUT  VOID*CShake256Context,

+  IN   UINTN   OutputLen,

+  IN   CONST VOID  *Name,

+  IN   UINTN   NameLen,

+  IN   CONST VOID  *Customization,

+  IN   UINTN   CustomizationLen

+  )

+{

+  BOOLEAN  Status;

+  UINT8EncBuf[sizeof (UINTN) + 1];

+  UINTNEncLen;

+  UINTNAbsorbLen;

+  UINTNPadLen;

+

+  //

+  // Check input parameters.

+  //

+  if ((CShake256Context == NULL) || (OutputLen == 0) || ((NameLen != 0) && 
(Name == NULL)) || ((CustomizationLen != 0) &&

Re: [edk2-devel] [PATCH 5/9] CryptoPkg: Add Pkcs7 related functions based on Mbedtls

2024-04-22 Thread Li, Yi

The pools used to store cert chain are not released properly, which will lead 
to memory leak problems
Please ensure MbedtlsPkcs7SignedData.Certificates are handled correctly when:
  1. error occurred in Pkcs7GetSigner/SignedData
  2. Pkcs7Verify finished.

Regards,
Yi

-Original Message-
From: Hou, Wenxing  
Sent: Tuesday, April 16, 2024 3:51 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH 5/9] CryptoPkg: Add Pkcs7 related functions based on Mbedtls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Because the current Mbedlts pkcs7 library doesn't support
authenticatedAttributes:
Mbed-TLS/mbedtls@bb82ab7
and only support 0 or 1 certificates in Signed data:
tianocore/edk2-staging@9c5b26b

The patch implement Pkcs7 by low Mbedtls Api.
And the implementation has pass unit_tes and integration test.

Cc: Jiewen Yao 
Cc: Yi Li 
Signed-off-by: Wenxing Hou 
---
 .../BaseCryptLibMbedTls/InternalCryptLib.h|   33 +
 .../Pk/CryptPkcs7Internal.h   |   20 +-
 .../BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c   |  615 
 .../Pk/CryptPkcs7VerifyBase.c |  113 ++
 .../Pk/CryptPkcs7VerifyCommon.c   | 1315 +
 .../Pk/CryptPkcs7VerifyEku.c  |  689 +
 6 files changed, 2773 insertions(+), 12 deletions(-)
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h 
b/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
index e2c7e42ecb..1b9742c166 100644
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
@@ -38,4 +38,37 @@ MbedtlsRand (
   UINT8  *output,

   UINTN  len

   );

+

+/**

+  Check input P7Data is a wrapped ContentInfo structure or not. If not 
construct

+  a new structure to wrap P7Data.

+

+  Caution: This function may receive untrusted input.

+  UEFI Authenticated Variable is external input, so this function will do basic

+  check for PKCS#7 data structure.

+

+  @param[in]  P7Data   Pointer to the PKCS#7 message to verify.

+  @param[in]  P7Length Length of the PKCS#7 message in bytes.

+  @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise

+   return FALSE.

+  @param[out] WrapData If return status of this function is TRUE:

+   1) when WrapFlag is TRUE, pointer to P7Data.

+   2) when WrapFlag is FALSE, pointer to a new 
ContentInfo

+   structure. It's caller's responsibility to free this

+   buffer.

+  @param[out] WrapDataSize Length of ContentInfo structure in bytes.

+

+  @retval TRUE The operation is finished successfully.

+  @retval FALSEThe operation is failed due to lack of resources.

+

+**/

+BOOLEAN

+WrapPkcs7Data (

+  IN  CONST UINT8  *P7Data,

+  IN  UINTNP7Length,

+  OUT BOOLEAN  *WrapFlag,

+  OUT UINT8**WrapData,

+  OUT UINTN*WrapDataSize

+  );

+

 #endif

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h 
b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
index 207f493cbb..d4bdb0abf7 100644
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
@@ -4,7 +4,7 @@
 

   RFC 2315 - PKCS #7: Cryptographic Message Syntax Version 1.5

 

-Copyright (c) 2023, Intel Corporation. All rights reserved.

+Copyright (c) 2023-2024, Intel Corporation. All rights reserved.

 SPDX-License-Identifier: BSD-2-Clause-Patent

 

 **/

@@ -31,10 +31,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define MBEDTLS_OID_PKCS7_DIGESTED_DATA  MBEDTLS_OID_PKCS7 "\x05"

 #define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06"

 

-typedef mbedtls_asn1_buf MBEDTLSPKCS7BUF;

-typedef mbedtls_asn1_named_data  MBEDTLSPKCS7NAME;

-typedef mbedtls_asn1_sequenceMBEDTLSPKCS7SEQUENCE;

-

 ///

 /// PKCS7 SignerInfo type

 /// https://tools.ietf.org/html/rfc2315#section-9.2

@@ -48,8 +44,8 @@ typedef struct MbedtlsPkcs7SignerInfo {
   mbedtls_x509_buf SigAlgIdentifier;

   mbedtls_x509_buf AuthAttr;

   mbedtls_x509_buf Sig;

-  struct MBEDTLSPKCS7SIGNERINFO*Next;

-} MBEDTLSPKCS7SIGNERINFO;

+  struct MbedtlsPkcs7SignerInfo*Next;

+} MbedtlsPkcs7SignerInfo;

 

 ///

 /// PKCS7 signed data attached data format

@@ -57,7 +53,7 @@ typedef struct MbedtlsPkcs7SignerInfo {
 typedef struct MbedtlsPkcs7Data {

   mbedtls_asn1_bufOid;

   mbedtls_asn1_b

Re: [edk2-devel] [PATCH 0/9] Add more crypt APIs based on Mbedtls

2024-04-22 Thread Li, Yi

I found some magic number and format issues, please check comments in your PR.

Regards,
Yi

-Original Message-
From: Hou, Wenxing  
Sent: Tuesday, April 16, 2024 3:51 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH 0/9] Add more crypt APIs based on Mbedtls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Add AeadAesGcm/Pem(only RSA)/X509(only RSA)/More RSA/PKCS5 
/pKCS7/Authenticode/Timestamp implementation based on Mbedtls.

The patch has passed the EDKII CI check:
https://github.com/tianocore/edk2/pull/5552

And the patch has passed unit_test in EDKII and integration test for platform.
And the patch hass passed the fuzz test:
https://github.com/tianocore/edk2-staging/commit/4f19398053c92e4f7791d468a184530b6ab89128

Cc: Jiewen Yao 
Cc: Yi Li 
Signed-off-by: Wenxing Hou 

Wenxing Hou (9):
  CryptoPkg: Add AeadAesGcm based on Mbedtls
  CryptoPkg: Add rand function for BaseCryptLibMbedTls
  CryptoPkg: Add Pem APIs based on Mbedtls
  CryptoPkg: Add X509 functions based on Mbedtls
  CryptoPkg: Add Pkcs7 related functions based on Mbedtls
  CryptoPkg: Add Pkcs5 functions based on Mbedtls
  CryptoPkg: Add more RSA related functions based on Mbedtls
  CryptoPkg: Add AuthenticodeVerify based on Mbedtls
  CryptoPkg: Add ImageTimestampVerify based on Mbedtls

 CryptoPkg/CryptoPkg.ci.yaml   |1 +
 .../Cipher/CryptAeadAesGcm.c  |  227 ++
 .../BaseCryptLibMbedTls/InternalCryptLib.h|   49 +
 .../BaseCryptLibMbedTls/Pem/CryptPem.c|  138 ++
 .../Pk/CryptAuthenticode.c|  214 ++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c   |  278 +++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c |  100 +
 .../Pk/CryptPkcs7Internal.h   |   20 +-
 .../BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c   |  615 ++
 .../Pk/CryptPkcs7VerifyBase.c |  113 +
 .../Pk/CryptPkcs7VerifyCommon.c   | 1315 +++
 .../Pk/CryptPkcs7VerifyEku.c  |  689 ++
 .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c  |  346 +++
 .../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c  |  137 ++  
.../Library/BaseCryptLibMbedTls/Pk/CryptTs.c  |  381 
 .../BaseCryptLibMbedTls/Pk/CryptX509.c| 1924 +
 .../BaseCryptLibMbedTls/Rand/CryptRand.c  |  105 +
 .../BaseCryptLibMbedTls/Rand/CryptRandTsc.c   |  105 +
 18 files changed, 6745 insertions(+), 12 deletions(-)  create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPem.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticode.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRand.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandTsc.c

--
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118073): https://edk2.groups.io/g/devel/message/118073
Mute This Topic: https://groups.io/mt/105552830/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v2] Add SHA3/SM3 functions with openssl for Mbedtls

2024-04-24 Thread Li, Yi



Looks good to me.
Reviewed-by: Yi Li 

-Original Message-
From: Hou, Wenxing  
Sent: Wednesday, April 24, 2024 4:25 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH v2] Add SHA3/SM3 functions with openssl for Mbedtls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177



Because the Mbedlts 3.3.0 doesn't have SHA3 and Sm3, the SHA3 and Sm3

implementaion based on Openssl.

And the implementaion has passed build check.



Cc: Jiewen Yao 

Cc: Yi Li 

Signed-off-by: Wenxing Hou 

---

 CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf   | 9 +++--

 CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf| 9 +++--

 .../Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf  | 3 ++-

 CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf| 9 +++--

 .../Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf | 4 +++-

 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf  | 6 ++

 CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf  | 6 ++

 7 files changed, 38 insertions(+), 8 deletions(-)



diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf 
b/CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf

index 16def792c5..999054500f 100644

--- a/CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf

+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf

@@ -18,6 +18,7 @@

   MODULE_TYPE= DXE_DRIVER

   VERSION_STRING = 1.0

   LIBRARY_CLASS  = BaseCryptLib|DXE_DRIVER DXE_CORE 
UEFI_APPLICATION UEFI_DRIVER

+  DEFINE BASE_CRYPT_PATH = ../BaseCryptLib

 

 #

 # The following information is for reference only and not required by the 
build tools.

@@ -31,10 +32,14 @@

   Cipher/CryptAes.c

   Hash/CryptSha256.c

   Hash/CryptSha512.c

-  Hash/CryptParallelHashNull.c

-  Hash/CryptSm3Null.c

   Hash/CryptMd5.c

   Hash/CryptSha1.c

+  $(BASE_CRYPT_PATH)/Hash/CryptCShake256.c

+  $(BASE_CRYPT_PATH)/Hash/CryptDispatchApDxe.c

+  $(BASE_CRYPT_PATH)/Hash/CryptParallelHash.c

+  $(BASE_CRYPT_PATH)/Hash/CryptSha3.c

+  $(BASE_CRYPT_PATH)/Hash/CryptSm3.c

+  $(BASE_CRYPT_PATH)/Hash/CryptXkcp.c

   Hmac/CryptHmac.c

   Kdf/CryptHkdf.c

   Pk/CryptRsaBasic.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf 
b/CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf

index 72b22a24e8..a153c0c8e4 100644

--- a/CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf

+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf

@@ -26,6 +26,7 @@

   MODULE_TYPE= PEIM

   VERSION_STRING = 1.0

   LIBRARY_CLASS  = BaseCryptLib|PEIM PEI_CORE

+  DEFINE BASE_CRYPT_PATH = ../BaseCryptLib

 

 #

 # The following information is for reference only and not required by the 
build tools.

@@ -38,9 +39,13 @@

   Hash/CryptMd5.c

   Hash/CryptSha1.c

   Hash/CryptSha256.c

-  Hash/CryptSm3Null.c

   Hash/CryptSha512.c

-  Hash/CryptParallelHashNull.c

+  $(BASE_CRYPT_PATH)/Hash/CryptCShake256.c

+  $(BASE_CRYPT_PATH)/Hash/CryptDispatchApPei.c

+  $(BASE_CRYPT_PATH)/Hash/CryptParallelHash.c

+  $(BASE_CRYPT_PATH)/Hash/CryptSha3.c

+  $(BASE_CRYPT_PATH)/Hash/CryptSm3.c

+  $(BASE_CRYPT_PATH)/Hash/CryptXkcp.c

   Hmac/CryptHmac.c

   Kdf/CryptHkdf.c

   Cipher/CryptAes.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf 
b/CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf

index 9f17ef00bf..1b33dbdaad 100644

--- a/CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf

+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf

@@ -25,6 +25,7 @@

   VERSION_STRING = 1.0

   LIBRARY_CLASS  = BaseCryptLib|DXE_RUNTIME_DRIVER

   CONSTRUCTOR= RuntimeCryptLibConstructor

+  DEFINE BASE_CRYPT_PATH = ../BaseCryptLib

 

 #

 # The following information is for reference only and not required by the 
build tools.

@@ -37,9 +38,9 @@

   Hash/CryptMd5.c

   Hash/CryptSha1.c

   Hash/CryptSha256.c

-  Hash/CryptSm3Null.c

   Hash/CryptSha512.c

   Hash/CryptParallelHashNull.c

+  $(BASE_CRYPT_PATH)/Hash/CryptSm3.c

   Hmac/CryptHmac.c

   Kdf/CryptHkdf.c

   Cipher/CryptAes.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf 
b/CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf

index 40c56d1b7d..d9a9cb8d10 100644

--- a/CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf

+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf

@@ -24,6 +24,7 @@

   VERSION_STRING = 1.0

   PI_SPECIFICATION_VERSION   = 0x0001000A

   LIBRARY_CLASS  = BaseCryptLib|DXE_SMM_DRIVER SMM_CORE 
MM_STANDALONE

+  DEFINE BASE_CRYPT_PATH = ../BaseCryptLib

 

 #

 # The following information is for reference only and not required by the 
build tools.

@@ -36,9 +37,13 @@

   Hash/CryptMd5.c

   Hash/CryptSha1.c

   Hash/CryptSha256.c

-  Hash/CryptSm3Null.c

   Hash/CryptSha512.c

-  Hash/C

Re: [edk2-devel] [PATCH v3 00/11] Add more crypt APIs based on Mbedtls

2024-05-08 Thread Li, Yi

For this patch set:

Looks good to me.
Reviewed-by: Yi Li 


-Original Message-
From: Hou, Wenxing  
Sent: Thursday, May 9, 2024 2:27 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH v3 00/11] Add more crypt APIs based on Mbedtls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Add AeadAesGcm/Pem(only RSA)/X509(only RSA)/More 
RSA/PKCS5/pKCS7/Authenticode/Timestamp
implementation based on Mbedtls.

The patch has passed the EDKII CI check:
https://github.com/tianocore/edk2/pull/5552

And the patch has passed unit_test in EDKII and integration test for platform.
And the patch hass passed the fuzz test:
https://github.com/tianocore/edk2-staging/commit/4f19398053c92e4f7791d468a184530b6ab89128

v2 changes:
 - Fix format variable name/hardcode number issue;
 - Fix Pkcs7 memory leak;

v3 changes:
 - Fix some issues form reviewer;
 - Add SHA3/SM3 implementation;
 - Update *.inf files;

Cc: Jiewen Yao 
Cc: Yi Li 
Signed-off-by: Wenxing Hou 

Wenxing Hou (11):
  CryptoPkg: Add AeadAesGcm based on Mbedtls
  CryptoPkg: Add rand function for BaseCryptLibMbedTls
  CryptoPkg: Add Pem APIs based on Mbedtls
  CryptoPkg: Add X509 functions based on Mbedtls
  CryptoPkg: Add Pkcs7 related functions based on Mbedtls
  CryptoPkg: Add Pkcs5 functions based on Mbedtls
  CryptoPkg: Add more RSA related functions based on Mbedtls
  CryptoPkg: Add AuthenticodeVerify based on Mbedtls
  CryptoPkg: Add ImageTimestampVerify based on Mbedtls
  CryptoPkg: Update *.inf in BaseCryptLibMbedTls
  Add SHA3/SM3 functions with openssl for Mbedtls

 CryptoPkg/Include/Library/BaseCryptLib.h  |4 +
 .../BaseCryptLibMbedTls/BaseCryptLib.inf  |   47 +-
 .../Cipher/CryptAeadAesGcm.c  |  227 ++
 .../BaseCryptLibMbedTls/InternalCryptLib.h|   49 +
 .../BaseCryptLibMbedTls/PeiCryptLib.inf   |   27 +-
 .../BaseCryptLibMbedTls/Pem/CryptPem.c|  138 ++
 .../Pk/CryptAuthenticode.c|  214 ++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c   |  278 +++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c |  100 +
 .../Pk/CryptPkcs7Internal.h   |   29 +-
 .../BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c   |  635 ++
 .../Pk/CryptPkcs7VerifyBase.c |  113 +
 .../Pk/CryptPkcs7VerifyCommon.c   | 1354 
 .../Pk/CryptPkcs7VerifyEku.c  |  689 ++
 .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c  |  352 +++
 .../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c  |  140 ++  
.../Library/BaseCryptLibMbedTls/Pk/CryptTs.c  |  381 
 .../BaseCryptLibMbedTls/Pk/CryptX509.c| 1940 +
 .../BaseCryptLibMbedTls/Rand/CryptRand.c  |  114 +
 .../BaseCryptLibMbedTls/Rand/CryptRandTsc.c   |  114 +
 .../BaseCryptLibMbedTls/RuntimeCryptLib.inf   |   26 +-
 .../BaseCryptLibMbedTls/SmmCryptLib.inf   |   36 +-
 .../BaseCryptLibMbedTls/TestBaseCryptLib.inf  |   39 +-
 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf   |6 +
 .../Library/MbedTlsLib/MbedTlsLibFull.inf |6 +
 25 files changed, 6973 insertions(+), 85 deletions(-)  create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPem.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticode.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRand.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandTsc.c

--
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118743): https://edk2.groups.io/g/devel/message/118743
Mute This Topic: https://groups.io/mt/105996826/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v3 00/11] Add more crypt APIs based on Mbedtls

2024-05-09 Thread Li, Yi

This patch set was submitted before soft freeze and will not affect other 
existed codes, I am OK to merge it.

Hi Liming,

Do you have any comments?  I will merge it if no objections.

Thanks,
Yi

-Original Message-
From: Hou, Wenxing  
Sent: Thursday, May 9, 2024 4:29 PM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Yao, Jiewen ; gaoliming 
Subject: RE: [PATCH v3 00/11] Add more crypt APIs based on Mbedtls

Hi,

Thanks for your feedback.
The new PR is: https://github.com/tianocore/edk2/pull/5645

Could Li Yi help me merge the PR?

Thanks,
Wenxing

-Original Message-
From: Li, Yi1  
Sent: Thursday, May 9, 2024 2:54 PM
To: Hou, Wenxing ; devel@edk2.groups.io
Cc: Yao, Jiewen 
Subject: RE: [PATCH v3 00/11] Add more crypt APIs based on Mbedtls

For this patch set:

Looks good to me.
Reviewed-by: Yi Li 


-Original Message-
From: Hou, Wenxing  
Sent: Thursday, May 9, 2024 2:27 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH v3 00/11] Add more crypt APIs based on Mbedtls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Add AeadAesGcm/Pem(only RSA)/X509(only RSA)/More 
RSA/PKCS5/pKCS7/Authenticode/Timestamp
implementation based on Mbedtls.

The patch has passed the EDKII CI check:
https://github.com/tianocore/edk2/pull/5552

And the patch has passed unit_test in EDKII and integration test for platform.
And the patch hass passed the fuzz test:
https://github.com/tianocore/edk2-staging/commit/4f19398053c92e4f7791d468a184530b6ab89128

v2 changes:
 - Fix format variable name/hardcode number issue;
 - Fix Pkcs7 memory leak;

v3 changes:
 - Fix some issues form reviewer;
 - Add SHA3/SM3 implementation;
 - Update *.inf files;

Cc: Jiewen Yao 
Cc: Yi Li 
Signed-off-by: Wenxing Hou 

Wenxing Hou (11):
  CryptoPkg: Add AeadAesGcm based on Mbedtls
  CryptoPkg: Add rand function for BaseCryptLibMbedTls
  CryptoPkg: Add Pem APIs based on Mbedtls
  CryptoPkg: Add X509 functions based on Mbedtls
  CryptoPkg: Add Pkcs7 related functions based on Mbedtls
  CryptoPkg: Add Pkcs5 functions based on Mbedtls
  CryptoPkg: Add more RSA related functions based on Mbedtls
  CryptoPkg: Add AuthenticodeVerify based on Mbedtls
  CryptoPkg: Add ImageTimestampVerify based on Mbedtls
  CryptoPkg: Update *.inf in BaseCryptLibMbedTls
  Add SHA3/SM3 functions with openssl for Mbedtls

 CryptoPkg/Include/Library/BaseCryptLib.h  |4 +
 .../BaseCryptLibMbedTls/BaseCryptLib.inf  |   47 +-
 .../Cipher/CryptAeadAesGcm.c  |  227 ++
 .../BaseCryptLibMbedTls/InternalCryptLib.h|   49 +
 .../BaseCryptLibMbedTls/PeiCryptLib.inf   |   27 +-
 .../BaseCryptLibMbedTls/Pem/CryptPem.c|  138 ++
 .../Pk/CryptAuthenticode.c|  214 ++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c   |  278 +++
 .../BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c |  100 +
 .../Pk/CryptPkcs7Internal.h   |   29 +-
 .../BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c   |  635 ++
 .../Pk/CryptPkcs7VerifyBase.c |  113 +
 .../Pk/CryptPkcs7VerifyCommon.c   | 1354 
 .../Pk/CryptPkcs7VerifyEku.c  |  689 ++
 .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c  |  352 +++
 .../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c  |  140 ++  
.../Library/BaseCryptLibMbedTls/Pk/CryptTs.c  |  381 
 .../BaseCryptLibMbedTls/Pk/CryptX509.c| 1940 +
 .../BaseCryptLibMbedTls/Rand/CryptRand.c  |  114 +
 .../BaseCryptLibMbedTls/Rand/CryptRandTsc.c   |  114 +
 .../BaseCryptLibMbedTls/RuntimeCryptLib.inf   |   26 +-
 .../BaseCryptLibMbedTls/SmmCryptLib.inf   |   36 +-
 .../BaseCryptLibMbedTls/TestBaseCryptLib.inf  |   39 +-
 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf   |6 +
 .../Library/MbedTlsLib/MbedTlsLibFull.inf |6 +
 25 files changed, 6973 insertions(+), 85 deletions(-)  create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcm.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPem.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticode.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1Oaep.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Sign.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyBase.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyCommon.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEku.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRand.c
 create mode 100644 CryptoPkg/Library

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Fix bug for correct return value checking when get X509Cert

2024-05-15 Thread Li, Yi



Looks good to me.
Reviewed-by: Yi Li 

We are in Hard Freeze phase, will push it after freeze. Thanks.

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Qingyu
Sent: Wednesday, May 15, 2024 8:58 PM
To: devel@edk2.groups.io
Cc: Shang, Qingyu ; Yao, Jiewen ; 
Li, Yi1 
Subject: [edk2-devel] [PATCH 1/1] CryptoPkg: Fix bug for correct return value 
checking when get X509Cert

From: Qingyu 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4509

CryptX509.c file has X509GetTBSCert() funtion and it is added Inf variable to 
collect the return value of ASN1_get_object(), which return 0x80 in error case. 
Supplement the return value check during the second function call and correct 
the check logic.

Signed-off-by: Qingyu 
Cc: Jiewen Yao 
Cc: Yi Li 
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c 
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 1182323b63ee..7ebec9dbad5b 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -839,17 +839,17 @@ X509GetTBSCert (
   Length = 0;
   Inf= ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
*)&ObjClass, (long)CertSize);
 
-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {
+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {
 return FALSE;
   }
 
   *TBSCert = (UINT8 *)Temp;
 
-  ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, 
(long)Length);
+  Inf = ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
+ *)&ObjClass, (long)Length);
   //
   // Verify the parsed TBSCertificate is one correct SEQUENCE data.
   //
-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {
+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {
 return FALSE;
   }
 
--
2.44.0.windows.1








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118924): https://edk2.groups.io/g/devel/message/118924
Mute This Topic: https://groups.io/mt/106113214/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Remove deprecated code related to SHA-1

2024-05-15 Thread Li, Yi

Hi Qingyu,

1. Commit message is not clear enough, we need to clarify 'why removing SHA-1 
code does not affect the functionality of Rand'.
Could you please add:
The default drbg type of randlib has been switched to aes_256_ctr in 
openssl1.1.1, so sha1 is not really used in RandomSeed().

2. Please remove sha1 in BaseCryptLib\Rand\CryptRand.c also.

Thanks,
Yi

-Original Message-
From: Shang, Qingyu  
Sent: Wednesday, May 15, 2024 11:04 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH 1/1] CryptoPkg: Remove deprecated code related to SHA-1

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4698

SHA-1 is deprecated by NIST for any cryptographic use. Remove related code 
which do SHA-1 support checking in CryptRandTsc.c

Signed-off-by: Shang Qingyu 
Cc: Jiewen Yao 
Cc: Yi Li 
---
 CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c | 8 
 1 file changed, 8 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c 
b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
index 30454bf10f9b..b94c16de562d 100644
--- a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
+++ b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
@@ -40,14 +40,6 @@ RandomSeed (
 return FALSE;
   }
 
-  //
-  // The software PRNG implementation built in OpenSSL depends on message 
digest algorithm.
-  // Make sure SHA-1 digest algorithm is available here.
-  //
-  if (EVP_add_digest (EVP_sha1 ()) == 0) {
-return FALSE;
-  }
-
   //
   // Seed the pseudorandom number generator with user-supplied value.
   // NOTE: A cryptographic PRNG must be seeded with unpredictable data.
--
2.44.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118925): https://edk2.groups.io/g/devel/message/118925
Mute This Topic: https://groups.io/mt/106115677/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V2 1/1] CryptoPkg: Remove outdated code related to deprecated SHA-1

2024-05-15 Thread Li, Yi

Hi, Qingyu

I am still not see any codes related to CryptRand.c, are you missed 'git add' 
for new change?

Regards,
Yi

-Original Message-
From: Shang, Qingyu  
Sent: Thursday, May 16, 2024 10:28 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH V2 1/1] CryptoPkg: Remove outdated code related to deprecated 
SHA-1

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4698

The default drbg type of randlib has been switched to aes_256_ctr in 
openssl1.1.1, so sha1 is not really used in RandomSeed(). Remove related code 
which do SHA-1 support checking in CryptRand.c and CryptRandTsc.c to avoid 
potential compatibility errors.

Signed-off-by: Shang Qingyu 
Cc: Jiewen Yao 
Cc: Yi Li 
---
 CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c | 8 
 1 file changed, 8 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c 
b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
index 30454bf10f9b..b94c16de562d 100644
--- a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
+++ b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
@@ -40,14 +40,6 @@ RandomSeed (
 return FALSE;
   }
 
-  //
-  // The software PRNG implementation built in OpenSSL depends on message 
digest algorithm.
-  // Make sure SHA-1 digest algorithm is available here.
-  //
-  if (EVP_add_digest (EVP_sha1 ()) == 0) {
-return FALSE;
-  }
-
   //
   // Seed the pseudorandom number generator with user-supplied value.
   // NOTE: A cryptographic PRNG must be seeded with unpredictable data.
--
2.44.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118944): https://edk2.groups.io/g/devel/message/118944
Mute This Topic: https://groups.io/mt/106127679/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Add support for aes128-sha256 and aes256-sha256 cipher

2024-05-15 Thread Li, Yi



Looks good to me.
Reviewed-by: Yi Li 

We are in Hard Freeze phase, will push it after freeze. Thanks.

-Original Message-
From: Shang, Qingyu  
Sent: Thursday, May 16, 2024 9:54 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [PATCH 1/1] CryptoPkg: Add support for aes128-sha256 and aes256-sha256 
cipher

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4739

AES256-SHA256 is a Tls1.2 suite we need to support, add it to deflt_ciphers in 
OpensslStub.

Signed-off-by: Shang Qingyu 
Cc: Jiewen Yao 
Cc: Yi Li 
---
 CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c 
b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
index 40ab7e937c69..f2af6a49d85e 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
+++ b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
@@ -141,6 +141,17 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = {
 ALG(PROV_NAMES_AES_192_GCM, ossl_aes192gcm_functions),
 ALG(PROV_NAMES_AES_128_GCM, ossl_aes128gcm_functions),
 
+ALGC (
+PROV_NAMES_AES_128_CBC_HMAC_SHA256,
+ossl_aes128cbc_hmac_sha256_functions,
+ossl_cipher_capable_aes_cbc_hmac_sha256
+),
+ALGC (
+PROV_NAMES_AES_256_CBC_HMAC_SHA256,
+ossl_aes256cbc_hmac_sha256_functions,
+ossl_cipher_capable_aes_cbc_hmac_sha256
+),
+
 { { NULL, NULL, NULL }, NULL }
 };
 static OSSL_ALGORITHM exported_ciphers[OSSL_NELEM(deflt_ciphers)];
--
2.44.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118945): https://edk2.groups.io/g/devel/message/118945
Mute This Topic: https://groups.io/mt/106127156/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V3 1/1] CryptoPkg: Remove deprecated code related to SHA-1

2024-05-16 Thread Li, Yi

Looks good to me.
Reviewed-by: Yi Li 

We are in Hard Freeze phase, will push it after freeze. Thanks.

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Qingyu
Sent: Thursday, May 16, 2024 3:35 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 
Subject: [edk2-devel] [PATCH V3 1/1] CryptoPkg: Remove deprecated code related 
to SHA-1

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4698

The default drbg type of randlib has been switched to aes_256_ctr in 
openssl1.1.1, so sha1 is not really used in RandomSeed(). Remove related code 
which do SHA-1 support checking in CryptRand.c and CryptRandTsc.c to avoid 
potential compatibility errors.

Signed-off-by: Shang Qingyu 
Cc: Jiewen Yao 
Cc: Yi Li 
---
 CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c| 8 
 CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c | 8 
 2 files changed, 16 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c 
b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c
index 9e2fcefe084e..51c7435898c7 100644
--- a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c
+++ b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRand.c
@@ -42,14 +42,6 @@ RandomSeed (
 return FALSE;
   }
 
-  //
-  // The software PRNG implementation built in OpenSSL depends on message 
digest algorithm.
-  // Make sure SHA-1 digest algorithm is available here.
-  //
-  if (EVP_add_digest (EVP_sha1 ()) == 0) {
-return FALSE;
-  }
-
   //
   // Seed the pseudorandom number generator with user-supplied value.
   // NOTE: A cryptographic PRNG must be seeded with unpredictable data.
diff --git a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c 
b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
index 30454bf10f9b..b94c16de562d 100644
--- a/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
+++ b/CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c
@@ -40,14 +40,6 @@ RandomSeed (
 return FALSE;
   }
 
-  //
-  // The software PRNG implementation built in OpenSSL depends on message 
digest algorithm.
-  // Make sure SHA-1 digest algorithm is available here.
-  //
-  if (EVP_add_digest (EVP_sha1 ()) == 0) {
-return FALSE;
-  }
-
   //
   // Seed the pseudorandom number generator with user-supplied value.
   // NOTE: A cryptographic PRNG must be seeded with unpredictable data.
--
2.44.0.windows.1








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118954): https://edk2.groups.io/g/devel/message/118954
Mute This Topic: https://groups.io/mt/106130347/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Fix bug for correct return value checking when get X509Cert

2024-05-19 Thread Li, Yi

Hi @sounthar...@ami.com,

I already asked Qingyu to help raise patch.
Will merge it after hard freeze.

Thanks,
Yi 

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Wednesday, May 15, 2024 11:32 PM
To: devel@edk2.groups.io; Shang, Qingyu 
Cc: Yao, Jiewen 
Subject: Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Fix bug for correct return 
value checking when get X509Cert


Looks good to me.
Reviewed-by: Yi Li 

We are in Hard Freeze phase, will push it after freeze. Thanks.

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Qingyu
Sent: Wednesday, May 15, 2024 8:58 PM
To: devel@edk2.groups.io
Cc: Shang, Qingyu ; Yao, Jiewen ; 
Li, Yi1 
Subject: [edk2-devel] [PATCH 1/1] CryptoPkg: Fix bug for correct return value 
checking when get X509Cert

From: Qingyu 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4509

CryptX509.c file has X509GetTBSCert() funtion and it is added Inf variable to 
collect the return value of ASN1_get_object(), which return 0x80 in error case. 
Supplement the return value check during the second function call and correct 
the check logic.

Signed-off-by: Qingyu 
Cc: Jiewen Yao 
Cc: Yi Li 
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c 
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 1182323b63ee..7ebec9dbad5b 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -839,17 +839,17 @@ X509GetTBSCert (
   Length = 0;
   Inf= ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
*)&ObjClass, (long)CertSize);
 
-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {
+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {
 return FALSE;
   }
 
   *TBSCert = (UINT8 *)Temp;
 
-  ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, 
(long)Length);
+  Inf = ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int 
+ *)&ObjClass, (long)Length);
   //
   // Verify the parsed TBSCertificate is one correct SEQUENCE data.
   //
-  if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {
+  if (((Inf & 0x80) == 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {
 return FALSE;
   }
 
--
2.44.0.windows.1













-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119066): https://edk2.groups.io/g/devel/message/119066
Mute This Topic: https://groups.io/mt/106113214/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] CryptoPkg OpensslLib TLSv1.3 support

2024-05-20 Thread Li, Yi

No, Tls1.3 is not supported yet: 
https://github.com/tianocore/edk2/blob/7142e648416ff5d3eac6c6d607874805f5de0ca8/CryptoPkg/Library/OpensslLib/OpensslGen/include/openssl/configuration-ec.h#L271-L273

We have a BZ to track it but afaik no dedicated folk working on it.
https://bugzilla.tianocore.org/show_bug.cgi?id=2424

Regards,
Yi

From: devel@edk2.groups.io  On Behalf Of eddie wang
Sent: Tuesday, May 21, 2024 11:39 AM
To: devel@edk2.groups.io
Subject: [edk2-devel] CryptoPkg OpensslLib TLSv1.3 support

Hi all,
I have a question about the OpenSSL library in CryptoPkg. Does tlsv1.3 support 
exist in the current OpensslLib? If not, is there a way to make TLSV1.3 support 
possible?
Many thanks.

BR,
Eddie



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119097): https://edk2.groups.io/g/devel/message/119097
Mute This Topic: https://groups.io/mt/106217831/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] CryptoPkg: Fix BaseCryptLib CrtWrapper strcpy

2024-06-04 Thread Li, Yi

Thanks for your patch, this is a known issue: 
https://bugzilla.tianocore.org/show_bug.cgi?id=2817

Could you also update other wrappers in CrtWrapper.h and add BZ link to commit 
message?

Edk2 has switched to github pr code review process, you can raise PR in 
https://github.com/tianocore/edk2/pulls directly.

Regards,
Yi

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Witt, Sebastian 
via groups.io
Sent: Tuesday, June 4, 2024 12:19 AM
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH] CryptoPkg: Fix BaseCryptLib CrtWrapper strcpy


strcpy fails when strSource is closer than 4096 bytes after strDest.

This is caused by an overlap check in AsciiStrCpyS:
  //
  // 5. Copying shall not take place between objects that overlap.
  //
  SAFE_STRING_CONSTRAINT_CHECK (InternalSafeStringNoAsciiStrOverlap 
(Destination, DestMax, (CHAR8 *)Source, SourceLen + 1), RETURN_ACCESS_DENIED);

Since DestMax is MAX_STRING_SIZE (0x1000) and with a Source that is in this 
area behind Destination, AsciiStrCpyS will fail and strcpy will do nothing.

When called by CRYPTO_strdup in openssl this leads to uninitialzed memory that 
gets accessed instead of the copied string.

Signed-of-by: Sebastian Witt 
---
 CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c 
b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
index 37cdecc9bd..880ed140fd 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
@@ -271,7 +271,7 @@ strcpy (
   const char  *strSource
   )
 {
-  AsciiStrCpyS (strDest, MAX_STRING_SIZE, strSource);
+  AsciiStrCpyS (strDest, AsciiStrnSizeS (strSource, MAX_STRING_SIZE), 
+ strSource);
   return strDest;
 }
 
--
2.39.2








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119443): https://edk2.groups.io/g/devel/message/119443
Mute This Topic: https://groups.io/mt/106471263/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

2024-06-14 Thread Li, Yi

All crypto host tests which consumed randlib broken due to:
https://github.com/tianocore/edk2/pull/5714
Not sure why this issue not reported  by CI when merge this PR.

The reason is that the ```BaseRngLibConstructor``` of rnglib is not called in 
host test, so ```mRdRandSupported``` is not enabled.
Then the Crypto API calls ```GetRandomNumber*``` will fail.
GetRandomNumber64 (
  OUT UINT64  *Rand
  )
{
  ..
  if (!ArchIsRngSupported ()) {
return FALSE;
  }

Is there a way to let unit test host to call the constructors correctly?

Regards,
Yi



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119567): https://edk2.groups.io/g/devel/message/119567
Mute This Topic: https://groups.io/mt/10288/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

2024-06-14 Thread Li, Yi

Yes, we can create a host test specific lib if no better ways.

Regards,
Yi

From: Yao, Jiewen 
Sent: Friday, June 14, 2024 3:20 PM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Hou, Wenxing ; Kinney, Michael D 
; Pedro Falcato ; Ard 
Biesheuvel 
Subject: RE: CryptoPkg host test broken due to smoketest for RDRAND

Can we use a host test specific RngLib?

From: Li, Yi1 mailto:yi1...@intel.com>>
Sent: Friday, June 14, 2024 3:08 PM
To: devel@edk2.groups.io
Cc: Hou, Wenxing mailto:wenxing@intel.com>>; Yao, 
Jiewen mailto:jiewen@intel.com>>; Kinney, Michael D 
mailto:michael.d.kin...@intel.com>>; Pedro Falcato 
mailto:pedro.falc...@gmail.com>>; Ard Biesheuvel 
mailto:ardb+tianoc...@kernel.org>>
Subject: CryptoPkg host test broken due to smoketest for RDRAND

All crypto host tests which consumed randlib broken due to:
https://github.com/tianocore/edk2/pull/5714
Not sure why this issue not reported  by CI when merge this PR.

The reason is that the ```BaseRngLibConstructor``` of rnglib is not called in 
host test, so ```mRdRandSupported``` is not enabled.
Then the Crypto API calls ```GetRandomNumber*``` will fail.
GetRandomNumber64 (
  OUT UINT64  *Rand
  )
{
  ..
  if (!ArchIsRngSupported ()) {
return FALSE;
  }

Is there a way to let unit test host to call the constructors correctly?

Regards,
Yi

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119569): https://edk2.groups.io/g/devel/message/119569
Mute This Topic: https://groups.io/mt/10288/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

2024-06-14 Thread Li, Yi

Approved, appreciate your quick response.

Thanks,
Yi 

-Original Message-
From: Gerd Hoffmann  
Sent: Friday, June 14, 2024 6:41 PM
To: devel@edk2.groups.io; Li, Yi1 
Cc: Hou, Wenxing ; Yao, Jiewen ; 
Kinney, Michael D ; Pedro Falcato 
; Ard Biesheuvel 
Subject: Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

On Fri, Jun 14, 2024 at 07:07:41AM GMT, Li, Yi wrote:
> All crypto host tests which consumed randlib broken due to:
> https://github.com/tianocore/edk2/pull/5714
> Not sure why this issue not reported  by CI when merge this PR.
> 
> The reason is that the ```BaseRngLibConstructor``` of rnglib is not called in 
> host test, so ```mRdRandSupported``` is not enabled.
> Then the Crypto API calls ```GetRandomNumber*``` will fail.
> GetRandomNumber64 (
>   OUT UINT64  *Rand
>   )
> {
>   ..
>   if (!ArchIsRngSupported ()) {
> return FALSE;
>   }
> 
> Is there a way to let unit test host to call the constructors correctly?

https://github.com/tianocore/edk2/pull/5775

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119572): https://edk2.groups.io/g/devel/message/119572
Mute This Topic: https://groups.io/mt/10288/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

2024-06-14 Thread Li, Yi

Yes we did use PRNG(DRBG), the entropy pool is polled from HW RngLib. Seed is 
generated by TSC.

Regards,
Yi

From: Ard Biesheuvel 
Sent: Friday, June 14, 2024 3:52 PM
To: Li, Yi1 
Cc: Yao, Jiewen ; devel@edk2.groups.io; Hou, Wenxing 
; Kinney, Michael D ; Pedro 
Falcato 
Subject: Re: CryptoPkg host test broken due to smoketest for RDRAND

For crypto unit tests, it is generally better to use a pseudo-random RNG, with 
a known (but not constant) seed, so that potential failures can be diagnosed 
more easily. E.g., the seed could be logged in the test output.

On Fri, 14 Jun 2024 at 09:24, Li, Yi1 
mailto:yi1...@intel.com>> wrote:
Yes, we can create a host test specific lib if no better ways.

Regards,
Yi

From: Yao, Jiewen mailto:jiewen@intel.com>>
Sent: Friday, June 14, 2024 3:20 PM
To: Li, Yi1 mailto:yi1...@intel.com>>; 
devel@edk2.groups.io
Cc: Hou, Wenxing mailto:wenxing@intel.com>>; Kinney, 
Michael D mailto:michael.d.kin...@intel.com>>; 
Pedro Falcato mailto:pedro.falc...@gmail.com>>; Ard 
Biesheuvel mailto:ardb%2btianoc...@kernel.org>>
Subject: RE: CryptoPkg host test broken due to smoketest for RDRAND

Can we use a host test specific RngLib?

From: Li, Yi1 mailto:yi1...@intel.com>>
Sent: Friday, June 14, 2024 3:08 PM
To: devel@edk2.groups.io
Cc: Hou, Wenxing mailto:wenxing@intel.com>>; Yao, 
Jiewen mailto:jiewen@intel.com>>; Kinney, Michael D 
mailto:michael.d.kin...@intel.com>>; Pedro Falcato 
mailto:pedro.falc...@gmail.com>>; Ard Biesheuvel 
mailto:ardb+tianoc...@kernel.org>>
Subject: CryptoPkg host test broken due to smoketest for RDRAND

All crypto host tests which consumed randlib broken due to:
https://github.com/tianocore/edk2/pull/5714
Not sure why this issue not reported  by CI when merge this PR.

The reason is that the ```BaseRngLibConstructor``` of rnglib is not called in 
host test, so ```mRdRandSupported``` is not enabled.
Then the Crypto API calls ```GetRandomNumber*``` will fail.
GetRandomNumber64 (
  OUT UINT64  *Rand
  )
{
  ……
  if (!ArchIsRngSupported ()) {
return FALSE;
  }

Is there a way to let unit test host to call the constructors correctly?

Regards,
Yi

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119573): https://edk2.groups.io/g/devel/message/119573
Mute This Topic: https://groups.io/mt/10288/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

2024-06-14 Thread Li, Yi

> I think we need follow 24 hour rule.
> Any patch requires at least 24 hours before merge, to give people chance to 
> review and feedback.

Sure I will follow this rule future.
There is a critical Mbedtls bug based on this patch (blocked build) so I merged 
this patch quickly to unblock CI.
https://github.com/tianocore/edk2/pull/5773


Thanks,
Yi

-Original Message-
From: Yao, Jiewen  
Sent: Saturday, June 15, 2024 12:45 AM
To: Ard Biesheuvel 
Cc: Li, Yi1 ; Gerd Hoffmann ; 
devel@edk2.groups.io; Hou, Wenxing ; Kinney, Michael D 
; Pedro Falcato 
Subject: RE: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND


> -Original Message-
> From: Ard Biesheuvel 
> Sent: Saturday, June 15, 2024 12:14 AM
> To: Yao, Jiewen 
> Cc: Li, Yi1 ; Gerd Hoffmann ; 
> devel@edk2.groups.io; Hou, Wenxing ; Kinney, 
> Michael D ; Pedro Falcato 
> 
> Subject: Re: [edk2-devel] CryptoPkg host test broken due to smoketest 
> for RDRAND
> 
> On Fri, 14 Jun 2024 at 18:09, Yao, Jiewen  wrote:
> >
> > Hey
> > This PR seems just a workaround.
> >
> > I don't feel it is right solution to hardcode BIT30.
> > What if the host platform does not have such capability? You will 
> > get failure
> later.
> >
> 
> Agreed. But that was already the case: RngLib assumed that RDRAND was 
> implemented without checking CPUID at all, and so the code was already 
> broken on systems without RDRAND.

[Jiewen] Sorry, I don’t understand your comment. " implemented without checking 
CPUID at all "

See below code. It does use CPUID to check the capability.

EFI_STATUS
EFIAPI
BaseRngLibConstructor (
  VOID
  )
{
  UINT32  RegEcx;

  //
  // Determine RDRAND support by examining bit 30 of the ECX register returned 
by
  // CPUID. A value of 1 indicates that processor support RDRAND instruction.
  //
  AsmCpuid (1, 0, 0, &RegEcx, 0);

  mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK);

  if (mRdRandSupported) {
mRdRandSupported = TestRdRand ();
  }

  return EFI_SUCCESS;
}


> 
> >
> > To fix this function, can we call real CPUID instruction to return real 
> > value?
> >
> 
> That would be better. But this change just restores the old behavior.
> And on top of that, Yi Li already merged it.

[Jiewen] I don’t think it is right to merge it without thorough review.

I think we need follow 24 hour rule.
Any patch requires at least 24 hours before merge, to give people chance to 
review and feedback.







-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119582): https://edk2.groups.io/g/devel/message/119582
Mute This Topic: https://groups.io/mt/10288/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

2024-06-14 Thread Li, Yi

Hi Jiewen,

Currently Host lib using a dummy AsmCpuid implementation:
BaseLib\X86UnitTestHost.c
AsmCpuid -> UnitTestHostBaseLibAsmCpuid -> Return all zero (BIT30 of ECX 
hardcode to 1 after change of Gerd)

Did you mean prefer to use real AsmCpuid func in Host?
Or only use cpuid to check RdRand bit and set it.

Regards,
Yi

-Original Message-
From: Ard Biesheuvel  
Sent: Saturday, June 15, 2024 1:16 AM
To: Yao, Jiewen 
Cc: Li, Yi1 ; Gerd Hoffmann ; 
devel@edk2.groups.io; Hou, Wenxing ; Kinney, Michael D 
; Pedro Falcato 
Subject: Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

On Fri, 14 Jun 2024 at 18:45, Yao, Jiewen  wrote:
>
>
> > -Original Message-
> > From: Ard Biesheuvel 
> > Sent: Saturday, June 15, 2024 12:14 AM
> > To: Yao, Jiewen 
> > Cc: Li, Yi1 ; Gerd Hoffmann ; 
> > devel@edk2.groups.io; Hou, Wenxing ; Kinney, 
> > Michael D ; Pedro Falcato 
> > 
> > Subject: Re: [edk2-devel] CryptoPkg host test broken due to 
> > smoketest for RDRAND
> >
> > On Fri, 14 Jun 2024 at 18:09, Yao, Jiewen  wrote:
> > >
> > > Hey
> > > This PR seems just a workaround.
> > >
> > > I don't feel it is right solution to hardcode BIT30.
> > > What if the host platform does not have such capability? You will 
> > > get failure
> > later.
> > >
> >
> > Agreed. But that was already the case: RngLib assumed that RDRAND 
> > was implemented without checking CPUID at all, and so the code was 
> > already broken on systems without RDRAND.
>
> [Jiewen] Sorry, I don’t understand your comment. " implemented without 
> checking CPUID at all "
>
> See below code. It does use CPUID to check the capability.
>
> EFI_STATUS
> EFIAPI
> BaseRngLibConstructor (
>   VOID
>   )
> {
>   UINT32  RegEcx;
>
>   //
>   // Determine RDRAND support by examining bit 30 of the ECX register 
> returned by
>   // CPUID. A value of 1 indicates that processor support RDRAND instruction.
>   //
>   AsmCpuid (1, 0, 0, &RegEcx, 0);
>
>   mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
>
>   if (mRdRandSupported) {
> mRdRandSupported = TestRdRand ();
>   }
>
>   return EFI_SUCCESS;
> }
>
>

See commit 9301e5644cef5a5234f71b178373dd508cabb9ee

The old code had

+BOOLEAN
+EFIAPI
+ArchIsRngSupported (
+  VOID
+  )
+{
+  /*
+ Existing software depends on this always returning TRUE, so for
+ now hard-code it.
+
+ return mRdRandSupported;
+  */
+  return TRUE;
+}



> >
> > >
> > > To fix this function, can we call real CPUID instruction to return real 
> > > value?
> > >
> >
> > That would be better. But this change just restores the old behavior.
> > And on top of that, Yi Li already merged it.
>
> [Jiewen] I don’t think it is right to merge it without thorough review.
>
> I think we need follow 24 hour rule.
> Any patch requires at least 24 hours before merge, to give people chance to 
> review and feedback.
>

Agreed.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119585): https://edk2.groups.io/g/devel/message/119585
Mute This Topic: https://groups.io/mt/10288/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

2024-06-14 Thread Li, Yi

Sounds good, I will try it.

Thanks,
Yi

-Original Message-
From: Kinney, Michael D  
Sent: Saturday, June 15, 2024 12:58 PM
To: Li, Yi1 ; Ard Biesheuvel ; Yao, Jiewen 

Cc: Gerd Hoffmann ; devel@edk2.groups.io; Hou, Wenxing 
; Pedro Falcato ; Kinney, 
Michael D 
Subject: RE: [edk2-devel] CryptoPkg host test broken due to smoketest for RDRAND

If the host test was updated to use GoogleTest/GoogleMock, then the call to 
AsmCpuid() could be mocked instead of calling the version of BaseLib that is 
safe to use from host envs.  Then all the code paths can be tested properly.

Mike

> -Original Message-
> From: Li, Yi1 
> Sent: Friday, June 14, 2024 9:55 PM
> To: Ard Biesheuvel ; Yao, Jiewen 
> 
> Cc: Gerd Hoffmann ; devel@edk2.groups.io; Hou, 
> Wenxing ; Kinney, Michael D 
> ; Pedro Falcato 
> Subject: RE: [edk2-devel] CryptoPkg host test broken due to smoketest 
> for RDRAND
> 
> Hi Jiewen,
> 
> Currently Host lib using a dummy AsmCpuid implementation:
> BaseLib\X86UnitTestHost.c
> AsmCpuid -> UnitTestHostBaseLibAsmCpuid -> Return all zero (BIT30 of 
> ECX hardcode to 1 after change of Gerd)
> 
> Did you mean prefer to use real AsmCpuid func in Host?
> Or only use cpuid to check RdRand bit and set it.
> 
> Regards,
> Yi
> 
> -Original Message-
> From: Ard Biesheuvel 
> Sent: Saturday, June 15, 2024 1:16 AM
> To: Yao, Jiewen 
> Cc: Li, Yi1 ; Gerd Hoffmann ; 
> devel@edk2.groups.io; Hou, Wenxing ; Kinney, 
> Michael D ; Pedro Falcato 
> 
> Subject: Re: [edk2-devel] CryptoPkg host test broken due to smoketest 
> for RDRAND
> 
> On Fri, 14 Jun 2024 at 18:45, Yao, Jiewen  wrote:
> >
> >
> > > -Original Message-
> > > From: Ard Biesheuvel 
> > > Sent: Saturday, June 15, 2024 12:14 AM
> > > To: Yao, Jiewen 
> > > Cc: Li, Yi1 ; Gerd Hoffmann ; 
> > > devel@edk2.groups.io; Hou, Wenxing ; 
> > > Kinney, Michael D ; Pedro Falcato 
> > > 
> > > Subject: Re: [edk2-devel] CryptoPkg host test broken due to 
> > > smoketest for RDRAND
> > >
> > > On Fri, 14 Jun 2024 at 18:09, Yao, Jiewen  wrote:
> > > >
> > > > Hey
> > > > This PR seems just a workaround.
> > > >
> > > > I don't feel it is right solution to hardcode BIT30.
> > > > What if the host platform does not have such capability? You 
> > > > will get failure
> > > later.
> > > >
> > >
> > > Agreed. But that was already the case: RngLib assumed that RDRAND 
> > > was implemented without checking CPUID at all, and so the code was 
> > > already broken on systems without RDRAND.
> >
> > [Jiewen] Sorry, I don’t understand your comment. " implemented 
> > without
> checking CPUID at all "
> >
> > See below code. It does use CPUID to check the capability.
> >
> > EFI_STATUS
> > EFIAPI
> > BaseRngLibConstructor (
> >   VOID
> >   )
> > {
> >   UINT32  RegEcx;
> >
> >   //
> >   // Determine RDRAND support by examining bit 30 of the ECX 
> > register
> returned by
> >   // CPUID. A value of 1 indicates that processor support RDRAND
> instruction.
> >   //
> >   AsmCpuid (1, 0, 0, &RegEcx, 0);
> >
> >   mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
> >
> >   if (mRdRandSupported) {
> > mRdRandSupported = TestRdRand ();
> >   }
> >
> >   return EFI_SUCCESS;
> > }
> >
> >
> 
> See commit 9301e5644cef5a5234f71b178373dd508cabb9ee
> 
> The old code had
> 
> +BOOLEAN
> +EFIAPI
> +ArchIsRngSupported (
> +  VOID
> +  )
> +{
> +  /*
> + Existing software depends on this always returning TRUE, so for
> + now hard-code it.
> +
> + return mRdRandSupported;
> +  */
> +  return TRUE;
> +}
> 
> 
> 
> > >
> > > >
> > > > To fix this function, can we call real CPUID instruction to 
> > > > return real
> value?
> > > >
> > >
> > > That would be better. But this change just restores the old behavior.
> > > And on top of that, Yi Li already merged it.
> >
> > [Jiewen] I don’t think it is right to merge it without thorough review.
> >
> > I think we need follow 24 hour rule.
> > Any patch requires at least 24 hours before merge, to give people 
> > chance to
> review and feedback.
> >
> 
> Agreed.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119587): https://edk2.groups.io/g/devel/message/119587
Mute This Topic: https://groups.io/mt/10288/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 1/3] MdePkg: Add Tls configuration related define

2022-09-25 Thread Li, Yi

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList.

Cc: Jiewen Yao 
Cc: Michael D Kinney 
Cc: Liming Gao 
Signed-off-by: Yi Li 
---
 MdePkg/Include/IndustryStandard/Tls1.h | 110 +
 1 file changed, 74 insertions(+), 36 deletions(-)

diff --git a/MdePkg/Include/IndustryStandard/Tls1.h 
b/MdePkg/Include/IndustryStandard/Tls1.h
index cf67428b11..5cf2860caf 100644
--- a/MdePkg/Include/IndustryStandard/Tls1.h
+++ b/MdePkg/Include/IndustryStandard/Tls1.h
@@ -15,42 +15,46 @@
 ///
 /// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246.
 ///
-#define TLS_RSA_WITH_NULL_MD5{0x00, 0x01}
-#define TLS_RSA_WITH_NULL_SHA{0x00, 0x02}
-#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04}
-#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05}
-#define TLS_RSA_WITH_IDEA_CBC_SHA{0x00, 0x07}
-#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09}
-#define TLS_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x0A}
-#define TLS_DH_DSS_WITH_DES_CBC_SHA  {0x00, 0x0C}
-#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D}
-#define TLS_DH_RSA_WITH_DES_CBC_SHA  {0x00, 0x0F}
-#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10}
-#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12}
-#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA{0x00, 0x13}
-#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15}
-#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x16}
-#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA  {0x00, 0x30}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA  {0x00, 0x31}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33}
-#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA  {0x00, 0x36}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA  {0x00, 0x37}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39}
-#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B}
-#define TLS_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x3C}
-#define TLS_RSA_WITH_AES_256_CBC_SHA256  {0x00, 0x3D}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256   {0x00, 0x3E}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256   {0x00, 0x3F}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  {0x00, 0x40}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x67}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256   {0x00, 0x68}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256   {0x00, 0x69}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256  {0x00, 0x6A}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  {0x00, 0x6B}
+#define TLS_RSA_WITH_NULL_MD5  {0x00, 0x01}
+#define TLS_RSA_WITH_NULL_SHA  {0x00, 0x02}
+#define TLS_RSA_WITH_RC4_128_MD5   {0x00, 0x04}
+#define TLS_RSA_WITH_RC4_128_SHA   {0x00, 0x05}
+#define TLS_RSA_WITH_IDEA_CBC_SHA  {0x00, 0x07}
+#define TLS_RSA_WITH_DES_CBC_SHA   {0x00, 0x09}
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA  {0x00, 0x0A}
+#define TLS_DH_DSS_WITH_DES_CBC_SHA{0x00, 0x0C}
+#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA   {0x00, 0x0D}
+#define TLS_DH_RSA_WITH_DES_CBC_SHA{0x00, 0x0F}
+#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA   {0x00, 0x10}
+#define TLS_DHE_DSS_WITH_DES_CBC_SHA   {0x00, 0x12}
+#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  {0x00, 0x13}
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA   {0x00, 0x15}
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  {0x00, 0x16}
+#define TLS_RSA_WITH_AES_128_CBC_SHA   {0x00, 0x2F}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA{0x00, 0x30}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA{0x00, 0x31}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA   {0x00, 0x32}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA   {0x00, 0x33}
+#define TLS_RSA_WITH_AES_256_CBC_SHA   {0x00, 0x35}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA{0x00, 0x36}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA{0x00, 0x37}
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA   {0x00, 0x38}
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA   {0x00, 0x39}
+#define TLS_RSA_WITH_NULL_SHA256   {0x00, 0x3B}
+#define TLS_RSA_WITH_AES_128_CBC_SHA256{0x00, 0x3C}
+#define TLS_RSA_WITH_AES_256_CBC_SHA256{0x00, 0x3D}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256{0x00, 0x40}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256{0x00, 0x67}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69}
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256{0x00, 0x6A}
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256{0x00, 0x6B}
+#define TLS_DHE_RSA_WITH_AES_256_GCM_S

[edk2-devel] [PATCH 0/3] CryptoPkg: Extend Tls library

2022-09-25 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Review PR: https://github.com/tianocore/edk2/pull/3400
This patch sequence is used to extend Tls library, which are wrapped
over OpenSSL. The implementation provides library functions for EFI
DXE dirver and Protocol.

All APIs passed unit test and fuzzing test, detail as:
1. Unit test:
New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
2. Fuzzing test:
Various Fuzz Testing are employed across the all introduced APIs, and the
test is used AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0) as the fuzzer,
based on HBFA.
Fuzzing Pass Rate is 100%;
The Code Coverage of new APIs is 91%.
All test case show in:
https://github.com/liyi77/edk2-staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg

Tested-by: Yi Li 
Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 

Signed-off-by: Yi Li 

*** BLURB HERE ***

Yi Li (3):
  MdePkg: Add Tls configuration related define
  CryptoPkg: Extend Tls function library
  CryptoPkg: Add new Tls APIs to DXE and protocol

 CryptoPkg/Driver/Crypto.c | 155 ++-
 CryptoPkg/Include/Library/TlsLib.h| 126 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 ++-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c  | 413 --
 CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 +
 CryptoPkg/Private/Protocol/Crypto.h   | 136 +-
 MdePkg/Include/IndustryStandard/Tls1.h| 110 +++--
 11 files changed, 1200 insertions(+), 73 deletions(-)

-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94309): https://edk2.groups.io/g/devel/message/94309
Mute This Topic: https://groups.io/mt/93921698/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol

2022-09-25 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

The implementation provides new Tls library functions
for Crypto EFI Driver and Protocol.

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/Driver/Crypto.c | 155 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 -
 CryptoPkg/Private/Protocol/Crypto.h   | 136 ++-
 4 files changed, 435 insertions(+), 7 deletions(-)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 7a8266aaba..f1ff77855c 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4238,6 +4238,28 @@ CryptoServiceTlsWrite (
   return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, 
BufferSize), 0);
 }
 
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]   TlsPointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR  Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsShutdown (
+  IN VOID  *Tls
+  )
+{
+  return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), 
EFI_UNSUPPORTED);
+}
+
 /**
   Set a new TLS/SSL method for a particular TLS object.
 
@@ -4463,11 +4485,41 @@ CryptoServiceTlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls Pointer to the TLS object.
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
+  or PKCS#8 private key.
+  @param[in]  DataSizeThe size of data buffer in bytes.
+  @param[in]  PasswordPointer to NULL-terminated private key password, set 
it to NULL
+  if private key not encrypted.
+
+  @retval  EFI_SUCCESS The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetHostPrivateKeyEx (
+  IN VOID   *Tls,
+  IN VOID   *Data,
+  IN UINTN  DataSize,
+  IN VOID   *Password  OPTIONAL
+  )
+{
+  return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, 
TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
+}
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls Pointer to the TLS object.
-  @param[in]  DataPointer to the data buffer of a PEM-encoded RSA
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
   or PKCS#8 private key.
   @param[in]  DataSizeThe size of data buffer in bytes.
 
@@ -4511,6 +4563,59 @@ CryptoServiceTlsSetCertRevocationList (
   return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, 
TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
 }
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS 
object.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   Array of UINT8 of signature algorithms. The 
array consists of
+ pairs of the hash algorithm and the signature 
algorithm as defined
+ in RFC 5246
+  @param[in]  DataSize   The length the SignatureAlgoList. Must be 
divisible by 2.
+
+  @retval  EFI_SUCCESS   The signature algorithm list was set 
successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED   No supported TLS signature algorithm was 
found in SignatureAlgoList
+  @retval  EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetSignatureAlgoList (
+  IN VOID   *Tls,
+  IN UINT8  *Data,
+  IN UINTN  DataSize
+  )
+{
+  return CALL_BASECRYPTLIB (TlsSet.Services.SignatureAlgoList, 
TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);
+}
+
+/**
+  Set the EC curve to be used for TLS flows
+
+  This function sets the EC curve to be used for TLS flows.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   An EC named curve as defined in section 5.1.1 
of RFC 4492.
+

[edk2-devel] [PATCH 2/3] CryptoPkg: Extend Tls function library

2022-09-25 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList(): Configure the list of TLS signature algorithms
that should be used as part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve(): Configure the Elliptic Curve that should be used for
TLS flows the use cipher suite with EC,
e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used,
e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

3. TlsShutdown():
Shutdown the TLS connection without releasing the resources,
meaning a new connection can be started without calling TlsNew() and
without setting certificates etc.

4. TlsGetExportKey(): Derive keying material from a TLS connection using the
mechanism described in RFC 5705 and export the key material (needed
by EAP methods such as EAP-TTLS and EAP-PEAP).

5. TlsSetHostPrivateKeyEx(): This function adds the local private key
(PEM-encoded or PKCS#8 or DER-encoded private key) into the specified
TLS object for TLS negotiation. There is already a similar function
TlsSetHostPrivateKey(), the new Ex function introduces a new parameter
Password, set Password to NULL when useless.

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/Include/Library/TlsLib.h| 126 +-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c  | 412 --
 CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 +
 6 files changed, 690 insertions(+), 30 deletions(-)

diff --git a/CryptoPkg/Include/Library/TlsLib.h 
b/CryptoPkg/Include/Library/TlsLib.h
index 3b75fde0aa..d37c5fcc35 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -294,6 +294,25 @@ TlsWrite (
   IN UINTN  BufferSize
   );
 
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]   TlsPointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR  Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+  IN VOID  *Tls
+  );
+
 /**
   Set a new TLS/SSL method for a particular TLS object.
 
@@ -492,11 +511,38 @@ TlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls Pointer to the TLS object.
-  @param[in]  DataPointer to the data buffer of a PEM-encoded RSA
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
+  or PKCS#8 private key.
+  @param[in]  DataSizeThe size of data buffer in bytes.
+  @param[in]  PasswordPointer to NULL-terminated private key password, set 
it to NULL
+  if private key not encrypted.
+
+  @retval  EFI_SUCCESS The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKeyEx (
+  IN VOID   *Tls,
+  IN VOID   *Data,
+  IN UINTN  DataSize,
+  IN VOID   *Password  OPTIONAL
+  );
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls Pointer to the TLS object.
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
   or PKCS#8 private key.
   @param[in]  DataSizeThe size of data buffer in bytes.
 
@@ -534,6 +580,53 @@ TlsSetCertRevocationList (
   IN UINTN  DataSize
   );
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS 
object.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   Array of UINT8 of signature algorithms. The 
array consists of
+ pairs of the hash algorithm and the signature 
algorithm as defined
+

Re: [edk2-devel] [PATCH 0/3] CryptoPkg: Extend Tls library

2022-09-29 Thread Li, Yi

Hi All,
Any comment about this patch set? Thanks very much.

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Monday, September 26, 2022 2:27 PM
To: devel@edk2.groups.io
Cc: Li, Yi1 ; Yao, Jiewen ; Wang, Jian 
J ; Lu, Xiaoyu1 ; Jiang, Guomin 

Subject: [edk2-devel] [PATCH 0/3] CryptoPkg: Extend Tls library

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Review PR: https://github.com/tianocore/edk2/pull/3400
This patch sequence is used to extend Tls library, which are wrapped over 
OpenSSL. The implementation provides library functions for EFI DXE dirver and 
Protocol.

All APIs passed unit test and fuzzing test, detail as:
1. Unit test:
New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
2. Fuzzing test:
Various Fuzz Testing are employed across the all introduced APIs, and the test 
is used AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0) as the fuzzer, based on 
HBFA.
Fuzzing Pass Rate is 100%;
The Code Coverage of new APIs is 91%.
All test case show in:
https://github.com/liyi77/edk2-staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg

Tested-by: Yi Li 
Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 

Signed-off-by: Yi Li 

*** BLURB HERE ***

Yi Li (3):
  MdePkg: Add Tls configuration related define
  CryptoPkg: Extend Tls function library
  CryptoPkg: Add new Tls APIs to DXE and protocol

 CryptoPkg/Driver/Crypto.c | 155 ++-
 CryptoPkg/Include/Library/TlsLib.h| 126 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 ++-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c  | 413 --
 CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-  
CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 +
 CryptoPkg/Private/Protocol/Crypto.h   | 136 +-
 MdePkg/Include/IndustryStandard/Tls1.h| 110 +++--
 11 files changed, 1200 insertions(+), 73 deletions(-)

--
2.31.1.windows.1

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94559): https://edk2.groups.io/g/devel/message/94559
Mute This Topic: https://groups.io/mt/93921698/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol

2022-09-29 Thread Li, Yi

Thanks, next patch set will fix it.

-Original Message-
From: Kinney, Michael D  
Sent: Friday, September 30, 2022 1:09 PM
To: devel@edk2.groups.io; Li, Yi1 ; Kinney, Michael D 

Cc: Yao, Jiewen ; Wang, Jian J ; 
Lu, Xiaoyu1 ; Jiang, Guomin 
Subject: RE: [edk2-devel] [PATCH 3/3] CryptoPkg: Add new Tls APIs to DXE and 
protocol

I see one issue with adding new bits to the crypto services structured PCD.

Comment below.

Mike

> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Li, Yi
> Sent: Sunday, September 25, 2022 11:27 PM
> To: devel@edk2.groups.io
> Cc: Li, Yi1 ; Yao, Jiewen ; 
> Wang, Jian J ; Lu, Xiaoyu1 
> ; Jiang, Guomin 
> Subject: [edk2-devel] [PATCH 3/3] CryptoPkg: Add new Tls APIs to DXE 
> and protocol
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
> 
> The implementation provides new Tls library functions for Crypto EFI 
> Driver and Protocol.
> 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Xiaoyu Lu 
> Cc: Guomin Jiang 
> Signed-off-by: Yi Li 
> ---
>  CryptoPkg/Driver/Crypto.c | 155 +-
>  .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 -
>  CryptoPkg/Private/Protocol/Crypto.h   | 136 ++-
>  4 files changed, 435 insertions(+), 7 deletions(-)
> 
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c 
> index 7a8266aaba..f1ff77855c 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -4238,6 +4238,28 @@ CryptoServiceTlsWrite (
>return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, 
> Buffer, BufferSize), 0);  }
> 
> +/**
> +  Shutdown a TLS connection.
> +
> +  Shutdown the TLS connection without releasing the resources, 
> + meaning a new  connection can be started without calling TlsNew() 
> + and without setting  certificates etc.
> +
> +  @param[in]   TlsPointer to the TLS object to shutdown.
> +
> +  @retval EFI_SUCCESS The TLS is shutdown successfully.
> +  @retval EFI_INVALID_PARAMETER   Tls is NULL.
> +  @retval EFI_PROTOCOL_ERROR  Some other error occurred.
> +**/
> +EFI_STATUS
> +EFIAPI
> +CryptoServiceTlsShutdown (
> +  IN VOID  *Tls
> +  )
> +{
> +  return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, 
> +(Tls), EFI_UNSUPPORTED); }
> +
>  /**
>Set a new TLS/SSL method for a particular TLS object.
> 
> @@ -4463,11 +4485,41 @@ CryptoServiceTlsSetHostPublicCert (
>  /**
>Adds the local private key to the specified TLS object.
> 
> -  This function adds the local private key (PEM-encoded RSA or PKCS#8 
> private
> +  This function adds the local private key (DER-encoded or 
> + PEM-encoded or PKCS#8 private
> +  key) into the specified TLS object for TLS negotiation.
> +
> +  @param[in]  Tls Pointer to the TLS object.
> +  @param[in]  DataPointer to the data buffer of a DER-encoded or 
> PEM-encoded
> +  or PKCS#8 private key.
> +  @param[in]  DataSizeThe size of data buffer in bytes.
> +  @param[in]  PasswordPointer to NULL-terminated private key password, 
> set it to NULL
> +  if private key not encrypted.
> +
> +  @retval  EFI_SUCCESS The operation succeeded.
> +  @retval  EFI_UNSUPPORTED This function is not supported.
> +  @retval  EFI_ABORTED Invalid private key data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +CryptoServiceTlsSetHostPrivateKeyEx (
> +  IN VOID   *Tls,
> +  IN VOID   *Data,
> +  IN UINTN  DataSize,
> +  IN VOID   *Password  OPTIONAL
> +  )
> +{
> +  return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, 
> +TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password),
> EFI_UNSUPPORTED);
> +}
> +
> +/**
> +  Adds the local private key to the specified TLS object.
> +
> +  This function adds the local private key (DER-encoded or 
> + PEM-encoded or PKCS#8 private
>key) into the specified TLS object for TLS negotiation.
> 
>@param[in]  Tls Pointer to the TLS object.
> -  @param[in]  DataPointer to the data buffer of a PEM-encoded RSA
> +  @param[in]  DataPointer to the data buffer of a DER-encoded or 
> PEM-encoded
>or PKCS#8 private key.
>@param[in]  DataSizeThe size of data buffer in bytes.
> 
> @@ -4511,6 +4563,59 @@ CryptoServiceTlsSetCertRevocationList (
>return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, 
> TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);  }
> 
> +/**
> +  Set the signature algorithm list to used by the TLS object.
> +
&

[edk2-devel] [PATCH V2 0/3] CryptoPkg: Extend Tls library

2022-10-07 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Review PR: https://github.com/tianocore/edk2/pull/3400
This patch sequence is used to extend Tls library, which are wrapped
over OpenSSL. The implementation provides library functions for EFI
DXE dirver and Protocol.

All APIs passed unit test and fuzzing test, detail as:
1. Unit test:
New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
2. Fuzzing test:
Various Fuzz Testing are employed across the all introduced APIs, and the
test is used AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0) as the fuzzer,
based on HBFA.
Fuzzing Pass Rate is 100%;
The Code Coverage of new APIs is 91%.
All test case show in:
https://github.com/liyi77/edk2-staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg

V2 change:
Move the newly added APIs to the end of struct PCD.

Tested-by: Yi Li 
Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Cc: Michael D Kinney 
Cc: Liming Gao 

Signed-off-by: Yi Li 

Yi Li (3):
  MdePkg: Add Tls configuration related define
  CryptoPkg: Extend Tls function library
  CryptoPkg: Add new Tls APIs to DXE and protocol

 CryptoPkg/Driver/Crypto.c | 155 ++-
 CryptoPkg/Include/Library/TlsLib.h| 126 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 ++-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c  | 412 --
 CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 +
 CryptoPkg/Private/Protocol/Crypto.h   | 136 +-
 MdePkg/Include/IndustryStandard/Tls1.h| 110 +++--
 11 files changed, 1199 insertions(+), 73 deletions(-)

-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94832): https://edk2.groups.io/g/devel/message/94832
Mute This Topic: https://groups.io/mt/94193503/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V2 1/3] MdePkg: Add Tls configuration related define

2022-10-07 Thread Li, Yi

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList.

Cc: Jiewen Yao 
Cc: Michael D Kinney 
Cc: Liming Gao 
Signed-off-by: Yi Li 
---
 MdePkg/Include/IndustryStandard/Tls1.h | 110 +
 1 file changed, 74 insertions(+), 36 deletions(-)

diff --git a/MdePkg/Include/IndustryStandard/Tls1.h 
b/MdePkg/Include/IndustryStandard/Tls1.h
index cf67428b11..5cf2860caf 100644
--- a/MdePkg/Include/IndustryStandard/Tls1.h
+++ b/MdePkg/Include/IndustryStandard/Tls1.h
@@ -15,42 +15,46 @@
 ///
 /// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246.
 ///
-#define TLS_RSA_WITH_NULL_MD5{0x00, 0x01}
-#define TLS_RSA_WITH_NULL_SHA{0x00, 0x02}
-#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04}
-#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05}
-#define TLS_RSA_WITH_IDEA_CBC_SHA{0x00, 0x07}
-#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09}
-#define TLS_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x0A}
-#define TLS_DH_DSS_WITH_DES_CBC_SHA  {0x00, 0x0C}
-#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D}
-#define TLS_DH_RSA_WITH_DES_CBC_SHA  {0x00, 0x0F}
-#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10}
-#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12}
-#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA{0x00, 0x13}
-#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15}
-#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x16}
-#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA  {0x00, 0x30}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA  {0x00, 0x31}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33}
-#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA  {0x00, 0x36}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA  {0x00, 0x37}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39}
-#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B}
-#define TLS_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x3C}
-#define TLS_RSA_WITH_AES_256_CBC_SHA256  {0x00, 0x3D}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256   {0x00, 0x3E}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256   {0x00, 0x3F}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  {0x00, 0x40}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x67}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256   {0x00, 0x68}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256   {0x00, 0x69}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256  {0x00, 0x6A}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  {0x00, 0x6B}
+#define TLS_RSA_WITH_NULL_MD5  {0x00, 0x01}
+#define TLS_RSA_WITH_NULL_SHA  {0x00, 0x02}
+#define TLS_RSA_WITH_RC4_128_MD5   {0x00, 0x04}
+#define TLS_RSA_WITH_RC4_128_SHA   {0x00, 0x05}
+#define TLS_RSA_WITH_IDEA_CBC_SHA  {0x00, 0x07}
+#define TLS_RSA_WITH_DES_CBC_SHA   {0x00, 0x09}
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA  {0x00, 0x0A}
+#define TLS_DH_DSS_WITH_DES_CBC_SHA{0x00, 0x0C}
+#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA   {0x00, 0x0D}
+#define TLS_DH_RSA_WITH_DES_CBC_SHA{0x00, 0x0F}
+#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA   {0x00, 0x10}
+#define TLS_DHE_DSS_WITH_DES_CBC_SHA   {0x00, 0x12}
+#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  {0x00, 0x13}
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA   {0x00, 0x15}
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  {0x00, 0x16}
+#define TLS_RSA_WITH_AES_128_CBC_SHA   {0x00, 0x2F}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA{0x00, 0x30}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA{0x00, 0x31}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA   {0x00, 0x32}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA   {0x00, 0x33}
+#define TLS_RSA_WITH_AES_256_CBC_SHA   {0x00, 0x35}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA{0x00, 0x36}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA{0x00, 0x37}
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA   {0x00, 0x38}
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA   {0x00, 0x39}
+#define TLS_RSA_WITH_NULL_SHA256   {0x00, 0x3B}
+#define TLS_RSA_WITH_AES_128_CBC_SHA256{0x00, 0x3C}
+#define TLS_RSA_WITH_AES_256_CBC_SHA256{0x00, 0x3D}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 {0x00, 0x3E}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 {0x00, 0x3F}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256{0x00, 0x40}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256{0x00, 0x67}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 {0x00, 0x68}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 {0x00, 0x69}
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256{0x00, 0x6A}
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256{0x00, 0x6B}
+#define TLS_DHE_RSA_WITH_AES_256_GCM_S

[edk2-devel] [PATCH V2 2/3] CryptoPkg: Extend Tls function library

2022-10-07 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList(): Configure the list of TLS signature algorithms
that should be used as part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve(): Configure the Elliptic Curve that should be used for
TLS flows the use cipher suite with EC,
e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used,
e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

3. TlsShutdown():
Shutdown the TLS connection without releasing the resources,
meaning a new connection can be started without calling TlsNew() and
without setting certificates etc.

4. TlsGetExportKey(): Derive keying material from a TLS connection using the
mechanism described in RFC 5705 and export the key material (needed
by EAP methods such as EAP-TTLS and EAP-PEAP).

5. TlsSetHostPrivateKeyEx(): This function adds the local private key
(PEM-encoded or PKCS#8 or DER-encoded private key) into the specified
TLS object for TLS negotiation. There is already a similar function
TlsSetHostPrivateKey(), the new Ex function introduces a new parameter
Password, set Password to NULL when useless.

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/Include/Library/TlsLib.h| 126 +-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c  | 412 --
 CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 +
 6 files changed, 690 insertions(+), 30 deletions(-)

diff --git a/CryptoPkg/Include/Library/TlsLib.h 
b/CryptoPkg/Include/Library/TlsLib.h
index 3b75fde0aa..d37c5fcc35 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -294,6 +294,25 @@ TlsWrite (
   IN UINTN  BufferSize
   );
 
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]   TlsPointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR  Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+  IN VOID  *Tls
+  );
+
 /**
   Set a new TLS/SSL method for a particular TLS object.
 
@@ -492,11 +511,38 @@ TlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls Pointer to the TLS object.
-  @param[in]  DataPointer to the data buffer of a PEM-encoded RSA
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
+  or PKCS#8 private key.
+  @param[in]  DataSizeThe size of data buffer in bytes.
+  @param[in]  PasswordPointer to NULL-terminated private key password, set 
it to NULL
+  if private key not encrypted.
+
+  @retval  EFI_SUCCESS The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKeyEx (
+  IN VOID   *Tls,
+  IN VOID   *Data,
+  IN UINTN  DataSize,
+  IN VOID   *Password  OPTIONAL
+  );
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls Pointer to the TLS object.
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
   or PKCS#8 private key.
   @param[in]  DataSizeThe size of data buffer in bytes.
 
@@ -534,6 +580,53 @@ TlsSetCertRevocationList (
   IN UINTN  DataSize
   );
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS 
object.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   Array of UINT8 of signature algorithms. The 
array consists of
+ pairs of the hash algorithm and the signature 
algorithm as defined
+

[edk2-devel] [PATCH V2 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol

2022-10-07 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

The implementation provides new Tls library functions
for Crypto EFI Driver and Protocol.

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/Driver/Crypto.c | 155 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 -
 CryptoPkg/Private/Protocol/Crypto.h   | 136 ++-
 4 files changed, 435 insertions(+), 7 deletions(-)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 7a8266aaba..f1ff77855c 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4238,6 +4238,28 @@ CryptoServiceTlsWrite (
   return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, 
BufferSize), 0);
 }
 
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]   TlsPointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR  Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsShutdown (
+  IN VOID  *Tls
+  )
+{
+  return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), 
EFI_UNSUPPORTED);
+}
+
 /**
   Set a new TLS/SSL method for a particular TLS object.
 
@@ -4463,11 +4485,41 @@ CryptoServiceTlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls Pointer to the TLS object.
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
+  or PKCS#8 private key.
+  @param[in]  DataSizeThe size of data buffer in bytes.
+  @param[in]  PasswordPointer to NULL-terminated private key password, set 
it to NULL
+  if private key not encrypted.
+
+  @retval  EFI_SUCCESS The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetHostPrivateKeyEx (
+  IN VOID   *Tls,
+  IN VOID   *Data,
+  IN UINTN  DataSize,
+  IN VOID   *Password  OPTIONAL
+  )
+{
+  return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, 
TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
+}
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls Pointer to the TLS object.
-  @param[in]  DataPointer to the data buffer of a PEM-encoded RSA
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
   or PKCS#8 private key.
   @param[in]  DataSizeThe size of data buffer in bytes.
 
@@ -4511,6 +4563,59 @@ CryptoServiceTlsSetCertRevocationList (
   return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, 
TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
 }
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS 
object.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   Array of UINT8 of signature algorithms. The 
array consists of
+ pairs of the hash algorithm and the signature 
algorithm as defined
+ in RFC 5246
+  @param[in]  DataSize   The length the SignatureAlgoList. Must be 
divisible by 2.
+
+  @retval  EFI_SUCCESS   The signature algorithm list was set 
successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED   No supported TLS signature algorithm was 
found in SignatureAlgoList
+  @retval  EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetSignatureAlgoList (
+  IN VOID   *Tls,
+  IN UINT8  *Data,
+  IN UINTN  DataSize
+  )
+{
+  return CALL_BASECRYPTLIB (TlsSet.Services.SignatureAlgoList, 
TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);
+}
+
+/**
+  Set the EC curve to be used for TLS flows
+
+  This function sets the EC curve to be used for TLS flows.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   An EC named curve as defined in section 5.1.1 
of RFC 4492.
+

[edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library

2022-10-09 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Review PR: https://github.com/tianocore/edk2/pull/3400
This patch sequence is used to extend Tls library, which are wrapped
over OpenSSL. The implementation provides library functions for EFI
DXE dirver and Protocol.

All APIs passed unit test and fuzzing test, detail as:
1. Unit test:
New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
2. Fuzzing test:
Various Fuzz Testing are employed across the all introduced APIs, and the
test is used AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0) as the fuzzer,
based on HBFA.
Fuzzing Pass Rate is 100%;
The Code Coverage of new APIs is 91%.
All test case show in:
https://github.com/liyi77/edk2-staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg

V2 change:
Move the newly added APIs to the end of struct PCD.
V3 change:
Corrected tls specification reference and tls cipher suite names.

Tested-by: Yi Li 
Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Cc: Michael D Kinney 
Cc: Liming Gao 

Signed-off-by: Yi Li 

Yi Li (3):
  MdePkg: Add Tls configuration related define
  CryptoPkg: Extend Tls function library
  CryptoPkg: Add new Tls APIs to DXE and protocol

 CryptoPkg/Driver/Crypto.c | 155 +++-
 CryptoPkg/Include/Library/TlsLib.h| 126 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 ++-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c  | 366 +-
 CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 ++
 CryptoPkg/Private/Protocol/Crypto.h   | 136 ++-
 MdePkg/Include/IndustryStandard/Tls1.h| 112 --
 11 files changed, 1177 insertions(+), 51 deletions(-)

-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94861): https://edk2.groups.io/g/devel/message/94861
Mute This Topic: https://groups.io/mt/94229172/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V3 1/3] MdePkg: Add Tls configuration related define

2022-10-09 Thread Li, Yi

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892

Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList.

Cc: Jiewen Yao 
Cc: Michael D Kinney 
Cc: Liming Gao 
Signed-off-by: Yi Li 
---
 MdePkg/Include/IndustryStandard/Tls1.h | 112 +
 1 file changed, 75 insertions(+), 37 deletions(-)

diff --git a/MdePkg/Include/IndustryStandard/Tls1.h 
b/MdePkg/Include/IndustryStandard/Tls1.h
index cf67428b11..f1ba0af7dc 100644
--- a/MdePkg/Include/IndustryStandard/Tls1.h
+++ b/MdePkg/Include/IndustryStandard/Tls1.h
@@ -13,44 +13,48 @@
 #pragma pack(1)
 
 ///
-/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246.
+/// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346, rfc-5246, rfc-5288 
and rfc-5289.
 ///
-#define TLS_RSA_WITH_NULL_MD5{0x00, 0x01}
-#define TLS_RSA_WITH_NULL_SHA{0x00, 0x02}
-#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04}
-#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05}
-#define TLS_RSA_WITH_IDEA_CBC_SHA{0x00, 0x07}
-#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09}
-#define TLS_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x0A}
-#define TLS_DH_DSS_WITH_DES_CBC_SHA  {0x00, 0x0C}
-#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D}
-#define TLS_DH_RSA_WITH_DES_CBC_SHA  {0x00, 0x0F}
-#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10}
-#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12}
-#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA{0x00, 0x13}
-#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15}
-#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x16}
-#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA  {0x00, 0x30}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA  {0x00, 0x31}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33}
-#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA  {0x00, 0x36}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA  {0x00, 0x37}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39}
-#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B}
-#define TLS_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x3C}
-#define TLS_RSA_WITH_AES_256_CBC_SHA256  {0x00, 0x3D}
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256   {0x00, 0x3E}
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256   {0x00, 0x3F}
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  {0x00, 0x40}
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x67}
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256   {0x00, 0x68}
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256   {0x00, 0x69}
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256  {0x00, 0x6A}
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  {0x00, 0x6B}
+#define TLS_RSA_WITH_NULL_MD5{0x00, 0x01}
+#define TLS_RSA_WITH_NULL_SHA{0x00, 0x02}
+#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04}
+#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05}
+#define TLS_RSA_WITH_IDEA_CBC_SHA{0x00, 0x07}
+#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09}
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x0A}
+#define TLS_DH_DSS_WITH_DES_CBC_SHA  {0x00, 0x0C}
+#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D}
+#define TLS_DH_RSA_WITH_DES_CBC_SHA  {0x00, 0x0F}
+#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10}
+#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12}
+#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA{0x00, 0x13}
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15}
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x16}
+#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA  {0x00, 0x30}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA  {0x00, 0x31}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33}
+#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA  {0x00, 0x36}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA  {0x00, 0x37}
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA {0x00, 0x38}
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA {0x00, 0x39}
+#define TLS_RSA_WITH_NULL_SHA256 {0x00, 0x3B}
+#define TLS_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x3C}
+#define TLS_RSA_WITH_AES_256_CBC_SHA256  {0x00, 0x3D}
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256   {0x00, 0x3E}
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256   {0x00, 0x3F}
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  {0x00, 0x40}
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  {0x00, 0x67}
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256   {0x00, 0x68}
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256

[edk2-devel] [PATCH V3 2/3] CryptoPkg: Extend Tls function library

2022-10-09 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

1. TlsSetSignatureAlgoList(): Configure the list of TLS signature algorithms
that should be used as part of the TLS session establishment.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used, e.g.,
Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

2. TlsSetEcCurve(): Configure the Elliptic Curve that should be used for
TLS flows the use cipher suite with EC,
e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
This is needed for some WLAN Supplicant connection establishment flows
that allow only specific TLS signature algorithms to be used,
e.g., Authenticate and Key Managmenet (AKM) suites that are SUITE-B compliant.

3. TlsShutdown():
Shutdown the TLS connection without releasing the resources,
meaning a new connection can be started without calling TlsNew() and
without setting certificates etc.

4. TlsGetExportKey(): Derive keying material from a TLS connection using the
mechanism described in RFC 5705 and export the key material (needed
by EAP methods such as EAP-TTLS and EAP-PEAP).

5. TlsSetHostPrivateKeyEx(): This function adds the local private key
(PEM-encoded or PKCS#8 or DER-encoded private key) into the specified
TLS object for TLS negotiation. There is already a similar function
TlsSetHostPrivateKey(), the new Ex function introduces a new parameter
Password, set Password to NULL when useless.

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/Include/Library/TlsLib.h| 126 +-
 CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
 CryptoPkg/Library/TlsLib/TlsConfig.c  | 366 +-
 CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
 CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-
 CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 ++
 6 files changed, 667 insertions(+), 7 deletions(-)

diff --git a/CryptoPkg/Include/Library/TlsLib.h 
b/CryptoPkg/Include/Library/TlsLib.h
index 3b75fde0aa..d37c5fcc35 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -294,6 +294,25 @@ TlsWrite (
   IN UINTN  BufferSize
   );
 
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]   TlsPointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR  Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+TlsShutdown (
+  IN VOID  *Tls
+  );
+
 /**
   Set a new TLS/SSL method for a particular TLS object.
 
@@ -492,11 +511,38 @@ TlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls Pointer to the TLS object.
-  @param[in]  DataPointer to the data buffer of a PEM-encoded RSA
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
+  or PKCS#8 private key.
+  @param[in]  DataSizeThe size of data buffer in bytes.
+  @param[in]  PasswordPointer to NULL-terminated private key password, set 
it to NULL
+  if private key not encrypted.
+
+  @retval  EFI_SUCCESS The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+TlsSetHostPrivateKeyEx (
+  IN VOID   *Tls,
+  IN VOID   *Data,
+  IN UINTN  DataSize,
+  IN VOID   *Password  OPTIONAL
+  );
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls Pointer to the TLS object.
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
   or PKCS#8 private key.
   @param[in]  DataSizeThe size of data buffer in bytes.
 
@@ -534,6 +580,53 @@ TlsSetCertRevocationList (
   IN UINTN  DataSize
   );
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS 
object.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   Array of UINT8 of signature algorithms. The 
array consists of
+ pairs of the hash algorithm and the signature 
algorithm as defined
+

[edk2-devel] [PATCH V3 3/3] CryptoPkg: Add new Tls APIs to DXE and protocol

2022-10-09 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892

The implementation provides new Tls library functions
for Crypto EFI Driver and Protocol.

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/Driver/Crypto.c | 155 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 -
 CryptoPkg/Private/Protocol/Crypto.h   | 136 ++-
 4 files changed, 435 insertions(+), 7 deletions(-)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 7a8266aaba..f1ff77855c 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4238,6 +4238,28 @@ CryptoServiceTlsWrite (
   return CALL_BASECRYPTLIB (Tls.Services.Write, TlsWrite, (Tls, Buffer, 
BufferSize), 0);
 }
 
+/**
+  Shutdown a TLS connection.
+
+  Shutdown the TLS connection without releasing the resources, meaning a new
+  connection can be started without calling TlsNew() and without setting
+  certificates etc.
+
+  @param[in]   TlsPointer to the TLS object to shutdown.
+
+  @retval EFI_SUCCESS The TLS is shutdown successfully.
+  @retval EFI_INVALID_PARAMETER   Tls is NULL.
+  @retval EFI_PROTOCOL_ERROR  Some other error occurred.
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsShutdown (
+  IN VOID  *Tls
+  )
+{
+  return CALL_BASECRYPTLIB (Tls.Services.Shutdown, TlsShutdown, (Tls), 
EFI_UNSUPPORTED);
+}
+
 /**
   Set a new TLS/SSL method for a particular TLS object.
 
@@ -4463,11 +4485,41 @@ CryptoServiceTlsSetHostPublicCert (
 /**
   Adds the local private key to the specified TLS object.
 
-  This function adds the local private key (PEM-encoded RSA or PKCS#8 private
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
+  key) into the specified TLS object for TLS negotiation.
+
+  @param[in]  Tls Pointer to the TLS object.
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
+  or PKCS#8 private key.
+  @param[in]  DataSizeThe size of data buffer in bytes.
+  @param[in]  PasswordPointer to NULL-terminated private key password, set 
it to NULL
+  if private key not encrypted.
+
+  @retval  EFI_SUCCESS The operation succeeded.
+  @retval  EFI_UNSUPPORTED This function is not supported.
+  @retval  EFI_ABORTED Invalid private key data.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetHostPrivateKeyEx (
+  IN VOID   *Tls,
+  IN VOID   *Data,
+  IN UINTN  DataSize,
+  IN VOID   *Password  OPTIONAL
+  )
+{
+  return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKeyEx, 
TlsSetHostPrivateKeyEx, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
+}
+
+/**
+  Adds the local private key to the specified TLS object.
+
+  This function adds the local private key (DER-encoded or PEM-encoded or 
PKCS#8 private
   key) into the specified TLS object for TLS negotiation.
 
   @param[in]  Tls Pointer to the TLS object.
-  @param[in]  DataPointer to the data buffer of a PEM-encoded RSA
+  @param[in]  DataPointer to the data buffer of a DER-encoded or 
PEM-encoded
   or PKCS#8 private key.
   @param[in]  DataSizeThe size of data buffer in bytes.
 
@@ -4511,6 +4563,59 @@ CryptoServiceTlsSetCertRevocationList (
   return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, 
TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
 }
 
+/**
+  Set the signature algorithm list to used by the TLS object.
+
+  This function sets the signature algorithms for use by a specified TLS 
object.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   Array of UINT8 of signature algorithms. The 
array consists of
+ pairs of the hash algorithm and the signature 
algorithm as defined
+ in RFC 5246
+  @param[in]  DataSize   The length the SignatureAlgoList. Must be 
divisible by 2.
+
+  @retval  EFI_SUCCESS   The signature algorithm list was set 
successfully.
+  @retval  EFI_INVALID_PARAMETER The parameters are invalid.
+  @retval  EFI_UNSUPPORTED   No supported TLS signature algorithm was 
found in SignatureAlgoList
+  @retval  EFI_OUT_OF_RESOURCES  Memory allocation failed.
+
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetSignatureAlgoList (
+  IN VOID   *Tls,
+  IN UINT8  *Data,
+  IN UINTN  DataSize
+  )
+{
+  return CALL_BASECRYPTLIB (TlsSet.Services.SignatureAlgoList, 
TlsSetSignatureAlgoList, (Tls, Data, DataSize), EFI_UNSUPPORTED);
+}
+
+/**
+  Set the EC curve to be used for TLS flows
+
+  This function sets the EC curve to be used for TLS flows.
+
+  @param[in]  TlsPointer to a TLS object.
+  @param[in]  Data   An EC named curve as defined in section 5.1.1 
of RFC 4492.
+

Re: [edk2-devel] [PATCH V2 1/3] MdePkg: Add Tls configuration related define

2022-10-09 Thread Li, Yi

Hi Jiewen and Heng,

Thanks for review, I have corrected the comments and cipher suites name.

Thanks,
Yi

-Original Message-
From: Luo, Heng  
Sent: Monday, October 10, 2022 9:37 AM
To: devel@edk2.groups.io; Yao, Jiewen ; Li, Yi1 

Cc: Kinney, Michael D ; Gao, Liming 

Subject: RE: [edk2-devel] [PATCH V2 1/3] MdePkg: Add Tls configuration related 
define

Hi Yi,
Please double check and update the comments:

https://www.rfc-editor.org/rfc/rfc5288, 
> #define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384{0x00, 0x9F}

https://www.rfc-editor.org/rfc/rfc5289, section 3.2
> #define TLS_ECDHE_ECDSA_AES128_GCM_SHA256  {0xC0, 0x2B}  -> 
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> #define TLS_ECDHE_ECDSA_AES256_GCM_SHA384  {0xC0, 0x2C} -> 
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> #define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  {0xC0, 0x30}

Below definitions in https://www.rfc-editor.org/rfc/rfc8422#section-5.1.1
> /// typedef enum {
>   TlsEcNamedCurveSecp256r1 = 23,
>   TlsEcNamedCurveSecp384r1 = 24,
>   TlsEcNamedCurveSecp521r1 = 25,
>   TlsEcNamedCurveX25519= 29,
>   TlsEcNamedCurveX448  = 30,
> } TLS_EC_NAMED_CURVE;

Thanks,
Heng
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Yao, 
> Jiewen
> Sent: Monday, October 10, 2022 8:12 AM
> To: Li, Yi1 ; devel@edk2.groups.io
> Cc: Kinney, Michael D ; Gao, Liming 
> 
> Subject: Re: [edk2-devel] [PATCH V2 1/3] MdePkg: Add Tls configuration 
> related define
> 
> Hi
> 1) I cannot find the new cipher suite definition in rfc-5246 
> (https://www.rfc- editor.org/rfc/rfc5246).
> Would you please update comment as well, to let it point to right document?
> 
> ///
> /// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246.
> ///
> ...
> #define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384{0x00, 0x9F}
> #define TLS_ECDHE_ECDSA_AES128_GCM_SHA256  {0xC0, 0x2B}
> #define TLS_ECDHE_ECDSA_AES256_GCM_SHA384  {0xC0, 0x2C}
> #define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  {0xC0, 0x30}
> 
> 2) I cannot find the new cipher suite definition in rfc-8442. 
> (Actually, there is no section 5.1.1 in RFC8442 
> https://www.rfc-editor.org/rfc/rfc8442)
> Would you please update comment as well, to let it point to right document?
> 
> ///
> /// TLS Supported Elliptic Curves Extensions, refers to section 5.1.1 
> of rfc-8442 /// typedef enum {
>   TlsEcNamedCurveSecp256r1 = 23,
>   TlsEcNamedCurveSecp384r1 = 24,
>   TlsEcNamedCurveSecp521r1 = 25,
>   TlsEcNamedCurveX25519= 29,
>   TlsEcNamedCurveX448  = 30,
> } TLS_EC_NAMED_CURVE;
> 
> 
> > -Original Message-
> > From: Li, Yi1 
> > Sent: Saturday, October 8, 2022 10:10 AM
> > To: devel@edk2.groups.io
> > Cc: Li, Yi1 ; Yao, Jiewen ; 
> > Kinney, Michael D ; Gao, Liming 
> > 
> > Subject: [PATCH V2 1/3] MdePkg: Add Tls configuration related define
> >
> > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3892
> >
> > Consumed by TlsSetEcCurve and TlsSetSignatureAlgoList.
> >
> > Cc: Jiewen Yao 
> > Cc: Michael D Kinney 
> > Cc: Liming Gao 
> > Signed-off-by: Yi Li 
> > ---
> >  MdePkg/Include/IndustryStandard/Tls1.h | 110 
> > +---
> > -
> >  1 file changed, 74 insertions(+), 36 deletions(-)
> >
> > diff --git a/MdePkg/Include/IndustryStandard/Tls1.h
> > b/MdePkg/Include/IndustryStandard/Tls1.h
> > index cf67428b11..5cf2860caf 100644
> > --- a/MdePkg/Include/IndustryStandard/Tls1.h
> > +++ b/MdePkg/Include/IndustryStandard/Tls1.h
> > @@ -15,42 +15,46 @@
> >  ///
> >  /// TLS Cipher Suite, refers to A.5 of rfc-2246, rfc-4346 and rfc-5246.
> >  ///
> > -#define TLS_RSA_WITH_NULL_MD5{0x00, 0x01}
> > -#define TLS_RSA_WITH_NULL_SHA{0x00, 0x02}
> > -#define TLS_RSA_WITH_RC4_128_MD5 {0x00, 0x04}
> > -#define TLS_RSA_WITH_RC4_128_SHA {0x00, 0x05}
> > -#define TLS_RSA_WITH_IDEA_CBC_SHA{0x00, 0x07}
> > -#define TLS_RSA_WITH_DES_CBC_SHA {0x00, 0x09}
> > -#define TLS_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x0A}
> > -#define TLS_DH_DSS_WITH_DES_CBC_SHA  {0x00, 0x0C}
> > -#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA {0x00, 0x0D}
> > -#define TLS_DH_RSA_WITH_DES_CBC_SHA  {0x00, 0x0F}
> > -#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA {0x00, 0x10}
> > -#define TLS_DHE_DSS_WITH_DES_CBC_SHA {0x00, 0x12}
> > -#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA{0x00, 0x13}
> > -#define TLS_DHE_RSA_WITH_DES_CBC_SHA {0x00, 0x15}
> > -#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA{0x00, 0x16}
> > -#define TLS_RSA_WITH_AES_128_CBC_SHA {0x00, 0x2F}
> > -#define TLS_DH_DSS_WITH_AES_128_CBC_SHA  {0x00, 0x30}
> > -#define TLS_DH_RSA_WITH_AES_128_CBC_SHA  {0x00, 0x31}
> > -#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA {0x00, 0x32}
> > -#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA {0x00, 0x33}
> > -#define TLS_RSA_WITH_AES_256_CBC_SHA {0x00, 0x35}
> > -#define TLS_DH_DSS_WITH_AES_256_CBC_SHA  {0x00, 0x36}
> > -#define TLS_DH_RSA_WITH_AES_256_CBC_SHA

Re: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library

2022-10-09 Thread Li, Yi

Hi Jiewen,
Yes it is, based on latest commit 3c9e2f239a38590b4e3a8c1ec2304227f2af0103.
I applied them to EDKII master branch successfully, not sure why.
Attachments are the successful patch files for reference, But they are same as 
the patches in the mail.
Let me know if there are still conflicts.

Thanks,
Yi

-Original Message-
From: Yao, Jiewen  
Sent: Monday, October 10, 2022 12:46 PM
To: devel@edk2.groups.io; Yao, Jiewen ; Li, Yi1 

Cc: Wang, Jian J ; Lu, Xiaoyu1 ; 
Jiang, Guomin ; Kinney, Michael D 
; Gao, Liming 
Subject: RE: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library

Hi Yi
Is this patch based on latest EDKII?

I failed to apply the patch 2/3.
The 1/3 and 3/3 are good.




> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Yao, 
> Jiewen
> Sent: Monday, October 10, 2022 10:47 AM
> To: Li, Yi1 ; devel@edk2.groups.io
> Cc: Wang, Jian J ; Lu, Xiaoyu1 
> ; Jiang, Guomin ; 
> Kinney, Michael D ; Gao, Liming 
> 
> Subject: Re: [edk2-devel] [PATCH V3 0/3] CryptoPkg: Extend Tls library
> 
> Thanks for the update.
> For all patches, reviewed-by: Jiewen Yao 
> 
> I think we need MdePkg owner to give R-B or A-B for TLS definition in 
> MdePkg. Mike or Liming?
> 
> Thank you
> Yao Jiewen
> 
> 
> > -Original Message-
> > From: Li, Yi1 
> > Sent: Monday, October 10, 2022 10:40 AM
> > To: devel@edk2.groups.io
> > Cc: Li, Yi1 ; Yao, Jiewen ; 
> > Wang, Jian J ; Lu, Xiaoyu1 
> > ; Jiang, Guomin ; 
> > Kinney, Michael D ; Gao, Liming 
> > 
> > Subject: [PATCH V3 0/3] CryptoPkg: Extend Tls library
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3892
> >
> > Review PR: https://github.com/tianocore/edk2/pull/3400
> > This patch sequence is used to extend Tls library, which are wrapped 
> > over OpenSSL. The implementation provides library functions for EFI 
> > DXE dirver and Protocol.
> >
> > All APIs passed unit test and fuzzing test, detail as:
> > 1. Unit test:
> > New Tls APIs tested on Intel platform as part of WIFI WPA3 feature.
> > 2. Fuzzing test:
> > Various Fuzz Testing are employed across the all introduced APIs, 
> > and the test is used AFL (2.52b) and Libfuzzer (clang+llvm-11.0.0) 
> > as the fuzzer, based on HBFA.
> > Fuzzing Pass Rate is 100%;
> > The Code Coverage of new APIs is 91%.
> > All test case show in:
> > https://github.com/liyi77/edk2-
> > staging/tree/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg
> >
> > V2 change:
> > Move the newly added APIs to the end of struct PCD.
> > V3 change:
> > Corrected tls specification reference and tls cipher suite names.
> >
> > Tested-by: Yi Li 
> > Cc: Jiewen Yao 
> > Cc: Jian J Wang 
> > Cc: Xiaoyu Lu 
> > Cc: Guomin Jiang 
> > Cc: Michael D Kinney 
> > Cc: Liming Gao 
> >
> > Signed-off-by: Yi Li 
> >
> > Yi Li (3):
> >   MdePkg: Add Tls configuration related define
> >   CryptoPkg: Extend Tls function library
> >   CryptoPkg: Add new Tls APIs to DXE and protocol
> >
> >  CryptoPkg/Driver/Crypto.c | 155 +++-
> >  CryptoPkg/Include/Library/TlsLib.h| 126 +-
> >  .../Pcd/PcdCryptoServiceFamilyEnable.h|   5 +
> >  .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 146 ++-
> >  CryptoPkg/Library/TlsLib/InternalTlsLib.h |   4 +
> >  CryptoPkg/Library/TlsLib/TlsConfig.c  | 366 +-
> >  CryptoPkg/Library/TlsLib/TlsProcess.c |  32 ++
> >  CryptoPkg/Library/TlsLibNull/TlsConfigNull.c  | 123 +-  
> > CryptoPkg/Library/TlsLibNull/TlsProcessNull.c |  23 ++
> >  CryptoPkg/Private/Protocol/Crypto.h   | 136 ++-
> >  MdePkg/Include/IndustryStandard/Tls1.h| 112 --
> >  11 files changed, 1177 insertions(+), 51 deletions(-)
> >
> > --
> > 2.31.1.windows.1
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94874): https://edk2.groups.io/g/devel/message/94874
Mute This Topic: https://groups.io/mt/94229172/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-




0001-MdePkg-Add-Tls-configuration-related-define.patch
Description: 0001-MdePkg-Add-Tls-configuration-related-define.patch


0002-CryptoPkg-Extend-Tls-function-library.patch
Description: 0002-CryptoPkg-Extend-Tls-function-library.patch


0003-CryptoPkg-Add-new-Tls-APIs-to-DXE-and-protocol.patch
Description: 0003-CryptoPkg-Add-new-Tls-APIs-to-DXE-and-protocol.patch

[edk2-devel] [edk2-staging/crypto-new-api][PATCH] CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1u

2023-08-17 Thread Li, Yi

From: Sheng Wei 

(cherry-pick from: master b2de9ec5a759aa4a7ac029cda9079dce077bf856)

Cc: Zhichao Gao 
Cc: Heng Luo 
Signed-off-by: Yi Li 
---
 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 -
 CryptoPkg/Library/OpensslLib/OpensslLibFull.inf | 1 -
 CryptoPkg/Library/OpensslLib/openssl| 2 +-
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index eec497c7c4..2908bb62a4 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -157,7 +157,6 @@
   $(OPENSSL_PATH)/crypto/bn/bn_srp.c
   $(OPENSSL_PATH)/crypto/bn/bn_word.c
   $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
-  $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
   $(OPENSSL_PATH)/crypto/buffer/buf_err.c
   $(OPENSSL_PATH)/crypto/buffer/buffer.c
   $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
index b07abec1af..4491b762d0 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
@@ -157,7 +157,6 @@
   $(OPENSSL_PATH)/crypto/bn/bn_srp.c
   $(OPENSSL_PATH)/crypto/bn/bn_word.c
   $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
-  $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
   $(OPENSSL_PATH)/crypto/buffer/buf_err.c
   $(OPENSSL_PATH)/crypto/buffer/buffer.c
   $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
diff --git a/CryptoPkg/Library/OpensslLib/openssl 
b/CryptoPkg/Library/OpensslLib/openssl
index 830bf8e1e4..70c2912f63 16
--- a/CryptoPkg/Library/OpensslLib/openssl
+++ b/CryptoPkg/Library/OpensslLib/openssl
@@ -1 +1 @@
-Subproject commit 830bf8e1e4749ad65c51b6a1d0d769ae689404ba
+Subproject commit 70c2912f635aac8ab28629a2b5ea0c09740d2bda
-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107825): https://edk2.groups.io/g/devel/message/107825
Mute This Topic: https://groups.io/mt/100796057/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] * Add HMAC/HKDF/RSA/HASH features based on Mbedtls *

2023-08-31 Thread Li, Yi

Hi Sean,

>  I propose we remove openssl from the edk2 CryptoPkg and into the 
> OpenSslCryptoPkg in another new tianocore repository dedicated to OpenSsl.  
> MbedTls could then be checked into the MbedTlsCryptoPkg and added to another 
> new repository.

It may be a better choice to put openssl and mbedtls in the one CryptoPkg, and 
the users can more easily choose the lib they wants to use in different 
scenarios. openssl and mbedtls have their own disadvantages: mbedtls lacks the 
implementation of SM3 and SHA3, and most of the algorithms of openssl3.0 cannot 
be used in the PREMEM stage due to known issue.

New tianocore repository is a good proposal, actually we did encounter similar 
problems: EDK2 of the old platform was frozen on a Stable tag, but we had to 
continue to apply new patches under EDK2 because of the openssl vulnerability. 
Can we use another bugzilla to track this proposal? It will be a complicated 
thing, I can imagine that CI and customer's EDK2 sync-test process needs lots 
changes.

I hope to merge this patch series first, because some EDK2 users have requested 
to use HKDF, HMAC or RSA algorithms in the PREMEM stage.

Thanks,
Yi

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Sean
Sent: Thursday, August 31, 2023 2:57 AM
To: devel@edk2.groups.io; Hou, Wenxing 
Subject: Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add 
HMAC/HKDF/RSA/HASH features based on Mbedtls ***

I appreciate and really like this work to enable mbedtls but I don't like the 
idea of adding another submodule to edk2.

For a long time there has been discussion about formalizing the abstraction of 
the edk2 crypto api so that it would be practical to implement edk2's crypto 
using various libraries.   I propose we remove openssl from the edk2 CryptoPkg 
and into the OpenSslCryptoPkg in another new tianocore repository dedicated to 
OpenSsl.  MbedTls could then be checked into the MbedTlsCryptoPkg and added to 
another new repository. This would also have the benefit of breaking the tight 
coupling of edk2 stable tags from the crypto used in the code base (crypto has 
more widely tracked vulnerabilities).

Happy to discuss more if others have different ideas.

Thanks

Sean

On 8/30/2023 12:52 AM, Wenxing Hou wrote:
> *** Add BaseCryptLibMbedTls for CryptoPkg, which can be an alternative 
> to OpenSSL in some scenarios. There are four features in the patch: 
> HMAC/HKDF/RSA/HASH.***
>
> Wenxing Hou (9):
>CryptoPkg: Add mbedtls submodule for EDKII
>CryptoPkg: Add mbedtls_config and MbedTlsLib.inf
>CryptoPkg: Add HMAC functions based on Mbedtls
>CryptoPkg: Add HKDF functions based on Mbedtls
>CryptoPkg: Add RSA functions based on Mbedtls
>CryptoPkg: Add all .inf files for BaseCryptLibMbedTls
>CryptoPkg: Add Null functions for building pass
>CryptoPkg: Add MD5/SHA1/SHA2 functions based on Mbedtls
>CryptoPkg: Add Mbedtls submodule in CI
>
>   .gitmodules   |3 +
>   .pytool/CISettings.py |2 +
>   CryptoPkg/CryptoPkg.ci.yaml   |   66 +-
>   CryptoPkg/CryptoPkg.dec   |4 +
>   CryptoPkg/CryptoPkgMbedTls.dsc|  280 ++
>   .../BaseCryptLibMbedTls/BaseCryptLib.inf  |   81 +
>   .../BaseCryptLibMbedTls/Bn/CryptBnNull.c  |  520 +++
>   .../Cipher/CryptAeadAesGcmNull.c  |  100 +
>   .../BaseCryptLibMbedTls/Cipher/CryptAesNull.c |  159 +
>   .../BaseCryptLibMbedTls/Hash/CryptMd5.c   |  234 +
>   .../BaseCryptLibMbedTls/Hash/CryptMd5Null.c   |  163 +
>   .../Hash/CryptParallelHashNull.c  |   40 +
>   .../BaseCryptLibMbedTls/Hash/CryptSha1.c  |  234 +
>   .../BaseCryptLibMbedTls/Hash/CryptSha1Null.c  |  166 +
>   .../BaseCryptLibMbedTls/Hash/CryptSha256.c|  227 +
>   .../Hash/CryptSha256Null.c|  162 +
>   .../BaseCryptLibMbedTls/Hash/CryptSha512.c|  447 ++
>   .../Hash/CryptSha512Null.c|  275 ++
>   .../BaseCryptLibMbedTls/Hash/CryptSm3Null.c   |  164 +
>   .../BaseCryptLibMbedTls/Hmac/CryptHmac.c  |  620 +++
>   .../BaseCryptLibMbedTls/Hmac/CryptHmacNull.c  |  359 ++
>   .../BaseCryptLibMbedTls/InternalCryptLib.h|   44 +
>   .../BaseCryptLibMbedTls/Kdf/CryptHkdf.c   |  372 ++
>   .../BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c   |  192 +
>   .../BaseCryptLibMbedTls/PeiCryptLib.inf   |  101 +
>   .../BaseCryptLibMbedTls/PeiCryptLib.uni   |   25 +
>   .../BaseCryptLibMbedTls/Pem/CryptPemNull.c|   69 +
>   .../Pk/CryptAuthenticodeNull.c|   45 +
>   .../BaseCryptLibMbedTls/Pk/CryptDhNull.c  |  150 +
>   .../BaseCryptLibMbedTls/Pk/CryptEcNull.c  |  578 +++
>   .../Pk/CryptPkcs1OaepNull.c   |   51 +
>   .../Pk/CryptPkcs5Pbkdf2Null.c |   48 +
>   .../Pk/CryptPkcs7Internal.h   |   83 +
>   .../Pk/CryptPkcs7SignNull.c   |   53 +
>   .../Pk/CryptPkcs7VerifyEkuNull.c

Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] * Add HMAC/HKDF/RSA/HASH features based on Mbedtls *

2023-09-03 Thread Li, Yi

Hi Sean,

I would like to clarify that the purpose of this patch sequence is to 
supplement the defects of openssl3.0 rather than seek a substitute for openssl.
Crypto implementations other than HASH and AES in Openssl3.0 cannot be used in 
the PREMEM stage, and all implementations will be like this after all legacy 
openssl APIs are deleted in the future (openssl4.0).

This solution, introducing mbedtls to support RSA/HKDF/HMAC in PREMEM, has been 
proposed in the POC stage and I see no objection:
https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md#type-1-openssl-30-main--mbedtls-for-pei-premem

So I prefer to treat this patch sequence as a BUG fix or a supplement to 
existing code, rather than a new CryptoPkg, And it's already a part of our 
openssl3.0 upgrade plan.

Your idea of separating the submodule from CryptoPkg is great even without 
mbedtls, but it sounds more like a new feature which needs a lot of changes. So 
I don't want to block the review of this patch sequence because of it.

Thanks,
Yi

From: devel@edk2.groups.io  On Behalf Of Sean
Sent: Friday, September 1, 2023 1:52 AM
To: devel@edk2.groups.io; Kinney, Michael D ; Yao, 
Jiewen ; Leif Lindholm ; Hou, 
Wenxing 
Cc: af...@apple.com
Subject: Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add 
HMAC/HKDF/RSA/HASH features based on Mbedtls ***


replying to the whole chain.

I am not encouraging importing the source directly but still trying to isolate 
the "wrapper code" and the external mbedtls submodule management.

I am advocating that the underlying crypto implementation is 100% "hidden" from 
public include/dependency and the rest of the edk2 tree.  I am advocating that 
crypto "releases" are in essence independent of Edk2 stable tags (obviously a 
stable tag would still have reference to version tested at that time) because 
crypto needs to be updated more quickly and regularly and should have very 
minimal breaking dependencies.

Regarding Jiewen's options for layout my proposal would be more like option 5.  
:)

Tianocore/Edk2: CryptoPkg

  *   Header files for the crypto api of edk2(protocol, ppi, pcd, library 
definitions).
  *   Modules that are underlying crypto library independent.
  *   Null libraries that support compile test of edk2 CI

Tianocore/MbedTlsRepo: MbedTlsCryptoPkg

  *   No public header files for consumption outside package.
  *   Wrapper code and modules to support edk2 crypto using mbedtls library.
  *   submodule tracking info for mbedtls upstream project
  *   tests
  *   release notes
  *   Security vulnerability management for mbedtls based work

Tianocore/OpenSslRepo: OpenSslCryptoPkg

  *   No public header files for consumption outside package.
  *   Wrapper code and modules to support edk2 crypto using openssl library.
  *   submodule tracking info for openssl upstream project
  *   tests
  *   release notes
  *   Security vulnerability management for OpenSSL based work



I hope that helps explain.

Regarding checking in and then moving later...well i am skeptical.  This is a 
breaking change and once dependencies are formed, edk2 has historically had 
challenges in making these kinds of changes.

Thanks for consideration.

Sean






On 8/31/2023 10:24 AM, Michael D Kinney wrote:

Jiewen,



Thanks.  Option #1 makes more sense if it is the Mbedtls

wrapper code.



I prefer Option #1.



Breaking out into multiple repos also makes it hard to align

Releases across multiple repos.  We already have this as an

unsolved problem for edk2-platforms repo, and I am not interested

in adding more repos until we have a complete solution to do

edk2-platforms releases in place.



Mike



-Original Message-

From: Yao, Jiewen 

Sent: Thursday, August 31, 2023 9:07 AM

To: Kinney, Michael D 
; Leif Lindholm

; 
devel@edk2.groups.io; 
spbro...@outlook.com;

Hou, Wenxing 

Cc: af...@apple.com

Subject: RE: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add

HMAC/HKDF/RSA/HASH features based on Mbedtls ***



Hi Mike

We are using submodule for mbedtls in this patch. Copying source code is

not preferred.



I think we are discussing multiple ways to layout the *mbedtls crypto

wrapper*. See following 4 options.



Thank you

Yao, Jiewen





-Original Message-

From: Kinney, Michael D 


Sent: Thursday, August 31, 2023 11:45 PM

To: Leif Lindholm 
; Yao, Jiewen

; 
devel@edk2.groups.io; 
spbro...@outlook.com;

Hou,

Wenxing 

Cc: af...@apple.com; Kinney, Michael D 


Subject: RE: [edk2-devel] [edk2/add_mbedtls

Re: [edk2-devel] [PATCH v2 05/10] CryptoPkg: Add RSA functions based on Mbedtls

2023-09-04 Thread Li, Yi

TestPublicExponent[] is same as default value so this test is nonsense.

Please use a different value to generate key and use RsaGetKey to confirm PE is 
same as expect.

-Original Message-
From: Hou, Wenxing  
Sent: Saturday, September 2, 2023 10:16 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin 
Subject: [PATCH v2 05/10] CryptoPkg: Add RSA functions based on Mbedtls

Add RSA APIs.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 .../BaseCryptLibMbedTls/InternalCryptLib.h|  44 +++
 .../BaseCryptLibMbedTls/Pk/CryptRsaBasic.c| 268 ++
 .../Pk/CryptRsaBasicNull.c| 121 +++
 .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c  | 333 ++
 .../BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c  | 117 ++
 .../BaseCryptLibMbedTls/Pk/CryptRsaPss.c  | 164 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c  |  46 +++  
.../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c  | 231 
 .../Pk/CryptRsaPssSignNull.c  |  60 
 .../UnitTest/Library/BaseCryptLib/RsaTests.c  |   4 +
 10 files changed, 1388 insertions(+)
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasicNull.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
 create mode 100644 
CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSignNull.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h 
b/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
new file mode 100644
index 00..3e56c9a75c
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
@@ -0,0 +1,44 @@
+/** @file+  Internal include file for BaseCryptLib.++Copyright (c) 2023, Intel 
Corporation. All rights reserved.+SPDX-License-Identifier: 
BSD-2-Clause-Patent++**/++#ifndef INTERNAL_CRYPT_LIB_H_+#define 
INTERNAL_CRYPT_LIB_H_++#include +#include 
+#include +#include 
+#include +#include 
++//+// We should alwasy add mbedtls/config.h here+// to ensure the 
config override takes effect.+//+#include ++/**+  The 
MbedTLS function f_rng, which MbedRand implements, is not+  documented well.++  
@param[in]   RngState  RngState.+  @param[in]   OutputOutput.+  
@param[in]   Len   Len.++  @retval  0 success.+  
@retval  non-zero  failed.++**/+INT32+MbedRand (+  VOID   *RngState,+  
UINT8  *OutPut,+  UINTN  Len+  );++#endifdiff --git 
a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c 
b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c
new file mode 100644
index 00..05c2cbd25a
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c
@@ -0,0 +1,268 @@
+/** @file+  RSA Asymmetric Cipher Wrapper Implementation over MbedTLS.++  This 
file implements following APIs which provide basic capabilities for RSA:+  1) 
RsaNew+  2) RsaFree+  3) RsaSetKey+  4) RsaPkcs1Verify++  RFC 8017 - PKCS #1: 
RSA Cryptography Specifications Version 2.2++Copyright (c) 2023, Intel 
Corporation. All rights reserved.+SPDX-License-Identifier: 
BSD-2-Clause-Patent++**/++#include "InternalCryptLib.h"++#include 
++/**+  Allocates and initializes one RSA context for subsequent 
use.++  @return  Pointer to the RSA context that has been initialized.+ 
  If the allocations fails, RsaNew() returns NULL.++**/+VOID *+EFIAPI+RsaNew (+ 
 VOID+  )+{+  VOID  *RsaContext;++  RsaContext = AllocateZeroPool (sizeof 
(mbedtls_rsa_context));+  if (RsaContext == NULL) {+return RsaContext;+  
}++  mbedtls_rsa_init (RsaContext);+  if (mbedtls_rsa_set_padding (RsaContext, 
MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE) != 0) {+return NULL;+  }++  return 
RsaContext;+}++/**+  Release the specified RSA context.++  @param[in]  
RsaContext  Pointer to the RSA context to be released.++**/+VOID+EFIAPI+RsaFree 
(+  IN  VOID  *RsaContext+  )+{+  mbedtls_rsa_free (RsaContext);+  if 
(RsaContext != NULL) {+FreePool (RsaContext);+  }+}++/**+  Sets the 
tag-designated key component into the established RSA context.++  This function 
sets the tag-designated RSA key component into the established+  RSA context 
from the user-specified non-negative integer (octet string format+  represented 
in RSA PKCS#1).+  If BigNumber is NULL, then the specified key component in RSA 
context is cleared.++  If RsaContext is NULL, then return FALSE.++  @param[in, 
out]  RsaContext  Pointer to RSA context being set.+  @para

Re: [edk2-devel] [PATCH v2 09/10] CryptoPkg: Add Mbedtls submodule in CI

2023-09-04 Thread Li, Yi

Skip those files in DscCompleteCheck is workaround IMO, I think we can add all 
mbedtls libraries and components to CryptoPkg.dsc with new CRYPTO_SERVICES.

-Original Message-
From: Hou, Wenxing  
Sent: Saturday, September 2, 2023 10:16 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin 
Subject: [PATCH v2 09/10] CryptoPkg: Add Mbedtls submodule in CI

Change CI for new Mbedtls submodule.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 .pytool/CISettings.py   |  2 ++
 CryptoPkg/CryptoPkg.ci.yaml | 66 +++--
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/.pytool/CISettings.py b/.pytool/CISettings.py index 
6fb7342f81..c5803a877c 100644
--- a/.pytool/CISettings.py
+++ b/.pytool/CISettings.py
@@ -199,6 +199,8 @@ class Settings(CiBuildSettingsManager, 
UpdateSettingsManager, SetupSettingsManag
 "MdePkg/Library/BaseFdtLib/libfdt", False)) 
rs.append(RequiredSubmodule( "MdePkg/Library/MipiSysTLib/mipisyst", 
False))+rs.append(RequiredSubmodule(+
"CryptoPkg/Library/MbedTlsLib/mbedtls", False)) return rs  def 
GetName(self):diff --git a/CryptoPkg/CryptoPkg.ci.yaml 
b/CryptoPkg/CryptoPkg.ci.yaml
index 59ba56d41e..204b97f470 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -41,7 +41,14 @@
 # These directories contain auto-generated OpenSSL content 
"Library/OpensslLib", "Library/IntrinsicLib",-
"Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c"+
"Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c",+# mbedtls+
"Library/MbedTlsLib/mbedtls",+# This has mbedtls interfaces 
that aren't UEFI spec compliant+"Library/MbedTlsLib/EcSm2Null.c",+  
  "Library/MbedTlsLib/CrtWrapper.c",+
"Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h",+
"Library/BaseCryptLibMbedTls/SysCall" ] }, "CompilerPlugin": 
{@@ -68,7 +75,16 @@
 }, "DscCompleteCheck": { "DscPath": "CryptoPkg.dsc",-
"IgnoreInf": []+"IgnoreInf": [+
"CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf",+
"CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf",+
"CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf",+
"CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf",+
"CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf",+
"CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf",+
"CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf",+
"CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf"+] }, 
"GuidCheck": { "IgnoreGuidName": [],@@ -76,7 +92,51 @@
 "IgnoreFoldersAndFiles": [] }, "LibraryClassCheck": {-
"IgnoreHeaderFile": []+"IgnoreHeaderFile": [+
"Library/MbedTlsLib/mbedtls/Library/aesni.h",+
"Library/MbedTlsLib/mbedtls/Library/bignum_core.h",+
"Library/MbedTlsLib/mbedtls/Library/bignum_mod.h",+
"Library/MbedTlsLib/mbedtls/Library/bignum_mod_raw.h",+
"Library/MbedTlsLib/mbedtls/Library/bn_mul.h",+
"Library/MbedTlsLib/mbedtls/Library/check_crypto_config.h",+
"Library/MbedTlsLib/mbedtls/Library/cipher_wrap.h",+
"Library/MbedTlsLib/mbedtls/Library/common.h",+
"Library/MbedTlsLib/mbedtls/Library/constant_time_internal.h",+
"Library/MbedTlsLib/mbedtls/Library/constant_time_invasive.h",+
"Library/MbedTlsLib/mbedtls/Library/ecp_internal_alt.h",+
"Library/MbedTlsLib/mbedtls/Library/ecp_invasive.h",+
"Library/MbedTlsLib/mbedtls/Library/entropy_poll.h",+
"Library/MbedTlsLib/mbedtls/Library/hash_info.h",+
"Library/MbedTlsLib/mbedtls/Library/lmots.h",+
"Library/MbedTlsLib/mbedtls/Library/md_wrap.h",+
"Library/MbedTlsLib/mbedtls/Library/mps_common.h",+
"Library/MbedTlsLib/mbedtls/Library/mps_error.h",+
"Library/MbedTlsLib/mbedtls/Library/mps_reader.h",+
"Library/MbedTlsLib/mbedtls/Library/mps_trace.h",+
"Library/MbedTlsLib/mbedtls/Library/padlock.h",+
"Library/MbedTlsLib/mbedtls/Library/pkwrite.h",+
"Library/MbedTlsLib/mbedtls/Library/pk_wrap.h",+
"Library/MbedTlsLib/mbedtls/Library/psa_crypto_aead.h",+
"Library/MbedTlsLib/mbedtls/Library/psa_crypto_cipher.h",+
"Library/MbedTlsLib/mbedtls/Library/psa_crypto_driver_wrappers.h",+
"Library/MbedTlsLib/mbedtls/Library/psa_crypto_ecp.h",+
"Library/MbedTlsLib/mbedtls/Library/psa_crypto_hash.h",+
"Library/MbedTlsLib/mbedtls/Library/psa_crypto_invasive.h",+
"Library

Re: [edk2-devel] [PATCH] NetworkPkg: Increase HTTP buffer size and enable TCP window scaling

2023-09-06 Thread Li, Yi

Hi Saloni and Zachary, can you help to merge this patch?  It got reviewed-by 
but not check-in, Thanks!

-Original Message-
From: Kasbekar, Saloni  
Sent: Tuesday, July 25, 2023 12:18 PM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Otcheretianski, Andrei ; Clark-williams, 
Zachary 
Subject: RE: [PATCH] NetworkPkg: Increase HTTP buffer size and enable TCP 
window scaling

Reviewed-by: Saloni Kasbekar 

-Original Message-
From: Li, Yi1  
Sent: Thursday, July 20, 2023 10:18 PM
To: devel@edk2.groups.io
Cc: Li, Yi1 ; Otcheretianski, Andrei 
; Kasbekar, Saloni 
; Clark-williams, Zachary 

Subject: [PATCH] NetworkPkg: Increase HTTP buffer size and enable TCP window 
scaling

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4505
This gives something like ~3 fold throughput boost.

Signed-off-by: Andrei Otcheretianski 
Cc: Saloni Kasbekar 
Cc: Zachary Clark-williams 
---
 NetworkPkg/HttpBootDxe/HttpBootClient.h |  2 +-
 NetworkPkg/HttpDxe/HttpProto.c  | 48 +
 NetworkPkg/HttpDxe/HttpProto.h  |  2 +-
 3 files changed, 27 insertions(+), 25 deletions(-)

diff --git a/NetworkPkg/HttpBootDxe/HttpBootClient.h 
b/NetworkPkg/HttpBootDxe/HttpBootClient.h
index 2fba713679..86a28bc91a 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootClient.h
+++ b/NetworkPkg/HttpBootDxe/HttpBootClient.h
@@ -10,7 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent  #ifndef 
__EFI_HTTP_BOOT_HTTP_H__  #define __EFI_HTTP_BOOT_HTTP_H__
 
-#define HTTP_BOOT_BLOCK_SIZE   1500
+#define HTTP_BOOT_BLOCK_SIZE   32000
 #define HTTP_USER_AGENT_EFI_HTTP_BOOT  "UefiHttpBoot/1.0"
 #define HTTP_BOOT_AUTHENTICATION_INFO_MAX_LEN  255
 
diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.c 
index 33ae622c3f..7dfb82dd2e 100644
--- a/NetworkPkg/HttpDxe/HttpProto.c
+++ b/NetworkPkg/HttpDxe/HttpProto.c
@@ -1073,18 +1073,19 @@ HttpConfigureTcp4 (
   Tcp4AP->ActiveFlag  = TRUE;
   IP4_COPY_ADDRESS (&Tcp4AP->RemoteAddress, &HttpInstance->RemoteAddr);
 
-  Tcp4Option= Tcp4CfgData->ControlOption;
-  Tcp4Option->ReceiveBufferSize = HTTP_BUFFER_SIZE_DEAULT;
-  Tcp4Option->SendBufferSize= HTTP_BUFFER_SIZE_DEAULT;
-  Tcp4Option->MaxSynBackLog = HTTP_MAX_SYN_BACK_LOG;
-  Tcp4Option->ConnectionTimeout = HTTP_CONNECTION_TIMEOUT;
-  Tcp4Option->DataRetries   = HTTP_DATA_RETRIES;
-  Tcp4Option->FinTimeout= HTTP_FIN_TIMEOUT;
-  Tcp4Option->KeepAliveProbes   = HTTP_KEEP_ALIVE_PROBES;
-  Tcp4Option->KeepAliveTime = HTTP_KEEP_ALIVE_TIME;
-  Tcp4Option->KeepAliveInterval = HTTP_KEEP_ALIVE_INTERVAL;
-  Tcp4Option->EnableNagle   = TRUE;
-  Tcp4CfgData->ControlOption= Tcp4Option;
+  Tcp4Option  = Tcp4CfgData->ControlOption;
+  Tcp4Option->ReceiveBufferSize   = HTTP_BUFFER_SIZE_DEAULT;
+  Tcp4Option->SendBufferSize  = HTTP_BUFFER_SIZE_DEAULT;
+  Tcp4Option->MaxSynBackLog   = HTTP_MAX_SYN_BACK_LOG;
+  Tcp4Option->ConnectionTimeout   = HTTP_CONNECTION_TIMEOUT;
+  Tcp4Option->DataRetries = HTTP_DATA_RETRIES;
+  Tcp4Option->FinTimeout  = HTTP_FIN_TIMEOUT;
+  Tcp4Option->KeepAliveProbes = HTTP_KEEP_ALIVE_PROBES;
+  Tcp4Option->KeepAliveTime   = HTTP_KEEP_ALIVE_TIME;
+  Tcp4Option->KeepAliveInterval   = HTTP_KEEP_ALIVE_INTERVAL;
+  Tcp4Option->EnableNagle = TRUE;
+  Tcp4Option->EnableWindowScaling = TRUE;
+  Tcp4CfgData->ControlOption  = Tcp4Option;
 
   if ((HttpInstance->State == HTTP_STATE_TCP_CONNECTED) ||
   (HttpInstance->State == HTTP_STATE_TCP_CLOSED)) @@ -1156,17 +1157,18 @@ 
HttpConfigureTcp6 (
   IP6_COPY_ADDRESS (&Tcp6Ap->StationAddress, 
&HttpInstance->Ipv6Node.LocalAddress);
   IP6_COPY_ADDRESS (&Tcp6Ap->RemoteAddress, &HttpInstance->RemoteIpv6Addr);
 
-  Tcp6Option= Tcp6CfgData->ControlOption;
-  Tcp6Option->ReceiveBufferSize = HTTP_BUFFER_SIZE_DEAULT;
-  Tcp6Option->SendBufferSize= HTTP_BUFFER_SIZE_DEAULT;
-  Tcp6Option->MaxSynBackLog = HTTP_MAX_SYN_BACK_LOG;
-  Tcp6Option->ConnectionTimeout = HTTP_CONNECTION_TIMEOUT;
-  Tcp6Option->DataRetries   = HTTP_DATA_RETRIES;
-  Tcp6Option->FinTimeout= HTTP_FIN_TIMEOUT;
-  Tcp6Option->KeepAliveProbes   = HTTP_KEEP_ALIVE_PROBES;
-  Tcp6Option->KeepAliveTime = HTTP_KEEP_ALIVE_TIME;
-  Tcp6Option->KeepAliveInterval = HTTP_KEEP_ALIVE_INTERVAL;
-  Tcp6Option->EnableNagle   = TRUE;
+  Tcp6Option  = Tcp6CfgData->ControlOption;
+  Tcp6Option->ReceiveBufferSize   = HTTP_BUFFER_SIZE_DEAULT;
+  Tcp6Option->SendBufferSize  = HTTP_BUFFER_SIZE_DEAULT;
+  Tcp6Option->MaxSynBackLog   = HTTP_MAX_SYN_BACK_LOG;
+  Tcp6Option->ConnectionTimeout   = HTTP_CONNECTION_TIMEOUT;
+  Tcp6Option->DataRetries = HTTP_DATA_RETRIES;
+  Tcp6Option->FinTimeout  = HTTP_FIN_TIMEOUT;
+  Tcp6Option->KeepAliveProbes = HTTP_KEEP_ALIVE_PROBES;
+  Tcp6Option->KeepAliveTime   = HTTP_KEEP_ALIVE_TIME;
+  Tcp6Option->KeepAliveInterval   = HTTP_KEEP_ALIVE_INT

Re: [edk2-devel] [PATCH] Maintainers.txt: update maintainer for CryptoPkg

2023-09-24 Thread Li, Yi

Hi Mike,

I signed up to work as Maintainer for CryptoPkg, need help to add reviewer and 
maintainer permissions. Thanks!

Regards,
Yi 

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Friday, June 16, 2023 12:21 PM
To: Wang, Jian J ; devel@edk2.groups.io
Cc: Yao, Jiewen ; Lu, Xiaoyu1 ; 
Jiang, Guomin 
Subject: Re: [edk2-devel] [PATCH] Maintainers.txt: update maintainer for 
CryptoPkg

Reviewed-by: Yi Li 

-Original Message-
From: Wang, Jian J  
Sent: Friday, June 16, 2023 12:09 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin 
Subject: [PATCH] Maintainers.txt: update maintainer for CryptoPkg

Cc: Jiewen Yao  [jyao1]
Cc: Yi Li  [liyi77]
Cc: Xiaoyu Lu  [xiaoyuxlu]
Cc: Guomin Jiang  [guominjia]
Signed-off-by: Jian J Wang 
---
 Maintainers.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Maintainers.txt b/Maintainers.txt index 42e40dced3..c645df397c 
100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -178,7 +178,7 @@ CryptoPkg
 F: CryptoPkg/ W: 
https://github.com/tianocore/tianocore.github.io/wiki/CryptoPkg M: Jiewen Yao 
 [jyao1]-M: Jian J Wang  
[jwang36]+M: Yi Li  [liyi77] R: Xiaoyu Lu 
 [xiaoyuxlu] R: Guomin Jiang  
[guominjia] --
2.39.1.windows.1








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109026): https://edk2.groups.io/g/devel/message/109026
Mute This Topic: https://groups.io/mt/99564153/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)

2023-09-27 Thread Li, Yi

Hi Gerd,

We have validated HTTPs boot and WIFI with EAP-TLS, where the code consumed 
openssl3.0 TLS lib API.

So we cannot reproduce this issue. Could you provide detail test steps to me, I 
will look into it.

Thanks,
Yi  

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Yao, Jiewen
Sent: Thursday, September 28, 2023 1:31 AM
To: devel@edk2.groups.io; kra...@redhat.com
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)

Hi Gerd
Thanks for the reporting. 

We will look into that. Is below text full reproduce steps? Which server you 
are using? Which TLS version is configured?
Please provide as detail as possible, if you could.


One more thing: We are going to have 1 week National Holiday since Tomorrow.
If we cannot nail down shortly, that would be next next week.

Thank you
Yao, Jiewen



> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Gerd 
> Hoffmann
> Sent: Wednesday, September 27, 2023 4:39 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
> 
>   Hi,
> 
> I've noticed that setting chipers for TLS stopped working in ovmf, 
> most likely due to the openssl 3.0 update.
> 
> Test case: try http boot from https server, set ciphers on the qemu 
> command line using:
> -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
> -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
> 
> OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set 
> EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
> 
> CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the 
> IDs to strings and call SSL_set_cipher_list() with the result.
> 
> Later on the tls handshake fails.  From the log:
> 
> [ ... ]
> TlsDxe:TlsSetCipherList: CipherString={
>   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-
> SHA384:ECDHE-ECDSA-AES128-GC
>   M-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-
> SHA384:DHE-RSA-A
>   ES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
>   }
> [ ... ]
> TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL 
> TlsDoHandshake ERROR 0x308010C=L6:R8010C TlsDoHandshake ERROR 
> 0xA0C0103=L14:RC0103 [ ... ]
> 
> take care,
>   Gerd
> 
> 
> 
> 
> 








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109131): https://edk2.groups.io/g/devel/message/109131
Mute This Topic: https://groups.io/mt/101613778/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v1 07/24] CryptoPkg: CI: Add PrEval entry

2023-10-06 Thread Li, Yi

Joey:

I already give feedback for CryptoPkg part.

Seems there are two Crypto patch 07/24 and 13/24, but actually 13 is 
StandaloneMmPkg changes. Please check.
[PATCH v1 13/24] CryptoPkg: CI: Add PrEval entry 

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Wednesday, August 2, 2023 12:42 PM
To: Joey Vagedes ; devel@edk2.groups.io
Cc: Yao, Jiewen ; Lu, Xiaoyu1 ; 
Jiang, Guomin 
Subject: Re: [edk2-devel] [PATCH v1 07/24] CryptoPkg: CI: Add PrEval entry


Looks good to me.
Reviewed-by: Yi Li 

-Original Message-
From: Joey Vagedes  
Sent: Tuesday, June 27, 2023 5:34 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin 
Subject: [PATCH v1 07/24] CryptoPkg: CI: Add PrEval entry

Adds a PrEval entry to the package's ci.yaml file which is used to verify if 
the package uses a particular library instance when that library instance file 
(INF) is updated.

When a library instance file (INF) is updated, PrEval will review each 
package's DSC as described in the ci.yaml file to determine if the package uses 
said library instance. If the package does use the library instance, it will be 
built and tested to ensure the package is not broken from the change.

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Joey Vagedes 
---
 CryptoPkg/CryptoPkg.ci.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml index 
47f29759676d..4cec206477bc 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -6,6 +6,9 @@
 # SPDX-License-Identifier: BSD-2-Clause-Patent ## {+"PrEval": {+
"DscPath": "CryptoPkg.dsc",+}, "LicenseCheck": { "IgnoreFiles": 
[ # These directories contain auto-generated OpenSSL content-- 
2.41.0.windows.1








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109377): https://edk2.groups.io/g/devel/message/109377
Mute This Topic: https://groups.io/mt/99798040/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v3 00/11] Add HMAC/HKDF/RSA/HASH/AES features based on Mbedtls

2023-10-07 Thread Li, Yi



Looks good to me.
Reviewed-by: Yi Li 

-Original Message-
From: Hou, Wenxing  
Sent: Thursday, September 28, 2023 11:34 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin 
Subject: [PATCH v3 00/11] Add HMAC/HKDF/RSA/HASH/AES features based on Mbedtls

Purpose: This patch is needed to resolve the limitation from OpenSSL 3.0 that 
HMAC/HKDF/RSA cannot work in pre-memory phase.

There are five features based on mbedtls in the patch: HMAC/HKDF/RSA/HASH/AES.

Test: The patch has passed the unit_test and fuzz test. And the patch has 
passed testing on the Intel platform.

POC: https://github.com/tianocore/edk2-
staging/tree/OpenSSL11_EOL/CryptoPkg/Library/BaseCryptLibMbedTls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 

Wenxing Hou (11):
  CryptoPkg: Add mbedtls submodule for EDKII
  CryptoPkg: Add mbedtls_config and MbedTlsLib.inf
  CryptoPkg: Add HMAC functions based on Mbedtls
  CryptoPkg: Add HKDF functions based on Mbedtls
  CryptoPkg: Add RSA functions based on Mbedtls
  CryptoPkg: Add all .inf files for BaseCryptLibMbedTls
  CryptoPkg: Add Null functions for building pass
  CryptoPkg: Add MD5/SHA1/SHA2 functions based on Mbedtls
  CryptoPkg: Add Mbedtls submodule in CI
  CryptoPkg: Add basic Readme for BaseCryptLibMbedTls
  CryptoPkg: Add CryptAes functions based on Mbedtls Add CryptAes APIS.

 .gitmodules   |3 +
 .pytool/CISettings.py |2 +
 CryptoPkg/CryptoPkg.ci.yaml   |   12 +-
 CryptoPkg/CryptoPkg.dec   |5 +
 CryptoPkg/CryptoPkg.dsc   |8 +
 CryptoPkg/CryptoPkgMbedTls.dsc|  280 ++
 .../BaseCryptLibMbedTls/BaseCryptLib.inf  |   81 +
 .../BaseCryptLibMbedTls/Bn/CryptBnNull.c  |  520 +++
 .../Cipher/CryptAeadAesGcmNull.c  |  100 +
 .../BaseCryptLibMbedTls/Cipher/CryptAes.c |  225 +
 .../BaseCryptLibMbedTls/Cipher/CryptAesNull.c |  159 +
 .../BaseCryptLibMbedTls/Hash/CryptMd5.c   |  226 +
 .../BaseCryptLibMbedTls/Hash/CryptMd5Null.c   |  163 +
 .../Hash/CryptParallelHashNull.c  |   40 +
 .../BaseCryptLibMbedTls/Hash/CryptSha1.c  |  226 +
 .../BaseCryptLibMbedTls/Hash/CryptSha1Null.c  |  166 +
 .../BaseCryptLibMbedTls/Hash/CryptSha256.c|  219 +
 .../Hash/CryptSha256Null.c|  162 +
 .../BaseCryptLibMbedTls/Hash/CryptSha512.c|  431 ++
 .../Hash/CryptSha512Null.c|  275 ++
 .../BaseCryptLibMbedTls/Hash/CryptSm3Null.c   |  164 +
 .../BaseCryptLibMbedTls/Hmac/CryptHmac.c  |  678 +++
 .../BaseCryptLibMbedTls/Hmac/CryptHmacNull.c  |  359 ++
 .../BaseCryptLibMbedTls/InternalCryptLib.h|   25 +
 .../BaseCryptLibMbedTls/Kdf/CryptHkdf.c   |  372 ++
 .../BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c   |  192 +
 .../BaseCryptLibMbedTls/PeiCryptLib.inf   |  101 +
 .../BaseCryptLibMbedTls/PeiCryptLib.uni   |   25 +
 .../BaseCryptLibMbedTls/Pem/CryptPemNull.c|   69 +
 .../Pk/CryptAuthenticodeNull.c|   45 +
 .../BaseCryptLibMbedTls/Pk/CryptDhNull.c  |  150 +
 .../BaseCryptLibMbedTls/Pk/CryptEcNull.c  |  578 +++
 .../Pk/CryptPkcs1OaepNull.c   |   51 +
 .../Pk/CryptPkcs5Pbkdf2Null.c |   48 +
 .../Pk/CryptPkcs7Internal.h   |   83 +
 .../Pk/CryptPkcs7SignNull.c   |   53 +
 .../Pk/CryptPkcs7VerifyEkuNull.c  |  152 +
 .../Pk/CryptPkcs7VerifyEkuRuntime.c   |   56 +
 .../Pk/CryptPkcs7VerifyNull.c |  163 +
 .../Pk/CryptPkcs7VerifyRuntime.c  |   38 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaBasic.c|  278 ++
 .../Pk/CryptRsaBasicNull.c|  121 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c  |  117 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaPss.c  |  174 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c  |   46 +
 .../Pk/CryptRsaPssSignNull.c  |   60 +
 .../BaseCryptLibMbedTls/Pk/CryptTsNull.c  |   42 +
 .../BaseCryptLibMbedTls/Pk/CryptX509Null.c|  753 
 .../BaseCryptLibMbedTls/Rand/CryptRandNull.c  |   56 +
 .../BaseCryptLibMbedTls/RuntimeCryptLib.inf   |   92 +
 .../BaseCryptLibMbedTls/RuntimeCryptLib.uni   |   22 +
 .../BaseCryptLibMbedTls/SecCryptLib.inf   |   84 +
 .../BaseCryptLibMbedTls/SecCryptLib.uni   |   17 +
 .../BaseCryptLibMbedTls/SmmCryptLib.inf   |   92 +
 .../BaseCryptLibMbedTls/SmmCryptLib.uni   |   22 +
 .../SysCall/ConstantTimeClock.c   |   75 +
 .../BaseCryptLibMbedTls/SysCall/CrtWrapper.c  |   58 +
 .../SysCall/RuntimeMemAllocation.c|  462 ++
 .../SysCall/TimerWrapper.c|  198 +
 .../BaseCryptLibMbedTls/TestBaseCryptLib.inf  |   76 +
 CryptoPkg/Library/Include/stdint.h|   19 +
 CryptoPkg/Library/Include/stubs-32.h  |9 +
 CryptoPkg/Library/MbedTlsLib/CrtWrapper.c |

Re: [edk2-devel] [PATCH v2 1/1] CryptoPkg/TlsLib: fix tls cipher configuration

2023-10-07 Thread Li, Yi

Sorry for delayed response due to PRC holiday.
This is a pretty good solution, I also ran some basic HTTPSBOOT and EAP-TLS 
test cases, and all passed.

Reviewed-by: Yi Li 

-Original Message-
From: Gerd Hoffmann  
Sent: Wednesday, October 4, 2023 5:20 PM
To: devel@edk2.groups.io
Cc: Li, Yi1 ; Pawel Polawski ; László 
Érsek ; Jiang, Guomin ; Yao, Jiewen 
; Oliver Steffen ; Lu, Xiaoyu1 
; Gerd Hoffmann 
Subject: [PATCH v2 1/1] CryptoPkg/TlsLib: fix tls cipher configuration

Trying to configure the TLS ciphers can lead to TLS handshake failures because 
TlsCipherMappingTable is not in line with the ciphers actually supported by 
OpensslLib.

Fix that by removing TlsCipherMappingTable altogether.  Use
SSL_get_ciphers() instead to get the stack of ciphers supported by openssl.  
Name and ID of the ciphers can be queried using the
SSL_CIPHER_get_name() and SSL_CIPHER_get_protocol_id() functions, which allows 
us to map IDs to names without a hard-code table.

Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2541
Signed-off-by: Gerd Hoffmann 
---
 CryptoPkg/Library/TlsLib/TlsConfig.c | 164 ++-
 1 file changed, 36 insertions(+), 128 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c 
b/CryptoPkg/Library/TlsLib/TlsConfig.c
index f9333165a913..29d24abdca0f 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -9,65 +9,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include "InternalTlsLib.h"
 
-typedef struct {
-  //
-  // IANA/IETF defined Cipher Suite ID
-  //
-  UINT16 IanaCipher;
-  //
-  // OpenSSL-used Cipher Suite String
-  //
-  CONST CHAR8*OpensslCipher;
-  //
-  // Length of OpensslCipher
-  //
-  UINTN  OpensslCipherLength;
-} TLS_CIPHER_MAPPING;
-
-//
-// Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher 
so -// that OpensslCipherLength is filled in automatically. IanaCipher must be 
an -// integer constant expression, and OpensslCipher must be a string literal.
-//
-#define MAP(IanaCipher, OpensslCipher) \
-  { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }
-
-//
-// The mapping table between IANA/IETF Cipher Suite definitions and -// 
OpenSSL-used Cipher Suite name.
-//
-// Keep the table uniquely sorted by the IanaCipher field, in increasing order.
-//
-STATIC CONST TLS_CIPHER_MAPPING  TlsCipherMappingTable[] = {
-  MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5
-  MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA
-  MAP (0x0004, "RC4-MD5"),  /// 
TLS_RSA_WITH_RC4_128_MD5
-  MAP (0x0005, "RC4-SHA"),  /// 
TLS_RSA_WITH_RC4_128_SHA
-  MAP (0x000A, "DES-CBC3-SHA"), /// 
TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
-  MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// 
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-  MAP (0x002F, "AES128-SHA"),   /// 
TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
-  MAP (0x0030, "DH-DSS-AES128-SHA"),/// 
TLS_DH_DSS_WITH_AES_128_CBC_SHA
-  MAP (0x0031, "DH-RSA-AES128-SHA"),/// 
TLS_DH_RSA_WITH_AES_128_CBC_SHA
-  MAP (0x0033, "DHE-RSA-AES128-SHA"),   /// 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-  MAP (0x0035, "AES256-SHA"),   /// 
TLS_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x0036, "DH-DSS-AES256-SHA"),/// 
TLS_DH_DSS_WITH_AES_256_CBC_SHA
-  MAP (0x0037, "DH-RSA-AES256-SHA"),/// 
TLS_DH_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x0039, "DHE-RSA-AES256-SHA"),   /// 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-  MAP (0x003B, "NULL-SHA256"),  /// 
TLS_RSA_WITH_NULL_SHA256
-  MAP (0x003C, "AES128-SHA256"),/// 
TLS_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x003D, "AES256-SHA256"),/// 
TLS_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x003E, "DH-DSS-AES128-SHA256"), /// 
TLS_DH_DSS_WITH_AES_128_CBC_SHA256
-  MAP (0x003F, "DH-RSA-AES128-SHA256"), /// 
TLS_DH_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x0067, "DHE-RSA-AES128-SHA256"),/// 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-  MAP (0x0068, "DH-DSS-AES256-SHA256"), /// 
TLS_DH_DSS_WITH_AES_256_CBC_SHA256
-  MAP (0x0069, "DH-RSA-AES256-SHA256"), /// 
TLS_DH_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x006B, "DHE-RSA-AES256-SHA256"),/// 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-  MAP (0x009F, "DHE-RSA-AES256-GCM-SHA384"),/// 
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-  MAP (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),/// 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-  MAP (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),/// 
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-  MAP (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),  /// 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-};
-
 typedef struct {
   //
   // TLS Algorithm
@@ -96,54 +37,6 @@ STATIC CONST TLS_ALGO_TO_NAME  TlsSignatureAlg

Re: [edk2-devel] [PATCH v3 09/11] CryptoPkg: Add Mbedtls submodule in CI

2023-10-11 Thread Li, Yi

Hello .pytools maintainers and reviewers, any comments for this patch series?

Background:
https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md#openssl30-mbedtls-dual-mode
This patch series is needed to resolve the limitation from OpenSSL 3.0 that 
provider based algorithms cannot work in pre-memory phase.
There are five features based on mbedtls in the patch series: 
HMAC/HKDF/RSA/HASH/AES.


Thanks,
Yi

-Original Message-
From: Hou, Wenxing  
Sent: Tuesday, October 10, 2023 9:50 AM
To: devel@edk2.groups.io; sean.bro...@microsoft.com; 
mikub...@linux.microsoft.com; Kinney, Michael D ; 
Gao, Liming 
Cc: Li, Yi1 
Subject: RE: [edk2-devel] [PATCH v3 09/11] CryptoPkg: Add Mbedtls submodule in 
CI

Hi all,

Could you help me take a look at this patch? 

Thank you very much!!



Thanks.
Wenxing



-Original Message-
From: Hou, Wenxing
Sent: Saturday, October 7, 2023 9:39 PM
To: devel@edk2.groups.io; sean.bro...@microsoft.com; 
mikub...@linux.microsoft.com; Kinney, Michael D ; 
gaolim...@byosoft.com.cn
Cc: Li, Yi1 
Subject: RE: [edk2-devel] [PATCH v3 09/11] CryptoPkg: Add Mbedtls submodule in 
CI

Hi all,


My patch is about enabling Mbedtls. And this patch will change the pytool.

Could you review this patch for the pytool change?

Thanks
Wenxing



-Original Message-
From: devel@edk2.groups.io  On Behalf Of Wenxing Hou
Sent: Thursday, September 28, 2023 11:34 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin 
Subject: [edk2-devel] [PATCH v3 09/11] CryptoPkg: Add Mbedtls submodule in CI

Change CI for new Mbedtls submodule.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 
---
 .pytool/CISettings.py  |  2 ++
 CryptoPkg/CryptoPkg.ci.yaml| 12 +++-
 CryptoPkg/CryptoPkg.dec|  3 ++-
 CryptoPkg/CryptoPkg.dsc|  8 
 CryptoPkg/Private/Library/MbedTlsLib.h | 12 
 5 files changed, 35 insertions(+), 2 deletions(-)  create mode 100644 
CryptoPkg/Private/Library/MbedTlsLib.h

diff --git a/.pytool/CISettings.py b/.pytool/CISettings.py index 
6fb7342f81..c5803a877c 100644
--- a/.pytool/CISettings.py
+++ b/.pytool/CISettings.py
@@ -199,6 +199,8 @@ class Settings(CiBuildSettingsManager, 
UpdateSettingsManager, SetupSettingsManag
 "MdePkg/Library/BaseFdtLib/libfdt", False)) 
rs.append(RequiredSubmodule( "MdePkg/Library/MipiSysTLib/mipisyst", 
False))+rs.append(RequiredSubmodule(+
"CryptoPkg/Library/MbedTlsLib/mbedtls", False)) return rs  def 
GetName(self):diff --git a/CryptoPkg/CryptoPkg.ci.yaml 
b/CryptoPkg/CryptoPkg.ci.yaml
index 59ba56d41e..967612230d 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -38,10 +38,20 @@
 # This has OpenSSL interfaces that aren't UEFI spec compliant  
   "Library/BaseCryptLib/Hash/CryptParallelHash.h", 
"Library/Include/fcntl.h",+# This has Mbedtls interfaces that 
aren't UEFI spec compliant+"Library/Include/stdint.h",+
"Library/Include/stubs-32.h", # These directories contain 
auto-generated OpenSSL content "Library/OpensslLib", 
"Library/IntrinsicLib",-
"Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c"+
"Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c",+# mbedtls+
"Library/MbedTlsLib/mbedtls",+# This has mbedtls interfaces 
that aren't UEFI spec compliant+"Library/MbedTlsLib/EcSm2Null.c",+  
  "Library/MbedTlsLib/CrtWrapper.c",+
"Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h",+
"Library/BaseCryptLibMbedTls/SysCall" ] }, "CompilerPlugin": 
{diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index a5fa81a338..e613b6b1ae 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -28,9 +28,9 @@
   Library/OpensslLib/OpensslGen/include   
Library/OpensslLib/OpensslGen/providers/common/include   
Library/MbedTlsLib/Include-  Library/MbedTlsLib/mbedtls   
Library/MbedTlsLib/mbedtls/include   
Library/MbedTlsLib/mbedtls/include/mbedtls+  Library/MbedTlsLib/mbedtls/library 
 [LibraryClasses]   ##  @libraryclass  Provides basic library functions for 
cryptographic primitives.@@ -49,6 +49,7 @@
   ##  @libraryclass  Provides library functions from the openssl project.   #  
 OpensslLib|Private/Library/OpensslLib.h+  
MbedTlsLib|Private/Library/MbedTlsLib.h##  @libraryclass  Provides compiler 
intrinsic functions required to link openssl project.   #diff --git 
a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index a55dcb9668..6a0104a3bb 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -364,6 +364,14 @@
   CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf   
CryptoPkg/

Re: [edk2-devel] [PATCH v3 00/11] Add HMAC/HKDF/RSA/HASH/AES features based on Mbedtls

2023-10-11 Thread Li, Yi

Patch merged via: https://github.com/tianocore/edk2/pull/4897
Thanks for your contribution.

Regards,
Yi 

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Saturday, October 7, 2023 8:38 PM
To: Hou, Wenxing ; devel@edk2.groups.io
Cc: Yao, Jiewen ; Lu, Xiaoyu1 ; 
Jiang, Guomin 
Subject: Re: [edk2-devel] [PATCH v3 00/11] Add HMAC/HKDF/RSA/HASH/AES features 
based on Mbedtls


Looks good to me.
Reviewed-by: Yi Li 

-Original Message-
From: Hou, Wenxing  
Sent: Thursday, September 28, 2023 11:34 PM
To: devel@edk2.groups.io
Cc: Yao, Jiewen ; Li, Yi1 ; Lu, Xiaoyu1 
; Jiang, Guomin 
Subject: [PATCH v3 00/11] Add HMAC/HKDF/RSA/HASH/AES features based on Mbedtls

Purpose: This patch is needed to resolve the limitation from OpenSSL 3.0 that 
HMAC/HKDF/RSA cannot work in pre-memory phase.

There are five features based on mbedtls in the patch: HMAC/HKDF/RSA/HASH/AES.

Test: The patch has passed the unit_test and fuzz test. And the patch has 
passed testing on the Intel platform.

POC: https://github.com/tianocore/edk2-
staging/tree/OpenSSL11_EOL/CryptoPkg/Library/BaseCryptLibMbedTls

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Cc: Jiewen Yao 
Cc: Yi Li 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Wenxing Hou 

Wenxing Hou (11):
  CryptoPkg: Add mbedtls submodule for EDKII
  CryptoPkg: Add mbedtls_config and MbedTlsLib.inf
  CryptoPkg: Add HMAC functions based on Mbedtls
  CryptoPkg: Add HKDF functions based on Mbedtls
  CryptoPkg: Add RSA functions based on Mbedtls
  CryptoPkg: Add all .inf files for BaseCryptLibMbedTls
  CryptoPkg: Add Null functions for building pass
  CryptoPkg: Add MD5/SHA1/SHA2 functions based on Mbedtls
  CryptoPkg: Add Mbedtls submodule in CI
  CryptoPkg: Add basic Readme for BaseCryptLibMbedTls
  CryptoPkg: Add CryptAes functions based on Mbedtls Add CryptAes APIS.

 .gitmodules   |3 +
 .pytool/CISettings.py |2 +
 CryptoPkg/CryptoPkg.ci.yaml   |   12 +-
 CryptoPkg/CryptoPkg.dec   |5 +
 CryptoPkg/CryptoPkg.dsc   |8 +
 CryptoPkg/CryptoPkgMbedTls.dsc|  280 ++
 .../BaseCryptLibMbedTls/BaseCryptLib.inf  |   81 +
 .../BaseCryptLibMbedTls/Bn/CryptBnNull.c  |  520 +++
 .../Cipher/CryptAeadAesGcmNull.c  |  100 +
 .../BaseCryptLibMbedTls/Cipher/CryptAes.c |  225 +
 .../BaseCryptLibMbedTls/Cipher/CryptAesNull.c |  159 +
 .../BaseCryptLibMbedTls/Hash/CryptMd5.c   |  226 +
 .../BaseCryptLibMbedTls/Hash/CryptMd5Null.c   |  163 +
 .../Hash/CryptParallelHashNull.c  |   40 +
 .../BaseCryptLibMbedTls/Hash/CryptSha1.c  |  226 +
 .../BaseCryptLibMbedTls/Hash/CryptSha1Null.c  |  166 +
 .../BaseCryptLibMbedTls/Hash/CryptSha256.c|  219 +
 .../Hash/CryptSha256Null.c|  162 +
 .../BaseCryptLibMbedTls/Hash/CryptSha512.c|  431 ++
 .../Hash/CryptSha512Null.c|  275 ++
 .../BaseCryptLibMbedTls/Hash/CryptSm3Null.c   |  164 +
 .../BaseCryptLibMbedTls/Hmac/CryptHmac.c  |  678 +++
 .../BaseCryptLibMbedTls/Hmac/CryptHmacNull.c  |  359 ++
 .../BaseCryptLibMbedTls/InternalCryptLib.h|   25 +
 .../BaseCryptLibMbedTls/Kdf/CryptHkdf.c   |  372 ++
 .../BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c   |  192 +
 .../BaseCryptLibMbedTls/PeiCryptLib.inf   |  101 +
 .../BaseCryptLibMbedTls/PeiCryptLib.uni   |   25 +
 .../BaseCryptLibMbedTls/Pem/CryptPemNull.c|   69 +
 .../Pk/CryptAuthenticodeNull.c|   45 +
 .../BaseCryptLibMbedTls/Pk/CryptDhNull.c  |  150 +
 .../BaseCryptLibMbedTls/Pk/CryptEcNull.c  |  578 +++
 .../Pk/CryptPkcs1OaepNull.c   |   51 +
 .../Pk/CryptPkcs5Pbkdf2Null.c |   48 +
 .../Pk/CryptPkcs7Internal.h   |   83 +
 .../Pk/CryptPkcs7SignNull.c   |   53 +
 .../Pk/CryptPkcs7VerifyEkuNull.c  |  152 +
 .../Pk/CryptPkcs7VerifyEkuRuntime.c   |   56 +
 .../Pk/CryptPkcs7VerifyNull.c |  163 +
 .../Pk/CryptPkcs7VerifyRuntime.c  |   38 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaBasic.c|  278 ++
 .../Pk/CryptRsaBasicNull.c|  121 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c  |  117 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaPss.c  |  174 +
 .../BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c  |   46 +
 .../Pk/CryptRsaPssSignNull.c  |   60 +
 .../BaseCryptLibMbedTls/Pk/CryptTsNull.c  |   42 +
 .../BaseCryptLibMbedTls/Pk/CryptX509Null.c|  753 
 .../BaseCryptLibMbedTls/Rand/CryptRandNull.c  |   56 +
 .../BaseCryptLibMbedTls/RuntimeCryptLib.inf   |   92 +
 .../BaseCryptLibMbedTls/RuntimeCryptLib.uni   |   22 +
 .../BaseCryptLibMbedTls/SecCryptLib.inf   |   84 +
 .../BaseCryptLibMbedTls/SecCryptLib.uni   |   17 +
 .../BaseCryptLibMbedTls/SmmCryptLib.inf   |   92 +
 .../BaseCryptLibMbedTls/SmmCryptLib.uni   |   22 +
 .../SysCall/ConstantTimeClock.c

[edk2-devel] [PATCH] CryptoPkg: Add b_print.c which removed floating-point to OpensslLib

2022-11-19 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4110

Openssl will use BIO_snprintf() to print time string when converting
time_t to ASN1_time.
Currently edk2 code just give it a NULL implement in CrtWrapper.c, so
getting current time in X509 time check will be fail.

This patch add a copy of OpensslLib\openssl\crypto\bio\b_print.c to
OpensslLib, with below changes:

1. All floating point related code removed.
2. Replace ull divide and remainder with DivU64x32Remainder().

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/CryptoPkg.ci.yaml   |   4 +-
 .../Library/BaseCryptLib/SysCall/CrtWrapper.c |  27 -
 .../SysCall/UnitTestHostCrtWrapper.c  |  25 -
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   1 +
 .../Library/OpensslLib/OpensslLibAccel.inf|   1 +
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   1 +
 .../Library/OpensslLib/OpensslLibFull.inf |   1 +
 .../OpensslLib/OpensslLibFullAccel.inf|   1 +
 CryptoPkg/Library/OpensslLib/b_print.c| 613 ++
 9 files changed, 621 insertions(+), 53 deletions(-)
 create mode 100644 CryptoPkg/Library/OpensslLib/b_print.c

diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml
index 47f2975967..8c25f581fb 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -13,7 +13,9 @@
 "Library/OpensslLib/IA32Gcc",
 "Library/OpensslLib/X64",
 "Library/OpensslLib/X64Gcc",
-"Library/Include/openssl"
+"Library/Include/openssl",
+# b_print.c is a copy from OpenSSl.
+"Library/OpensslLib/b_print.c"
 ]
 },
 "EccCheck": {
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c 
b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
index b65d29485b..6d7ac3efdc 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
@@ -472,33 +472,6 @@ fwrite (
   return 0;
 }
 
-//
-//  -- Dummy OpenSSL Support Routines --
-//
-
-int
-BIO_printf (
-  void*bio,
-  const char  *format,
-  ...
-  )
-{
-  return 0;
-}
-
-int
-BIO_snprintf (
-  char*buf,
-  size_t  n,
-  const char  *format,
-  ...
-  )
-{
-  // Because the function does not actually print anything to buf, it returns 
-1 as error.
-  // Otherwise, the consumer may think that the buf is valid and parse the 
buffer.
-  return -1;
-}
-
 #ifdef __GNUC__
 
 typedef
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c 
b/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c
index 066d53e4fa..244e57437e 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c
@@ -72,31 +72,6 @@ sscanf (
   return 0;
 }
 
-//
-//  -- Dummy OpenSSL Support Routines --
-//
-
-int
-BIO_printf (
-  void*bio,
-  const char  *format,
-  ...
-  )
-{
-  return 0;
-}
-
-int
-BIO_snprintf (
-  char*buf,
-  size_t  n,
-  const char  *format,
-  ...
-  )
-{
-  return 0;
-}
-
 uid_t
 getuid (
   void
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 60c6c24b0a..f8ddfadc51 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -580,6 +580,7 @@
   rand_pool.c
 #  SslNull.c
   EcSm2Null.c
+  b_print.c
 
 [Packages]
   MdePkg/MdePkg.dec
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf
index 103ef7bda2..6ee7bfd329 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf
@@ -580,6 +580,7 @@
   rand_pool.c
 #  SslNull.c
   EcSm2Null.c
+  b_print.c
 
 [Sources.IA32]
 # Autogenerated IA32 files list starts here
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index c4eaea888c..3e43cf146b 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -530,6 +530,7 @@
   rand_pool.c
   SslNull.c
   EcSm2Null.c
+  b_print.c
 
 [Packages]
   MdePkg/MdePkg.dec
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
index 309e43055c..440d3e7e1d 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
@@ -635,6 +635,7 @@
   rand_pool.c
 #  SslNull.c
 #  EcSm2Null.c
+  b_print.c
 
 [Packages]
   MdePkg/MdePkg.dec
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf
index 4b79bd..413f70f733 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf
@@ -635,6 +635,7 @@
   rand_pool.c
 #  SslNull.c

Re: [edk2-devel] [PATCH] CryptoPkg: Add b_print.c which removed floating-point to OpensslLib

2022-11-19 Thread Li, Yi

Hi all,

This patch is the pre-work for enabling the X509 certificate time check.
I know it looks weird to add a new b_print.c, so I wanted to explain the 
background of this patch.

1. Why not directly use the b_print.c file in openssl?
The original file uses code related to floating-point and ulldrvm, which will 
cause compilation errors like:
unresolved external symbol __aulldvrm
error: SSE register return with SSE disabled 
ref: https://github.com/tianocore/edk2/pull/3508

So I removed all float code and replaced ulldrvm with DivU64x32Remainder():
1). 
case 'f':
case 'E':
case 'e':
case 'G':
case 'g':
return -1;
2).
+uvalue = DivU64x32Remainder(uvalue, (unsigned)base, &uremainder);
 convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")
-[uvalue % (unsigned)base];
-uvalue = (uvalue / (unsigned)base);
+[uremainder];


2. Why not use the similar print function AsciiVSPrint in EDK2?
EDK2 functions are all ms_abi but openssl functions not, so they use different 
va_list definitions, the relevant codes are as follows:
GCC:*_*_X64_CC_FLAGS = ..  -DNO_MSABI_VA_FUNCS
https://github.com/tianocore/edk2/blob/fff6d81270b57ee786ea18ad74f43149b9f03494/CryptoPkg/Library/OpensslLib/OpensslLib.inf#LL636C2-L636C3

Therefore, segmentation fault will occur when calling the edk2 VA parameter 
function in the openssl function.

3. Why not remove NO_MSABI_VA_FUNCS?
Similarly, ms va_list cannot be used in the sysv function in openssl, which 
will also cause segmentation fault.

I am not expert of compilation, let me know if there is other better idea.

Thanks,
Yi

-Original Message-
From: Li, Yi1  
Sent: Sunday, November 20, 2022 12:28 AM
To: devel@edk2.groups.io
Cc: Li, Yi1 ; Yao, Jiewen ; Wang, Jian 
J ; Lu, Xiaoyu1 ; Jiang, Guomin 

Subject: [PATCH] CryptoPkg: Add b_print.c which removed floating-point to 
OpensslLib

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4110

Openssl will use BIO_snprintf() to print time string when converting time_t to 
ASN1_time.
Currently edk2 code just give it a NULL implement in CrtWrapper.c, so getting 
current time in X509 time check will be fail.

This patch add a copy of OpensslLib\openssl\crypto\bio\b_print.c to OpensslLib, 
with below changes:

1. All floating point related code removed.
2. Replace ull divide and remainder with DivU64x32Remainder().

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 CryptoPkg/CryptoPkg.ci.yaml   |   4 +-
 .../Library/BaseCryptLib/SysCall/CrtWrapper.c |  27 -
 .../SysCall/UnitTestHostCrtWrapper.c  |  25 -
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   1 +
 .../Library/OpensslLib/OpensslLibAccel.inf|   1 +
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   1 +
 .../Library/OpensslLib/OpensslLibFull.inf |   1 +
 .../OpensslLib/OpensslLibFullAccel.inf|   1 +
 CryptoPkg/Library/OpensslLib/b_print.c| 613 ++
 9 files changed, 621 insertions(+), 53 deletions(-)  create mode 100644 
CryptoPkg/Library/OpensslLib/b_print.c

diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml index 
47f2975967..8c25f581fb 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -13,7 +13,9 @@
 "Library/OpensslLib/IA32Gcc",
 "Library/OpensslLib/X64",
 "Library/OpensslLib/X64Gcc",
-"Library/Include/openssl"
+"Library/Include/openssl",
+# b_print.c is a copy from OpenSSl.
+"Library/OpensslLib/b_print.c"
 ]
 },
 "EccCheck": {
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c 
b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
index b65d29485b..6d7ac3efdc 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
@@ -472,33 +472,6 @@ fwrite (
   return 0;
 }
 
-//
-//  -- Dummy OpenSSL Support Routines -- -//
-
-int
-BIO_printf (
-  void*bio,
-  const char  *format,
-  ...
-  )
-{
-  return 0;
-}
-
-int
-BIO_snprintf (
-  char*buf,
-  size_t  n,
-  const char  *format,
-  ...
-  )
-{
-  // Because the function does not actually print anything to buf, it returns 
-1 as error.
-  // Otherwise, the consumer may think that the buf is valid and parse the 
buffer.
-  return -1;
-}
-
 #ifdef __GNUC__
 
 typedef
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c 
b/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c
index 066d53e4fa..244e57437e 100644
--- a/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/UnitTestHostCrtWrapper.c
@@ -72,31 +72,6 @@ sscanf (
   return 0;
 }
 
-//
-//  -- Dummy OpenSSL Support Routines -- -//
-
-int
-BIO_printf (
-  void*bio,
-  const char  *format,
-  ...

Re: [edk2-devel] [PATCH] CryptoPkg: Add b_print.c which removed floating-point to OpensslLib

2022-11-19 Thread Li, Yi

Hi Jiewen,

Oh, I didn't realize we had this macro, maybe we could use it to eliminate 
floating point actions and upstream to openssl.

If it can be upstreamed, then we don't need these workarounds, I will try to do 
these things, thank you.

-Original Message-
From: Yao, Jiewen  
Sent: Sunday, November 20, 2022 10:19 AM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Wang, Jian J ; Lu, Xiaoyu1 ; 
Jiang, Guomin 
Subject: RE: [PATCH] CryptoPkg: Add b_print.c which removed floating-point to 
OpensslLib

HI Yi
I have question for 1 - The original file uses code related to floating-point 
and ulldrvm.

a) Openssl supports OPENSSL_SYS_UEFI macro 
(https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/Include/openssl/opensslconf.h#L28),
 why not use OPENSSL_SYS_UEFI macro to eliminate float point action?

b) For ulldrvm, why not implement it in 
https://github.com/tianocore/edk2/tree/master/CryptoPkg/Library/IntrinsicLib, 
as we already did.

Thank you
Yao, Jiewen

> -Original Message-
> From: Li, Yi1 
> Sent: Sunday, November 20, 2022 12:33 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen ; Wang, Jian J 
> ; Lu, Xiaoyu1 ; Jiang, 
> Guomin 
> Subject: RE: [PATCH] CryptoPkg: Add b_print.c which removed floating- 
> point to OpensslLib
> 
> Hi all,
> 
> This patch is the pre-work for enabling the X509 certificate time check.
> I know it looks weird to add a new b_print.c, so I wanted to explain 
> the background of this patch.
> 
> 1. Why not directly use the b_print.c file in openssl?
> The original file uses code related to floating-point and ulldrvm, 
> which will cause compilation errors like:
> unresolved external symbol __aulldvrm
> error: SSE register return with SSE disabled
> ref: https://github.com/tianocore/edk2/pull/3508
> 
> So I removed all float code and replaced ulldrvm with
> DivU64x32Remainder():
> 1).
> case 'f':
> case 'E':
> case 'e':
> case 'G':
> case 'g':
> return -1;
> 2).
> +uvalue = DivU64x32Remainder(uvalue, (unsigned)base, 
> + &uremainder);
>  convert[place++] = (caps ? "0123456789ABCDEF" :
> "0123456789abcdef")
> -[uvalue % (unsigned)base];
> -uvalue = (uvalue / (unsigned)base);
> +[uremainder];
> 
> 
> 2. Why not use the similar print function AsciiVSPrint in EDK2?
> EDK2 functions are all ms_abi but openssl functions not, so they use 
> different va_list definitions, the relevant codes are as follows:
> GCC:*_*_X64_CC_FLAGS = ..  -DNO_MSABI_VA_FUNCS
> https://github.com/tianocore/edk2/blob/fff6d81270b57ee786ea18ad74f4
> 3149b9f03494/CryptoPkg/Library/OpensslLib/OpensslLib.inf#LL636C2-
> L636C3
> 
> Therefore, segmentation fault will occur when calling the edk2 VA 
> parameter function in the openssl function.
> 
> 3. Why not remove NO_MSABI_VA_FUNCS?
> Similarly, ms va_list cannot be used in the sysv function in openssl, 
> which will also cause segmentation fault.
> 
> I am not expert of compilation, let me know if there is other better idea.
> 
> Thanks,
> Yi
> 
> -Original Message-
> From: Li, Yi1 
> Sent: Sunday, November 20, 2022 12:28 AM
> To: devel@edk2.groups.io
> Cc: Li, Yi1 ; Yao, Jiewen ; 
> Wang, Jian J ; Lu, Xiaoyu1 
> ; Jiang, Guomin 
> Subject: [PATCH] CryptoPkg: Add b_print.c which removed floating-point 
> to OpensslLib
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4110
> 
> Openssl will use BIO_snprintf() to print time string when converting 
> time_t to ASN1_time.
> Currently edk2 code just give it a NULL implement in CrtWrapper.c, so 
> getting current time in X509 time check will be fail.
> 
> This patch add a copy of OpensslLib\openssl\crypto\bio\b_print.c to 
> OpensslLib, with below changes:
> 
> 1. All floating point related code removed.
> 2. Replace ull divide and remainder with DivU64x32Remainder().
> 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Xiaoyu Lu 
> Cc: Guomin Jiang 
> Signed-off-by: Yi Li 
> ---
>  CryptoPkg/CryptoPkg.ci.yaml   |   4 +-
>  .../Library/BaseCryptLib/SysCall/CrtWrapper.c |  27 -
>  .../SysCall/UnitTestHostCrtWrapper.c  |  25 -
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   1 +
>  .../Library/OpensslLib/OpensslLibAccel.inf|   1 +
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |   1 +
>  .../Library/OpensslLib/OpensslLibFull.inf |   1 +
>  .../OpensslLib/OpensslLibFullAccel.inf|   1 +
>  CryptoPkg/Library/OpensslLib/b_print.c| 613 ++
>  9 files changed, 621 insertions(+), 53 deletions(-)  create mode 
> 100644 CryptoPkg/Library/OpensslLib/b_print.c
> 
> diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml 
> index 47f2975967..8c25f581fb 100644
> --- a/CryptoPkg/CryptoPkg.ci.yaml
> +++ b/CryptoPkg/CryptoPkg.ci.yaml
> @@ -13,7 +13,9 @@
>  "Library/OpensslLib/IA32Gcc",
>  "Library/OpensslLib/X64",
>  "Library/OpensslLib/X64Gcc",
> -"Lib

Re: [edk2-devel] [PATCH] CryptoPkg: Add b_print.c which removed floating-point to OpensslLib

2022-11-21 Thread Li, Yi

Hi Gerd,

Cool! I noticed your patch in openssl3.0 branch.
Because the Tls cert time check needs to be solved as soon as possible,
I will cherry-pick your patch to 1.1.1 branch instead of updating edk2 openssl 
to 3.0. The latter seems to take a long time.

By the way, I remember you are already working on upstream openssl3.0, right?
How is it doing now, I can help with some work if needed.

Thanks,
Yi

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Gerd Hoffmann
Sent: Monday, November 21, 2022 2:24 PM
To: devel@edk2.groups.io; Yao, Jiewen 
Cc: Li, Yi1 ; Wang, Jian J ; Lu, 
Xiaoyu1 ; Jiang, Guomin 
Subject: Re: [edk2-devel] [PATCH] CryptoPkg: Add b_print.c which removed 
floating-point to OpensslLib

On Sun, Nov 20, 2022 at 02:18:36AM +, Yao, Jiewen wrote:
> HI Yi
> I have question for 1 - The original file uses code related to floating-point 
> and ulldrvm.
> 
> a) Openssl supports OPENSSL_SYS_UEFI macro 
> (https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/Include/openssl/opensslconf.h#L28),
>  why not use OPENSSL_SYS_UEFI macro to eliminate float point action?

openssl 3.x already has that btw.

take care,
  Gerd








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#96513): https://edk2.groups.io/g/devel/message/96513
Mute This Topic: https://groups.io/mt/95135786/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 1/1] CryptoPkg: Make Protocol Service API backward compatible

2022-12-18 Thread Li, Yi

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4197

Using older Crypto protocol will be allowed.
Each function wrapper will be annotated to require a minimum required
version of the crypto protocol and assert if called when the version is
not compatible.
Ths minimum version difined as the version when the API was introduced.
Details:
///Parallel hash: MinVersion 8
  ParallelHash256HashAll,
/// HMAC SHA256 (continued): MinVersion 9
  HmacSha256All,
/// HMAC SHA384: MinVersion 9
  HmacSha384New,
  ...
  HmacSha384All,
/// HKDF (continued): MinVersion 10
  HkdfSha256Extract,
  ...
  HkdfSha384Expand,
/// Aead Aes GCM: MinVersion 11
  AeadAesGcmEncrypt,
  AeadAesGcmDecrypt,
/// Big Numbers: MinVersion 12
  BigNumInit,
  ...
  BigNumAddMod,
/// EC: MinVersion 13
  EcGroupInit,
  ...
  EcDhComputeKey,
/// TLS (continued): MinVersion 14
  TlsShutdown,
  ...
  TlsGetExportKey,
/// Ec (Continued): MinVersion 15
  EcGetPublicKeyFromX509,
  ...
  EcDsaVerify,
/// X509 (Continued): MinVersion 16
  X509GetVersion,
  ...
  X509GetExtendedBasicConstraints
/// Others: MinVersion 7

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 449 +-
 .../BaseCryptLibOnProtocolPpi/DxeCryptLib.c   |   9 -
 .../BaseCryptLibOnProtocolPpi/PeiCryptLib.c   |   8 -
 .../BaseCryptLibOnProtocolPpi/SmmCryptLib.c   |   9 -
 4 files changed, 227 insertions(+), 248 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c 
b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 4e31bc278e..e470a0f0d4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -24,18 +24,20 @@
   @param  Args  The argument list to pass to Function.
   @param  ErrorReturnValue  The value to return if the protocol is NULL or the
 service in the protocol is NULL.
-
-**/
-#define CALL_CRYPTO_SERVICE(Function, Args, ErrorReturnValue)  \
-  do { \
-EDKII_CRYPTO_PROTOCOL  *CryptoServices;\
-   \
-CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices ();\
-if (CryptoServices != NULL && CryptoServices->Function != NULL) {  \
-  return (CryptoServices->Function) Args;  \
-}  \
-CryptoServiceNotAvailable (#Function); \
-return ErrorReturnValue;   \
+  @param  MinVersionThe minimum protocol version that supports the API.
+
+**/
+#define CALL_CRYPTO_SERVICE(Function, Args, ErrorReturnValue, MinVersion) \
+  do {\
+EDKII_CRYPTO_PROTOCOL  *CryptoServices;   \
+  \
+CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices ();   \
+if (CryptoServices != NULL && CryptoServices->Function != NULL && \
+CryptoServices->GetVersion () >= MinVersion) {\
+  return (CryptoServices->Function) Args; \
+} \
+CryptoServiceNotAvailable (#Function);\
+return ErrorReturnValue;  \
   } while (FALSE);
 
 /**
@@ -45,14 +47,16 @@
 
   @param  Function  Name of the EDK II Crypto Protocol service to call.
   @param  Args  The argument list to pass to Function.
+  @param  MinVersionThe minimum protocol version that supports the API.
 
 **/
-#define CALL_VOID_CRYPTO_SERVICE(Function, Args)   \
+#define CALL_VOID_CRYPTO_SERVICE(Function, Args, MinVersion)   \
   do { \
 EDKII_CRYPTO_PROTOCOL  *CryptoServices;\
\
 CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices ();\
-if (CryptoServices != NULL && CryptoServices->Function != NULL) {  \
+if (CryptoServices != NULL && CryptoServices->Function != NULL &&  \
+CryptoServices->GetVersion () >= MinVersion) { \
   (CryptoServices->Function) Args; \
   return;  \
 }  \
@@ -116,7 +120,7 @@ Md5GetContextSize (
   VOID
   )
 {
-  CALL_CRYPTO_SERVICE (Md5GetContextSize, (), 0);
+  CALL_CRYPTO_SERVICE (Md5GetContextSize, (), 0,

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Make Protocol Service API backward compatible

2023-01-03 Thread Li, Yi

Hi, any comments about this BZ and patch?
Code link: https://github.com/tianocore/edk2/pull/3787

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Li, Yi
Sent: Monday, December 19, 2022 2:24 PM
To: devel@edk2.groups.io
Cc: Li, Yi1 ; Yao, Jiewen ; Wang, Jian 
J ; Lu, Xiaoyu1 ; Jiang, Guomin 

Subject: [edk2-devel] [PATCH 1/1] CryptoPkg: Make Protocol Service API backward 
compatible

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4197

Using older Crypto protocol will be allowed.
Each function wrapper will be annotated to require a minimum required
version of the crypto protocol and assert if called when the version is
not compatible.
Ths minimum version difined as the version when the API was introduced.
Details:
///Parallel hash: MinVersion 8
  ParallelHash256HashAll,
/// HMAC SHA256 (continued): MinVersion 9
  HmacSha256All,
/// HMAC SHA384: MinVersion 9
  HmacSha384New,
  ...
  HmacSha384All,
/// HKDF (continued): MinVersion 10
  HkdfSha256Extract,
  ...
  HkdfSha384Expand,
/// Aead Aes GCM: MinVersion 11
  AeadAesGcmEncrypt,
  AeadAesGcmDecrypt,
/// Big Numbers: MinVersion 12
  BigNumInit,
  ...
  BigNumAddMod,
/// EC: MinVersion 13
  EcGroupInit,
  ...
  EcDhComputeKey,
/// TLS (continued): MinVersion 14
  TlsShutdown,
  ...
  TlsGetExportKey,
/// Ec (Continued): MinVersion 15
  EcGetPublicKeyFromX509,
  ...
  EcDsaVerify,
/// X509 (Continued): MinVersion 16
  X509GetVersion,
  ...
  X509GetExtendedBasicConstraints
/// Others: MinVersion 7

Cc: Jiewen Yao 
Cc: Jian J Wang 
Cc: Xiaoyu Lu 
Cc: Guomin Jiang 
Signed-off-by: Yi Li 
---
 .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 449 +-
 .../BaseCryptLibOnProtocolPpi/DxeCryptLib.c   |   9 -
 .../BaseCryptLibOnProtocolPpi/PeiCryptLib.c   |   8 -
 .../BaseCryptLibOnProtocolPpi/SmmCryptLib.c   |   9 -
 4 files changed, 227 insertions(+), 248 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c 
b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 4e31bc278e..e470a0f0d4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -24,18 +24,20 @@
   @param  Args  The argument list to pass to Function.
   @param  ErrorReturnValue  The value to return if the protocol is NULL or the
 service in the protocol is NULL.
-
-**/
-#define CALL_CRYPTO_SERVICE(Function, Args, ErrorReturnValue)  \
-  do { \
-EDKII_CRYPTO_PROTOCOL  *CryptoServices;\
-   \
-CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices ();\
-if (CryptoServices != NULL && CryptoServices->Function != NULL) {  \
-  return (CryptoServices->Function) Args;  \
-}  \
-CryptoServiceNotAvailable (#Function); \
-return ErrorReturnValue;   \
+  @param  MinVersionThe minimum protocol version that supports the API.
+
+**/
+#define CALL_CRYPTO_SERVICE(Function, Args, ErrorReturnValue, MinVersion) \
+  do {\
+EDKII_CRYPTO_PROTOCOL  *CryptoServices;   \
+  \
+CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices ();   \
+if (CryptoServices != NULL && CryptoServices->Function != NULL && \
+CryptoServices->GetVersion () >= MinVersion) {\
+  return (CryptoServices->Function) Args; \
+} \
+CryptoServiceNotAvailable (#Function);\
+return ErrorReturnValue;  \
   } while (FALSE);
 
 /**
@@ -45,14 +47,16 @@
 
   @param  Function  Name of the EDK II Crypto Protocol service to call.
   @param  Args  The argument list to pass to Function.
+  @param  MinVersionThe minimum protocol version that supports the API.
 
 **/
-#define CALL_VOID_CRYPTO_SERVICE(Function, Args)   \
+#define CALL_VOID_CRYPTO_SERVICE(Function, Args, MinVersion)   \
   do { \
 EDKII_CRYPTO_PROTOCOL  *CryptoServices;\
\
 CryptoServices = (EDKII_CRYPTO_PROTOCOL *)GetCryptoServices ();\
-if (CryptoServices != NULL && CryptoServices->Function != NULL) {  \
+if (CryptoServices != NULL && CryptoService

Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Make Protocol Service API backward compatible

2023-01-06 Thread Li, Yi

Hi Jiewen,

Thanks for feedback.

>If you can upgrade the CryptoConsumer, why not upgrade the CryptoBin at the 
>same time?

1. CryptoConsumer and CryptoBin are usually delivered by different people. For 
example, some features that require CryptoBin are responsible for by an 
independent team, but Cyptobin is responsible for the platform as part of the 
platform firmware.

2. In the actual development process, the update of CryptoBin is often 
difficult due to reasons such as binary size or freeze of platform code, 
especially on older platforms, which will cause the feature development team to 
have to maintain multiple feature versions based on different EDK2 CyptoPkg.

> But it is NOT TRUE, if you care the implementation of API. Maybe the higher 
> version of an API fixed some bug, or add some new features.

Perhaps we can ask developers to update the minimum version of CyptoAPI after 
bug or security fixes.

Thanks,
Yi

-Original Message-
From: Yao, Jiewen  
Sent: Friday, January 6, 2023 6:06 PM
To: Li, Yi1 ; devel@edk2.groups.io
Cc: Wang, Jian J ; Lu, Xiaoyu1 ; 
Jiang, Guomin ; Kinney, Michael D 

Subject: RE: [edk2-devel] [PATCH 1/1] CryptoPkg: Make Protocol Service API 
backward compatible

Thanks Yi.
You raised a very interesting question.

+ Mike Kinney, to comment from the requirement perspective.

The original design is very simple: CryptoBin.Version >= CryptoConsumer.Version.

Now you want to handle the case that: CryptoConsumer.Version > 
CryptoBin.Version, but the CryptoConsumer.Api is already present in 
CryptoBin.Api.
To me, the hidden assumption is that: As long as an API is present, it will be 
used. The version of the API is not cared.

This is only TRUE, if you only care the API is present or absent.
But it is NOT TRUE, if you care the implementation of API. Maybe the higher 
version of an API fixed some bug, or add some new features.

I believe this is very dangerous downgrade. I don't recommend we do it.
Mike, what do you think?

Question to Yi: If you can upgrade the CryptoConsumer, why not upgrade the 
CryptoBin at the same time?

Thank you
Yao, Jiewen

> -Original Message-
> From: Li, Yi1 
> Sent: Wednesday, January 4, 2023 10:03 AM
> To: devel@edk2.groups.io; Li, Yi1 
> Cc: Yao, Jiewen ; Wang, Jian J
> ; Lu, Xiaoyu1 ; Jiang,
> Guomin 
> Subject: RE: [edk2-devel] [PATCH 1/1] CryptoPkg: Make Protocol Service API
> backward compatible
> 
> Hi, any comments about this BZ and patch?
> Code link: https://github.com/tianocore/edk2/pull/3787
> 
> -Original Message-
> From: devel@edk2.groups.io  On Behalf Of Li, Yi
> Sent: Monday, December 19, 2022 2:24 PM
> To: devel@edk2.groups.io
> Cc: Li, Yi1 ; Yao, Jiewen ; Wang,
> Jian J ; Lu, Xiaoyu1 ; Jiang,
> Guomin 
> Subject: [edk2-devel] [PATCH 1/1] CryptoPkg: Make Protocol Service API
> backward compatible
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4197
> 
> Using older Crypto protocol will be allowed.
> Each function wrapper will be annotated to require a minimum required
> version of the crypto protocol and assert if called when the version is
> not compatible.
> Ths minimum version difined as the version when the API was introduced.
> Details:
> ///Parallel hash: MinVersion 8
>   ParallelHash256HashAll,
> /// HMAC SHA256 (continued): MinVersion 9
>   HmacSha256All,
> /// HMAC SHA384: MinVersion 9
>   HmacSha384New,
>   ...
>   HmacSha384All,
> /// HKDF (continued): MinVersion 10
>   HkdfSha256Extract,
>   ...
>   HkdfSha384Expand,
> /// Aead Aes GCM: MinVersion 11
>   AeadAesGcmEncrypt,
>   AeadAesGcmDecrypt,
> /// Big Numbers: MinVersion 12
>   BigNumInit,
>   ...
>   BigNumAddMod,
> /// EC: MinVersion 13
>   EcGroupInit,
>   ...
>   EcDhComputeKey,
> /// TLS (continued): MinVersion 14
>   TlsShutdown,
>   ...
>   TlsGetExportKey,
> /// Ec (Continued): MinVersion 15
>   EcGetPublicKeyFromX509,
>   ...
>   EcDsaVerify,
> /// X509 (Continued): MinVersion 16
>   X509GetVersion,
>   ...
>   X509GetExtendedBasicConstraints
> /// Others: MinVersion 7
> 
> Cc: Jiewen Yao 
> Cc: Jian J Wang 
> Cc: Xiaoyu Lu 
> Cc: Guomin Jiang 
> Signed-off-by: Yi Li 
> ---
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c  | 449 +-
>  .../BaseCryptLibOnProtocolPpi/DxeCryptLib.c   |   9 -
>  .../BaseCryptLibOnProtocolPpi/PeiCryptLib.c   |   8 -
>  .../BaseCryptLibOnProtocolPpi/SmmCryptLib.c   |   9 -
>  4 files changed, 227 insertions(+), 248 deletions(-)
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 4e31bc278e..e470a0f0d4 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtoc

Re: [edk2-devel] [PATCH 01/22] CryptoPkg/openssl: update submodule to openssl-3.0.8

2023-03-13 Thread Li, Yi

Hi Gerd,

I also have some work on Openssl3, mainly to research how to reduce the binary 
size increase after the upgrade:

https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md



I really appreciate your work in this patch series, especially the clear py 
script.

But it seems that part of our work is repeated, if you don't mind, can I merge 
your work into openssl3.0 Edk2Staging branch? You can find it here if you're 
interested:

https://github.com/tianocore/edk2-staging/pull/358

Thanks,
Yi



-Original Message-
From: devel@edk2.groups.io  On Behalf Of Gerd Hoffmann
Sent: Monday, March 13, 2023 4:30 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J ; Pawel Polawski ; 
Lu, Xiaoyu1 ; Ard Biesheuvel ; 
Jiang, Guomin ; Gerd Hoffmann ; Yao, 
Jiewen ; Oliver Steffen ; Justen, 
Jordan L 
Subject: [edk2-devel] [PATCH 01/22] CryptoPkg/openssl: update submodule to 
openssl-3.0.8



Signed-off-by: Gerd Hoffmann mailto:kra...@redhat.com>>

---

CryptoPkg/Library/OpensslLib/openssl | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/CryptoPkg/Library/OpensslLib/openssl 
b/CryptoPkg/Library/OpensslLib/openssl

index 830bf8e1e474..31157bc0b46e 16

--- a/CryptoPkg/Library/OpensslLib/openssl

+++ b/CryptoPkg/Library/OpensslLib/openssl

@@ -1 +1 @@

-Subproject commit 830bf8e1e4749ad65c51b6a1d0d769ae689404ba

+Subproject commit 31157bc0b46e04227b8468d3e6915e4d0332777c

--

2.39.2














-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101100): https://edk2.groups.io/g/devel/message/101100
Mute This Topic: https://groups.io/mt/97576405/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 19/22] CryptoPkg/openssl: update *.inf, add generated files

2023-03-13 Thread Li, Yi

>+  DEFINE OPENSSL_FLAGS_NOASM = -DSTATIC_LEGACY



Why we need this macro, EDK2 does not seem to use the algorithm in the legacy 
provider.





-Original Message-
From: devel@edk2.groups.io 
devel@edk2.groups.io On Behalf Of Gerd Hoffmann
Sent: Monday, March 13, 2023 4:30 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J jian.j.w...@intel.com; Pawel 
Polawski ppola...@redhat.com; Lu, Xiaoyu1 
xiaoyu1...@intel.com; Ard Biesheuvel 
ardb+tianoc...@kernel.org; Jiang, Guomin 
guomin.ji...@intel.com; Gerd Hoffmann 
kra...@redhat.com; Yao, Jiewen 
jiewen@intel.com; Oliver Steffen 
ostef...@redhat.com; Justen, Jordan L 
jordan.l.jus...@intel.com
Subject: [edk2-devel] [PATCH 19/22] CryptoPkg/openssl: update *.inf, add 
generated files



Commits the changes done by configure.py.



Allows building edk2 without perl ;)



Signed-off-by: Gerd Hoffmann mailto:kra...@redhat.com>>

---

CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  679 +-

.../Library/OpensslLib/OpensslLibAccel.inf| 2112 -

.../Library/OpensslLib/OpensslLibCrypto.inf   |  634 +-

.../Library/OpensslLib/OpensslLibFull.inf |  738 +-

.../OpensslLib/OpensslLibFullAccel.inf| 2299 -

.../Library/OpensslLib/OpensslLibHash.inf |   10 +-

.../openssl-gen/include/crypto/bn_conf.h  |   29 +

.../openssl-gen/include/crypto/dso_conf.h |   18 +

.../openssl-gen/include/openssl/asn1.h| 1128 +++

.../openssl-gen/include/openssl/asn1t.h   |  946 ++

.../openssl-gen/include/openssl/bio.h |  887 ++

.../openssl-gen/include/openssl/cmp.h |  596 ++

.../openssl-gen/include/openssl/cms.h |  493 +

.../openssl-gen/include/openssl/conf.h|  211 +

.../include/openssl/configuration-ec.h|  284 +

.../include/openssl/configuration-noec.h  |  296 +

.../include/openssl/configuration.h   |5 +

.../openssl-gen/include/openssl/crmf.h|  227 +

.../openssl-gen/include/openssl/crypto.h  |  558 ++

.../openssl-gen/include/openssl/ct.h  |  573 ++

.../openssl-gen/include/openssl/err.h |  504 +

.../openssl-gen/include/openssl/ess.h |  128 +

.../openssl-gen/include/openssl/fipskey.h |   36 +

.../openssl-gen/include/openssl/lhash.h   |  288 +

.../openssl-gen/include/openssl/ocsp.h|  483 +

.../openssl-gen/include/openssl/opensslv.h|  114 +

.../openssl-gen/include/openssl/pkcs12.h  |  350 +

.../openssl-gen/include/openssl/pkcs7.h   |  427 +

.../openssl-gen/include/openssl/safestack.h   |  297 +

.../openssl-gen/include/openssl/srp.h |  285 +

.../openssl-gen/include/openssl/ssl.h | 2599 ++

.../openssl-gen/include/openssl/ui.h  |  407 +

.../openssl-gen/include/openssl/x509.h| 1276 +++

.../openssl-gen/include/openssl/x509_vfy.h|  894 ++

.../openssl-gen/include/openssl/x509v3.h  | 1450 +++

.../common/include/prov/der_digests.h |  160 +

.../providers/common/include/prov/der_ec.h|  286 +

.../providers/common/include/prov/der_ecx.h   |   50 +

.../providers/common/include/prov/der_rsa.h   |  187 +

.../providers/common/include/prov/der_sm2.h   |   37 +

.../providers/common/include/prov/der_wrap.h  |   46 +

.../providers/common/der/der_digests_gen.c|  160 +

.../providers/common/der/der_ec_gen.c |  279 +

.../providers/common/der/der_ecx_gen.c|   44 +

.../providers/common/der/der_rsa_gen.c|  174 +

.../providers/common/der/der_sm2_gen.c|   30 +

.../providers/common/der/der_wrap_gen.c   |   46 +

.../AARCH64-GCC/crypto/aes/aesv8-armx.S   | 1087 +++

.../AARCH64-GCC/crypto/aes/vpaes-armv8.S  | 1196 +++

.../AARCH64-GCC/crypto/arm64cpuid.S   |  129 +

.../AARCH64-GCC/crypto/bn/armv8-mont.S| 2124 +

.../crypto/ec/ecp_nistz256-armv8.S| 4242 +

.../crypto/modes/aes-gcm-armv8_64.S   | 6026 

.../AARCH64-GCC/crypto/modes/ghashv8-armx.S   |  243 +

.../AARCH64-GCC/crypto/sha/keccak1600-armv8.S | 1009 ++

.../AARCH64-GCC/crypto/sha/sha1-armv8.S   | 1211 +++

.../AARCH64-GCC/crypto/sha/sha256-armv8.S | 2051 

.../AARCH64-GCC/crypto/sha/sha512-armv8.S | 1606 

.../openssl-gen/IA32-GCC/crypto/aes/aes-586.S | 3320 +++

.../IA32-GCC/crypto/aes/aesni-x86.S   | 3364 +++

.../IA32-GCC/crypto/aes/vpaes-x86.S   |  742 ++

.../openssl-gen/IA32-GCC/crypto/bn/bn-586.S   | 1572 

.../openssl-gen/IA32-GCC/crypto/bn/co-586.S   | 1290 +++

.../openssl-gen/IA32-GCC/crypto/bn/x86-gf2m.S |  374 +

.../openssl-gen/IA32-GCC/crypto/bn/x86-mont.S |  494 +

.../IA32-GCC/crypto/e

Re: [edk2-devel] [PATCH 16/22] [hash] CryptoPkg/openssl: add OpensslLibHash.inf

2023-03-13 Thread Li, Yi

A bit confused here, why we need this inf, just to make it clear?
As you mentioned, it doesn't help with binary file size.

Regards,
Yi 

-Original Message-
From: devel@edk2.groups.io  On Behalf Of Gerd Hoffmann
Sent: Monday, March 13, 2023 4:30 PM
To: devel@edk2.groups.io
Cc: Wang, Jian J ; Pawel Polawski ; 
Lu, Xiaoyu1 ; Ard Biesheuvel ; 
Jiang, Guomin ; Gerd Hoffmann ; Yao, 
Jiewen ; Oliver Steffen ; Justen, 
Jordan L 
Subject: [edk2-devel] [PATCH 16/22] [hash] CryptoPkg/openssl: add 
OpensslLibHash.inf

Add *.inf variant with hash functions only, to support SEC and PEI doing 
measurements.

I don't think we really need this, using OpensslLibCrypto.inf and depending on 
the linker dropping unused object files should work equally well.  For 
trouble-shooting it's handy though because you'll get linker errors instead of 
bloated binaries.

So not sure yet what to do with this ...

Signed-off-by: Gerd Hoffmann 
---
 .../Library/OpensslLib/OpensslLibHash.inf | 126 ++
 1 file changed, 126 insertions(+)
 create mode 100644 CryptoPkg/Library/OpensslLib/OpensslLibHash.inf

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibHash.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLibHash.inf
new file mode 100644
index ..2d5838e682e9
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibHash.inf
@@ -0,0 +1,126 @@
+## @file
+#  This module provides OpenSSL Library implementation with ECC and TLS 
+#  features removed and features have performance optimizations enabled.
+#
+#  Copyright (c) 2010 - 2020, Intel Corporation. All rights 
+reserved. #  (C) Copyright 2020 Hewlett Packard Enterprise 
+Development LP #  Copyright (c) 2022, Loongson Technology 
+Corporation Limited. All rights reserved. #  
+SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION= 0x00010005
+  BASE_NAME  = OpensslLibCrypto
+  MODULE_UNI_FILE= OpensslLibCrypto.uni
+  FILE_GUID  = E29FC209-8B64-4500-BD20-AF4EAE47EA0E
+  MODULE_TYPE= BASE
+  VERSION_STRING = 1.0
+  LIBRARY_CLASS  = OpensslLib
+
+  DEFINE OPENSSL_PATH= openssl
+  DEFINE OPENSSL_GEN_PATH= openssl-gen
+  DEFINE OPENSSL_FLAGS   = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT 
-D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DEDK2_OPENSSL_NOEC=1 
-DOPENSSL_NO_ASM
+  DEFINE OPENSSL_FLAGS_NOASM = 
+
+#
+#  VALID_ARCHITECTURES   = IA32 X64 ARM AARCH64
+#
+
+[Sources]
+# Autogenerated files list starts here
+# Autogenerated files list ends here
+
+[Packages]
+  MdePkg/MdePkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  DebugLib
+  RngLib
+
+[LibraryClasses.ARM]
+  ArmSoftFloatLib
+
+[BuildOptions]
+  #
+  # Disables the following Visual Studio compiler warnings brought by 
+openssl source,
+  # so we do not break the build with /WX option:
+  #   C4090: 'function' : different 'const' qualifiers
+  #   C4132: 'object' : const object should be initialized (tls13_enc.c)
+  #   C4210: nonstandard extension used: function given file scope
+  #   C4244: conversion from type1 to type2, possible loss of data
+  #   C4245: conversion from type1 to type2, signed/unsigned mismatch
+  #   C4267: conversion from size_t to type, possible loss of data
+  #   C4306: 'identifier' : conversion from 'type1' to 'type2' of greater size
+  #   C4310: cast truncates constant value
+  #   C4389: 'operator' : signed/unsigned mismatch ()
+  #   C4700: uninitialized local variable 'name' used. (conf_sap.c(71))
+  #   C4702: unreachable code
+  #   C4706: assignment within conditional expression
+  #   C4819: The file contains a character that cannot be represented in the 
current code page
+  #
+  MSFT:*_*_IA32_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) 
$(OPENSSL_FLAGS_NOASM) /wd4090 /wd4132 /wd4210 /wd4244 /wd4245 /wd4267 /wd4310 
/wd4389 /wd4700 /wd4702 /wd4706 /wd4819
+  MSFT:*_*_X64_CC_FLAGS= -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) 
$(OPENSSL_FLAGS_NOASM) /wd4090 /wd4132 /wd4210 /wd4244 /wd4245 /wd4267 /wd4306 
/wd4310 /wd4700 /wd4389 /wd4702 /wd4706 /wd4819
+
+  #
+  # Disable following Visual Studio 2015 compiler warnings brought by 
+ openssl source,  # so we do not break the build with /WX option:
+  #   C4718: recursive call has no side effects, deleting
+  #
+  MSFT:*_VS2015x86_IA32_CC_FLAGS = /wd4718  
+ MSFT:*_VS2015x86_X64_CC_FLAGS  = /wd4718
+
+  INTEL:*_*_IA32_CC_FLAGS  = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC 
$(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) /w
+  INTEL:*_*_X64_CC_FLAGS   = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC 
$(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) /w
+
+  #
+  # Suppress the following build warnings in openssl so we don't break the 
build with -Werror
+  #   -Werror=maybe-uninitialized: there exist some other paths for which the 
variable is not initialized.
+  #   -Werror=format: Check calls to printf and scanf, et

[edk2-devel] [edk2-staging/OpenSSL11_EOL 1/7] OpensslLib: remove bio prov

2023-03-16 Thread Li, Yi

Signed-off-by: Yi Li 
---
 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
 CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c | 8 ++--
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 032862ac1f..47a045ef66 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -116,7 +116,7 @@
   $(OPENSSL_PATH)/providers/common/provider_seeding.c
   $(OPENSSL_PATH)/providers/common/digest_to_nid.c
   $(OPENSSL_PATH)/providers/common/capabilities.c
-  $(OPENSSL_PATH)/providers/common/bio_prov.c
+  # $(OPENSSL_PATH)/providers/common/bio_prov.c
   $(OPENSSL_PATH)/providers/common/der/der_rsa_sig.c
   $(OPENSSL_PATH)/providers/prov_running.c
   $(OPENSSL_PATH)/providers/nullprov.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c 
b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
index 0b61e72933..c21c475331 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
+++ b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
@@ -266,10 +266,8 @@ int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle,
void **provctx)
 {
 OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL;
-BIO_METHOD *corebiometh;
 
-if (!ossl_prov_bio_from_dispatch(in)
-|| !ossl_prov_seeding_from_dispatch(in))
+if (!ossl_prov_seeding_from_dispatch(in))
 return 0;
 for (; in->function_id != 0; in++) {
 switch (in->function_id) {
@@ -299,8 +297,7 @@ int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle,
  * This only works for built-in providers.  Most providers should
  * create their own library context.
  */
-if ((*provctx = ossl_prov_ctx_new()) == NULL
-|| (corebiometh = ossl_bio_prov_init_bio_method()) == NULL) {
+if ((*provctx = ossl_prov_ctx_new()) == NULL) {
 ossl_prov_ctx_free(*provctx);
 *provctx = NULL;
 return 0;
@@ -308,7 +305,6 @@ int ossl_uefi_provider_init(const OSSL_CORE_HANDLE *handle,
 ossl_prov_ctx_set0_libctx(*provctx,
(OSSL_LIB_CTX *)c_get_libctx(handle));
 ossl_prov_ctx_set0_handle(*provctx, handle);
-ossl_prov_ctx_set0_core_bio_method(*provctx, corebiometh);
 
 *out = deflt_dispatch_table;
 ossl_prov_cache_exported_algorithms(deflt_ciphers, exported_ciphers);
-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101292): https://edk2.groups.io/g/devel/message/101292
Mute This Topic: https://groups.io/mt/97666987/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [edk2-staging/OpenSSL11_EOL 3/7] CryptoPkg/OpensslLib: enable no autoalginit

2023-03-16 Thread Li, Yi

Signed-off-by: Yi Li 
---
 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 47a045ef66..8641cd2521 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -19,7 +19,7 @@
   CONSTRUCTOR= OpensslLibConstructor
 
   DEFINE OPENSSL_PATH= openssl
-  DEFINE OPENSSL_FLAGS   = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT 
-D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_EC 
-DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_TLS1_3 -DOPENSSL_NO_ASM 
-DOPENSSL_NO_DH -DOPENSSL_NO_SM3 -DOPENSSL_NO_MD5
+  DEFINE OPENSSL_FLAGS   = -DOPENSSL_NO_AUTOALGINIT -DL_ENDIAN 
-DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE 
-D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH 
-DOPENSSL_NO_ECDSA -DOPENSSL_NO_TLS1_3 -DOPENSSL_NO_ASM -DOPENSSL_NO_DH 
-DOPENSSL_NO_SM3 -DOPENSSL_NO_MD5
   DEFINE OPENSSL_FLAGS_CONFIG=
 
 #
-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101293): https://edk2.groups.io/g/devel/message/101293
Mute This Topic: https://groups.io/mt/97666988/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

2023-03-16 Thread Li, Yi

Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/359

Latest size data:
Binaries:   
CryptoDxeFull   ->  1.7%17KB (New)
CryptoDxe   14% ->  10.10%  82KB
CryptoSmm   14% ->  8.20%   46KB
After LZMA: 
CryptoDxe   15% ->  12.20%  39KB
CryptoSmm   17% ->  12.80%  27KB
FV (Dxe+Smm)18% ->  15.40%  55KB

Cc: Jiewen Yao 
Cc: Wenxing Hou 
Cc: Gerd Hoffmann 
Signed-off-by: Yi Li 

Yi Li (7):
  OpensslLib: remove bio prov
  CryptoPkg/Test: Remove Pem and Pkcs7Sign func in test
  CryptoPkg/OpensslLib: enable no autoalginit
  Readme: 0315 update
  bugfix: The order of NIDs should remain the same as before
  CryptoPkg/OpensslLibFull: apply all work to full inf
  Readme: 0317 update

 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |4 +-
 .../Library/OpensslLib/OpensslLibFull.inf |  171 +-
 .../OpensslStub/crypto/objects/obj_dat.h  | 6474 -
 .../OpensslStub/crypto/objects/obj_xref.h |   72 +-
 .../OpensslLib/OpensslStub/openssl/obj_mac.h  | 1397 ++--
 .../Library/OpensslLib/OpensslStub/uefiprov.c |8 +-
 CryptoPkg/Readme-OpenSSL3.0.md|   22 +-
 .../Library/BaseCryptLib/RsaPkcs7Tests.c  |  145 +-
 8 files changed, 4197 insertions(+), 4096 deletions(-)

-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101291): https://edk2.groups.io/g/devel/message/101291
Mute This Topic: https://groups.io/mt/97666986/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

1 2 >

1 - 100 of 198 matches

Mail list logo