CryptoPkg: Document and disable deprecated crypto services

Also note services that are recommended to be disabled and update CryptoPkg.dsc PcdCryptoServiceFamilyEnable settings to disable all deprecated services. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Cc: Christopher Zurcher <christopher.zurcher@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2025-04-08 17:05:09 +02:00 · 2022-09-29 09:32:54 -07:00 · 2022-09-29 09:32:54 -07:00 · d7d9866ef4
commit d7d9866ef4
parent 4d29da411f
2 changed files with 77 additions and 55 deletions
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@ -151,7 +151,6 @@
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@ -161,8 +160,10 @@
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize              | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init                        | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt                  | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt                  | TRUE
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@ -173,7 +174,7 @@
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.ParallelHash.Family                      | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Bn.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family                                | 0
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif

 !if $(CRYPTO_SERVICES) == MIN_PEI
@ -217,6 +218,7 @@
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize              | TRUE
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init                        | TRUE
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt                  | TRUE
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt                  | TRUE
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@ -1,6 +1,26 @@
 /** @file
  Defines the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure associated with
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable that is used
+  to enable/disable crypto services at either the family scope or the
+  individual service scope.  Platforms can minimize the number of enabled
+  services to reduce size.
+
+  The following services have been deprecated and must never be enabled.
+  The associated fields in this data structure are never removed or replaced
+  to preseve the binary layout of the data structure.  New services are
+  always added to the end of the data structure.
+  * HmacMd5 family
+  * HmacSha1 family
+  * Md4 family
+  * Md5 family
+  * Tdes family
+  * Arc4 family
+  * Aes.Services.EcbEncrypt service
+  * Aes.Services.EcbDecrypt service
+
+  Is is recommended that the following services always be disabled and may
+  be deprecated in the future.
+  * Sha1 family

  Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
  SPDX-License-Identifier: BSD-2-Clause-Patent
@ -25,25 +45,25 @@
 typedef struct {
  union {
    struct {
-      UINT8    New       : 1;
-      UINT8    Free      : 1;
-      UINT8    SetKey    : 1;
-      UINT8    Duplicate : 1;
-      UINT8    Update    : 1;
-      UINT8    Final     : 1;
+      UINT8    New       : 1;  // Deprecated
+      UINT8    Free      : 1;  // Deprecated
+      UINT8    SetKey    : 1;  // Deprecated
+      UINT8    Duplicate : 1;  // Deprecated
+      UINT8    Update    : 1;  // Deprecated
+      UINT8    Final     : 1;  // Deprecated
    } Services;
-    UINT32    Family;
+    UINT32    Family;          // Deprecated
  } HmacMd5;
  union {
    struct {
-      UINT8    New       : 1;
-      UINT8    Free      : 1;
-      UINT8    SetKey    : 1;
-      UINT8    Duplicate : 1;
-      UINT8    Update    : 1;
-      UINT8    Final     : 1;
+      UINT8    New       : 1;  // Deprecated
+      UINT8    Free      : 1;  // Deprecated
+      UINT8    SetKey    : 1;  // Deprecated
+      UINT8    Duplicate : 1;  // Deprecated
+      UINT8    Update    : 1;  // Deprecated
+      UINT8    Final     : 1;  // Deprecated
    } Services;
-    UINT32    Family;
+    UINT32    Family;          // Deprecated
  } HmacSha1;
  union {
    struct {
@ -71,26 +91,26 @@ typedef struct {
  } HmacSha384;
  union {
    struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Duplicate      : 1;  // Deprecated
+      UINT8    Update         : 1;  // Deprecated
+      UINT8    Final          : 1;  // Deprecated
+      UINT8    HashAll        : 1;  // Deprecated
    } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
  } Md4;
  union {
    struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Duplicate      : 1;  // Deprecated
+      UINT8    Update         : 1;  // Deprecated
+      UINT8    Final          : 1;  // Deprecated
+      UINT8    HashAll        : 1;  // Deprecated
    } Services;
    UINT32    Family;
-  } Md5;
+  } Md5;                            // Deprecated
  union {
    struct {
      UINT8    Pkcs1v2Encrypt             : 1;
@ -143,14 +163,14 @@ typedef struct {
  } Rsa;
  union {
    struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Recommend disable
+      UINT8    Init           : 1;  // Recommend disable
+      UINT8    Duplicate      : 1;  // Recommend disable
+      UINT8    Update         : 1;  // Recommend disable
+      UINT8    Final          : 1;  // Recommend disable
+      UINT8    HashAll        : 1;  // Recommend disable
    } Services;
-    UINT32    Family;
+    UINT32    Family;               // Recommend disable
  } Sha1;
  union {
    struct {
@ -216,21 +236,21 @@ typedef struct {
  } X509;
  union {
    struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    EcbEncrypt     : 1;
-      UINT8    EcbDecrypt     : 1;
-      UINT8    CbcEncrypt     : 1;
-      UINT8    CbcDecrypt     : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    EcbEncrypt     : 1;  // Deprecated
+      UINT8    EcbDecrypt     : 1;  // Deprecated
+      UINT8    CbcEncrypt     : 1;  // Deprecated
+      UINT8    CbcDecrypt     : 1;  // Deprecated
    } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
  } Tdes;
  union {
    struct {
      UINT8    GetContextSize : 1;
      UINT8    Init           : 1;
-      UINT8    EcbEncrypt     : 1;
-      UINT8    EcbDecrypt     : 1;
+      UINT8    EcbEncrypt     : 1;  // Deprecated
+      UINT8    EcbDecrypt     : 1;  // Deprecated
      UINT8    CbcEncrypt     : 1;
      UINT8    CbcDecrypt     : 1;
    } Services;
@ -238,13 +258,13 @@ typedef struct {
  } Aes;
  union {
    struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Encrypt        : 1;
-      UINT8    Decrypt        : 1;
-      UINT8    Reset          : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Encrypt        : 1;  // Deprecated
+      UINT8    Decrypt        : 1;  // Deprecated
+      UINT8    Reset          : 1;  // Deprecated
    } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
  } Arc4;
  union {
    struct {