Commit 0df6c8c157 ("BaseTools/tools_def AARCH64: avoid SIMD registers
in XIP code") updated the compiler flags used by AARCH64 when building
modules (including BASE libraries) that may execute before the MMU is
enabled.
This broke the build for OpensslLib/OpensslLibCrypto because the SIMD
register file is shared with the FPU, and since OpenSSL contains some
references to float/double types (which are mostly unused for UEFI btw),
disabling floating point prevents the compiler from building OpenSSL
at all. So for OpensslLib[Crypto], we need to override the XIP CC flags,
to remove the -mgeneral-regs-only compiler flag again.
When introducing the support for XIP CC flags, we were aware that this
would affect BASE libraries as well, but were not expecting this to
have any performance impact. However, in the case of software crypto,
it makes sense not to needlessly inhibit the compiler's ability to
generate fast code, and even if OpenssLib is a BASE library, it is
guaranteed not to run with the MMU off. So omit -mstrict-align from the
local XIP CC flags override as well.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Long Qin <qin.long@intel.com>
(Need further follow-ups as described in
https://bugzilla.tianocore.org/show_bug.cgi?id=455)
This patch added some extra build options to suppress possible warnings
when building openssl source under GCC48 and VS2010. Including:
Adding "-Wno-error=maybe-uninitialized" to suppress the following GCC48
build warning:
OpensslLib/openssl/ssl/statem/statem_clnt.c:2543:9: error: "len" may
be used uninitialized in this function [-Werror=maybe-uninitialized]
len += pskhdrlen;
^
And adding "/wd4306" to suppress the following VS2010 build warning:
openssl\crypto\asn1\tasn_dec.c(795) : warning C4306: 'type cast' :
conversion from 'int' to 'ASN1_VALUE *' of greater size
Cc: Ting Ye <ting.ye@intel.com>
Cc: Hao Wu <hao.a.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Update OpensslLib INF files to support OpenSSL-1.1.0x source build.
The file list was generated from the latest OpenSSL-1.1.0e release.
Main changes to support OpensslLib build in this patch include:
1. Use "openssl" instead of "openssl-x.x.xx" as main source directory,
Also update include path in CryptoPkg.dec
2. Enable warnings in GCC builds;
3. Update Visual Studio build options to silence current possible build
warnings.
4. Move the default opensslconf.h to Include/openssl, and add one dummy
dso_conf.h for native UEFI build.
The OpensslLib module build was validated as
build -t VSXXXX -a XX -p CryptoPkg/CryptoPkg.dsc
-m CryptoPkg/Library/OpensslLib/OpensslLib.inf
(NOTE: The extra build options for ARM/RVCT/XCODE were kept, which expect
further optimizations from community)
Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Gary Lin <glin@suse.com>
v2:
Re-generate the patch after the new OpensslLibCrypto instance.
OpenSSL 1.0.2k was released with several severity fixes at
26-Jan-2017 (https://www.openssl.org/news/secadv/20170126.txt).
This patch is to upgrade the supported OpenSSL version in
CryptoPkg/OpensslLib to catch the latest release 1.0.2k.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Commit 32387e0081 ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
instance unconditionally.
If a platform doesn't include the TLS modules, such as
- CryptoPkg/Library/TlsLib/TlsLib.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
- NetworkPkg/TlsDxe/TlsDxe.inf
then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".
Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).
This patch introduces a parallel OpensslLib instance called
"OpensslLibCrypto" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.
"OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.
"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibCrypto.inf" at once.
"OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Ard Biesheuvel
Qin Long
Laszlo Ersek