Laszlo,

Thanks for the test.

Regards,
Jian

> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Laszlo Ersek
> Sent: Friday, May 17, 2019 2:53 AM
> To: Lu, XiaoyuX <xiaoyux...@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.w...@intel.com>; Ye, Ting <ting...@intel.com>
> Subject: Re: [edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b
>
> On 05/16/19 09:54, Xiaoyu Lu wrote:
> > This series is also available at:
> > https://github.com/xiaoyuxlu/edk2/tree/bz_1089_upgrade_to_openssl_1_1_1b_v4
> >
> > Changes:
> >
> > (1) CryptoPkgOpensslLib: Modify process_files.pl for upgrading OpenSSL
> >
> > (2) CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl
> >     crypto/store/* are excluded.
> >     crypto/rand/randfile.c is excluded.
> >
> > (3) CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue
> >
> > (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL
> >     Disable warnings for building OpenSSL_1_1_1b
> >
> > (5) CryptoPkg/OpensslLib: Fix cross-build problem for AARCH64
> >
> > (6) CryptoPkg: Upgrade OpenSSL to 1.1.1b
> >     The biggest change is the use of TSC as entropy source.
> >     If TSC isn't available, fall back to TimerLib(PerformanceCounter).
> >
> > (7) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible
> >
> >
> > Verification done for this series:
> > * Https boot in OvmfPkg.
> > * BaseCrypt Library test. (Ovmf, EmulatorPkg)
> >
> > Important notice:
> > Nt32Pkg doesn't support TimerLib
> >   TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
> > So it will fail in Nt32Pkg.
>
> I did some minimal functional testing, as follows:
>
> - built OvmfPkgIa32X64.dsc with -D SMM_REQUIRE -D SECURE_BOOT_ENABLE
>
> - with SB pre-enabled in an existing VM, the firmware continued to
>   reject an unsigned UEFI app
> - in the same config, the firmware continued to accept a correctly
>   signed UEFI boot loader (the Fedora OS was booted OK)
>
> - with SB disabled afresh (deleting PK through SecureBootConfigDxe),
>   both of the above binaries were accepted
> - in the same SB-disabled state, OvmfPkg/EnrollDefaultKeys was possible
>   to invoke from the UEFI shell, and it successfully re-enabled SB (with
>   the effects described in the prior section).
>
> So this part looks good.
>
> Thanks
> Laszlo