--- /dev/null
+# Crypto Package\r
+\r
+This package provides cryptographic services that are used to implement firmware\r
+features such as UEFI Secure Boot, Measured Boot, firmware image authentication,\r
+and network boot. The cryptographic service implementation in this package uses\r
+services from the [OpenSSL](https://www.openssl.org/) project.\r
+\r
+EDK II firmware modules/libraries that requires the use of cryptographic\r
+services can either statically link all the required services, or the EDK II\r
+firmware module/library can use a dynamic Protocol/PPI service to call\r
+cryptographic services. The dynamic Protocol/PPI services are only available to\r
+PEIMs, DXE Drivers, UEFI Drivers, and SMM Drivers, and only if the cryptographic\r
+modules are included in the platform firmware image.\r
+\r
+There may be firmware image size differences between the static and dynamic\r
+options. Some experimentation may be required to find the solution that\r
+provides the smallest overall firmware overhead.\r
+\r
+# Public Library Classes\r
+\r
+* **BaseCryptLib** - Provides library functions for cryptographic primitives.\r
+* **TlsLib** - Provides TLS library functions for EFI TLS protocol.\r
+* **HashApiLib** - Provides Unified API for different hash implementations.\r
+\r
+# Private Library Classes\r
+\r
+* **OpensslLib** - Provides library functions from the openssl project.\r
+* **IntrinsicLib** - Provides C runtime library (CRT) required by openssl.\r
+\r
+# Private Protocols and PPIs\r
+\r
+* **EDK II Crypto PPI** - PPI that provides all the services from\r
+ the BaseCryptLib and TlsLib library classes.\r
+* **EDK II Crypto Protocol** - Protocol that provides all the services from\r
+ the BaseCryptLib and TlsLib library classes.\r
+* **EDK II SMM Crypto Protocol** - SMM Protocol that provides all the services\r
+ from the BaseCryptLib and TlsLib library\r
+ classes.\r
+\r
+## Statically Linking Cryptographic Services\r
+\r
+The figure below shows an example of a firmware modules that requires the use of\r
+cryptographic services. The cryptographic services are provided by three library\r
+classes called BaseCryptLib, TlsLib, and HashApiLib. These library classes are\r
+implemented using APIs from the OpenSSL project that are abstracted by the\r
+private library class called OpensslLib. The OpenSSL project implementation\r
+depends on C runtime library services. The EDK II project does not provide a\r
+full C runtime library for firmware components. Instead, the CryptoPkg includes\r
+the smallest subset of services required to build the OpenSSL project in the\r
+private library class called IntrinsicLib.\r
+\r
+The CryptoPkg provides several instances if the BaseCryptLib and OpensslLib with\r
+different cryptographic service features and performance optimizations. The\r
+platform developer must select the correct instances based on cryptographic\r
+service requirements in each UEFI/PI firmware phase (SEC, PEI, DXE, UEFI,\r
+UEFI RT, and SMM), firmware image size requirements, and firmware boot\r
+performance requirements.\r
+\r
+```\r
++================================+\r
+| EDK II Firmware Module/Library |\r
++================================+\r
+ ^ ^ ^\r
+ | | |\r
+ | | v\r
+ | | +============+\r
+ | | | HashApiLib |\r
+ | | +============+\r
+ | | ^\r
+ | | |\r
+ v v v\r
++========+ +====================+\r
+| TlsLib | | BaseCryptLib |\r
++========+ +====================+\r
+ ^ ^\r
+ | |\r
+ v v\r
++================================+\r
+| OpensslLib (Private) |\r
++================================+\r
+ ^\r
+ |\r
+ v\r
++================================+\r
+| IntrinsicLib (Private) |\r
++================================+\r
+```\r
+\r
+## Dynamically Linking Cryptographic Services\r
+\r
+The figure below shows the entire stack when dynamic linking is used with\r
+cryptographic services produced by the CryptoPei, CryptoDxe, or CryptoSmm module\r
+through a PPI/Protocol. This solution requires the CryptoPei, CryptoDxe, and\r
+CryptoSmm modules to be configured with the set of cryptographic services\r
+required by all the PEIMs, DXE Drivers, UEFI Drivers, and SMM Drivers. Dynamic\r
+linking is not available for SEC or UEFI RT modules.\r
+\r
+The EDK II modules/libraries that require cryptographic services use the same\r
+BaseCryptLib/TlsLib/HashApiLib APIs. This means no source changes are required\r
+to use static linking or dynamic linking. It is a platform configuration options\r
+to select static linking or dynamic linking. This choice can be make globally,\r
+per firmware module type, or individual modules.\r
+\r
+```\r
++===================+ +===================+ +===================+\r
+| EDK II PEI | | EDK II DXE/UEFI | | EDK II SMM |\r
+| Module/Library | | Module/Library | | Module/Library |\r
++===================+ +===================+ +===================+\r
+ ^ ^ ^ ^ ^ ^ ^ ^ ^\r
+ | | | | | | | | |\r
+ | | v | | v | | v\r
+ | | +==========+ | | +==========+ | | +==========+\r
+ | | |HashApiLib| | | |HashApiLib| | | |HashApiLib|\r
+ | | +==========+ | | +==========+ | | +==========+\r
+ | | ^ | | ^ | | ^\r
+ | | | | | | | | |\r
+ v v v v v v v v v\r
++===================+ +===================+ +===================+\r
+|TlsLib|BaseCryptLib| |TlsLib|BaseCryptLib| |TlsLib|BaseCryptLib|\r
++-------------------+ +-------------------+ +-------------------+\r
+| BaseCryptLib | | BaseCryptLib | | BaseCryptLib |\r
+| OnPpiProtocol/ | | OnPpiProtocol/ | | OnPpiProtocol/ |\r
+| PeiCryptLib.inf | | DxeCryptLib.inf | | SmmCryptLib.inf |\r
++===================+ +===================+ +===================+\r
+ ^ ^ ^\r
+ ||| (Dynamic) ||| (Dynamic) ||| (Dynamic)\r
+ v v v\r
++===================+ +===================+ +=====================+\r
+| Crypto PPI | | Crypto Protocol | | Crypto SMM Protocol |\r
++-------------------| |-------------------| |---------------------|\r
+| CryptoPei | | CryptoDxe | | CryptoSmm |\r
++===================+ +===================+ +=====================+\r
+ ^ ^ ^ ^ ^ ^\r
+ | | | | | |\r
+ v | v | v |\r
++========+ | +========+ | +========+ |\r
+| TlsLib | | | TlsLib | | | TlsLib | |\r
++========+ v +========+ v +========+ v\r
+ ^ +==============+ ^ +==============+ ^ +==============+\r
+ | | BaseCryptLib | | | BaseCryptLib | | | BaseCryptLib |\r
+ | +==============+ | +==============+ | +==============+\r
+ | ^ | ^ | ^\r
+ | | | | | |\r
+ v v v v v v\r
++===================+ +===================+ +===================+\r
+| OpensslLib | | OpensslLib | | OpensslLib |\r
++===================+ +===================+ +===================+\r
+ ^ ^ ^\r
+ | | |\r
+ v v v\r
++===================+ +===================+ +===================+\r
+| IntrinsicLib | | IntrinsicLib | | IntrinsicLib |\r
++===================+ +===================+ +===================+\r
+```\r
+\r
+## Supported Cryptographic Families and Services\r
+\r
+The table below provides a summary of the supported cryptographic services. It\r
+indicates if the family or service is deprecated or recommended to not be used.\r
+It also shows which *CryptLib library instances support the family or service.\r
+If a cell is blank then the service or family is always disabled and the\r
+`PcdCryptoServiceFamilyEnable` settings for that family or service is ignored.\r
+If the cell is not blank, then the service or family is configurable using\r
+`PcdCryptoServiceFamilyEnable` as long as the correct OpensslLib or TlsLib is\r
+also configured.\r
+\r
+|Key | Description |\r
+|---------|--------------------------------------------------------------------------------|\r
+| <blank> | Family or service is always disabled. |\r
+| C | Configurable using PcdCryptoServiceFamilyEnable. |\r
+| C-Tls | Configurable using PcdCryptoServiceFamilyEnable. Requires TlsLib.inf. |\r
+| C-Full | Configurable using PcdCryptoServiceFamilyEnable. Requires OpensslLibFull*.inf. |\r
+\r
+|Family/Service | Deprecated | Don't Use | SecCryptLib | PeiCryptLib | BaseCryptLib | SmmCryptLib | RuntimeCryptLib |\r
+|:--------------------------------|:----------:|:---------:|:-----------:|:-----------:|:------------:|:-----------:|:---------------:|\r
+| HmacMd5 | Y | Y | | | | | |\r
+| HmacSha1 | Y | Y | | | | | |\r
+| HmacSha256 | N | N | | C | C | C | C |\r
+| HmacSha384 | N | N | | C | C | C | C |\r
+| Md4 | Y | Y | | | | | |\r
+| Md5 | Y | Y | | C | C | C | C |\r
+| Pkcs.Pkcs1v2Encrypt | N | N | | | C | C | |\r
+| Pkcs.Pkcs5HashPassword | N | N | | | C | C | |\r
+| Pkcs.Pkcs7Verify | N | N | | C | C | C | C |\r
+| Pkcs.VerifyEKUsInPkcs7Signature | N | N | | C | C | C | |\r
+| Pkcs.Pkcs7GetSigners | N | N | | C | C | C | C |\r
+| Pkcs.Pkcs7FreeSigners | N | N | | C | C | C | C |\r
+| Pkcs.Pkcs7Sign | N | N | | | C | | |\r
+| Pkcs.Pkcs7GetAttachedContent | N | N | | C | C | C | |\r
+| Pkcs.Pkcs7GetCertificatesList | N | N | | C | C | C | C |\r
+| Pkcs.AuthenticodeVerify | N | N | | | C | | |\r
+| Pkcs.ImageTimestampVerify | N | N | | | C | | |\r
+| Dh | N | N | | | C | | |\r
+| Random | N | N | | | C | C | C |\r
+| Rsa.VerifyPkcs1 | Y | Y | | | | | |\r
+| Rsa.New | N | N | | C | C | C | C |\r
+| Rsa.Free | N | N | | C | C | C | C |\r
+| Rsa.SetKey | N | N | | C | C | C | C |\r
+| Rsa.GetKey | N | N | | | C | | |\r
+| Rsa.GenerateKey | N | N | | | C | | |\r
+| Rsa.CheckKey | N | N | | | C | | |\r
+| Rsa.Pkcs1Sign | N | N | | | C | | |\r
+| Rsa.Pkcs1Verify | N | N | | C | C | C | C |\r
+| Sha1 | N | Y | | C | C | C | C |\r
+| Sha256 | N | N | | C | C | C | C |\r
+| Sha384 | N | N | C | C | C | C | C |\r
+| Sha512 | N | N | C | C | C | C | C |\r
+| X509 | N | N | | | C | C | C |\r
+| Tdes | Y | Y | | | | | |\r
+| Aes.GetContextSize | N | N | | | C | C | C |\r
+| Aes.Init | N | N | | | C | C | C |\r
+| Aes.EcbEncrypt | Y | Y | | | | | |\r
+| Aes.EcbDecrypt | Y | Y | | | | | |\r
+| Aes.CbcEncrypt | N | N | | | C | C | C |\r
+| Aes.CbcDecrypt | N | N | | | C | C | C |\r
+| Arc4 | Y | Y | | | | | |\r
+| Sm3 | N | N | | C | C | C | C |\r
+| Hkdf | N | N | | C | C | | C |\r
+| Tls | N | N | | | C-Tls | | |\r
+| TlsSet | N | N | | | C-Tls | | |\r
+| TlsGet | N | N | | | C-Tls | | |\r
+| RsaPss.Sign | N | N | | | C | | |\r
+| RsaPss.Verify | N | N | | C | C | C | |\r
+| ParallelHash | N | N | | | | C | |\r
+| AeadAesGcm | N | N | | | C | | |\r
+| Bn | N | N | | | C | | |\r
+| Ec | N | N | | | C-Full | | |\r
+\r
+## Platform Configuration of Cryptographic Services\r
+\r
+Configuring the cryptographic services requires library mappings and PCD\r
+settings in a platform DSC file. This must be done for each of the firmware\r
+phases (SEC, PEI, DXE, UEFI, SMM, UEFI RT).\r
+\r
+The following table can be used to help select the best OpensslLib instance for\r
+each phase. The Size column only shows the estimated size increase for a\r
+compressed IA32/X64 modules that uses the cryptographic services with\r
+`OpensslLib.inf` as the baseline size. The actual size increase depends on the\r
+specific set of enabled cryptographic services. If ECC services are not\r
+required, then size can be reduced by using OpensslLib.inf instead of\r
+`OpensslLibFull.inf`. Performance optimization requires a size increase.\r
+\r
+| OpensslLib Instance | SSL | ECC | Perf Opt | CPU Arch | Size |\r
+|:------------------------|:---:|:---:|:--------:|:--------:|:-----:|\r
+| OpensslLibCrypto.inf | N | N | N | All | +0K |\r
+| OpensslLib.inf | Y | N | N | All | +0K |\r
+| OpensslLibAccel.inf | Y | N | Y | IA32/X64 | +20K |\r
+| OpensslLibFull.inf | Y | Y | N | All | +115K |\r
+| OpensslLibFullAccel.inf | Y | Y | Y | IA32/X64 | +135K |\r
+\r
+### SEC Phase Library Mappings\r
+\r
+The SEC Phase only supports static linking of cryptographic services. The\r
+following library mappings are recommended for the SEC Phase. It uses the SEC\r
+specific version of the BaseCryptLib and the null version of the TlsLib because\r
+TLS services are not typically used in SEC.\r
+\r
+```\r
+[LibraryClasses.common.SEC]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+```\r
+\r
+### PEI Phase Library Mappings\r
+\r
+The PEI Phase supports either static or dynamic linking of cryptographic\r
+services. The following library mappings are recommended for the PEI Phase. It\r
+uses the PEI specific version of the BaseCryptLib and the null version of the\r
+TlsLib because TLS services are not typically used in PEI.\r
+\r
+```\r
+[LibraryClasses.common.PEIM]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+```\r
+\r
+If dynamic linking is used, then all PEIMs except CryptoPei use the following\r
+library mappings. The CryptoPei module uses the static linking settings.\r
+\r
+```\r
+[LibraryClasses.common.PEIM]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf\r
+\r
+[Components]\r
+ CryptoPkg/Driver/CryptoPei.inf {\r
+ <LibraryClasses>\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+ }\r
+```\r
+\r
+### DXE Phase, UEFI Driver, UEFI Application Library Mappings\r
+\r
+The DXE/UEFI Phase supports either static or dynamic linking of cryptographic\r
+services. The following library mappings are recommended for the DXE/UEFI Phase.\r
+It uses the DXE specific version of the BaseCryptLib and the full version of the\r
+OpensslLib and TlsLib. If ECC services are not required then a smaller\r
+OpensslLib instance can be used.\r
+\r
+```\r
+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibFull.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+```\r
+\r
+If dynamic linking is used, then all DXE Drivers except CryptoDxe use the\r
+following library mappings. The CryptoDxe module uses the static linking\r
+settings.\r
+\r
+```\r
+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.inf\r
+\r
+[Components]\r
+ CryptoPkg/Driver/CryptoDxe.inf {\r
+ <LibraryClasses>\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibFull.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+ }\r
+```\r
+\r
+### SMM Phase Library Mappings\r
+\r
+The SMM Phase supports either static or dynamic linking of cryptographic\r
+services. The following library mappings are recommended for the SMM Phase. It\r
+uses the SMM specific version of the BaseCryptLib and the null version of the\r
+TlsLib.\r
+\r
+```\r
+[LibraryClasses.common.DXE_SMM_DRIVER]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+```\r
+\r
+If dynamic linking is used, then all SMM Drivers except CryptoSmm use the\r
+following library mappings. The CryptoDxe module uses the static linking\r
+settings.\r
+\r
+```\r
+[LibraryClasses.common.DXE_SMM_DRIVER]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf\r
+\r
+[Components]\r
+ CryptoPkg/Driver/CryptoSmm.inf {\r
+ <LibraryClasses>\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+ }\r
+```\r
+\r
+### UEFI Runtime Driver Library Mappings\r
+\r
+UEFI Runtime Drivers only supports static linking of cryptographic services.\r
+The following library mappings are recommended for UEFI Runtime Drivers. It uses\r
+the runtime specific version of the BaseCryptLib and the null version of the\r
+TlsLib because TLS services are not typically used in runtime.\r
+\r
+```\r
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]\r
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf\r
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf\r
+ TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf\r
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf\r
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf\r
+```\r
+\r
+### PCD Configuration Settings\r
+\r
+There are 2 PCD settings that are used to configure cryptographic services.\r
+`PcdHashApiLibPolicy` is used to configure the hash algorithm provided by the\r
+BaseHashApiLib library instance. `PcdCryptoServiceFamilyEnable` is used to\r
+configure the cryptographic services supported by the CryptoPei, CryptoDxe,\r
+and CryptoSmm modules.\r
+\r
+* `gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy` - This PCD indicates the\r
+ HASH algorithm to to use in the BaseHashApiLib to calculate hash of data. The\r
+ default hashing algorithm for BaseHashApiLib is set to HASH_ALG_SHA256.\r
+ | Setting | Algorithm |\r
+ |------------|------------------|\r
+ | 0x00000001 | HASH_ALG_SHA1 |\r
+ | 0x00000002 | HASH_ALG_SHA256 |\r
+ | 0x00000004 | HASH_ALG_SHA384 |\r
+ | 0x00000008 | HASH_ALG_SHA512 |\r
+ | 0x00000010 | HASH_ALG_SM3_256 |\r
+\r
+* `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable` - Enable/Disable\r
+ the families and individual services produced by the EDK II Crypto\r
+ Protocols/PPIs. The default is all services disabled. This Structured PCD is\r
+ associated with `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that defined in\r
+ `Include/Pcd/PcdCryptoServiceFamilyEnable.h`.\r
+\r
+ There are three layers of priority that determine if a specific family or\r
+ individual cryptographic service is actually enabled in the CryptoPei,\r
+ CryptoDxe, and CryptoSmm modules.\r
+\r
+ 1) OpensslLib instance selection. When the CryptoPei, CryptoDxe, or CryptoSmm\r
+ drivers are built, they are statically linked to an OpensslLib library\r
+ instance. If the required cryptographic service is not enabled in the\r
+ OpensslLib instance linked, then the service is always disabled.\r
+ 2) BaseCryptLib instance selection.\r
+ * CryptoPei is always linked with the PeiCryptLib instance of the\r
+ BaseCryptLib library class. The table above have a column for the\r
+ PeiCryptLib. If the family or service is blank, then that family or\r
+ service is always disabled.\r
+ * CryptoDxe is always linked with the BaseCryptLib instance of the\r
+ BaseCryptLib library class. The table above have a column for the\r
+ BaseCryptLib. If the family or service is blank, then that family or\r
+ service is always disabled.\r
+ * CryptoSmm is always linked with the SmmCryptLib instance of the\r
+ BaseCryptLib library class. The table above have a column for the\r
+ SmmCryptLib. If the family or service is blank, then that family or\r
+ service is always disabled.\r
+ 3) If a family or service is enabled in the OpensslLib instance and it is\r
+ enabled in the BaseCryptLib instance, then it can be enabled/disabled\r
+ using `PcdCryptoServiceFamilyEnable`. This structured PCD is associated\r
+ with the `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` data structure that contains\r
+ bit fields for each family of services. All of the families are disabled\r
+ by default. An entire family of services can be enabled by setting the\r
+ family field to the value `PCD_CRYPTO_SERVICE_ENABLE_FAMILY`. Individual\r
+ services can be enabled by setting a single service name to `TRUE`.\r
+ Settings listed later in the DSC file have priority over settings earlier\r
+ in the DSC file, so it is legal for an entire family to be enabled first\r
+ and then a few individual services disabled by setting the service name to\r
+ `FALSE`.\r
+\r
+#### Common PEI PcdCryptoServiceFamilyEnable Settings\r
+\r
+```\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE\r
+```\r
+\r
+#### Common DXE and SMM PcdCryptoServiceFamilyEnable Settings\r
+\r
+```\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs1v2Encrypt | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7Verify | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.VerifyEKUsInPkcs7Signature | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7GetSigners | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7FreeSigners | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.AuthenticodeVerify | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.GetPublicKeyFromX509 | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Services.HashAll | FALSE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetSubjectName | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetCommonName | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetOrganizationName | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetTBSCert | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Encrypt | TRUE\r
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Decrypt | TRUE\r
+```\r