From d7d9866ef49e2043f3c20b31a7b782abd6d847ab Mon Sep 17 00:00:00 2001
From: Michael D Kinney
Date: Thu, 29 Sep 2022 09:32:54 -0700
Subject: [PATCH] CryptoPkg: Document and disable deprecated crypto services

Also note services that are recommended to be disabled and update CryptoPkg.dsc PcdCryptoServiceFamilyEnable settings to disable all deprecated services.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Xiaoyu Lu
Cc: Guomin Jiang
Cc: Christopher Zurcher
Signed-off-by: Michael D Kinney
Reviewed-by: Jiewen Yao
---
 CryptoPkg/CryptoPkg.dsc | 10 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h | 122 ++++++++++--------
 2 files changed, 77 insertions(+), 55 deletions(-)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 8c6906acf0..032b9e6377 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -151,7 +151,6 @@
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -161,8 +160,10 @@
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -173,7 +174,7 @@
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.ParallelHash.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Bn.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family | 0
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
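Review bot: `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` survives as a context line of this hunk, so the PACKAGE ALL build still enables the whole Arc4 family even though the header comment added by this same patch lists Arc4 among the services that "must never be enabled" and the commit message says CryptoPkg.dsc now disables all deprecated services. That line should be dropped the same way the Tdes and Md5 lines were, or the header's wording should be softened to match what the .dsc actually does. Whether HmacMd5, HmacSha1 and Md4 are likewise still enabled cannot be checked from here, since the lines preceding HmacSha256 are outside the first hunk. The `!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"` block begins before this hunk and is closed in the following one.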
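Review bot: Flipping `Ec.Family | 0` to `Ec.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` turns on the entire EC family in the PACKAGE ALL build, which is a functional change in the opposite direction from everything the commit title and body describe (disabling deprecated services). If the previous `0` was simply an oversight in the "ALL" configuration, one sentence in the commit message saying so would make the intent auditable; if EC was deliberately left off (for example because it is still gated elsewhere), it would be cleaner as its own commit. This is presumably harmless for a package test build, but platform .dsc files that copy this block would inherit the change without any note explaining it.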
@@ -217,6 +218,7 @@
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index f1f5084e70..74eaf44cca 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -1,6 +1,26 @@
 /** @file
 Defines the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure associated with
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable that is used
+ to enable/disable crypto services at either the family scope or the
+ individual service scope. Platforms can minimize the number of enabled
+ services to reduce size.
+
+ The following services have been deprecated and must never be enabled.
+ The associated fields in this data structure are never removed or replaced
+ to preseve the binary layout of the data structure. New services are
+ always added to the end of the data structure.
+ * HmacMd5 family
+ * HmacSha1 family
+ * Md4 family
+ * Md5 family
+ * Tdes family
+ * Arc4 family
+ * Aes.Services.EcbEncrypt service
+ * Aes.Services.EcbDecrypt service
+
+ Is is recommended that the following services always be disabled and may
+ be deprecated in the future.
+ * Sha1 family
 
 Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
 SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -25,25 +45,25 @@
 typedef struct {
 union {
 struct {
- UINT8 New : 1;
- UINT8 Free : 1;
- UINT8 SetKey : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
+ UINT8 New : 1; // Deprecated
+ UINT8 Free : 1; // Deprecated
+ UINT8 SetKey : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } HmacMd5;
 union {
 struct {
- UINT8 New : 1;
- UINT8 Free : 1;
- UINT8 SetKey : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
+ UINT8 New : 1; // Deprecated
+ UINT8 Free : 1; // Deprecated
+ UINT8 SetKey : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } HmacSha1;
 union {
 struct {
@@ -71,26 +91,26 @@ typedef struct {
 } HmacSha384;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
+ UINT8 HashAll : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Md4;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
+ UINT8 HashAll : 1; // Deprecated
 } Services;
 UINT32 Family;
- } Md5;
+ } Md5; // Deprecated
 union {
 struct {
 UINT8 Pkcs1v2Encrypt : 1;
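Review bot: Two typos in the new file header: `to preseve the binary layout of the data structure` should read `to preserve the binary layout of the data structure`, and `Is is recommended that the following services always be disabled` should read `It is recommended that the following services always be disabled`. Beyond wording, "must never be enabled" is a documentation-only constraint as this hunk stands: the deprecated fields stay in the structure and remain settable, so nothing here prevents a platform .dsc from assigning `Md5.Family` or `Arc4.Family` to PCD_CRYPTO_SERVICE_ENABLE_FAMILY. A sentence making that explicit would help readers, e.g. `Enabling a deprecated service is not rejected at build time; platforms are expected to leave these fields at 0.` — or, if the consuming driver does refuse such settings, the header should say where that check lives (it is not visible in this patch).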
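Review bot: The deprecation marker for Md5 is placed differently from every other deprecated family in this hunk: Md4 (and HmacMd5/HmacSha1 in the previous hunk) annotate `UINT32 Family; // Deprecated`, while Md5 leaves `UINT32 Family;` bare and hangs the comment on the closing `} Md5; // Deprecated`. Since `Family` is the field a platform actually assigns, a reader scanning Family members would miss that Md5 is deprecated; use the same placement, `UINT32 Family; // Deprecated` followed by a plain `} Md5;`. The enclosing `typedef struct` begins before this hunk and continues after it.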
@@ -143,14 +163,14 @@ typedef struct {
 } Rsa;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Recommend disable
+ UINT8 Init : 1; // Recommend disable
+ UINT8 Duplicate : 1; // Recommend disable
+ UINT8 Update : 1; // Recommend disable
+ UINT8 Final : 1; // Recommend disable
+ UINT8 HashAll : 1; // Recommend disable
 } Services;
- UINT32 Family;
+ UINT32 Family; // Recommend disable
 } Sha1;
 union {
 struct {
@@ -216,21 +236,21 @@ typedef struct {
 } X509;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 EcbEncrypt : 1;
- UINT8 EcbDecrypt : 1;
- UINT8 CbcEncrypt : 1;
- UINT8 CbcDecrypt : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 EcbEncrypt : 1; // Deprecated
+ UINT8 EcbDecrypt : 1; // Deprecated
+ UINT8 CbcEncrypt : 1; // Deprecated
+ UINT8 CbcDecrypt : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Tdes;
 union {
 struct {
 UINT8 GetContextSize : 1;
 UINT8 Init : 1;
- UINT8 EcbEncrypt : 1;
- UINT8 EcbDecrypt : 1;
+ UINT8 EcbEncrypt : 1; // Deprecated
+ UINT8 EcbDecrypt : 1; // Deprecated
 UINT8 CbcEncrypt : 1;
 UINT8 CbcDecrypt : 1;
 } Services;
@@ -238,13 +258,13 @@ typedef struct {
 } Aes;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Encrypt : 1;
- UINT8 Decrypt : 1;
- UINT8 Reset : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Encrypt : 1; // Deprecated
+ UINT8 Decrypt : 1; // Deprecated
+ UINT8 Reset : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Arc4;
 union {
 struct {
-- 
2.39.2
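Review bot: Tagging `EcbEncrypt`/`EcbDecrypt` as deprecated inside `Aes.Services` does not stop them from being enabled: as with every other entry in this structure, `Services` shares a union with `UINT32 Family` (the Aes `Family` member sits just past the end of this hunk), so any platform that still writes `Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` switches the ECB bits on along with everything else — presumably the reason CryptoPkg.dsc moves to per-service `TRUE` settings in this same patch. That consequence is the thing a platform owner needs to know and it is not written anywhere in the header; put it on the field itself, e.g. `UINT32 Family; // Do not use: enables the deprecated ECB services; enable Aes services individually`. The enclosing `typedef struct` begins before this hunk and continues after it.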