Re: [PATCH] EmulatorPkg: Add RngLib to satisfy dependency of OpensslLib


Matthew Carlson
 

Hi Samer,

 

(I added you, zhiguang, because you had a similar question)

 

There are some instructions in the patch series about how to enable RngLib to be used by OpenSSL (in the cover letter).

 

Since this changes the dependencies of OpenSSL, it has the potential to be a breaking change for platforms in edk2-platforms. The easiest solution is just to use the RngLib that uses the TimerLib, as this closely mimics the behavior of OpenSSL prior to this patch series. There is also a null version of RngLib for CI environments that need this change (https://edk2.groups.io/g/devel/message/50432), though it should be pointed out that in CI environments the null version of BaseCryptLib or OpenSSL should be used.

 

If you simply want the behavior that existed prior to this commit, you can just add the TimerLib-based RngLib. It is not a good source of randomness, but it is arguably slightly better than what OpenSSL was using before.

You can see that’s what was done for OvmfPkg and ArmVirtPkg (https://github.com/tianocore/edk2/commit/a09df5d2e1a7126e45198200628e388564f74668#diff-76767f2fe9e8f4acca7cbeb049bc8152).

I’d recommend adding a platform-specific RngLib that leverages platform capabilities. If your platform has a driver that publishes the RngProtocol, you can leverage the new library at MdePkg/Library/DxeRngLib/DxeRngLib.inf (https://github.com/tianocore/edk2/commit/ed0dce7d5466b6b22ff9e0923f3a3e885540bbfc).

It will add whatever driver produces the RngProtocol as a depex on any module that consumes crypto, so you need to be careful not to introduce a circular depex chain; this might not be an option for some platforms.

 

On the note of adding Azure Platform CI, OvmfPkg recently added PlatformCI and it could be a good jumping-off point: https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI

In a nutshell, you’ll create a new Python build file that stuart/pytools can leverage (https://github.com/tianocore/edk2-pytool-extensions) (https://github.com/tianocore/edk2-pytool-extensions/blob/master/docs/using.md)

Here’s actually an example I wrote where I ported RPi to use Pytools (https://github.com/tianocore/edk2-pytool-extensions/blob/master/docs/usability/porting_a_platform.md)

 

Once you have a platform that’s building, you can use the platform build pipeline (https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI/.azurepipelines)

 

Of course, it is totally possible to use a different tool like edkrepo or uefi-tools so you don’t have to create a build file. You’d just call that from the build pipeline. I personally haven’t used them, but I’m sure there are some folks on the mailing list who could point you in the right direction.

You’re also welcome to use something other than Azure Pipelines; there are plenty of options out there. Azure Pipelines is nice since it provides a good number of build agents for free to open source projects. But I’ve used TravisCI and Circle before (though not in EDK2) and liked the experience.

 

You’d likely need to set up a new project in the DevOps for tianocore (https://dev.azure.com/tianocore/), since the pipelines for edk2-ci should remain in one project. Perhaps edk2-platforms-ci?

 

- Matthew Carlson

 

From: Samer El-Haj-Mahmoud
Sent: Wednesday, September 23, 2020 6:43 AM
To: devel@edk2.groups.io; divneil.r.wadhawan@...; matthewfcarlson@...
Cc: Ni, Ray; gaoliming; Andrew Fish; Justen, Jordan L; Kinney, Michael D; Laszlo Ersek; Yao, Jiewen; Ard Biesheuvel
Subject: RE: [PATCH] EmulatorPkg: Add RngLib to satisfy dependency of OpensslLib

 

Divneil,

 

Thanks for this patch.

 

However, it looks like multiple edk2-platforms are broken because of the OpensslLib change. I verified at least the following are broken:

- RaspberryPi/RPi3
- RaspberryPi/RPi4
- Qemu/SbsaQemu
- Socionext/DeveloperBox
- SolidRun/Armada80x0McBin
- Hisilicon/D0*

Etc. Others are probably impacted. A quick search across edk2 and edk2-platforms shows OpensslLib used in 26 DSC files, but RngLib is implicitly used in only 13 of them.

 

Matthew,

 

I think the offending commit (b5701a4c7a0fb185e0c5b9db9525939c78664bfd) needs to be reverted, and re-submitted with a series that fixes the build for all impacted platforms.

 

Also, what would it take to add the Azure Pipelines CI that is currently used in edk2 to edk2-platforms? I imagine some platform maintainers would appreciate that capability. Or should every platform look for its own CI/CD (possibly outside TianoCore)?

 

Thanks,

--Samer
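Both messages above turn on the same question: which DSC files map OpensslLib, and which of those also map an RngLib now that OpensslLib depends on it (Samer's count of 26 versus 13, and Matthew's advice to prefer a platform RngLib over the timer-based one). The following scanner is an added example written for this thread; it is not code from edk2, edk2-platforms or any of the participants. It assumes only the DSC `Class|Path/To/Lib.inf` mapping syntax inside `[LibraryClasses*]` sections and tracks `!if`/`!else`/`!endif` nesting so it can report the condition a mapping sits under. The three DSC snippets at the bottom are constructed for the demonstration (the first mirrors the EmulatorPkg hunk in this thread); the status names `broken`, `timer-rng`, `ok` and `no-openssl` are this example's own.

```python
"""Report EDK II .dsc files that map OpensslLib without a usable RngLib.

Added example for this mailing-list thread, not edk2 project code. Assumes the
DSC 'LibraryClass|Path.inf' syntax inside [LibraryClasses*] sections; nested
!if/!else/!endif is tracked only to label the condition of each mapping.
"""
import re
from pathlib import Path
from typing import Iterator, List, Tuple

# The compatibility choice discussed in the thread: builds, but weak entropy.
TIMER_RNGLIB = "BaseRngLibTimerLib"

LIBCLASS_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*\|\s*(\S+\.inf)\s*$")
SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_library_classes(text: str) -> List[Tuple[str, str, str]]:
    """Return (class, inf_path, condition) for each [LibraryClasses*] mapping.

    condition is the enclosing !if expressions joined with ' && ' ('' at top).
    """
    in_libclasses = False
    cond_stack: List[str] = []
    rows: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop DSC comments
        if not line.strip():
            continue
        sec = SECTION_RE.match(line)
        if sec:
            in_libclasses = sec.group(1).lower().startswith("libraryclasses")
            continue
        s = line.strip()
        if s.startswith("!if"):                   # !if, !ifdef, !ifndef
            cond_stack.append(s)
            continue
        if s.startswith("!else"):
            if cond_stack:
                cond_stack[-1] = "!else of " + cond_stack[-1]
            continue
        if s.startswith("!endif"):
            if cond_stack:
                cond_stack.pop()
            continue
        if not in_libclasses:
            continue
        m = LIBCLASS_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), " && ".join(cond_stack)))
    return rows


def check_dsc(text: str) -> Tuple[str, List[str]]:
    """Classify one DSC as no-openssl / broken / timer-rng / ok."""
    rows = parse_library_classes(text)
    openssl = [r for r in rows if r[0] == "OpensslLib"]
    rng_paths = [r[1] for r in rows if r[0] == "RngLib"]
    if not openssl:
        return "no-openssl", rng_paths
    if not rng_paths:                              # will fail to link, as in the thread
        return "broken", rng_paths
    if any(TIMER_RNGLIB in p for p in rng_paths):  # builds, but weak randomness
        return "timer-rng", rng_paths
    return "ok", rng_paths


def scan_tree(root: str) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (dsc_path, status, rnglib_paths) for every .dsc under root."""
    for dsc in sorted(Path(root).rglob("*.dsc")):
        status, paths = check_dsc(dsc.read_text(errors="replace"))
        yield str(dsc), status, paths


# Constructed sample DSCs (not real platform files).
FIXED_DSC = """\
[Defines]
  PLATFORM_NAME = Constructed
[LibraryClasses]
  FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
!endif
"""
BROKEN_DSC = FIXED_DSC.replace(
    "  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf\n", "")
HW_DSC = """\
[LibraryClasses.common.DXE_DRIVER]
  RngLib|MdePkg/Library/DxeRngLib/DxeRngLib.inf   # platform RngProtocol-backed
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
"""

if __name__ == "__main__":
    for name, text in (("fixed", FIXED_DSC), ("broken", BROKEN_DSC), ("hw", HW_DSC)):
        print(name, check_dsc(text))
```

Point `scan_tree` at a checkout of edk2 or edk2-platforms to get the per-DSC list; `broken` is the set that fails to build after the OpensslLib change, and `timer-rng` is the set that builds but still deserves a platform-specific RngLib. The `[Components]`-level `<LibraryClasses>` overrides are not parsed, so a platform that maps RngLib only there will show as `broken` and should be checked by hand.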

 

 

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R via groups.io
Sent: Saturday, September 19, 2020 1:39 AM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@...>; gaoliming <gaoliming@...>; 'Andrew Fish' <afish@...>; Justen, Jordan L <jordan.l.justen@...>; Kinney, Michael D <michael.d.kinney@...>; Wadhawan, Divneil R <divneil.r.wadhawan@...>
Subject: [edk2-devel] [PATCH] EmulatorPkg: Add RngLib to satisfy dependency of OpensslLib

 

 

o Recently, OpensslLib [LibraryClasses] has been changed

  to include RngLib which causes the SECURE_BOOT_ENABLE

  build to fail in want of RngLib

 

o This patch adds the RngLib for OpensslLib

 

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@...>

---

EmulatorPkg/EmulatorPkg.dsc | 1 +

1 file changed, 1 insertion(+)

 

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc

index c6e25c745e..a27cb1beb0 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -113,6 +113,7 @@

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

 

!if $(SECURE_BOOT_ENABLE) == TRUE

+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf

   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf

   PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
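Review bot: the new RngLib mapping lands inside the `!if $(SECURE_BOOT_ENABLE) == TRUE` block next to OpensslLib, which is the right scope, but BaseRngLibTimerLib derives its output from the timer and the thread itself describes it as not a good source of randomness. The commit message ("This patch adds the RngLib for OpensslLib") should say that the timer-based library is chosen only for build parity with the previous OpenSSL behaviour, so a later reader does not take it for a considered entropy choice for the emulator, and it should name the OpensslLib commit that introduced the dependency rather than "Recently, OpensslLib [LibraryClasses] has been changed", so the fix is traceable to the change it repairs.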

--

2.16.2.windows.1


 
