diff --git a/OneCryptoPkg/Docs/Architecture.md b/OneCryptoPkg/Docs/Architecture.md index 1b9109cfe..f63c33b2b 100644 --- a/OneCryptoPkg/Docs/Architecture.md +++ b/OneCryptoPkg/Docs/Architecture.md @@ -5,9 +5,10 @@ OneCryptoPkg uses a **Bin + Loader** pattern to provide crypto services. A OpenSSL) and a **Loader** module discovers the Bin, injects runtime dependencies, and installs the public `gOneCryptoProtocolGuid` for consumers. -Today only X64 supports the phase agnostic crypto implementation. -See [Why the Difference?](#why-the-difference) for details on AARCH64. -However this is something we want to support in the long term for AARCH64. +X64 supports a single stored MM binary consumed by DXE. +AARCH64 historically used a separate DXE Bin, and now also has an +MM-provider based single-copy prototype path. See +[Why the Difference?](#why-the-difference) for details. ## X64 @@ -52,45 +53,78 @@ Both StandaloneMm and SupvMm follow the same two-driver pattern: ## AARCH64 -AARCH64 produces **4 drivers**: 2 from `OneCryptoBin` and 2 from -`OneCryptoLoaders`. +AARCH64 currently has two integration modes: -| Environment | Bin | Loader | -|-----------------|----------------------------|-----------------------------------| -| DXE | `OneCryptoBinDxe` | `OneCryptoLoaderDxeByProtocol` | -| StandaloneMm | `OneCryptoBinStandaloneMm` | `OneCryptoLoaderStandaloneMm` | +1. Legacy dual-bin mode (default): dedicated DXE Bin + protocol-based DXE loader. +2. Single-copy AARCH64 mode: secure-world MM Bin is the only stored + OneCrypto image; DXE fetches image bytes from MM and LoadImage()s them. + +### Driver Set by AARCH64 Mode + +Legacy dual-bin mode: + +- DXE: `OneCryptoBinDxe` + `OneCryptoLoaderDxeByProtocol` +- StandaloneMm: `OneCryptoBinStandaloneMm` + `OneCryptoLoaderStandaloneMm` + +Single-copy AARCH64 mode: + +- DXE: `OneCryptoLoaderDxeFromMm` +- StandaloneMm: `OneCryptoImageProviderStandaloneMm` + + `OneCryptoBinStandaloneMm` + `OneCryptoLoaderStandaloneMm` ### DXE Flow (AARCH64) -On AARCH64 the DXE Loader **cannot** reach into the secure-world firmware -volume to load the StandaloneMm binary. Instead, a dedicated `OneCryptoBinDxe` -(`DXE_DRIVER`) is included in the normal-world FV: +#### Legacy dual-bin mode + +On AARCH64 the DXE Loader cannot directly read the secure-world FV, so this +mode uses a dedicated `OneCryptoBinDxe` (`DXE_DRIVER`) in the normal-world FV: -1. `OneCryptoBinDxe` is dispatched normally by the UEFI DXE dispatcher. Its - entry point installs `gOneCryptoPrivateProtocolGuid` with the crypto - constructor. +1. `OneCryptoBinDxe` is dispatched by DXE and installs + `gOneCryptoPrivateProtocolGuid`. 2. `OneCryptoLoaderDxeByProtocol` has a `[Depex]` on - `gOneCryptoPrivateProtocolGuid`. It calls `LocateProtocol()` to find the - private protocol, invokes the constructor, and installs the public - `gOneCryptoProtocolGuid`. + `gOneCryptoPrivateProtocolGuid`, calls `LocateProtocol()`, invokes the + constructor, and installs `gOneCryptoProtocolGuid`. + +This protocol-based approach avoids PE/COFF export parsing. + +#### Single-copy AARCH64 mode -This protocol-based approach avoids PE/COFF export parsing entirely. +This mode removes `OneCryptoBinDxe` from the normal-world FV and uses +`OneCryptoLoaderDxeFromMm`: + +1. Loader uses `EFI_MM_COMMUNICATION2_PROTOCOL` and + `gOneCryptoImageProviderGuid` to query total image size. +2. Loader fetches OneCrypto PE32 bytes in chunks from MM. +3. Loader calls `LoadImage()` on the fetched bytes, resolves `CryptoEntry`, + injects dependencies, and installs `gOneCryptoProtocolGuid`. ### MM Flow (AARCH64) -The MM two-driver pattern (Bin + Loader) is the same as X64 — -`OneCryptoBinStandaloneMm` and `OneCryptoLoaderStandaloneMm` are the same -source modules on both architectures. See -[Why the Difference?](#why-the-difference) for why AARCH64 needs a separate -`OneCryptoBinDxe` instead of reusing the MM binary during DXE. +`OneCryptoBinStandaloneMm` + `OneCryptoLoaderStandaloneMm` follow the same MM +Bin+Loader pattern as X64. + +In single-copy AARCH64 mode, `OneCryptoImageProviderStandaloneMm` is an additional +MM module that registers an MM communication handler and serves OneCrypto PE32 +bytes to DXE. It is intentionally separate from `OneCryptoLoaderStandaloneMm`: + +1. Separation of concerns: transport/provider path vs protocol construction path. +2. Earlier/independent availability: provider can be dispatched without coupling + to MM loader behavior. +3. Better failure isolation and debugging for MM-communicate contract issues. ## Why the Difference? On AARCH64, StandaloneMm runs inside TrustZone and the secure-world firmware volume is not accessible from normal-world DXE. On X64, `GetSectionFromAnyFv()` can reach the MM firmware volume, so the DXE Loader reuses the MM binary -directly. On AARCH64, a separate `OneCryptoBinDxe` must be included in the -normal-world FV. +directly. + +On AARCH64 there are two valid designs: + +1. Legacy dual-bin mode: include separate `OneCryptoBinDxe` in normal-world FV. +2. Single-copy AARCH64 mode: keep the single stored MM Bin and bridge + secure/non-secure separation using MM communication + (`OneCryptoImageProvider` and `OneCryptoLoaderDxeFromMm`). ## Module Summary @@ -104,6 +138,15 @@ normal-world FV. | `OneCryptoLoaderDxe` | `DXE_DRIVER` | ✓ | | | `OneCryptoLoaderDxeByProtocol` | `DXE_DRIVER` | | ✓ | +Single-copy mode modules on AARCH64: + +- `OneCryptoLoaderDxeFromMm` (`DXE_DRIVER`) +- `OneCryptoImageProviderStandaloneMm` (`MM_STANDALONE`) + +This mode originated as the QAV-A prototype on QemuArmVirtPkg, but the design +is intended for real AARCH64 platforms and mainline integration. The current +feature branch implementation is the bring-up/prototype vehicle. + ## Dependency Injection The crypto Bin binary statically links BaseCryptLib, TlsLib, and OpenSSL, but diff --git a/OneCryptoPkg/Docs/FAQs.md b/OneCryptoPkg/Docs/FAQs.md index 8fb74be1d..7247b979c 100644 --- a/OneCryptoPkg/Docs/FAQs.md +++ b/OneCryptoPkg/Docs/FAQs.md @@ -8,10 +8,10 @@ updating the DSC. ## Where can I see OneCryptoPkg integrated into a platform? -QemuQ35Pkg and QemuSbsaPkg on [mu_tiano_platforms](https://github.com/microsoft/mu_tiano_platforms) -uses the OneCrypto binary drivers. See pull request -[Platforms: Wire up OneCrypto binary drivers -](https://github.com/microsoft/mu_tiano_platforms/pull/1278). +QemuQ35Pkg and QemuSbsaPkg on +[mu_tiano_platforms](https://github.com/microsoft/mu_tiano_platforms) use the +OneCrypto binary drivers. See pull request +[Platforms: Wire up OneCrypto binary drivers](https://github.com/microsoft/mu_tiano_platforms/pull/1278). ## OneCryptoBinSupvMm is MODULE_TYPE MM_STANDALONE — how does it run in DXE? @@ -20,9 +20,14 @@ On X64, the DXE Loader (`OneCryptoLoaderDxe`) calls `LoadImage()` on the applied, then parses the PE/COFF exports to find and invoke the `CryptoEntry` function. -On AARCH64 the approach is different — a dedicated `OneCryptoBinDxe` -(`DXE_DRIVER`) is used instead because the secure-world FV is not accessible -from DXE. +On AARCH64 there are now two approaches: + +1. Legacy dual-bin mode: a dedicated `OneCryptoBinDxe` (`DXE_DRIVER`) is used + because the secure-world FV is not directly accessible from DXE. +2. Single-copy AARCH64 mode: DXE uses + `OneCryptoLoaderDxeFromMm` to fetch OneCrypto + PE32 bytes from `OneCryptoImageProviderStandaloneMm` over + `EFI_MM_COMMUNICATION2_PROTOCOL`, then calls `LoadImage()`. See [Architecture.md](Architecture.md) for the full Bin + Loader pattern and the differences between X64 and AARCH64. @@ -42,7 +47,7 @@ not match the executing environment. The Loader must call `SetupEntry` instead, which manually initializes the library constructors before providing the crypto protocol. -## Why are there two DXE Loaders (OneCryptoLoaderDxe vs OneCryptoLoaderDxeByProtocol)? +## Why are there multiple DXE Loaders (OneCryptoLoaderDxe, OneCryptoLoaderDxeByProtocol, OneCryptoLoaderDxeFromMm)? They serve different architectures with fundamentally different loading strategies: @@ -59,4 +64,10 @@ strategies: to find it. No `LoadImage()` or PE/COFF parsing is needed, and it uses `NoSetupEntry` since constructors already ran during normal dispatch. +- **`OneCryptoLoaderDxeFromMm`** (AARCH64 single-copy mode) — DXE cannot read the + secure-world FV directly, so this loader requests OneCrypto image bytes from + StandaloneMM (`OneCryptoImageProviderStandaloneMm`) via + `EFI_MM_COMMUNICATION2_PROTOCOL`, then `LoadImage()`s the fetched PE32 and + resolves `CryptoEntry`. + See [Architecture.md](Architecture.md) for the full X64 vs AARCH64 breakdown. diff --git a/OneCryptoPkg/Docs/README.md b/OneCryptoPkg/Docs/README.md index fa0ae5bf8..21e807b55 100644 --- a/OneCryptoPkg/Docs/README.md +++ b/OneCryptoPkg/Docs/README.md @@ -53,3 +53,5 @@ To consume OneCryptoPkg in a platform: - [Architecture.md](Architecture.md) — Bin + Loader pattern, X64 vs AARCH64, dependency injection - [FAQs.md](FAQs.md) — Common questions about OneCryptoPkg +- [QAV-A-Task-Notes.md](QAV-A-Task-Notes.md) — branch bring-up notes for + the single-copy AARCH64 mode diff --git a/OneCryptoPkg/DriverBuild.py b/OneCryptoPkg/DriverBuild.py index 90a60102a..0f309d373 100644 --- a/OneCryptoPkg/DriverBuild.py +++ b/OneCryptoPkg/DriverBuild.py @@ -167,12 +167,16 @@ def AddCommandLineOptions(self, parserObj): help="skip OneCrypto packaging after build") parserObj.add_argument("--version", dest="version", default="0.0.0", type=str, help="The version of OneCryptoPkg to use for the SBOM. Default is 0.0.0") + parserObj.add_argument("--disable-tls", dest="disable_tls", + action="store_true", default=False, + help="Build OneCrypto without TLS (TlsLibNull + crypto-only OpenSSL) to slim the binary") def RetrieveCommandLineOptions(self, args): self.target = list(set(args.target)) if args.target else list(CommonPlatform.TargetsSupported) self.arch = args.arch if args.arch else list(CommonPlatform.ArchSupported) self.skip_packaging = args.skip_packaging self.version = args.version + self.disable_tls = args.disable_tls def GetWorkspaceRoot(self): ''' get WorkspacePath ''' @@ -212,6 +216,9 @@ def SetPlatformEnv(self): self.env.SetValue("TARGET_ARCH", " ".join(self.arch), "CLI args") self.env.SetValue("TOOL_CHAIN_TAG", "CLANGPDB", "Platform Hardcoded") + if self.disable_tls: + self.env.SetValue("BLD_*_ONE_CRYPTO_DISABLE_TLS", "TRUE", "CLI --disable-tls") + # Default turn on build reporting. self.env.SetValue("BUILDREPORTING", "TRUE", "Enabling build report") self.env.SetValue("BUILDREPORT_TYPES", diff --git a/OneCryptoPkg/Include/Guid/OneCryptoImageProviderGuid.h b/OneCryptoPkg/Include/Guid/OneCryptoImageProviderGuid.h new file mode 100644 index 000000000..c663e4d29 --- /dev/null +++ b/OneCryptoPkg/Include/Guid/OneCryptoImageProviderGuid.h @@ -0,0 +1,20 @@ +/** @file + + GUID definition for the OneCrypto MM image provider communication handler. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ONE_CRYPTO_IMAGE_PROVIDER_GUID_H_ +#define ONE_CRYPTO_IMAGE_PROVIDER_GUID_H_ + +#define ONE_CRYPTO_IMAGE_PROVIDER_GUID \ + { \ + 0x5B9B9A72, 0xA4DF, 0x4D57, { 0xA1, 0xD3, 0x3A, 0x88, 0xEF, 0xB2, 0x5B, 0x9E } \ + } + +extern EFI_GUID gOneCryptoImageProviderGuid; + +#endif // ONE_CRYPTO_IMAGE_PROVIDER_GUID_H_ diff --git a/OneCryptoPkg/Include/Private/OneCryptoImageProviderMessage.h b/OneCryptoPkg/Include/Private/OneCryptoImageProviderMessage.h new file mode 100644 index 000000000..528d7c77d --- /dev/null +++ b/OneCryptoPkg/Include/Private/OneCryptoImageProviderMessage.h @@ -0,0 +1,41 @@ +/** @file + + Shared message format for OneCrypto image-provider MM communication. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ONE_CRYPTO_IMAGE_PROVIDER_MESSAGE_H_ +#define ONE_CRYPTO_IMAGE_PROVIDER_MESSAGE_H_ + +#define ONE_CRYPTO_IMAGE_PROVIDER_VERSION 2U +#define ONE_CRYPTO_IMAGE_PROVIDER_SIGNATURE SIGNATURE_32 ('O', 'C', 'I', 'P') + +// +// Payload format served by the provider (ONE_CRYPTO_IMAGE_PROVIDER_MSG.Format). +// +// PE32 - Data is the raw OneCrypto PE32 image; DXE LoadImage()s it directly. +// LZMA_FV - Data is the LZMA-compressed payload of the GUIDed section that wraps +// the nested FV containing the OneCrypto PE32. Secure world (MM) lacks +// the memory budget to decompress the ~2 MB FV, so it hands the small +// compressed stream to the resource-rich normal world (DXE), which +// decompresses it and extracts the OneCrypto PE32. +// +#define ONE_CRYPTO_IMAGE_FORMAT_PE32 0U +#define ONE_CRYPTO_IMAGE_FORMAT_LZMA_FV 1U + +typedef struct { + UINT32 Signature; + UINT32 Version; + UINT64 Offset; + UINT32 RequestedSize; + UINT32 ReturnedSize; + UINT32 TotalImageSize; + UINT32 Format; + EFI_GUID ImageGuid; + UINT8 Data[1]; +} ONE_CRYPTO_IMAGE_PROVIDER_MSG; + +#endif // ONE_CRYPTO_IMAGE_PROVIDER_MESSAGE_H_ diff --git a/OneCryptoPkg/OneCryptoLoaders/Integration/OneCryptoImageProviderStandaloneMm.inf b/OneCryptoPkg/OneCryptoLoaders/Integration/OneCryptoImageProviderStandaloneMm.inf new file mode 100644 index 000000000..a8319f0cc --- /dev/null +++ b/OneCryptoPkg/OneCryptoLoaders/Integration/OneCryptoImageProviderStandaloneMm.inf @@ -0,0 +1,24 @@ +## @file +# OneCrypto image provider in StandaloneMM for QAV fetch path. +# +# Copyright (C) Microsoft Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = OneCryptoImageProviderStandaloneMm + FILE_GUID = 60A67696-D50D-488E-B436-82D0D3A11E8F + MODULE_TYPE = MM_STANDALONE + VERSION_STRING = 1.0 + PI_SPECIFICATION_VERSION = 0x00010032 + ENTRY_POINT = MmEntry + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[Binaries] + PE32|OneCryptoImageProviderStandaloneMm.efi + SMM_DEPEX|OneCryptoImageProviderStandaloneMm.depex diff --git a/OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderMm.c b/OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderMm.c new file mode 100644 index 000000000..49d436b59 --- /dev/null +++ b/OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderMm.c @@ -0,0 +1,395 @@ +/** @file + OneCryptoImageProviderMm.c + + Locates OneCrypto in the StandaloneMM firmware volumes and serves its bytes to + the DXE loader over MM communication. + + OneCrypto may be present either as a raw PE32 image + (ONE_CRYPTO_IMAGE_FORMAT_PE32) or -- as on Soundwave -- inside an + LZMA-compressed nested firmware volume (ONE_CRYPTO_IMAGE_FORMAT_LZMA_FV). + Secure world does not have the ~2 MB heap budget to LZMA-decode that FV, so in + the compressed case it simply hands the (small) compressed stream to the + resource-rich normal world (DXE), which decompresses it and extracts the PE32. + + The provider therefore never decompresses anything: it only *finds* OneCrypto + and tells DXE, via the message Format field, how to consume what it is given. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include +#include + +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +STATIC EFI_GUID mOneCryptoBinaryGuid = ONE_CRYPTO_BINARY_GUID; +EFI_GUID gOneCryptoImageProviderGuid = ONE_CRYPTO_IMAGE_PROVIDER_GUID; + +// +// Located OneCrypto payload: a pointer into resident MM firmware (either the raw +// PE32 image, or the compressed LZMA stream of the nested FV) plus the format +// that tells DXE how to consume it. Cached after the first successful lookup. +// +STATIC VOID *mOneCryptoImageData = NULL; +STATIC UINTN mOneCryptoImageSize = 0; +STATIC UINT32 mOneCryptoImageFormat = ONE_CRYPTO_IMAGE_FORMAT_PE32; + +/** + Whether a GUID_DEFINED section uses the LZMA custom-decompress GUID. + + @param[in] Section Candidate section header. + + @retval TRUE Section is an LZMA-compressed GUID_DEFINED section. + @retval FALSE Otherwise. +**/ +STATIC +BOOLEAN +IsLzmaGuidedSection ( + IN CONST EFI_COMMON_SECTION_HEADER *Section + ) +{ + if (Section == NULL) { + return FALSE; + } + + if (IS_SECTION2 (Section)) { + return CompareGuid ( + &((CONST EFI_GUID_DEFINED_SECTION2 *)Section)->SectionDefinitionGuid, + &gLzmaCustomDecompressGuid + ); + } + + return CompareGuid ( + &((CONST EFI_GUID_DEFINED_SECTION *)Section)->SectionDefinitionGuid, + &gLzmaCustomDecompressGuid + ); +} + +/** + Scan one firmware volume for OneCrypto. + + Two shapes are recognised: + - the OneCrypto file carrying a direct PE32 section (uncompressed platforms), + served as ONE_CRYPTO_IMAGE_FORMAT_PE32; and + - an LZMA-compressed GUID_DEFINED section wrapping the nested FV that holds + OneCrypto (Soundwave), whose raw compressed stream is served as + ONE_CRYPTO_IMAGE_FORMAT_LZMA_FV for DXE to decode. + + A direct PE32 is preferred when both are present. + + @param[in] FvHeader Firmware volume to scan. + + @retval EFI_SUCCESS OneCrypto located; module globals populated. + @retval EFI_NOT_FOUND Not found in this FV. +**/ +STATIC +EFI_STATUS +ScanFvForOneCrypto ( + IN EFI_FIRMWARE_VOLUME_HEADER *FvHeader + ) +{ + EFI_STATUS Status; + EFI_FFS_FILE_HEADER *FileHeader; + EFI_COMMON_SECTION_HEADER *Section; + EFI_COMMON_SECTION_HEADER *CompressedSection; + VOID *SectionData; + UINTN SectionDataSize; + UINTN DataOffset; + UINTN SectionSize; + + if (FvHeader == NULL) { + return EFI_INVALID_PARAMETER; + } + + CompressedSection = NULL; + FileHeader = NULL; + while (TRUE) { + Status = FfsFindNextFile (EFI_FV_FILETYPE_ALL, FvHeader, &FileHeader); + if (EFI_ERROR (Status)) { + break; + } + + // + // Preferred: the OneCrypto file carrying a direct PE32 image. + // + if (CompareGuid (&FileHeader->Name, &mOneCryptoBinaryGuid)) { + Status = FfsFindSectionData (EFI_SECTION_PE32, FileHeader, &SectionData, &SectionDataSize); + if (!EFI_ERROR (Status) && (SectionData != NULL) && (SectionDataSize != 0)) { + mOneCryptoImageData = SectionData; + mOneCryptoImageSize = SectionDataSize; + mOneCryptoImageFormat = ONE_CRYPTO_IMAGE_FORMAT_PE32; + DEBUG (( + DEBUG_INFO, + "OneCryptoImageProviderMm: Found direct OneCrypto PE32 size=0x%Lx\n", + (UINT64)SectionDataSize + )); + return EFI_SUCCESS; + } + } + + // + // Otherwise remember the first LZMA-compressed section. On compressed + // platforms the nested FV it wraps is where OneCrypto lives. + // + if (CompressedSection == NULL) { + Status = FfsFindSection (EFI_SECTION_GUID_DEFINED, FileHeader, &Section); + if (!EFI_ERROR (Status) && IsLzmaGuidedSection (Section)) { + CompressedSection = Section; + } + } + } + + if (CompressedSection != NULL) { + if (IS_SECTION2 (CompressedSection)) { + DataOffset = ((CONST EFI_GUID_DEFINED_SECTION2 *)CompressedSection)->DataOffset; + SectionSize = SECTION2_SIZE (CompressedSection); + } else { + DataOffset = ((CONST EFI_GUID_DEFINED_SECTION *)CompressedSection)->DataOffset; + SectionSize = SECTION_SIZE (CompressedSection); + } + + if ((DataOffset < SectionSize) && (SectionSize > sizeof (EFI_COMMON_SECTION_HEADER))) { + // + // Hand DXE the raw LZMA stream (the section payload after its header). + // + mOneCryptoImageData = (UINT8 *)CompressedSection + DataOffset; + mOneCryptoImageSize = SectionSize - DataOffset; + mOneCryptoImageFormat = ONE_CRYPTO_IMAGE_FORMAT_LZMA_FV; + DEBUG (( + DEBUG_INFO, + "OneCryptoImageProviderMm: Serving compressed LZMA payload to DXE size=0x%Lx\n", + (UINT64)mOneCryptoImageSize + )); + return EFI_SUCCESS; + } + } + + return EFI_NOT_FOUND; +} + +/** + Locate OneCrypto across the StandaloneMM FV and FV2 HOBs. The result is cached + in module globals for subsequent chunked requests. + + @retval EFI_SUCCESS OneCrypto located. + @retval EFI_NOT_FOUND OneCrypto not present in any MM firmware volume. +**/ +STATIC +EFI_STATUS +LocateOneCryptoImage ( + VOID + ) +{ + EFI_PEI_HOB_POINTERS Hob; + + if ((mOneCryptoImageData != NULL) && (mOneCryptoImageSize != 0)) { + return EFI_SUCCESS; + } + + for (Hob.Raw = GetNextHob (EFI_HOB_TYPE_FV, GetHobList ()); + Hob.Raw != NULL; + Hob.Raw = GetNextHob (EFI_HOB_TYPE_FV, GET_NEXT_HOB (Hob))) + { + if ((Hob.FirmwareVolume == NULL) || (Hob.FirmwareVolume->Length == 0)) { + continue; + } + + if (!EFI_ERROR (ScanFvForOneCrypto ((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)Hob.FirmwareVolume->BaseAddress))) { + return EFI_SUCCESS; + } + } + + for (Hob.Raw = GetNextHob (EFI_HOB_TYPE_FV2, GetHobList ()); + Hob.Raw != NULL; + Hob.Raw = GetNextHob (EFI_HOB_TYPE_FV2, GET_NEXT_HOB (Hob))) + { + if ((Hob.FirmwareVolume2 == NULL) || (Hob.FirmwareVolume2->Length == 0)) { + continue; + } + + if (!EFI_ERROR (ScanFvForOneCrypto ((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)Hob.FirmwareVolume2->BaseAddress))) { + return EFI_SUCCESS; + } + } + + DEBUG ((DEBUG_ERROR, "OneCryptoImageProviderMm: OneCrypto not found in any MM FV HOB\n")); + return EFI_NOT_FOUND; +} + +/** + MM communication handler that provides OneCrypto image bytes to DXE. + + Request protocol (ONE_CRYPTO_IMAGE_PROVIDER_MSG): + - RequestedSize == 0 : size query. Returns TotalImageSize + Format. + - RequestedSize > 0 : returns up to RequestedSize bytes at Offset. + + @param[in] DispatchHandle Dispatch handle for this handler. + @param[in] Context Handler context (unused). + @param[in, out] CommBuffer Message payload buffer. + @param[in, out] CommBufferSize Input/output payload buffer size. + + @retval EFI_SUCCESS Request serviced (including "not found", surfaced as an + empty successful response so StandaloneMmCore never sees + an error status). +**/ +STATIC +EFI_STATUS +EFIAPI +OneCryptoImageProviderHandler ( + IN EFI_HANDLE DispatchHandle, + IN CONST VOID *Context OPTIONAL, + IN OUT VOID *CommBuffer OPTIONAL, + IN OUT UINTN *CommBufferSize OPTIONAL + ) +{ + ONE_CRYPTO_IMAGE_PROVIDER_MSG *Msg; + UINTN HeaderSize; + UINTN InputBufferSize; + UINTN MaxPayload; + UINTN Remaining; + UINTN CopySize; + UINT64 LocalOffset; + UINT32 LocalRequestedSize; + EFI_STATUS Status; + + if ((CommBuffer == NULL) || (CommBufferSize == NULL)) { + return EFI_INVALID_PARAMETER; + } + + HeaderSize = OFFSET_OF (ONE_CRYPTO_IMAGE_PROVIDER_MSG, Data); + + // + // Snapshot *CommBufferSize once before use: on AARCH64 CommBuffer lives in + // Non-Secure DRAM and could be changed concurrently by Normal World. + // + InputBufferSize = *CommBufferSize; + if (InputBufferSize < HeaderSize) { + return EFI_BAD_BUFFER_SIZE; + } + + if ((InputBufferSize - HeaderSize) > MAX_UINT32) { + return EFI_BAD_BUFFER_SIZE; + } + + Msg = (ONE_CRYPTO_IMAGE_PROVIDER_MSG *)CommBuffer; + ZeroMem (&Msg->ImageGuid, sizeof (Msg->ImageGuid)); + Msg->TotalImageSize = 0; + Msg->ReturnedSize = 0; + + if ((Msg->Signature != ONE_CRYPTO_IMAGE_PROVIDER_SIGNATURE) || + (Msg->Version != ONE_CRYPTO_IMAGE_PROVIDER_VERSION)) + { + DEBUG ((DEBUG_ERROR, "OneCryptoImageProviderMm: Invalid request header\n")); + return EFI_INVALID_PARAMETER; + } + + // + // Snapshot caller-supplied fields before validation/use. + // + LocalOffset = Msg->Offset; + LocalRequestedSize = Msg->RequestedSize; + + Status = LocateOneCryptoImage (); + if (EFI_ERROR (Status)) { + // + // Never propagate lookup failure to StandaloneMmCore: an EFI error here + // trips the Mmi.c(268) assert and aborts the secure VM. Surface "not found" + // to the caller as an empty successful response instead. + // + *CommBufferSize = HeaderSize; + return EFI_SUCCESS; + } + + // + // TotalImageSize is UINT32; guard against >4 GiB payloads. + // + if (mOneCryptoImageSize > MAX_UINT32) { + DEBUG ((DEBUG_ERROR, "OneCryptoImageProviderMm: Image size 0x%Lx exceeds UINT32 max\n", (UINT64)mOneCryptoImageSize)); + return EFI_UNSUPPORTED; + } + + Msg->ImageGuid = mOneCryptoBinaryGuid; + Msg->TotalImageSize = (UINT32)mOneCryptoImageSize; + Msg->Format = mOneCryptoImageFormat; + Msg->ReturnedSize = 0; + + // + // Size query: return total size + format, no payload. + // + if (LocalRequestedSize == 0) { + *CommBufferSize = HeaderSize; + return EFI_SUCCESS; + } + + if (LocalOffset > mOneCryptoImageSize) { + DEBUG ((DEBUG_ERROR, "OneCryptoImageProviderMm: Invalid offset 0x%Lx for size 0x%Lx\n", LocalOffset, (UINT64)mOneCryptoImageSize)); + return EFI_INVALID_PARAMETER; + } + + MaxPayload = InputBufferSize - HeaderSize; + Remaining = mOneCryptoImageSize - (UINTN)LocalOffset; + CopySize = LocalRequestedSize; + + if (CopySize > MaxPayload) { + CopySize = MaxPayload; + } + + if (CopySize > Remaining) { + CopySize = Remaining; + } + + if (CopySize > 0) { + CopyMem (Msg->Data, (CONST UINT8 *)mOneCryptoImageData + (UINTN)LocalOffset, CopySize); + } + + Msg->ReturnedSize = (UINT32)CopySize; + *CommBufferSize = HeaderSize + CopySize; + + return EFI_SUCCESS; +} + +/** + Module entry point. Registers the OneCrypto image-provider MM handler. + + @param[in] ImageHandle Image handle. + @param[in] MmSystemTable MM system table. + + @retval EFI_SUCCESS Handler registered. +**/ +EFI_STATUS +EFIAPI +MmEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_MM_SYSTEM_TABLE *MmSystemTable + ) +{ + EFI_STATUS Status; + EFI_HANDLE DispatchHandle; + + DispatchHandle = NULL; + Status = gMmst->MmiHandlerRegister ( + OneCryptoImageProviderHandler, + &gOneCryptoImageProviderGuid, + &DispatchHandle + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoImageProviderMm: Failed to register handler: %r\n", Status)); + return Status; + } + + DEBUG ((DEBUG_INFO, "OneCryptoImageProviderMm: Handler registered for %g\n", &gOneCryptoImageProviderGuid)); + return EFI_SUCCESS; +} diff --git a/OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderStandaloneMm.inf b/OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderStandaloneMm.inf new file mode 100644 index 000000000..52513e2b9 --- /dev/null +++ b/OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderStandaloneMm.inf @@ -0,0 +1,42 @@ +## @file +# Provides OneCrypto PE32 image bytes from StandaloneMM over MM communication. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = OneCryptoImageProviderStandaloneMm + FILE_GUID = 60A67696-D50D-488E-B436-82D0D3A11E8F + MODULE_TYPE = MM_STANDALONE + VERSION_STRING = 1.0 + PI_SPECIFICATION_VERSION = 0x00010032 + ENTRY_POINT = MmEntry + +[Sources] + OneCryptoImageProviderMm.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + StandaloneMmPkg/StandaloneMmPkg.dec + OneCryptoPkg/OneCryptoPkg.dec + +[LibraryClasses] + StandaloneMmDriverEntryPoint + BaseLib + BaseMemoryLib + DebugLib + MmServicesTableLib + HobLib + FvLib + +[Guids] + gLzmaCustomDecompressGuid ## CONSUMES + +[Depex] + TRUE + +[BuildOptions] + GCC:*_CLANGPDB_*_DLINK_FLAGS = /ALIGN:4096 diff --git a/OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeFromMm.c b/OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeFromMm.c new file mode 100644 index 000000000..fa113b7cb --- /dev/null +++ b/OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeFromMm.c @@ -0,0 +1,712 @@ +/** @file + OneCryptoLoaderDxeFromMm.c + + DXE loader that fetches OneCrypto image bytes from StandaloneMM via + EFI_MM_COMMUNICATION2_PROTOCOL, then LoadImage()s the fetched PE32 image. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include + +#include +#include + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include +#include +#include +#include + +STATIC EFI_GUID mOneCryptoBinaryGuid = ONE_CRYPTO_BINARY_GUID; + +// The dependencies of the shared library, must live as long as the shared code is used. +STATIC ONE_CRYPTO_DEPENDENCIES *mOneCryptoDepends = NULL; + +// Crypto protocol for the shared library. Using VOID* to be agnostic about protocol structure size/layout. +STATIC VOID *mOneCryptoProtocol = NULL; + +// Lazy RNG state tracking. +STATIC EFI_RNG_PROTOCOL *mCachedRngProtocol = NULL; + +/** + Lazy RNG implementation that locates EFI_RNG_PROTOCOL on first use. +**/ +BOOLEAN +EFIAPI +LazyPlatformGetRandomNumber64 ( + OUT UINT64 *Rand + ) +{ + EFI_STATUS Status; + + if (Rand == NULL) { + DEBUG ((DEBUG_ERROR, "LazyPlatformGetRandomNumber64: Null Rand pointer\n")); + return FALSE; + } + + if (mCachedRngProtocol == NULL) { + Status = gBS->LocateProtocol (&gEfiRngProtocolGuid, NULL, (VOID **)&mCachedRngProtocol); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_WARN, "LazyPlatformGetRandomNumber64: EFI_RNG_PROTOCOL not available: %r\n", Status)); + return FALSE; + } + } + + Status = mCachedRngProtocol->GetRNG (mCachedRngProtocol, NULL, sizeof (UINT64), (UINT8 *)Rand); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "LazyPlatformGetRandomNumber64: GetRNG failed: %r\n", Status)); + return FALSE; + } + + return TRUE; +} + +/** + Installs shared dependencies required for the crypto entrypoint. +**/ +STATIC +VOID +InstallSharedDependencies ( + OUT ONE_CRYPTO_DEPENDENCIES *OneCryptoDepends + ) +{ + OneCryptoDepends->Major = ONE_CRYPTO_DEPENDENCIES_VERSION_MAJOR; + OneCryptoDepends->Minor = ONE_CRYPTO_DEPENDENCIES_VERSION_MINOR; + OneCryptoDepends->Reserved = 0; + OneCryptoDepends->AllocatePool = AllocatePool; + OneCryptoDepends->FreePool = FreePool; + OneCryptoDepends->DebugPrint = DebugPrint; + OneCryptoDepends->GetTime = gRT->GetTime; + OneCryptoDepends->GetRandomNumber64 = LazyPlatformGetRandomNumber64; + OneCryptoDepends->MicroSecondDelay = gBS->Stall; +} + +/** + Gets exported CryptoEntry from a loaded image. +**/ +STATIC +EFI_STATUS +EFIAPI +GetEntryFromLoadedImage ( + IN EFI_LOADED_IMAGE_PROTOCOL *LoadedImage, + OUT CRYPTO_ENTRY *Entry + ) +{ + EFI_STATUS Status; + UINT32 Rva; + INTERNAL_IMAGE_CONTEXT Image; + EFI_IMAGE_EXPORT_DIRECTORY *Exports; + + if ((LoadedImage == NULL) || (Entry == NULL) || (LoadedImage->ImageBase == NULL)) { + return EFI_INVALID_PARAMETER; + } + + ZeroMem (&Image, sizeof (Image)); + Image.Context.ImageAddress = (EFI_PHYSICAL_ADDRESS)(UINTN)LoadedImage->ImageBase; + Image.Context.ImageSize = (UINT64)LoadedImage->ImageSize; + Image.Context.Handle = LoadedImage->ImageBase; + Image.Context.ImageRead = PeCoffLoaderImageReadFromMemory; + + Status = PeCoffLoaderGetImageInfo (&Image.Context); + if (EFI_ERROR (Status)) { + return Status; + } + + if (Image.Context.ImageType != EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER) { + DEBUG ((DEBUG_ERROR, "Invalid image type: %d\n", Image.Context.ImageType)); + return EFI_UNSUPPORTED; + } + + Status = GetExportDirectoryInPeCoffImage (&Image, &Exports); + if (EFI_ERROR (Status)) { + return Status; + } + + Status = FindExportedFunction (&Image, Exports, EXPORTED_ENTRY_NAME, &Rva); + if (EFI_ERROR (Status)) { + return Status; + } + + *Entry = (CRYPTO_ENTRY)((EFI_PHYSICAL_ADDRESS)LoadedImage->ImageBase + Rva); + return EFI_SUCCESS; +} + +/** + Sends one image-provider request to MM and handles optional comm-buffer resize. +**/ +STATIC +EFI_STATUS +SendImageProviderRequest ( + IN EFI_MM_COMMUNICATION2_PROTOCOL *MmComm, + IN OUT VOID **CommBuffer, + IN OUT UINTN *CommBufferAllocSize, + IN UINT64 Offset, + IN UINT32 RequestedSize, + OUT ONE_CRYPTO_IMAGE_PROVIDER_MSG **Msg, + OUT UINTN *MsgSize + ) +{ + EFI_MM_COMMUNICATE_HEADER *CommHeader; + ONE_CRYPTO_IMAGE_PROVIDER_MSG *LocalMsg; + UINTN HeaderSize; + UINTN CommSize; + EFI_STATUS Status; + + HeaderSize = OFFSET_OF (ONE_CRYPTO_IMAGE_PROVIDER_MSG, Data); + +Retry: + CommHeader = (EFI_MM_COMMUNICATE_HEADER *)(*CommBuffer); + ZeroMem (CommHeader, *CommBufferAllocSize); + + CopyGuid (&CommHeader->HeaderGuid, &gOneCryptoImageProviderGuid); + CommHeader->MessageLength = *CommBufferAllocSize - OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data); + + LocalMsg = (ONE_CRYPTO_IMAGE_PROVIDER_MSG *)CommHeader->Data; + LocalMsg->Signature = ONE_CRYPTO_IMAGE_PROVIDER_SIGNATURE; + LocalMsg->Version = ONE_CRYPTO_IMAGE_PROVIDER_VERSION; + LocalMsg->Offset = Offset; + LocalMsg->RequestedSize = RequestedSize; + + CommSize = *CommBufferAllocSize; + Status = MmComm->Communicate (MmComm, *CommBuffer, *CommBuffer, &CommSize); + DEBUG (( + DEBUG_INFO, + "OneCryptoLoaderDxeFromMm: MmComm->Communicate offset=0x%Lx req=0x%x status=%r commSize=0x%Lx\n", + Offset, + RequestedSize, + Status, + (UINT64)CommSize + )); + if (Status == EFI_BAD_BUFFER_SIZE) { + if (CommSize <= *CommBufferAllocSize) { + return Status; + } + + FreePool (*CommBuffer); + *CommBuffer = AllocateZeroPool (CommSize); + if (*CommBuffer == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + *CommBufferAllocSize = CommSize; + goto Retry; + } + + if (EFI_ERROR (Status)) { + return Status; + } + + if (CommSize < (OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data) + HeaderSize)) { + DEBUG (( + DEBUG_ERROR, + "OneCryptoLoaderDxeFromMm: Response too small commSize=0x%Lx required>=0x%Lx\n", + (UINT64)CommSize, + (UINT64)(OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data) + HeaderSize) + )); + return EFI_PROTOCOL_ERROR; + } + + *Msg = (ONE_CRYPTO_IMAGE_PROVIDER_MSG *)((EFI_MM_COMMUNICATE_HEADER *)(*CommBuffer))->Data; + *MsgSize = CommSize - OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data); + return EFI_SUCCESS; +} + +/** + Decompresses the LZMA-compressed nested FV payload handed over by the MM + provider, locates the OneCrypto file within it, and returns a standalone copy + of its PE32 image bytes. + + Secure world cannot afford the ~2 MB LZMA dictionary + decode buffer, so the + provider ships the small compressed stream (ONE_CRYPTO_IMAGE_FORMAT_LZMA_FV) + and DXE -- with ample memory -- expands it here. + + @param[in] Compressed LZMA-compressed FV payload bytes. + @param[in] CompressedSize Size of the compressed payload. + @param[out] Pe32Data Newly allocated buffer holding the OneCrypto PE32. + @param[out] Pe32Size Size of the returned PE32 image. + + @retval EFI_SUCCESS PE32 image extracted and returned in Pe32Data. +**/ +STATIC +EFI_STATUS +ExtractOneCryptoPe32FromLzmaFv ( + IN VOID *Compressed, + IN UINTN CompressedSize, + OUT VOID **Pe32Data, + OUT UINTN *Pe32Size + ) +{ + EFI_STATUS Status; + UINT32 DecodedSize; + UINT32 ScratchSize; + VOID *Decoded; + VOID *Scratch; + EFI_FIRMWARE_VOLUME_HEADER *FvHeader; + EFI_COMMON_SECTION_HEADER *FvSection; + EFI_FFS_FILE_HEADER *FileHeader; + VOID *SectionData; + UINTN SectionDataSize; + VOID *Pe32Copy; + + *Pe32Data = NULL; + *Pe32Size = 0; + Decoded = NULL; + Scratch = NULL; + + // + // Minimum LZMA stream: 5-byte props + 8-byte uncompressed size = 13 bytes. + // + if ((Compressed == NULL) || (CompressedSize < 13)) { + return EFI_INVALID_PARAMETER; + } + + Status = LzmaUefiDecompressGetInfo (Compressed, (UINT32)CompressedSize, &DecodedSize, &ScratchSize); + if (EFI_ERROR (Status) || (DecodedSize == 0)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: LzmaUefiDecompressGetInfo failed: %r size=0x%x\n", Status, DecodedSize)); + return EFI_COMPROMISED_DATA; + } + + Decoded = AllocatePool (DecodedSize); + if (Decoded == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto Cleanup; + } + + if (ScratchSize != 0) { + Scratch = AllocatePool (ScratchSize); + if (Scratch == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto Cleanup; + } + } + + Status = LzmaUefiDecompress (Compressed, CompressedSize, Decoded, Scratch); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: LzmaUefiDecompress failed: %r\n", Status)); + Status = EFI_COMPROMISED_DATA; + goto Cleanup; + } + + // + // The decoded payload is the nested FV -- either the raw FV image, or a + // FIRMWARE_VOLUME_IMAGE section wrapping it. Resolve to the FV header. + // + if (((EFI_FIRMWARE_VOLUME_HEADER *)Decoded)->Signature == EFI_FVH_SIGNATURE) { + FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)Decoded; + } else { + FvSection = NULL; + Status = FindFfsSectionInSections ( + Decoded, + DecodedSize, + EFI_SECTION_FIRMWARE_VOLUME_IMAGE, + &FvSection + ); + if (EFI_ERROR (Status) || (FvSection == NULL)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: Decoded payload is not an FV: %r\n", Status)); + Status = EFI_VOLUME_CORRUPTED; + goto Cleanup; + } + + if (IS_SECTION2 (FvSection)) { + FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)((EFI_COMMON_SECTION_HEADER2 *)FvSection + 1); + } else { + FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(FvSection + 1); + } + } + + // + // Find the OneCrypto file and its PE32 section within the decoded FV. + // + FileHeader = NULL; + Status = EFI_NOT_FOUND; + while (TRUE) { + if (EFI_ERROR (FfsFindNextFile (EFI_FV_FILETYPE_ALL, FvHeader, &FileHeader))) { + break; + } + + if (!CompareGuid (&FileHeader->Name, &mOneCryptoBinaryGuid)) { + continue; + } + + if (!EFI_ERROR (FfsFindSectionData (EFI_SECTION_PE32, FileHeader, &SectionData, &SectionDataSize)) && + (SectionData != NULL) && (SectionDataSize != 0)) + { + Pe32Copy = AllocateCopyPool (SectionDataSize, SectionData); + if (Pe32Copy == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto Cleanup; + } + + *Pe32Data = Pe32Copy; + *Pe32Size = SectionDataSize; + Status = EFI_SUCCESS; + DEBUG (( + DEBUG_INFO, + "OneCryptoLoaderDxeFromMm: Extracted OneCrypto PE32 from decoded FV size=0x%Lx\n", + (UINT64)SectionDataSize + )); + goto Cleanup; + } + } + + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: OneCrypto PE32 not found in decoded FV\n")); + +Cleanup: + if (Decoded != NULL) { + FreePool (Decoded); + } + + if (Scratch != NULL) { + FreePool (Scratch); + } + + return Status; +} + +/** + Fetches complete OneCrypto PE32 image from MM provider using chunked requests. +**/ +STATIC +EFI_STATUS +FetchImageFromMm ( + OUT VOID **ImageData, + OUT UINTN *ImageSize, + OUT UINT32 *Format + ) +{ + EFI_MM_COMMUNICATION2_PROTOCOL *MmComm; + EFI_STATUS Status; + VOID *CommBuffer; + UINTN CommBufferAllocSize; + ONE_CRYPTO_IMAGE_PROVIDER_MSG *Msg; + UINTN MsgSize; + VOID *LocalImage; + UINTN HeaderSize; + UINTN ChunkCapacity; + UINTN Offset; + UINTN Remaining; + UINTN ThisChunk; + UINT32 ExpectedTotal; + + *ImageData = NULL; + *ImageSize = 0; + *Format = ONE_CRYPTO_IMAGE_FORMAT_PE32; + + Status = gBS->LocateProtocol (&gEfiMmCommunication2ProtocolGuid, NULL, (VOID **)&MmComm); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: gEfiMmCommunication2ProtocolGuid not found: %r\n", Status)); + return Status; + } + + CommBufferAllocSize = 0x30000; // QAV default MM communication buffer size. + CommBuffer = AllocateZeroPool (CommBufferAllocSize); + if (CommBuffer == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + HeaderSize = OFFSET_OF (ONE_CRYPTO_IMAGE_PROVIDER_MSG, Data); + + // Size query. + Status = SendImageProviderRequest ( + MmComm, + &CommBuffer, + &CommBufferAllocSize, + 0, + 0, + &Msg, + &MsgSize + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: Size query request failed: %r\n", Status)); + goto Exit; + } + + if ((Msg->TotalImageSize == 0) || (Msg->ReturnedSize != 0)) { + DEBUG (( + DEBUG_ERROR, + "OneCryptoLoaderDxeFromMm: Invalid size-query response total=0x%x returned=0x%x msgSize=0x%Lx\n", + Msg->TotalImageSize, + Msg->ReturnedSize, + (UINT64)MsgSize + )); + Status = EFI_PROTOCOL_ERROR; + goto Exit; + } + + // Validate ImageGuid in size-query response for consistency with chunk validation. + if (!CompareGuid (&Msg->ImageGuid, &mOneCryptoBinaryGuid)) { + DEBUG (( + DEBUG_ERROR, + "OneCryptoLoaderDxeFromMm: ImageGuid mismatch in size-query response\n" + )); + Status = EFI_COMPROMISED_DATA; + goto Exit; + } + + // Snapshot TotalImageSize from the size-query response into a local variable. + // All subsequent loop logic and the final *ImageSize use this value exclusively + // to detect mid-transfer tampering and prevent heap-overflow via inflated totals. + ExpectedTotal = Msg->TotalImageSize; + *Format = Msg->Format; + + LocalImage = AllocatePool (ExpectedTotal); + if (LocalImage == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto Exit; + } + + ChunkCapacity = CommBufferAllocSize - OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data) - HeaderSize; + if (ChunkCapacity == 0) { + Status = EFI_BAD_BUFFER_SIZE; + FreePool (LocalImage); + goto Exit; + } + + Offset = 0; + while (Offset < ExpectedTotal) { + Remaining = ExpectedTotal - Offset; + ThisChunk = (Remaining < ChunkCapacity) ? Remaining : ChunkCapacity; + + Status = SendImageProviderRequest ( + MmComm, + &CommBuffer, + &CommBufferAllocSize, + Offset, + (UINT32)ThisChunk, + &Msg, + &MsgSize + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "OneCryptoLoaderDxeFromMm: Chunk request failed offset=0x%Lx req=0x%Lx status=%r\n", + (UINT64)Offset, + (UINT64)ThisChunk, + Status + )); + FreePool (LocalImage); + goto Exit; + } + + ChunkCapacity = CommBufferAllocSize - OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data) - HeaderSize; + if (ChunkCapacity == 0) { + Status = EFI_BAD_BUFFER_SIZE; + FreePool (LocalImage); + goto Exit; + } + + if ((Msg->ReturnedSize == 0) || (Msg->ReturnedSize > ThisChunk)) { + DEBUG (( + DEBUG_ERROR, + "OneCryptoLoaderDxeFromMm: Invalid chunk response offset=0x%Lx requested=0x%Lx returned=0x%x total=0x%x msgSize=0x%Lx\n", + (UINT64)Offset, + (UINT64)ThisChunk, + Msg->ReturnedSize, + Msg->TotalImageSize, + (UINT64)MsgSize + )); + Status = EFI_PROTOCOL_ERROR; + FreePool (LocalImage); + goto Exit; + } + + // Reject any chunk response where TotalImageSize differs from the + // size-query value — indicates a tampered or inconsistent MM provider. + if (Msg->TotalImageSize != ExpectedTotal) { + DEBUG (( + DEBUG_ERROR, + "OneCryptoLoaderDxeFromMm: TotalImageSize changed mid-transfer expected=0x%x got=0x%x\n", + ExpectedTotal, + Msg->TotalImageSize + )); + Status = EFI_COMPROMISED_DATA; + FreePool (LocalImage); + goto Exit; + } + + if (!CompareGuid (&Msg->ImageGuid, &mOneCryptoBinaryGuid)) { + DEBUG (( + DEBUG_ERROR, + "OneCryptoLoaderDxeFromMm: ImageGuid mismatch in chunk response offset=0x%Lx\n", + (UINT64)Offset + )); + Status = EFI_COMPROMISED_DATA; + FreePool (LocalImage); + goto Exit; + } + + CopyMem ((UINT8 *)LocalImage + Offset, Msg->Data, Msg->ReturnedSize); + Offset += Msg->ReturnedSize; + } + + *ImageData = LocalImage; + *ImageSize = ExpectedTotal; + Status = EFI_SUCCESS; + +Exit: + if (CommBuffer != NULL) { + FreePool (CommBuffer); + } + + return Status; +} + +/** + DXE entry point. +**/ +EFI_STATUS +EFIAPI +DxeEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + VOID *SectionData; + UINTN SectionSize; + CRYPTO_ENTRY Entry; + EFI_LOADED_IMAGE_PROTOCOL *LoadedImage; + EFI_HANDLE LoadedImageHandle; + UINT32 CryptoSize; + UINT32 ImageFormat; + + LoadedImageHandle = NULL; + LoadedImage = NULL; + SectionData = NULL; + SectionSize = 0; + CryptoSize = 0; + ImageFormat = ONE_CRYPTO_IMAGE_FORMAT_PE32; + + if (mOneCryptoDepends == NULL) { + mOneCryptoDepends = AllocatePool (sizeof (*mOneCryptoDepends)); + if (mOneCryptoDepends == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + InstallSharedDependencies (mOneCryptoDepends); + } + + Status = FetchImageFromMm (&SectionData, &SectionSize, &ImageFormat); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: FetchImageFromMm failed: %r\n", Status)); + return Status; + } + + // + // When the secure-world provider cannot afford to LZMA-decode the nested FV, + // it hands over the compressed stream instead. Decompress it here (normal + // world has ample memory) and extract the OneCrypto PE32 to load. + // + if (ImageFormat == ONE_CRYPTO_IMAGE_FORMAT_LZMA_FV) { + VOID *Pe32Data; + UINTN Pe32Size; + + Status = ExtractOneCryptoPe32FromLzmaFv (SectionData, SectionSize, &Pe32Data, &Pe32Size); + FreePool (SectionData); + SectionData = NULL; + SectionSize = 0; + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: ExtractOneCryptoPe32FromLzmaFv failed: %r\n", Status)); + return Status; + } + + SectionData = Pe32Data; + SectionSize = Pe32Size; + } + + Status = SystemTable->BootServices->LoadImage ( + FALSE, + ImageHandle, + NULL, + SectionData, + SectionSize, + &LoadedImageHandle + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: LoadImage failed: %r\n", Status)); + goto Exit; + } + + Status = SystemTable->BootServices->HandleProtocol ( + LoadedImageHandle, + &gEfiLoadedImageProtocolGuid, + (VOID **)&LoadedImage + ); + if (EFI_ERROR (Status) || (LoadedImage == NULL)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: HandleProtocol(LoadedImage) failed: %r\n", Status)); + goto Exit; + } + + Status = GetEntryFromLoadedImage (LoadedImage, &Entry); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: GetEntryFromLoadedImage failed: %r\n", Status)); + goto Exit; + } + + Status = Entry (mOneCryptoDepends, NULL, &CryptoSize); + if ((Status != EFI_BUFFER_TOO_SMALL) || (CryptoSize == 0)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: Failed to query crypto protocol size: %r\n", Status)); + goto Exit; + } + + mOneCryptoProtocol = AllocatePool (CryptoSize); + if (mOneCryptoProtocol == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto Exit; + } + + Status = Entry (mOneCryptoDepends, &mOneCryptoProtocol, &CryptoSize); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: Crypto entry failed: %r\n", Status)); + FreePool (mOneCryptoProtocol); + mOneCryptoProtocol = NULL; + goto Exit; + } + + Status = SystemTable->BootServices->InstallMultipleProtocolInterfaces ( + &ImageHandle, + &gOneCryptoProtocolGuid, + mOneCryptoProtocol, + NULL + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "OneCryptoLoaderDxeFromMm: InstallProtocol failed: %r\n", Status)); + goto Exit; + } + + Status = EFI_SUCCESS; + +Exit: + if (SectionData != NULL) { + FreePool (SectionData); + } + + if ((Status != EFI_SUCCESS) && (mOneCryptoDepends != NULL)) { + FreePool (mOneCryptoDepends); + mOneCryptoDepends = NULL; + } + + return Status; +} diff --git a/OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeFromMm.inf b/OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeFromMm.inf new file mode 100644 index 000000000..b753c8d00 --- /dev/null +++ b/OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeFromMm.inf @@ -0,0 +1,54 @@ +## @file +# Loads OneCrypto from StandaloneMM image provider and installs OneCrypto protocol. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = OneCryptoLoaderDxeFromMm + FILE_GUID = 9CAAC6D7-7A89-4A1D-AB95-08CD20B8E44A + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = DxeEntryPoint + +[Sources] + OneCryptoLoaderDxeFromMm.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + CryptoPkg/CryptoPkg.dec + OneCryptoPkg/OneCryptoPkg.dec + +[LibraryClasses] + UefiDriverEntryPoint + DebugLib + BaseMemoryLib + MemoryAllocationLib + DxeServicesLib + FvLib + LzmaDecompressLib + PeCoffGetEntryPointLib + PeCoffLib + PeCoffExtraActionLib + PeCoffExtendedLib + UefiBootServicesTableLib + UefiRuntimeServicesTableLib + SafeIntLib + RngLib + +[Protocols] + gOneCryptoProtocolGuid ## PRODUCES + gEfiRngProtocolGuid ## CONSUMES + gEfiMmCommunication2ProtocolGuid ## CONSUMES + +[Guids] + gOneCryptoImageProviderGuid ## CONSUMES + +[Depex] + gEfiMmCommunication2ProtocolGuid + +[BuildOptions] + GCC:*_CLANGPDB_*_DLINK_FLAGS = /ALIGN:4096 diff --git a/OneCryptoPkg/OneCryptoPkg.dec b/OneCryptoPkg/OneCryptoPkg.dec index 89fd9f8f3..871a997e7 100644 --- a/OneCryptoPkg/OneCryptoPkg.dec +++ b/OneCryptoPkg/OneCryptoPkg.dec @@ -26,6 +26,9 @@ [Guids] gOneCryptoPkgTokenSpaceGuid = { 0x36470E80, 0x36F2, 0x4BA0, { 0x8C, 0xC8, 0x93, 0x7C, 0x7D, 0x9F, 0xF8, 0x88 } } + ## OneCrypto image provider MM communication handler GUID + gOneCryptoImageProviderGuid = { 0x5B9B9A72, 0xA4DF, 0x4D57, { 0xA1, 0xD3, 0x3A, 0x88, 0xEF, 0xB2, 0x5B, 0x9E } } + [Protocols] ## OneCrypto Private Protocol ## diff --git a/OneCryptoPkg/OneCryptoPkg.dsc b/OneCryptoPkg/OneCryptoPkg.dsc index c17d3c20a..644f5be7b 100644 --- a/OneCryptoPkg/OneCryptoPkg.dsc +++ b/OneCryptoPkg/OneCryptoPkg.dsc @@ -1,384 +1,500 @@ -## @file -# OneCryptoPkg DSC file -# -# Copyright (c) Microsoft Corporation. -# SPDX-License-Identifier: BSD-2-Clause-Patent -# - -[Defines] - PLATFORM_NAME = OneCryptoPkg - PLATFORM_GUID = 36470E85-36F2-4BA0-8CC8-937C7D9FF888 - PLATFORM_VERSION = 1.0 - DSC_SPECIFICATION = 0x00010005 - OUTPUT_DIRECTORY = Build/OneCryptoPkg - SUPPORTED_ARCHITECTURES = X64|AARCH64 - BUILD_TARGETS = DEBUG|RELEASE|NOOPT - SKUID_IDENTIFIER = DEFAULT - -!ifndef NON_ACCEL - DEFINE NON_ACCEL = FALSE -!endif - - -[PcdsPatchableInModule.X64] - gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 - -[PcdsFeatureFlag.X64] - # Enable NASM assembly source style for accelerated OpenSSL crypto - gEfiCryptoPkgTokenSpaceGuid.PcdOpensslLibAssemblySourceStyleNasm|TRUE - -[PcdsPatchableInModule.AARCH64] - gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 - -[PcdsFeatureFlag.AARCH64] - # - # Use the PE target assembly source files when building with the CLANGPDB - # toolchain. - # GCC and CLANGDWARF use the default PCD value of ELF target assembly source files. - # - !if "$(TOOL_CHAIN_TAG)" == "CLANGPDB" - gEfiCryptoPkgTokenSpaceGuid.PcdOpensslLibAssemblySourceStylePe|TRUE - !endif - -[PcdsFixedAtBuild.X64] - # Ensure DEBUG prints are enabled (excluding VERBOSE: 0x8040004F & ~0x00400000 = 0x8000004F) - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F - gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x8000004F - - # OneCryptoPkg Debug Configuration - # DEBUG builds: Enable Debug Print (BIT1) and Debug Code (BIT2) = 0x06 - # RELEASE builds: Disable all debug features = 0x00 - # Note: Debug Clear Memory (BIT3) is intentionally disabled for all builds -!if $(TARGET) == DEBUG - gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x06 - gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0xFFFFFFFF -!else - gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x00 - gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000 -!endif - -[PcdsFixedAtBuild.AARCH64] - # Ensure DEBUG prints are enabled (excluding VERBOSE: 0x8040004F & ~0x00400000 = 0x8000004F) - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F - gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x8000004F - - # OneCryptoPkg Debug Configuration - # DEBUG builds: Enable Debug Print (BIT1) and Debug Code (BIT2) = 0x06 - # RELEASE builds: Disable all debug features = 0x00 - # Note: Debug Clear Memory (BIT3) is intentionally disabled for all builds -!if $(TARGET) == DEBUG - gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x06 - gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0xFFFFFFFF -!else - gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x00 - gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000 -!endif - -[LibraryClasses.AARCH64] - CompilerIntrinsicsLib|MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf - -[Components.X64] - - ## OneCryptBin meant for StandaloneMm - # - # This binary provides the crypto for a StandaloneMm based platform. - ## - OneCryptoPkg/OneCryptoBin/OneCryptoBinStandaloneMm.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf - TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf - IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf - OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf - StandaloneMmDriverEntryPoint | OneCryptoPkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf - ############################################################################# - ## Crypto Provider - ############################################################################# - FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf - RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf - DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf - MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf - RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf - TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf - !if $(NON_ACCEL) == TRUE - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf - !else - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf - !endif - } - - OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderStandaloneMm.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf - HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf - PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf - PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf - CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf - StandaloneMmDriverEntryPoint | MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf - MmServicesTableLib | MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf - MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf - HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf - FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf - } - - ## OneCryptBin meant for SupvMm - # - # This binary provides the crypto for a SupvMm based platform. - ## - OneCryptoPkg/OneCryptoBin/OneCryptoBinSupvMm.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf - TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf - IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf - OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf - StandaloneMmDriverEntryPoint | OneCryptoPkg/Library/SupvStandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf - ############################################################################# - ## Crypto Provider - ############################################################################# - FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf - RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf - DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf - MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf - RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf - TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf - !if $(NON_ACCEL) == TRUE - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf - !else - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf - !endif - } - - OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxe.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf - UefiLib | MdePkg/Library/UefiLib/UefiLib.inf - UefiRuntimeServicesTableLib | MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf - DevicePathLib | MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLibDevicePathProtocol.inf - RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. - PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf - PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf - PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf - CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf - NULL | MdePkg/Library/StackCheckLib/StackCheckLib.inf - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf - HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - UefiDriverEntryPoint | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf - UefiBootServicesTableLib | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf - MemoryAllocationLib | MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf - DxeServicesLib | MdePkg/Library/DxeServicesLib/DxeServicesLib.inf - DxeServicesTableLib | MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf ## NOT NEEDED - DebugLib | AdvLoggerPkg/Library/BaseDebugLibAdvancedLogger/BaseDebugLibAdvancedLogger.inf - DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf - AdvancedLoggerLib | AdvLoggerPkg/Library/AdvancedLoggerLib/Dxe/AdvancedLoggerLib.inf - AssertLib | AdvLoggerPkg/Library/AssertLib/AssertLib.inf - } - - OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderSupvMm.inf { - - BaseLib | MmSupervisorPkg/Library/BaseLibSysCall/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf - HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf - PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf - PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf - CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf - SysCallLib | MmSupervisorPkg/Library/SysCallLib/SysCallLib.inf - StandaloneMmDriverEntryPoint | MmSupervisorPkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf - MmServicesTableLib | MmSupervisorPkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf - MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf - HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf - FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf - } - -[Components.AARCH64] - - ## OneCryptBin meant for StandaloneMm - # - # This binary provides the crypto for a StandaloneMm based platform. - ## - OneCryptoPkg/OneCryptoBin/OneCryptoBinStandaloneMm.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf - TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf - IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf - OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf - StandaloneMmDriverEntryPoint | OneCryptoPkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf - ############################################################################# - ## Crypto Provider - ############################################################################# - FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf - RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf - DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf - MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf - RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf - TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf - !if $(NON_ACCEL) == TRUE - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf - !else - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf - !endif - NULL | MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf - } - - OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderStandaloneMm.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf - HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf - PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf - PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf - CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf - StandaloneMmDriverEntryPoint | MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf - MmServicesTableLib | MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf - MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf - HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf - FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf - } - - ############################################################################# - ## AARCH64 OneCryptoBin START - ## - ## AARCH64 requires 4 binaries instead of the normal 3 for X64: - ## 1. OneCryptoBinDxe - DXE binary that installs private protocol - ## 2. OneCryptoLoaderDxeProtocol - DXE loader (consumes private protocol) - ## 3. OneCryptoBinStandaloneMm - MM binary for secure world - ## 4. OneCryptoLoaderStandaloneMm - MM loader - ## - ## This is because the DXE loader cannot locate the StMM binary due to - ## secure world layout differences on AARCH64. - ############################################################################# - - ## OneCryptoBinDxe for AARCH64 - # - # This binary provides the crypto for DXE phase on AARCH64 platforms. - # It installs gOneCryptoPrivateProtocolGuid for the protocol-based loader. - ## - OneCryptoPkg/OneCryptoBin/OneCryptoBinDxe.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf - TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf - IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf - OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf - UefiDriverEntryPoint | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf - UefiBootServicesTableLib | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf - ############################################################################# - ## Crypto Provider - ############################################################################# - FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf - RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf - DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf - MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf - RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf - TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf - !if $(NON_ACCEL) == TRUE - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf - !else - OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf - !endif - NULL | MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf - } - - ## OneCryptoLoaderDxeByProtocol for AARCH64 - # - # This loader consumes gOneCryptoPrivateProtocolGuid installed by OneCryptoBinDxe - # and produces gOneCryptoProtocolGuid for consumers. - ## - OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeByProtocol.inf { - - BaseLib | MdePkg/Library/BaseLib/BaseLib.inf - BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf - PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf - PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf - UefiLib | MdePkg/Library/UefiLib/UefiLib.inf - UefiRuntimeServicesTableLib | MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf - DevicePathLib | MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLibDevicePathProtocol.inf - RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. - RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf - HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf - StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf - StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf - UefiDriverEntryPoint | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf - UefiBootServicesTableLib | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf - MemoryAllocationLib | MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf - DebugLib | AdvLoggerPkg/Library/BaseDebugLibAdvancedLogger/BaseDebugLibAdvancedLogger.inf - DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf - AdvancedLoggerLib | AdvLoggerPkg/Library/AdvancedLoggerLib/Dxe/AdvancedLoggerLib.inf - AssertLib | AdvLoggerPkg/Library/AssertLib/AssertLib.inf - } - - ############################################################################# - ## AARCH64 OneCryptoBin END - ############################################################################# - -[BuildOptions] - *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES -D ENABLE_MD5_DEPRECATED_INTERFACES - MSFT:*_*_*_DLINK_FLAGS = /IGNORE:4217 - RELEASE_*_*_CC_FLAGS = -D MDEPKG_NDEBUG - -[BuildOptions.AARCH64] - GCC:*_*_*_CC_FLAGS = -mbranch-protection=standard +## @file +# OneCryptoPkg DSC file +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# + +[Defines] + PLATFORM_NAME = OneCryptoPkg + PLATFORM_GUID = 36470E85-36F2-4BA0-8CC8-937C7D9FF888 + PLATFORM_VERSION = 1.0 + DSC_SPECIFICATION = 0x00010005 + OUTPUT_DIRECTORY = Build/OneCryptoPkg + SUPPORTED_ARCHITECTURES = X64|AARCH64 + BUILD_TARGETS = DEBUG|RELEASE|NOOPT + SKUID_IDENTIFIER = DEFAULT + +!ifndef NON_ACCEL + DEFINE NON_ACCEL = FALSE +!ifndef ONE_CRYPTO_DISABLE_TLS + DEFINE ONE_CRYPTO_DISABLE_TLS = FALSE # Set TRUE to build OneCrypto without TLS (TlsLibNull + crypto-only OpenSSL) to slim the binary +!endif +!endif + + +[PcdsPatchableInModule.X64] + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 + +[PcdsFeatureFlag.X64] + # Enable NASM assembly source style for accelerated OpenSSL crypto + gEfiCryptoPkgTokenSpaceGuid.PcdOpensslLibAssemblySourceStyleNasm|TRUE + +[PcdsPatchableInModule.AARCH64] + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 + +[PcdsFeatureFlag.AARCH64] + # + # Use the PE target assembly source files when building with the CLANGPDB + # toolchain. + # GCC and CLANGDWARF use the default PCD value of ELF target assembly source files. + # + !if "$(TOOL_CHAIN_TAG)" == "CLANGPDB" + gEfiCryptoPkgTokenSpaceGuid.PcdOpensslLibAssemblySourceStylePe|TRUE + !endif + +[PcdsFixedAtBuild.X64] + # Ensure DEBUG prints are enabled (excluding VERBOSE: 0x8040004F & ~0x00400000 = 0x8000004F) + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x8000004F + + # OneCryptoPkg Debug Configuration + # DEBUG builds: Enable Debug Print (BIT1) and Debug Code (BIT2) = 0x06 + # RELEASE builds: Disable all debug features = 0x00 + # Note: Debug Clear Memory (BIT3) is intentionally disabled for all builds +!if $(TARGET) == DEBUG + gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x06 + gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0xFFFFFFFF +!else + gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x00 + gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000 +!endif + +[PcdsFixedAtBuild.AARCH64] + # Platform override for AARCH64 StandaloneMM serial debug output + gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0xFEDCA000 + gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate|3000000 + + # Ensure DEBUG prints are enabled (excluding VERBOSE: 0x8040004F & ~0x00400000 = 0x8000004F) + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x8000004F + # StandaloneMM under Hafnium uses SVC conduit for FF-A calls. + gEfiMdeModulePkgTokenSpaceGuid.PcdFfaLibConduitSmc|FALSE + + # OneCryptoPkg Debug Configuration + # DEBUG builds: Enable Debug Print (BIT1) and Debug Code (BIT2) = 0x06 + # RELEASE builds: Disable all debug features = 0x00 + # Note: Debug Clear Memory (BIT3) is intentionally disabled for all builds +!if $(TARGET) == DEBUG + gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x06 + gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0xFFFFFFFF +!else + gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x00 + gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000 +!endif + +[LibraryClasses.AARCH64] + CompilerIntrinsicsLib|MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf + +[Components.X64] + + ## OneCryptBin meant for StandaloneMm + # + # This binary provides the crypto for a StandaloneMm based platform. + ## + OneCryptoPkg/OneCryptoBin/OneCryptoBinStandaloneMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf +!if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + TlsLib | CryptoPkg/Library/TlsLibNull/TlsLibNull.inf +!else + TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf +!endif + IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf + StandaloneMmDriverEntryPoint | OneCryptoPkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + ############################################################################# + ## Crypto Provider + ############################################################################# + FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf + RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf + DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf + MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf + RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf + TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf + !if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullCrypto.inf + !else + !if $(NON_ACCEL) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf + !else + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf + !endif + !endif + } + + OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderStandaloneMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + SerialPortLib | MdeModulePkg/Library/BaseSerialPortLib16550/BaseSerialPortLib16550.inf + IoLib | MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf + PlatformHookLib | MdeModulePkg/Library/BasePlatformHookLibNull/BasePlatformHookLibNull.inf + PciLib | MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + PciCf8Lib | MdePkg/Library/BasePciCf8Lib/BasePciCf8Lib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf + HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf + PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf + CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf + StandaloneMmDriverEntryPoint | MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + MmServicesTableLib | MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf + MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf + HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf + FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf + } + + OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderStandaloneMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + SerialPortLib | MdeModulePkg/Library/BaseSerialPortLib16550/BaseSerialPortLib16550.inf + IoLib | MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf + PlatformHookLib | MdeModulePkg/Library/BasePlatformHookLibNull/BasePlatformHookLibNull.inf + PciLib | MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + PciCf8Lib | MdePkg/Library/BasePciCf8Lib/BasePciCf8Lib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf + StandaloneMmDriverEntryPoint | MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + MmServicesTableLib | MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf + HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf + FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf + ExtractGuidedSectionLib | StandaloneMmPkg/Library/StandaloneMmExtractGuidedSectionLib/StandaloneMmExtractGuidedSectionLib.inf + } + + ## OneCryptBin meant for SupvMm + # + # This binary provides the crypto for a SupvMm based platform. + ## + OneCryptoPkg/OneCryptoBin/OneCryptoBinSupvMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf +!if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + TlsLib | CryptoPkg/Library/TlsLibNull/TlsLibNull.inf +!else + TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf +!endif + IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf + StandaloneMmDriverEntryPoint | OneCryptoPkg/Library/SupvStandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + ############################################################################# + ## Crypto Provider + ############################################################################# + FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf + RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf + DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf + MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf + RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf + TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf + !if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullCrypto.inf + !else + !if $(NON_ACCEL) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf + !else + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf + !endif + !endif + } + + OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxe.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + UefiLib | MdePkg/Library/UefiLib/UefiLib.inf + UefiRuntimeServicesTableLib | MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf + DevicePathLib | MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLibDevicePathProtocol.inf + RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. + PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf + PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf + CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf + NULL | MdePkg/Library/StackCheckLib/StackCheckLib.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf + HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + UefiDriverEntryPoint | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf + UefiBootServicesTableLib | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf + MemoryAllocationLib | MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf + DxeServicesLib | MdePkg/Library/DxeServicesLib/DxeServicesLib.inf + DxeServicesTableLib | MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf ## NOT NEEDED + DebugLib | AdvLoggerPkg/Library/BaseDebugLibAdvancedLogger/BaseDebugLibAdvancedLogger.inf + DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + AdvancedLoggerLib | AdvLoggerPkg/Library/AdvancedLoggerLib/Dxe/AdvancedLoggerLib.inf + AssertLib | AdvLoggerPkg/Library/AssertLib/AssertLib.inf + } + + OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderSupvMm.inf { + + BaseLib | MmSupervisorPkg/Library/BaseLibSysCall/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf + HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf + PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf + CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf + SysCallLib | MmSupervisorPkg/Library/SysCallLib/SysCallLib.inf + StandaloneMmDriverEntryPoint | MmSupervisorPkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + MmServicesTableLib | MmSupervisorPkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf + MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf + HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf + FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf + } + +[Components.AARCH64] + + ## OneCryptBin meant for StandaloneMm + # + # This binary provides the crypto for a StandaloneMm based platform. + ## + OneCryptoPkg/OneCryptoBin/OneCryptoBinStandaloneMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf +!if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + TlsLib | CryptoPkg/Library/TlsLibNull/TlsLibNull.inf +!else + TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf +!endif + IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf + StandaloneMmDriverEntryPoint | OneCryptoPkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + ############################################################################# + ## Crypto Provider + ############################################################################# + FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf + RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf + DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf + MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf + RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf + TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf + !if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullCrypto.inf + !else + !if $(NON_ACCEL) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf + !else + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf + !endif + !endif + NULL | MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf + } + + OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderStandaloneMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + SerialPortLib | ArmPlatformPkg/Library/PL011SerialPortLib/PL011SerialPortLib.inf + PL011UartClockLib | ArmPlatformPkg/Library/PL011UartClockLib/PL011UartClockLib.inf + PL011UartLib | ArmPlatformPkg/Library/PL011UartLib/PL011UartLib.inf + IoLib | MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf + HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf + PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf + CacheMaintenanceLib | MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf + StandaloneMmDriverEntryPoint | MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + MmServicesTableLib | MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf + MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf + HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf + FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf + } + + OneCryptoPkg/OneCryptoLoaders/OneCryptoImageProviderStandaloneMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + DebugLib | MdeModulePkg/Library/ArmFfaConsoleDebugLib/ArmFfaConsoleDebugStandaloneMmLib.inf + DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + SerialPortLib | ArmPlatformPkg/Library/PL011SerialPortLib/PL011SerialPortLib.inf + PL011UartClockLib | ArmPlatformPkg/Library/PL011UartClockLib/PL011UartClockLib.inf + PL011UartLib | ArmPlatformPkg/Library/PL011UartLib/PL011UartLib.inf + ArmSmcLib | MdePkg/Library/ArmSmcLib/ArmSmcLib.inf + ArmSvcLib | MdePkg/Library/ArmSvcLib/ArmSvcLib.inf + IoLib | MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + MemoryAllocationLib | StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf + StandaloneMmDriverEntryPoint | MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf + MmServicesTableLib | MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf + HobLib | StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLib.inf + FvLib | StandaloneMmPkg/Library/FvLib/FvLib.inf + ExtractGuidedSectionLib | StandaloneMmPkg/Library/StandaloneMmExtractGuidedSectionLib/StandaloneMmExtractGuidedSectionLib.inf + } + + ############################################################################# + ## AARCH64 OneCryptoBin START + ## + ## AARCH64 requires 4 binaries instead of the normal 3 for X64: + ## 1. OneCryptoBinDxe - DXE binary that installs private protocol + ## 2. OneCryptoLoaderDxeProtocol - DXE loader (consumes private protocol) + ## 3. OneCryptoBinStandaloneMm - MM binary for secure world + ## 4. OneCryptoLoaderStandaloneMm - MM loader + ## + ## This is because the DXE loader cannot locate the StMM binary due to + ## secure world layout differences on AARCH64. + ############################################################################# + + ## OneCryptoBinDxe for AARCH64 + # + # This binary provides the crypto for DXE phase on AARCH64 platforms. + # It installs gOneCryptoPrivateProtocolGuid for the protocol-based loader. + ## + OneCryptoPkg/OneCryptoBin/OneCryptoBinDxe.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + BaseCryptLib | OpensslPkg/Library/BaseCryptLib/BaseCryptLib.inf +!if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + TlsLib | CryptoPkg/Library/TlsLibNull/TlsLibNull.inf +!else + TlsLib | OpensslPkg/Library/TlsLib/TlsLib.inf +!endif + IntrinsicLib | CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OneCryptoCrtLib | OneCryptoPkg/Library/OneCryptoCrtLib/OneCryptoCrtLib.inf + UefiDriverEntryPoint | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf + UefiBootServicesTableLib | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf + ############################################################################# + ## Crypto Provider + ############################################################################# + FltUsedLib | MsCorePkg/Library/FltUsedLib/FltUsedLib.inf + RealTimeClockLib | OneCryptoPkg/Library/RealTimeClockLibOnOneCrypto/RealTimeClockLibOnOneCrypto.inf + DebugLib | OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.inf + MemoryAllocationLib | OneCryptoPkg/Library/MemoryAllocationLibOnOneCrypto/MemoryAllocationLibOnOneCrypto.inf + RngLib | OneCryptoPkg/Library/RngLibOnOneCrypto/RngLibOnOneCrypto.inf + TimerLib | OneCryptoPkg/Library/TimerLibOnOneCrypto/TimerLibOnOneCrypto.inf + !if $(ONE_CRYPTO_DISABLE_TLS) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullCrypto.inf + !else + !if $(NON_ACCEL) == TRUE + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFull.inf + !else + OpensslLib | OpensslPkg/Library/OpensslLib/OpensslLibFullAccel.inf + !endif + !endif + NULL | MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf + } + + ## OneCryptoLoaderDxeFromMm for AARCH64 + # + # This loader fetches OneCrypto PE bytes from StandaloneMM over + # gEfiMmCommunication2ProtocolGuid, then LoadImage()s and publishes + # gOneCryptoProtocolGuid for DXE consumers. + ## + OneCryptoPkg/OneCryptoLoaders/OneCryptoLoaderDxeFromMm.inf { + + BaseLib | MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib | MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PcdLib | MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + PrintLib | MdePkg/Library/BasePrintLib/BasePrintLib.inf + UefiLib | MdePkg/Library/UefiLib/UefiLib.inf + UefiRuntimeServicesTableLib | MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf + DevicePathLib | MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLibDevicePathProtocol.inf + RngLib | MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf # Drivers should use the protocol, GetRandomNumber64 will not work. + PeCoffLib | MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + PeCoffExtraActionLib | MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf + PeCoffExtendedLib | OneCryptoPkg/Library/PeCoffExtendedLib/PeCoffExtendedLib.inf + PeCoffGetEntryPointLib | MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf + DxeServicesLib | MdePkg/Library/DxeServicesLib/DxeServicesLib.inf + FvLib | MdePkg/Library/FvLib/FvLib.inf + LzmaDecompressLib | MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLib.inf + RegisterFilterLib | MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf + HobLib | MdePkg/Library/DxeHobLib/DxeHobLib.inf + StackCheckFailureHookLib | MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf + StackCheckLib | MdePkg/Library/StackCheckLib/StackCheckLib.inf + SafeIntLib | MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + UefiDriverEntryPoint | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf + UefiBootServicesTableLib | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf + MemoryAllocationLib | MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf + DebugLib | AdvLoggerPkg/Library/BaseDebugLibAdvancedLogger/BaseDebugLibAdvancedLogger.inf + DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + AdvancedLoggerLib | AdvLoggerPkg/Library/AdvancedLoggerLib/Dxe/AdvancedLoggerLib.inf + AssertLib | AdvLoggerPkg/Library/AssertLib/AssertLib.inf + } + + ############################################################################# + ## AARCH64 OneCryptoBin END + ############################################################################# + +[BuildOptions] + *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES -D ENABLE_MD5_DEPRECATED_INTERFACES + MSFT:*_*_*_DLINK_FLAGS = /IGNORE:4217 + RELEASE_*_*_CC_FLAGS = -D MDEPKG_NDEBUG + +[BuildOptions.AARCH64] + GCC:*_*_*_CC_FLAGS = -mbranch-protection=standard diff --git a/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py b/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py index 2a69a85d2..588e1b214 100644 --- a/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py +++ b/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py @@ -193,12 +193,15 @@ def driver_files(driver_dir, driver_name, new_name): (f"{workspace}/OneCryptoPkg/OneCryptoBin/Integration/OneCryptoBinStandaloneMm.inf", "OneCryptoBinStandaloneMm.inf"), ], "OneCryptoLoaders": [ - # OneCryptoBinDxeLoader (OneCryptoLoaderDxe) - *driver_files(f"{package_build_dir}/OneCryptoLoaders/OneCryptoLoaderDxeByProtocol", "OneCryptoLoaderDxe", "OneCryptoLoaderDxe"), + # OneCryptoBinDxeLoader (QAV path: OneCryptoLoaderDxeFromMm, packaged as OneCryptoLoaderDxe) + *driver_files(f"{package_build_dir}/OneCryptoLoaders/OneCryptoLoaderDxeFromMm", "OneCryptoLoaderDxeFromMm", "OneCryptoLoaderDxe"), (f"{workspace}/OneCryptoPkg/OneCryptoLoaders/Integration/OneCryptoLoaderDxe.inf", "OneCryptoLoaderDxe.inf"), # OneCryptoBinStandaloneMmLoader (OneCryptoLoaderStandaloneMm) *driver_files(f"{package_build_dir}/OneCryptoLoaders/OneCryptoLoaderStandaloneMm", "OneCryptoLoaderStandaloneMm", "OneCryptoLoaderStandaloneMm"), (f"{workspace}/OneCryptoPkg/OneCryptoLoaders/Integration/OneCryptoLoaderStandaloneMm.inf", "OneCryptoLoaderStandaloneMm.inf"), + # StandaloneMM image provider for QAV fetch path + *driver_files(f"{package_build_dir}/OneCryptoLoaders/OneCryptoImageProviderStandaloneMm", "OneCryptoImageProviderStandaloneMm", "OneCryptoImageProviderStandaloneMm"), + (f"{workspace}/OneCryptoPkg/OneCryptoLoaders/Integration/OneCryptoImageProviderStandaloneMm.inf", "OneCryptoImageProviderStandaloneMm.inf"), ], "BuildInfo": [ (f"{build_output}/BUILD_REPORT.TXT", "BUILD_REPORT.TXT"), diff --git a/OpensslPkg/Library/OpensslLib/OpensslLibFullCrypto.inf b/OpensslPkg/Library/OpensslLib/OpensslLibFullCrypto.inf new file mode 100644 index 000000000..75182c2d3 --- /dev/null +++ b/OpensslPkg/Library/OpensslLib/OpensslLibFullCrypto.inf @@ -0,0 +1,823 @@ +## @file +# This module provides OpenSSL Library implementation with full crypto +# (including ECC) but WITHOUT the TLS/libssl sources. +# +# This is OpensslLibFull minus the ssl/ source files (except the two +# constant-time CBC helpers that the crypto providers require), for modules +# that need the complete asymmetric crypto set (X509, PEM, ECDSA) but do not +# use TLS. Pairs with TlsLibNull to slim the binary (MU_CHANGE). +# +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.
+# (C) Copyright 2020 Hewlett Packard Enterprise Development LP
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = OpensslLibFullCrypto + FILE_GUID = FADCE083-63EF-4A8B-B904-6F7A1ABA7B11 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = OpensslLib + CONSTRUCTOR = OpensslLibConstructor + + DEFINE OPENSSL_PATH = openssl + DEFINE OPENSSL_GEN_PATH = OpensslGen + DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_ASM + DEFINE OPENSSL_FLAGS_NOASM = + +[Sources] + OpensslLibConstructor.c + $(OPENSSL_PATH)/ms/uplink.h +# Autogenerated files list starts here + $(OPENSSL_PATH)/crypto/aes/aes_cbc.c + $(OPENSSL_PATH)/crypto/aes/aes_cfb.c + $(OPENSSL_PATH)/crypto/aes/aes_core.c + $(OPENSSL_PATH)/crypto/aes/aes_ecb.c + $(OPENSSL_PATH)/crypto/aes/aes_ige.c + $(OPENSSL_PATH)/crypto/aes/aes_misc.c + $(OPENSSL_PATH)/crypto/aes/aes_ofb.c + $(OPENSSL_PATH)/crypto/aes/aes_wrap.c + $(OPENSSL_PATH)/crypto/asn1/a_bitstr.c + $(OPENSSL_PATH)/crypto/asn1/a_d2i_fp.c + $(OPENSSL_PATH)/crypto/asn1/a_digest.c + $(OPENSSL_PATH)/crypto/asn1/a_dup.c + $(OPENSSL_PATH)/crypto/asn1/a_gentm.c + $(OPENSSL_PATH)/crypto/asn1/a_i2d_fp.c + $(OPENSSL_PATH)/crypto/asn1/a_int.c + $(OPENSSL_PATH)/crypto/asn1/a_mbstr.c + $(OPENSSL_PATH)/crypto/asn1/a_object.c + $(OPENSSL_PATH)/crypto/asn1/a_octet.c + $(OPENSSL_PATH)/crypto/asn1/a_print.c + $(OPENSSL_PATH)/crypto/asn1/a_sign.c + $(OPENSSL_PATH)/crypto/asn1/a_strex.c + $(OPENSSL_PATH)/crypto/asn1/a_strnid.c + $(OPENSSL_PATH)/crypto/asn1/a_time.c + $(OPENSSL_PATH)/crypto/asn1/a_type.c + $(OPENSSL_PATH)/crypto/asn1/a_utctm.c + $(OPENSSL_PATH)/crypto/asn1/a_utf8.c + $(OPENSSL_PATH)/crypto/asn1/a_verify.c + $(OPENSSL_PATH)/crypto/asn1/ameth_lib.c + $(OPENSSL_PATH)/crypto/asn1/asn1_err.c + $(OPENSSL_PATH)/crypto/asn1/asn1_gen.c + $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.c + $(OPENSSL_PATH)/crypto/asn1/asn1_lib.c + $(OPENSSL_PATH)/crypto/asn1/asn1_parse.c + $(OPENSSL_PATH)/crypto/asn1/asn_mime.c + $(OPENSSL_PATH)/crypto/asn1/asn_moid.c + $(OPENSSL_PATH)/crypto/asn1/asn_mstbl.c + $(OPENSSL_PATH)/crypto/asn1/asn_pack.c + $(OPENSSL_PATH)/crypto/asn1/bio_asn1.c + $(OPENSSL_PATH)/crypto/asn1/bio_ndef.c + $(OPENSSL_PATH)/crypto/asn1/d2i_param.c + $(OPENSSL_PATH)/crypto/asn1/d2i_pr.c + $(OPENSSL_PATH)/crypto/asn1/d2i_pu.c + $(OPENSSL_PATH)/crypto/asn1/evp_asn1.c + $(OPENSSL_PATH)/crypto/asn1/f_int.c + $(OPENSSL_PATH)/crypto/asn1/f_string.c + $(OPENSSL_PATH)/crypto/asn1/i2d_evp.c + $(OPENSSL_PATH)/crypto/asn1/nsseq.c + $(OPENSSL_PATH)/crypto/asn1/p5_pbe.c + $(OPENSSL_PATH)/crypto/asn1/p5_pbev2.c + $(OPENSSL_PATH)/crypto/asn1/p5_scrypt.c + $(OPENSSL_PATH)/crypto/asn1/p8_pkey.c + $(OPENSSL_PATH)/crypto/asn1/t_bitst.c + $(OPENSSL_PATH)/crypto/asn1/t_pkey.c + $(OPENSSL_PATH)/crypto/asn1/t_spki.c + $(OPENSSL_PATH)/crypto/asn1/tasn_dec.c + $(OPENSSL_PATH)/crypto/asn1/tasn_enc.c + $(OPENSSL_PATH)/crypto/asn1/tasn_fre.c + $(OPENSSL_PATH)/crypto/asn1/tasn_new.c + $(OPENSSL_PATH)/crypto/asn1/tasn_prn.c + $(OPENSSL_PATH)/crypto/asn1/tasn_scn.c + $(OPENSSL_PATH)/crypto/asn1/tasn_typ.c + $(OPENSSL_PATH)/crypto/asn1/tasn_utl.c + $(OPENSSL_PATH)/crypto/asn1/x_algor.c + $(OPENSSL_PATH)/crypto/asn1/x_bignum.c + $(OPENSSL_PATH)/crypto/asn1/x_info.c + $(OPENSSL_PATH)/crypto/asn1/x_int64.c + $(OPENSSL_PATH)/crypto/asn1/x_long.c + $(OPENSSL_PATH)/crypto/asn1/x_pkey.c + $(OPENSSL_PATH)/crypto/asn1/x_sig.c + $(OPENSSL_PATH)/crypto/asn1/x_spki.c + $(OPENSSL_PATH)/crypto/asn1/x_val.c + $(OPENSSL_PATH)/crypto/async/arch/async_null.c + $(OPENSSL_PATH)/crypto/async/arch/async_posix.c + $(OPENSSL_PATH)/crypto/async/arch/async_win.c + $(OPENSSL_PATH)/crypto/async/async.c + $(OPENSSL_PATH)/crypto/async/async_err.c + $(OPENSSL_PATH)/crypto/async/async_wait.c + $(OPENSSL_PATH)/crypto/bio/bf_buff.c + $(OPENSSL_PATH)/crypto/bio/bf_lbuf.c + $(OPENSSL_PATH)/crypto/bio/bf_nbio.c + $(OPENSSL_PATH)/crypto/bio/bf_null.c + $(OPENSSL_PATH)/crypto/bio/bf_prefix.c + $(OPENSSL_PATH)/crypto/bio/bf_readbuff.c + $(OPENSSL_PATH)/crypto/bio/bio_addr.c + $(OPENSSL_PATH)/crypto/bio/bio_cb.c + $(OPENSSL_PATH)/crypto/bio/bio_dump.c + $(OPENSSL_PATH)/crypto/bio/bio_err.c + $(OPENSSL_PATH)/crypto/bio/bio_lib.c + $(OPENSSL_PATH)/crypto/bio/bio_meth.c + $(OPENSSL_PATH)/crypto/bio/bio_print.c + $(OPENSSL_PATH)/crypto/bio/bio_sock.c + $(OPENSSL_PATH)/crypto/bio/bio_sock2.c + $(OPENSSL_PATH)/crypto/bio/bss_acpt.c + $(OPENSSL_PATH)/crypto/bio/bss_bio.c + $(OPENSSL_PATH)/crypto/bio/bss_conn.c + $(OPENSSL_PATH)/crypto/bio/bss_core.c + $(OPENSSL_PATH)/crypto/bio/bss_dgram.c + $(OPENSSL_PATH)/crypto/bio/bss_dgram_pair.c + $(OPENSSL_PATH)/crypto/bio/bss_fd.c + $(OPENSSL_PATH)/crypto/bio/bss_file.c + $(OPENSSL_PATH)/crypto/bio/bss_log.c + $(OPENSSL_PATH)/crypto/bio/bss_mem.c + $(OPENSSL_PATH)/crypto/bio/bss_null.c + $(OPENSSL_PATH)/crypto/bio/bss_sock.c + $(OPENSSL_PATH)/crypto/bio/ossl_core_bio.c + $(OPENSSL_PATH)/crypto/bn/bn_add.c + $(OPENSSL_PATH)/crypto/bn/bn_asm.c + $(OPENSSL_PATH)/crypto/bn/bn_blind.c + $(OPENSSL_PATH)/crypto/bn/bn_const.c + $(OPENSSL_PATH)/crypto/bn/bn_conv.c + $(OPENSSL_PATH)/crypto/bn/bn_ctx.c + $(OPENSSL_PATH)/crypto/bn/bn_dh.c + $(OPENSSL_PATH)/crypto/bn/bn_div.c + $(OPENSSL_PATH)/crypto/bn/bn_err.c + $(OPENSSL_PATH)/crypto/bn/bn_exp.c + $(OPENSSL_PATH)/crypto/bn/bn_exp2.c + $(OPENSSL_PATH)/crypto/bn/bn_gcd.c + $(OPENSSL_PATH)/crypto/bn/bn_gf2m.c + $(OPENSSL_PATH)/crypto/bn/bn_intern.c + $(OPENSSL_PATH)/crypto/bn/bn_kron.c + $(OPENSSL_PATH)/crypto/bn/bn_lib.c + $(OPENSSL_PATH)/crypto/bn/bn_mod.c + $(OPENSSL_PATH)/crypto/bn/bn_mont.c + $(OPENSSL_PATH)/crypto/bn/bn_mpi.c + $(OPENSSL_PATH)/crypto/bn/bn_mul.c + $(OPENSSL_PATH)/crypto/bn/bn_nist.c + $(OPENSSL_PATH)/crypto/bn/bn_prime.c + $(OPENSSL_PATH)/crypto/bn/bn_print.c + $(OPENSSL_PATH)/crypto/bn/bn_rand.c + $(OPENSSL_PATH)/crypto/bn/bn_recp.c + $(OPENSSL_PATH)/crypto/bn/bn_rsa_fips186_4.c + $(OPENSSL_PATH)/crypto/bn/bn_shift.c + $(OPENSSL_PATH)/crypto/bn/bn_sqr.c + $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c + $(OPENSSL_PATH)/crypto/bn/bn_srp.c + $(OPENSSL_PATH)/crypto/bn/bn_word.c + $(OPENSSL_PATH)/crypto/bn/bn_x931p.c + $(OPENSSL_PATH)/crypto/buffer/buf_err.c + $(OPENSSL_PATH)/crypto/buffer/buffer.c + $(OPENSSL_PATH)/crypto/comp/c_brotli.c + $(OPENSSL_PATH)/crypto/comp/c_zlib.c + $(OPENSSL_PATH)/crypto/comp/c_zstd.c + $(OPENSSL_PATH)/crypto/comp/comp_err.c + $(OPENSSL_PATH)/crypto/comp/comp_lib.c + $(OPENSSL_PATH)/crypto/conf/conf_api.c + $(OPENSSL_PATH)/crypto/conf/conf_def.c + $(OPENSSL_PATH)/crypto/conf/conf_err.c + $(OPENSSL_PATH)/crypto/conf/conf_lib.c + $(OPENSSL_PATH)/crypto/conf/conf_mall.c + $(OPENSSL_PATH)/crypto/conf/conf_mod.c + $(OPENSSL_PATH)/crypto/conf/conf_sap.c + $(OPENSSL_PATH)/crypto/conf/conf_ssl.c + $(OPENSSL_PATH)/crypto/dh/dh_ameth.c + $(OPENSSL_PATH)/crypto/dh/dh_asn1.c + $(OPENSSL_PATH)/crypto/dh/dh_backend.c + $(OPENSSL_PATH)/crypto/dh/dh_check.c + $(OPENSSL_PATH)/crypto/dh/dh_err.c + $(OPENSSL_PATH)/crypto/dh/dh_gen.c + $(OPENSSL_PATH)/crypto/dh/dh_group_params.c + $(OPENSSL_PATH)/crypto/dh/dh_kdf.c + $(OPENSSL_PATH)/crypto/dh/dh_key.c + $(OPENSSL_PATH)/crypto/dh/dh_lib.c + $(OPENSSL_PATH)/crypto/dh/dh_meth.c + $(OPENSSL_PATH)/crypto/dh/dh_pmeth.c + $(OPENSSL_PATH)/crypto/dh/dh_prn.c + $(OPENSSL_PATH)/crypto/dh/dh_rfc5114.c + $(OPENSSL_PATH)/crypto/dso/dso_dl.c + $(OPENSSL_PATH)/crypto/dso/dso_dlfcn.c + $(OPENSSL_PATH)/crypto/dso/dso_err.c + $(OPENSSL_PATH)/crypto/dso/dso_lib.c + $(OPENSSL_PATH)/crypto/dso/dso_openssl.c + $(OPENSSL_PATH)/crypto/dso/dso_vms.c + $(OPENSSL_PATH)/crypto/dso/dso_win32.c + $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl32.c + $(OPENSSL_PATH)/crypto/ec/curve448/arch_64/f_impl64.c + $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c + $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c + $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c + $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c + $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c + $(OPENSSL_PATH)/crypto/ec/curve25519.c + $(OPENSSL_PATH)/crypto/ec/ec2_oct.c + $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c + $(OPENSSL_PATH)/crypto/ec/ec_ameth.c + $(OPENSSL_PATH)/crypto/ec/ec_asn1.c + $(OPENSSL_PATH)/crypto/ec/ec_backend.c + $(OPENSSL_PATH)/crypto/ec/ec_check.c + $(OPENSSL_PATH)/crypto/ec/ec_curve.c + $(OPENSSL_PATH)/crypto/ec/ec_cvt.c + $(OPENSSL_PATH)/crypto/ec/ec_deprecated.c + $(OPENSSL_PATH)/crypto/ec/ec_err.c + $(OPENSSL_PATH)/crypto/ec/ec_key.c + $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c + $(OPENSSL_PATH)/crypto/ec/ec_lib.c + $(OPENSSL_PATH)/crypto/ec/ec_mult.c + $(OPENSSL_PATH)/crypto/ec/ec_oct.c + $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c + $(OPENSSL_PATH)/crypto/ec/ec_print.c + $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c + $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c + $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c + $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c + $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c + $(OPENSSL_PATH)/crypto/ec/eck_prn.c + $(OPENSSL_PATH)/crypto/ec/ecp_mont.c + $(OPENSSL_PATH)/crypto/ec/ecp_nist.c + $(OPENSSL_PATH)/crypto/ec/ecp_oct.c + $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c + $(OPENSSL_PATH)/crypto/ec/ecx_backend.c + $(OPENSSL_PATH)/crypto/ec/ecx_key.c + $(OPENSSL_PATH)/crypto/ec/ecx_meth.c + $(OPENSSL_PATH)/crypto/encode_decode/decoder_err.c + $(OPENSSL_PATH)/crypto/encode_decode/decoder_lib.c + $(OPENSSL_PATH)/crypto/encode_decode/decoder_meth.c + $(OPENSSL_PATH)/crypto/encode_decode/decoder_pkey.c + $(OPENSSL_PATH)/crypto/err/err.c + $(OPENSSL_PATH)/crypto/err/err_all.c + $(OPENSSL_PATH)/crypto/err/err_all_legacy.c + $(OPENSSL_PATH)/crypto/err/err_blocks.c + $(OPENSSL_PATH)/crypto/err/err_mark.c + $(OPENSSL_PATH)/crypto/err/err_prn.c + $(OPENSSL_PATH)/crypto/err/err_save.c + $(OPENSSL_PATH)/crypto/ess/ess_asn1.c + $(OPENSSL_PATH)/crypto/ess/ess_err.c + $(OPENSSL_PATH)/crypto/ess/ess_lib.c + $(OPENSSL_PATH)/crypto/evp/asymcipher.c + $(OPENSSL_PATH)/crypto/evp/bio_b64.c + $(OPENSSL_PATH)/crypto/evp/bio_enc.c + $(OPENSSL_PATH)/crypto/evp/bio_md.c + $(OPENSSL_PATH)/crypto/evp/bio_ok.c + $(OPENSSL_PATH)/crypto/evp/c_allc.c + $(OPENSSL_PATH)/crypto/evp/c_alld.c + $(OPENSSL_PATH)/crypto/evp/cmeth_lib.c + $(OPENSSL_PATH)/crypto/evp/ctrl_params_translate.c + $(OPENSSL_PATH)/crypto/evp/dh_ctrl.c + $(OPENSSL_PATH)/crypto/evp/dh_support.c + $(OPENSSL_PATH)/crypto/evp/digest.c + $(OPENSSL_PATH)/crypto/evp/dsa_ctrl.c + $(OPENSSL_PATH)/crypto/evp/e_aes.c + $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha1.c + $(OPENSSL_PATH)/crypto/evp/e_aes_cbc_hmac_sha256.c + $(OPENSSL_PATH)/crypto/evp/e_aria.c + $(OPENSSL_PATH)/crypto/evp/e_bf.c + $(OPENSSL_PATH)/crypto/evp/e_cast.c + $(OPENSSL_PATH)/crypto/evp/e_chacha20_poly1305.c + $(OPENSSL_PATH)/crypto/evp/e_des.c + $(OPENSSL_PATH)/crypto/evp/e_des3.c + $(OPENSSL_PATH)/crypto/evp/e_idea.c + $(OPENSSL_PATH)/crypto/evp/e_null.c + $(OPENSSL_PATH)/crypto/evp/e_rc2.c + $(OPENSSL_PATH)/crypto/evp/e_rc4.c + $(OPENSSL_PATH)/crypto/evp/e_rc4_hmac_md5.c + $(OPENSSL_PATH)/crypto/evp/e_rc5.c + $(OPENSSL_PATH)/crypto/evp/e_sm4.c + $(OPENSSL_PATH)/crypto/evp/e_xcbc_d.c + $(OPENSSL_PATH)/crypto/evp/ec_ctrl.c + $(OPENSSL_PATH)/crypto/evp/ec_support.c + $(OPENSSL_PATH)/crypto/evp/encode.c + $(OPENSSL_PATH)/crypto/evp/evp_cnf.c + $(OPENSSL_PATH)/crypto/evp/evp_enc.c + $(OPENSSL_PATH)/crypto/evp/evp_err.c + $(OPENSSL_PATH)/crypto/evp/evp_fetch.c + $(OPENSSL_PATH)/crypto/evp/evp_key.c + $(OPENSSL_PATH)/crypto/evp/evp_lib.c + $(OPENSSL_PATH)/crypto/evp/evp_pbe.c + $(OPENSSL_PATH)/crypto/evp/evp_pkey.c + $(OPENSSL_PATH)/crypto/evp/evp_rand.c + $(OPENSSL_PATH)/crypto/evp/evp_utils.c + $(OPENSSL_PATH)/crypto/evp/exchange.c + $(OPENSSL_PATH)/crypto/evp/kdf_lib.c + $(OPENSSL_PATH)/crypto/evp/kdf_meth.c + $(OPENSSL_PATH)/crypto/evp/kem.c + $(OPENSSL_PATH)/crypto/evp/keymgmt_lib.c + $(OPENSSL_PATH)/crypto/evp/keymgmt_meth.c + $(OPENSSL_PATH)/crypto/evp/legacy_md5.c + $(OPENSSL_PATH)/crypto/evp/legacy_md5_sha1.c + $(OPENSSL_PATH)/crypto/evp/legacy_sha.c + $(OPENSSL_PATH)/crypto/evp/m_null.c + $(OPENSSL_PATH)/crypto/evp/m_sigver.c + $(OPENSSL_PATH)/crypto/evp/mac_lib.c + $(OPENSSL_PATH)/crypto/evp/mac_meth.c + $(OPENSSL_PATH)/crypto/evp/names.c + $(OPENSSL_PATH)/crypto/evp/p5_crpt.c + $(OPENSSL_PATH)/crypto/evp/p5_crpt2.c + $(OPENSSL_PATH)/crypto/evp/p_dec.c + $(OPENSSL_PATH)/crypto/evp/p_enc.c + $(OPENSSL_PATH)/crypto/evp/p_legacy.c + $(OPENSSL_PATH)/crypto/evp/p_lib.c + $(OPENSSL_PATH)/crypto/evp/p_open.c + $(OPENSSL_PATH)/crypto/evp/p_seal.c + $(OPENSSL_PATH)/crypto/evp/p_sign.c + $(OPENSSL_PATH)/crypto/evp/p_verify.c + $(OPENSSL_PATH)/crypto/evp/pbe_scrypt.c + $(OPENSSL_PATH)/crypto/evp/pmeth_check.c + $(OPENSSL_PATH)/crypto/evp/pmeth_gn.c + $(OPENSSL_PATH)/crypto/evp/pmeth_lib.c + $(OPENSSL_PATH)/crypto/evp/s_lib.c + $(OPENSSL_PATH)/crypto/evp/signature.c + $(OPENSSL_PATH)/crypto/evp/skeymgmt_meth.c + $(OPENSSL_PATH)/crypto/ffc/ffc_backend.c + $(OPENSSL_PATH)/crypto/ffc/ffc_dh.c + $(OPENSSL_PATH)/crypto/ffc/ffc_key_generate.c + $(OPENSSL_PATH)/crypto/ffc/ffc_key_validate.c + $(OPENSSL_PATH)/crypto/ffc/ffc_params.c + $(OPENSSL_PATH)/crypto/ffc/ffc_params_generate.c + $(OPENSSL_PATH)/crypto/ffc/ffc_params_validate.c + $(OPENSSL_PATH)/crypto/hashtable/hashfunc.c + $(OPENSSL_PATH)/crypto/hashtable/hashtable.c + $(OPENSSL_PATH)/crypto/hmac/hmac.c + $(OPENSSL_PATH)/crypto/hpke/hpke.c + $(OPENSSL_PATH)/crypto/hpke/hpke_util.c + $(OPENSSL_PATH)/crypto/http/http_client.c + $(OPENSSL_PATH)/crypto/http/http_err.c + $(OPENSSL_PATH)/crypto/http/http_lib.c + $(OPENSSL_PATH)/crypto/kdf/kdf_err.c + $(OPENSSL_PATH)/crypto/lhash/lh_stats.c + $(OPENSSL_PATH)/crypto/lhash/lhash.c + $(OPENSSL_PATH)/crypto/asn1_dsa.c + $(OPENSSL_PATH)/crypto/bsearch.c + $(OPENSSL_PATH)/crypto/comp_methods.c + $(OPENSSL_PATH)/crypto/context.c + $(OPENSSL_PATH)/crypto/core_algorithm.c + $(OPENSSL_PATH)/crypto/core_fetch.c + $(OPENSSL_PATH)/crypto/core_namemap.c + $(OPENSSL_PATH)/crypto/cpt_err.c + $(OPENSSL_PATH)/crypto/cpuid.c + $(OPENSSL_PATH)/crypto/cryptlib.c + $(OPENSSL_PATH)/crypto/ctype.c + $(OPENSSL_PATH)/crypto/cversion.c + $(OPENSSL_PATH)/crypto/defaults.c + $(OPENSSL_PATH)/crypto/der_writer.c + $(OPENSSL_PATH)/crypto/deterministic_nonce.c + $(OPENSSL_PATH)/crypto/ebcdic.c + $(OPENSSL_PATH)/crypto/ex_data.c + $(OPENSSL_PATH)/crypto/getenv.c + $(OPENSSL_PATH)/crypto/indicator_core.c + $(OPENSSL_PATH)/crypto/info.c + $(OPENSSL_PATH)/crypto/init.c + $(OPENSSL_PATH)/crypto/initthread.c + $(OPENSSL_PATH)/crypto/mem.c + $(OPENSSL_PATH)/crypto/mem_clr.c + $(OPENSSL_PATH)/crypto/mem_sec.c + $(OPENSSL_PATH)/crypto/o_dir.c + $(OPENSSL_PATH)/crypto/o_fopen.c + $(OPENSSL_PATH)/crypto/o_init.c + $(OPENSSL_PATH)/crypto/o_str.c + $(OPENSSL_PATH)/crypto/o_time.c + $(OPENSSL_PATH)/crypto/packet.c + $(OPENSSL_PATH)/crypto/param_build.c + $(OPENSSL_PATH)/crypto/param_build_set.c + $(OPENSSL_PATH)/crypto/params.c + $(OPENSSL_PATH)/crypto/params_dup.c + $(OPENSSL_PATH)/crypto/params_from_text.c + $(OPENSSL_PATH)/crypto/passphrase.c + $(OPENSSL_PATH)/crypto/provider.c + $(OPENSSL_PATH)/crypto/provider_child.c + $(OPENSSL_PATH)/crypto/provider_conf.c + $(OPENSSL_PATH)/crypto/provider_core.c + $(OPENSSL_PATH)/crypto/punycode.c + $(OPENSSL_PATH)/crypto/quic_vlint.c + $(OPENSSL_PATH)/crypto/self_test_core.c + $(OPENSSL_PATH)/crypto/sleep.c + $(OPENSSL_PATH)/crypto/sparse_array.c + $(OPENSSL_PATH)/crypto/ssl_err.c + $(OPENSSL_PATH)/crypto/threads_lib.c + $(OPENSSL_PATH)/crypto/threads_none.c + $(OPENSSL_PATH)/crypto/threads_pthread.c + $(OPENSSL_PATH)/crypto/threads_win.c + $(OPENSSL_PATH)/crypto/time.c + $(OPENSSL_PATH)/crypto/trace.c + $(OPENSSL_PATH)/crypto/uid.c + $(OPENSSL_PATH)/crypto/md5/md5_dgst.c + $(OPENSSL_PATH)/crypto/md5/md5_one.c + $(OPENSSL_PATH)/crypto/md5/md5_sha1.c + $(OPENSSL_PATH)/crypto/modes/cbc128.c + $(OPENSSL_PATH)/crypto/modes/ccm128.c + $(OPENSSL_PATH)/crypto/modes/cfb128.c + $(OPENSSL_PATH)/crypto/modes/ctr128.c + $(OPENSSL_PATH)/crypto/modes/cts128.c + $(OPENSSL_PATH)/crypto/modes/gcm128.c + $(OPENSSL_PATH)/crypto/modes/ocb128.c + $(OPENSSL_PATH)/crypto/modes/ofb128.c + $(OPENSSL_PATH)/crypto/modes/siv128.c + $(OPENSSL_PATH)/crypto/modes/wrap128.c + $(OPENSSL_PATH)/crypto/modes/xts128.c + $(OPENSSL_PATH)/crypto/modes/xts128gb.c + $(OPENSSL_PATH)/crypto/objects/o_names.c + $(OPENSSL_PATH)/crypto/objects/obj_dat.c + $(OPENSSL_PATH)/crypto/objects/obj_err.c + $(OPENSSL_PATH)/crypto/objects/obj_lib.c + $(OPENSSL_PATH)/crypto/objects/obj_xref.c + $(OPENSSL_PATH)/crypto/pem/pem_all.c + $(OPENSSL_PATH)/crypto/pem/pem_err.c + $(OPENSSL_PATH)/crypto/pem/pem_info.c + $(OPENSSL_PATH)/crypto/pem/pem_lib.c + $(OPENSSL_PATH)/crypto/pem/pem_oth.c + $(OPENSSL_PATH)/crypto/pem/pem_pk8.c + $(OPENSSL_PATH)/crypto/pem/pem_pkey.c + $(OPENSSL_PATH)/crypto/pem/pem_sign.c + $(OPENSSL_PATH)/crypto/pem/pem_x509.c + $(OPENSSL_PATH)/crypto/pem/pem_xaux.c + $(OPENSSL_PATH)/crypto/pem/pvkfmt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_add.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_asn.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_attr.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_crpt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_crt.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_decr.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_init.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_key.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_kiss.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_mutl.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_npas.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_p8d.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_p8e.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_sbag.c + $(OPENSSL_PATH)/crypto/pkcs12/p12_utl.c + $(OPENSSL_PATH)/crypto/pkcs12/pk12err.c + $(OPENSSL_PATH)/crypto/pkcs7/bio_pk7.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_asn1.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_attr.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_doit.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_lib.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_mime.c + $(OPENSSL_PATH)/crypto/pkcs7/pk7_smime.c + $(OPENSSL_PATH)/crypto/pkcs7/pkcs7err.c + $(OPENSSL_PATH)/crypto/property/defn_cache.c + $(OPENSSL_PATH)/crypto/property/property.c + $(OPENSSL_PATH)/crypto/property/property_err.c + $(OPENSSL_PATH)/crypto/property/property_parse.c + $(OPENSSL_PATH)/crypto/property/property_query.c + $(OPENSSL_PATH)/crypto/property/property_string.c + $(OPENSSL_PATH)/crypto/rand/prov_seed.c + $(OPENSSL_PATH)/crypto/rand/rand_deprecated.c + $(OPENSSL_PATH)/crypto/rand/rand_err.c + $(OPENSSL_PATH)/crypto/rand/rand_lib.c + $(OPENSSL_PATH)/crypto/rand/rand_meth.c + $(OPENSSL_PATH)/crypto/rand/rand_pool.c + $(OPENSSL_PATH)/crypto/rand/rand_uniform.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c + $(OPENSSL_PATH)/crypto/rsa/rsa_backend.c + $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c + $(OPENSSL_PATH)/crypto/rsa/rsa_crpt.c + $(OPENSSL_PATH)/crypto/rsa/rsa_err.c + $(OPENSSL_PATH)/crypto/rsa/rsa_gen.c + $(OPENSSL_PATH)/crypto/rsa/rsa_lib.c + $(OPENSSL_PATH)/crypto/rsa/rsa_meth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_mp.c + $(OPENSSL_PATH)/crypto/rsa/rsa_mp_names.c + $(OPENSSL_PATH)/crypto/rsa/rsa_none.c + $(OPENSSL_PATH)/crypto/rsa/rsa_oaep.c + $(OPENSSL_PATH)/crypto/rsa/rsa_ossl.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pk1.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pmeth.c + $(OPENSSL_PATH)/crypto/rsa/rsa_prn.c + $(OPENSSL_PATH)/crypto/rsa/rsa_pss.c + $(OPENSSL_PATH)/crypto/rsa/rsa_saos.c + $(OPENSSL_PATH)/crypto/rsa/rsa_schemes.c + $(OPENSSL_PATH)/crypto/rsa/rsa_sign.c + $(OPENSSL_PATH)/crypto/rsa/rsa_sp800_56b_check.c + $(OPENSSL_PATH)/crypto/rsa/rsa_sp800_56b_gen.c + $(OPENSSL_PATH)/crypto/rsa/rsa_x931.c + $(OPENSSL_PATH)/crypto/rsa/rsa_x931g.c + $(OPENSSL_PATH)/crypto/sha/keccak1600.c + $(OPENSSL_PATH)/crypto/sha/sha1_one.c + $(OPENSSL_PATH)/crypto/sha/sha1dgst.c + $(OPENSSL_PATH)/crypto/sha/sha256.c + $(OPENSSL_PATH)/crypto/sha/sha3.c + $(OPENSSL_PATH)/crypto/sha/sha512.c + $(OPENSSL_PATH)/crypto/sm3/legacy_sm3.c + $(OPENSSL_PATH)/crypto/sm3/sm3.c + $(OPENSSL_PATH)/crypto/stack/stack.c + $(OPENSSL_PATH)/crypto/thread/arch/thread_win.c + $(OPENSSL_PATH)/crypto/thread/api.c + $(OPENSSL_PATH)/crypto/txt_db/txt_db.c + $(OPENSSL_PATH)/crypto/ui/ui_err.c + $(OPENSSL_PATH)/crypto/ui/ui_lib.c + $(OPENSSL_PATH)/crypto/ui/ui_null.c + $(OPENSSL_PATH)/crypto/ui/ui_openssl.c + $(OPENSSL_PATH)/crypto/ui/ui_util.c + $(OPENSSL_PATH)/crypto/x509/by_dir.c + $(OPENSSL_PATH)/crypto/x509/by_file.c + $(OPENSSL_PATH)/crypto/x509/by_store.c + $(OPENSSL_PATH)/crypto/x509/pcy_cache.c + $(OPENSSL_PATH)/crypto/x509/pcy_data.c + $(OPENSSL_PATH)/crypto/x509/pcy_lib.c + $(OPENSSL_PATH)/crypto/x509/pcy_map.c + $(OPENSSL_PATH)/crypto/x509/pcy_node.c + $(OPENSSL_PATH)/crypto/x509/pcy_tree.c + $(OPENSSL_PATH)/crypto/x509/t_acert.c + $(OPENSSL_PATH)/crypto/x509/t_crl.c + $(OPENSSL_PATH)/crypto/x509/t_req.c + $(OPENSSL_PATH)/crypto/x509/t_x509.c + $(OPENSSL_PATH)/crypto/x509/v3_aaa.c + $(OPENSSL_PATH)/crypto/x509/v3_ac_tgt.c + $(OPENSSL_PATH)/crypto/x509/v3_addr.c + $(OPENSSL_PATH)/crypto/x509/v3_admis.c + $(OPENSSL_PATH)/crypto/x509/v3_akeya.c + $(OPENSSL_PATH)/crypto/x509/v3_akid.c + $(OPENSSL_PATH)/crypto/x509/v3_asid.c + $(OPENSSL_PATH)/crypto/x509/v3_attrdesc.c + $(OPENSSL_PATH)/crypto/x509/v3_attrmap.c + $(OPENSSL_PATH)/crypto/x509/v3_audit_id.c + $(OPENSSL_PATH)/crypto/x509/v3_authattid.c + $(OPENSSL_PATH)/crypto/x509/v3_battcons.c + $(OPENSSL_PATH)/crypto/x509/v3_bcons.c + $(OPENSSL_PATH)/crypto/x509/v3_bitst.c + $(OPENSSL_PATH)/crypto/x509/v3_conf.c + $(OPENSSL_PATH)/crypto/x509/v3_cpols.c + $(OPENSSL_PATH)/crypto/x509/v3_crld.c + $(OPENSSL_PATH)/crypto/x509/v3_enum.c + $(OPENSSL_PATH)/crypto/x509/v3_extku.c + $(OPENSSL_PATH)/crypto/x509/v3_genn.c + $(OPENSSL_PATH)/crypto/x509/v3_group_ac.c + $(OPENSSL_PATH)/crypto/x509/v3_ia5.c + $(OPENSSL_PATH)/crypto/x509/v3_ind_iss.c + $(OPENSSL_PATH)/crypto/x509/v3_info.c + $(OPENSSL_PATH)/crypto/x509/v3_int.c + $(OPENSSL_PATH)/crypto/x509/v3_iobo.c + $(OPENSSL_PATH)/crypto/x509/v3_ist.c + $(OPENSSL_PATH)/crypto/x509/v3_lib.c + $(OPENSSL_PATH)/crypto/x509/v3_ncons.c + $(OPENSSL_PATH)/crypto/x509/v3_no_ass.c + $(OPENSSL_PATH)/crypto/x509/v3_no_rev_avail.c + $(OPENSSL_PATH)/crypto/x509/v3_pci.c + $(OPENSSL_PATH)/crypto/x509/v3_pcia.c + $(OPENSSL_PATH)/crypto/x509/v3_pcons.c + $(OPENSSL_PATH)/crypto/x509/v3_pku.c + $(OPENSSL_PATH)/crypto/x509/v3_pmaps.c + $(OPENSSL_PATH)/crypto/x509/v3_prn.c + $(OPENSSL_PATH)/crypto/x509/v3_purp.c + $(OPENSSL_PATH)/crypto/x509/v3_rolespec.c + $(OPENSSL_PATH)/crypto/x509/v3_san.c + $(OPENSSL_PATH)/crypto/x509/v3_sda.c + $(OPENSSL_PATH)/crypto/x509/v3_single_use.c + $(OPENSSL_PATH)/crypto/x509/v3_skid.c + $(OPENSSL_PATH)/crypto/x509/v3_soa_id.c + $(OPENSSL_PATH)/crypto/x509/v3_sxnet.c + $(OPENSSL_PATH)/crypto/x509/v3_timespec.c + $(OPENSSL_PATH)/crypto/x509/v3_tlsf.c + $(OPENSSL_PATH)/crypto/x509/v3_usernotice.c + $(OPENSSL_PATH)/crypto/x509/v3_utf8.c + $(OPENSSL_PATH)/crypto/x509/v3_utl.c + $(OPENSSL_PATH)/crypto/x509/v3err.c + $(OPENSSL_PATH)/crypto/x509/x509_acert.c + $(OPENSSL_PATH)/crypto/x509/x509_att.c + $(OPENSSL_PATH)/crypto/x509/x509_cmp.c + $(OPENSSL_PATH)/crypto/x509/x509_d2.c + $(OPENSSL_PATH)/crypto/x509/x509_def.c + $(OPENSSL_PATH)/crypto/x509/x509_err.c + $(OPENSSL_PATH)/crypto/x509/x509_ext.c + $(OPENSSL_PATH)/crypto/x509/x509_lu.c + $(OPENSSL_PATH)/crypto/x509/x509_meth.c + $(OPENSSL_PATH)/crypto/x509/x509_obj.c + $(OPENSSL_PATH)/crypto/x509/x509_r2x.c + $(OPENSSL_PATH)/crypto/x509/x509_req.c + $(OPENSSL_PATH)/crypto/x509/x509_set.c + $(OPENSSL_PATH)/crypto/x509/x509_trust.c + $(OPENSSL_PATH)/crypto/x509/x509_txt.c + $(OPENSSL_PATH)/crypto/x509/x509_v3.c + $(OPENSSL_PATH)/crypto/x509/x509_vfy.c + $(OPENSSL_PATH)/crypto/x509/x509_vpm.c + $(OPENSSL_PATH)/crypto/x509/x509aset.c + $(OPENSSL_PATH)/crypto/x509/x509cset.c + $(OPENSSL_PATH)/crypto/x509/x509name.c + $(OPENSSL_PATH)/crypto/x509/x509rset.c + $(OPENSSL_PATH)/crypto/x509/x509spki.c + $(OPENSSL_PATH)/crypto/x509/x509type.c + $(OPENSSL_PATH)/crypto/x509/x_all.c + $(OPENSSL_PATH)/crypto/x509/x_attrib.c + $(OPENSSL_PATH)/crypto/x509/x_crl.c + $(OPENSSL_PATH)/crypto/x509/x_exten.c + $(OPENSSL_PATH)/crypto/x509/x_ietfatt.c + $(OPENSSL_PATH)/crypto/x509/x_name.c + $(OPENSSL_PATH)/crypto/x509/x_pubkey.c + $(OPENSSL_PATH)/crypto/x509/x_req.c + $(OPENSSL_PATH)/crypto/x509/x_x509.c + $(OPENSSL_PATH)/crypto/x509/x_x509a.c + $(OPENSSL_PATH)/providers/nullprov.c + $(OPENSSL_PATH)/providers/prov_running.c + $(OPENSSL_PATH)/providers/common/der/der_rsa_sig.c + $(OPENSSL_PATH)/providers/common/bio_prov.c + $(OPENSSL_PATH)/providers/common/capabilities.c + $(OPENSSL_PATH)/providers/common/digest_to_nid.c + $(OPENSSL_PATH)/providers/common/provider_seeding.c + $(OPENSSL_PATH)/providers/common/provider_util.c + $(OPENSSL_PATH)/providers/common/securitycheck.c + $(OPENSSL_PATH)/providers/common/securitycheck_default.c + $(OPENSSL_PATH)/providers/implementations/asymciphers/rsa_enc.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_ccm.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_ccm_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_gcm.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_gcm_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_wrp.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_xts.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_xts_fips.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_aes_xts_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_cts.c + $(OPENSSL_PATH)/providers/implementations/ciphers/cipher_null.c + $(OPENSSL_PATH)/providers/implementations/digests/md5_prov.c + $(OPENSSL_PATH)/providers/implementations/digests/md5_sha1_prov.c + $(OPENSSL_PATH)/providers/implementations/digests/null_prov.c + $(OPENSSL_PATH)/providers/implementations/digests/sha2_prov.c + $(OPENSSL_PATH)/providers/implementations/digests/sha3_prov.c + $(OPENSSL_PATH)/providers/implementations/digests/sm3_prov.c + $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_der2key.c + $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_epki2pki.c + $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_msblob2key.c + $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_pem2der.c + $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_pvk2key.c + $(OPENSSL_PATH)/providers/implementations/encode_decode/decode_spki2typespki.c + $(OPENSSL_PATH)/providers/implementations/encode_decode/endecoder_common.c + $(OPENSSL_PATH)/providers/implementations/exchange/dh_exch.c + $(OPENSSL_PATH)/providers/implementations/exchange/ecdh_exch.c + $(OPENSSL_PATH)/providers/implementations/exchange/ecx_exch.c + $(OPENSSL_PATH)/providers/implementations/exchange/kdf_exch.c + $(OPENSSL_PATH)/providers/implementations/kdfs/argon2.c + $(OPENSSL_PATH)/providers/implementations/kdfs/hkdf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/hmacdrbg_kdf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/kbkdf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/krb5kdf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2.c + $(OPENSSL_PATH)/providers/implementations/kdfs/pbkdf2_fips.c + $(OPENSSL_PATH)/providers/implementations/kdfs/pkcs12kdf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/scrypt.c + $(OPENSSL_PATH)/providers/implementations/kdfs/sshkdf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/sskdf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/tls1_prf.c + $(OPENSSL_PATH)/providers/implementations/kdfs/x942kdf.c + $(OPENSSL_PATH)/providers/implementations/kem/ec_kem.c + $(OPENSSL_PATH)/providers/implementations/kem/ecx_kem.c + $(OPENSSL_PATH)/providers/implementations/kem/kem_util.c + $(OPENSSL_PATH)/providers/implementations/kem/rsa_kem.c + $(OPENSSL_PATH)/providers/implementations/keymgmt/dh_kmgmt.c + $(OPENSSL_PATH)/providers/implementations/keymgmt/ec_kmgmt.c + $(OPENSSL_PATH)/providers/implementations/keymgmt/ecx_kmgmt.c + $(OPENSSL_PATH)/providers/implementations/keymgmt/kdf_legacy_kmgmt.c + $(OPENSSL_PATH)/providers/implementations/keymgmt/mac_legacy_kmgmt.c + $(OPENSSL_PATH)/providers/implementations/keymgmt/rsa_kmgmt.c + $(OPENSSL_PATH)/providers/implementations/macs/gmac_prov.c + $(OPENSSL_PATH)/providers/implementations/macs/hmac_prov.c + $(OPENSSL_PATH)/providers/implementations/macs/kmac_prov.c + $(OPENSSL_PATH)/providers/implementations/rands/drbg.c + $(OPENSSL_PATH)/providers/implementations/rands/drbg_ctr.c + $(OPENSSL_PATH)/providers/implementations/rands/drbg_hash.c + $(OPENSSL_PATH)/providers/implementations/rands/drbg_hmac.c + $(OPENSSL_PATH)/providers/implementations/rands/seed_src.c + $(OPENSSL_PATH)/providers/implementations/rands/seed_src_jitter.c + $(OPENSSL_PATH)/providers/implementations/rands/test_rng.c + $(OPENSSL_PATH)/providers/implementations/rands/seeding/rand_cpu_x86.c + $(OPENSSL_PATH)/providers/implementations/rands/seeding/rand_tsc.c + $(OPENSSL_PATH)/providers/implementations/rands/seeding/rand_unix.c + $(OPENSSL_PATH)/providers/implementations/rands/seeding/rand_win.c + $(OPENSSL_PATH)/providers/implementations/signature/ecdsa_sig.c + $(OPENSSL_PATH)/providers/implementations/signature/eddsa_sig.c + $(OPENSSL_PATH)/providers/implementations/signature/mac_legacy_sig.c + $(OPENSSL_PATH)/providers/implementations/signature/rsa_sig.c + $(OPENSSL_PATH)/providers/implementations/skeymgmt/aes_skmgmt.c + $(OPENSSL_PATH)/providers/implementations/skeymgmt/generic.c + $(OPENSSL_PATH)/ssl/record/methods/ssl3_cbc.c + $(OPENSSL_GEN_PATH)/crypto/params_idx.c + $(OPENSSL_PATH)/providers/common/der/der_ec_key.c + $(OPENSSL_PATH)/providers/common/der/der_ec_sig.c + $(OPENSSL_PATH)/providers/common/der/der_ecx_key.c + $(OPENSSL_PATH)/providers/common/der/der_rsa_key.c + $(OPENSSL_PATH)/providers/common/provider_ctx.c + $(OPENSSL_PATH)/providers/common/provider_err.c + $(OPENSSL_PATH)/providers/implementations/ciphers/ciphercommon.c + $(OPENSSL_PATH)/providers/implementations/ciphers/ciphercommon_block.c + $(OPENSSL_PATH)/providers/implementations/ciphers/ciphercommon_ccm.c + $(OPENSSL_PATH)/providers/implementations/ciphers/ciphercommon_ccm_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/ciphercommon_gcm.c + $(OPENSSL_PATH)/providers/implementations/ciphers/ciphercommon_gcm_hw.c + $(OPENSSL_PATH)/providers/implementations/ciphers/ciphercommon_hw.c + $(OPENSSL_PATH)/providers/implementations/digests/digestcommon.c + $(OPENSSL_PATH)/ssl/record/methods/tls_pad.c + $(OPENSSL_GEN_PATH)/providers/common/der/der_digests_gen.c + $(OPENSSL_GEN_PATH)/providers/common/der/der_ec_gen.c + $(OPENSSL_GEN_PATH)/providers/common/der/der_ecx_gen.c + $(OPENSSL_GEN_PATH)/providers/common/der/der_rsa_gen.c + $(OPENSSL_GEN_PATH)/providers/common/der/der_wrap_gen.c +# Autogenerated files list ends here + buildinf.h + buildinf.c + OpensslStub/ossl_store.c + OpensslStub/rand_pool.c +# OpensslStub/SslNull.c +# OpensslStub/EcSm2Null.c + OpensslStub/uefiprov.c + OpensslStub/EncoderNull.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + OpensslPkg/OpensslPkg.dec # MU_CHANGE + +[LibraryClasses] + BaseLib + DebugLib + RngLib + +[BuildOptions] + # + # Disables the following Visual Studio compiler warnings brought by openssl source, + # so we do not break the build with /WX option: + # C4090: 'function' : different 'const' qualifiers + # C4132: 'object' : const object should be initialized (tls13_enc.c) + # C4210: nonstandard extension used: function given file scope + # C4244: conversion from type1 to type2, possible loss of data + # C4245: conversion from type1 to type2, signed/unsigned mismatch + # C4267: conversion from size_t to type, possible loss of data + # C4306: 'identifier' : conversion from 'type1' to 'type2' of greater size + # C4310: cast truncates constant value + # C4389: 'operator' : signed/unsigned mismatch (xxxx) + # C4700: uninitialized local variable 'name' used. (conf_sap.c(71)) + # C4702: unreachable code + # C4706: assignment within conditional expression + # C4819: The file contains a character that cannot be represented in the current code page + # C4133: incompatible types - from 'ASN1_TYPE *' to 'const ASN1_STRING *' (v3_genn.c(101)) + # C4319: zero extending type to type of greater size + # + MSFT:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) /wd4090 /wd4132 /wd4210 /wd4244 /wd4245 /wd4267 /wd4310 /wd4389 /wd4700 /wd4702 /wd4706 /wd4819 /wd4130 /wd4133 /wd4189 /wd4319 + MSFT:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) /wd4090 /wd4132 /wd4210 /wd4244 /wd4245 /wd4267 /wd4306 /wd4310 /wd4700 /wd4389 /wd4702 /wd4706 /wd4819 /wd4130 /wd4133 /wd4189 /wd4319 + + # + # Disable following Visual Studio 2015 compiler warnings brought by openssl source, + # so we do not break the build with /WX option: + # C4718: recursive call has no side effects, deleting + # + MSFT:*_VS2015x86_IA32_CC_FLAGS = /wd4718 + MSFT:*_VS2015x86_X64_CC_FLAGS = /wd4718 + + INTEL:*_*_IA32_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) /w + INTEL:*_*_X64_CC_FLAGS = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) /w + + # + # Suppress the following build warnings in openssl so we don't break the build with -Werror + # -Werror=maybe-uninitialized: there exist some other paths for which the variable is not initialized. + # -Werror=format: Check calls to printf and scanf, etc., to make sure that the arguments supplied have + # types appropriate to the format string specified. + # -Werror=unused-but-set-variable: Warn whenever a local variable is assigned to, but otherwise unused (aside from its declaration). + # + GCC:*_*_IA32_CC_FLAGS = -U_WIN32 -UWIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) -Wno-error=maybe-uninitialized -Wno-error=unused-but-set-variable + GCC:*_*_X64_CC_FLAGS = -U_WIN32 -UWIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -Wno-error=unused-but-set-variable -DNO_MSABI_VA_FUNCS + GCC:*_*_AARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable -Wno-error=format + GCC:*_*_RISCV64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable + GCC:*_*_LOONGARCH64_CC_FLAGS = $(OPENSSL_FLAGS) -Wno-error=maybe-uninitialized -Wno-format -Wno-error=unused-but-set-variable + GCC:*_CLANGDWARF_*_CC_FLAGS = -std=c99 -Wno-error=uninitialized -Wno-error=incompatible-pointer-types -Wno-error=pointer-sign -Wno-error=implicit-function-declaration -Wno-error=ignored-pragma-optimize + GCC:*_CLANGPDB_*_CC_FLAGS = -U_WIN32 -UWIN32 -U_WIN64 -U_MSC_VER -std=c99 -Wno-error=uninitialized -Wno-error=incompatible-pointer-types -Wno-error=pointer-sign -Wno-error=implicit-function-declaration -Wno-error=ignored-pragma-optimize -Wno-error=unused-function + # Revisit after switching to 3.0 branch + GCC:*_GCC5_*_CC_FLAGS = -Wno-unused-but-set-variable + + # suppress the following warnings in openssl so we don't break the build with warnings-as-errors: + # 1295: Deprecated declaration - give arg types + # 550: was set but never used + # 1293: assignment in condition + # 111: statement is unreachable (invariably "break;" after "return X;" in case statement) + # 68: integer conversion resulted in a change of sign ("if (Status == -1)") + # 177: was declared but never referenced + # 223: function declared implicitly + # 144: a value of type cannot be used to initialize an entity of type + # 513: a value of type cannot be assigned to an entity of type + # 188: enumerated type mixed with another type (i.e. passing an integer as an enum without a cast) + # 1296: Extended constant initialiser used + # 128: loop is not reachable - may be emitted inappropriately if code follows a conditional return + # from the function that evaluates to true at compile time + # 546: transfer of control bypasses initialization - may be emitted inappropriately if the uninitialized + # variable is never referenced after the jump + # 1: ignore "#1-D: last line of file ends without a newline" + # 3017: may be used before being set (NOTE: This was fixed in OpenSSL 1.1 HEAD with + # commit d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be dropped then.) + XCODE:*_*_IA32_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) -w -std=c99 -Wno-error=uninitialized -DOPENSSL_NO_APPLE_CRYPTO_RANDOM + XCODE:*_*_X64_CC_FLAGS = -mmmx -msse -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_FLAGS_NOASM) -w -std=c99 -Wno-error=uninitialized -DOPENSSL_NO_APPLE_CRYPTO_RANDOM + + # + # AARCH64 uses strict alignment and avoids SIMD registers for code that may execute + # with the MMU off. This involves SEC, PEI_CORE and PEIM modules as well as BASE + # libraries, given that they may be included into such modules. + # This library, even though of the BASE type, is never used in such cases, and + # avoiding the SIMD register file (which is shared with the FPU) prevents the + # compiler from successfully building some of the OpenSSL source files that + # use floating point types, so clear the flags here. + # + GCC:*_*_AARCH64_CC_XIPFLAGS ==