Replace UefiRuntimeServicesTableLib and UefiBootServicesTableLib dependencies with RealTimeClockLib and TimerLib to enable phase-agnostic operation across DXE, Runtime, and MM environments. Update TimerWrapper.c to use LibGetTime() instead of gRT->GetTime() and MicroSecondDelay() instead of gBS->Stall(). Remove the unused timezone global variable. Add MdeModulePkg.dec to BaseCryptLib.inf and RuntimeCryptLib.inf for the RealTimeClockLib header. Add a RealTimeClockLib null instance mapping to OpensslPkg.dsc for CI builds. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Expand BaseCryptLib LIBRARY_CLASS to support DXE_RUNTIME_DRIVER, DXE_SMM_DRIVER, and MM_STANDALONE in addition to the existing module types. Comment out CryptParallelHash.c, CryptDispatchApDxe.c, SynchronizationLib, and gEfiMpServiceProtocolGuid which depend on DXE boot services not available in all target environments. Update TlsLib MODULE_TYPE from DXE_DRIVER to BASE and expand its LIBRARY_CLASS to include DXE_RUNTIME_DRIVER and MM_STANDALONE. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add Setup/BaseCryptInit.c which provides a BaseCryptInit() function that calls OpensslLibConstructor() for explicit library initialization. Add Info/CryptInfo.c which provides GetCryptoProviderVersionString() returning the OpenSSL version text identifier. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add MSFT /wd4090 to suppress C4090 const qualifier warnings, and MSFT AARCH64/ARM flags to define _M_MS_ARM64/_M_MS_ARM macros. Add GCC CLANG35 and CLANG38 -std=c99 flags for older Clang toolchains. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Replace UefiRuntimeServicesTableLib dependency with RealTimeClockLib and TimerLib to enable phase-agnostic operation. Update TimerWrapper.c to use LibGetTime() instead of gRT->GetTime() in both time() and mbedtls_ms_time(). Implement sleep() using MicroSecondDelay() instead of a no-op. Add MdeModulePkg.dec to BaseCryptLib.inf and RuntimeCryptLib.inf for the RealTimeClockLib header. Add a RealTimeClockLib null instance mapping to MbedTlsPkg.dsc for CI builds. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add #undef OPENSSL_NO_DEPRECATED before redefining the macro to avoid compiler warnings when the macro is already defined in OpenSSL headers. This is a temporary workaround until deprecated OpenSSL APIs are removed from BaseCryptLib. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add the OpensslLibConstructor.h header file which declares the OpensslLibConstructor function prototype. This header is required by modules that need to call the OpenSSL library constructor explicitly. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add OneCryptoPkg package declaration (.dec) and build configuration (.dsc). This package provides a shared cryptographic binary architecture that can be loaded at runtime to provide crypto services to multiple MM environments (StandaloneMm and SupvMm) and DXE. The shared binary approach reduces code duplication and ensures consistent crypto implementation across different execution environments.
Add OneCryptoDependencySupport.h to provide function pointer-based dependency injection for crypto binary initialization. This header defines the structure for routing debug, memory allocation, time, and RNG services from the hosting environment to the shared cryptographic binary. This enables the OneCryptoBin binary to use services from its hosting environment without direct dependencies on specific implementations.
Add OneCryptoCrtLib to provide minimal C runtime functions needed by the OneCrypto binary. This library implements essential CRT functions that are either not available or need custom implementation in the UEFI environment. The library provides a lightweight CRT layer specifically tailored for cryptographic operations within the shared binary architecture.
Add "OnOneCrypto" routing libraries that forward standard UEFI library calls to function pointers provided by the hosting environment:
- DebugLibOnOneCrypto: Routes debug output
- MemoryAllocationLibOnOneCrypto: Routes memory allocation/free
- RealTimeClockLibOnOneCrypto: Routes time services
- RngLibOnOneCrypto: Routes random number generation
These libraries enable the OneCryptoBin binary to provide services to libraries (such as its CryptoProvider) from its loader without linking against specific implementations, supporting the shared binary architecture across different execution environments.
Add PeCoffExtendedLib to provide extended PE/COFF image loading utilities. This library adds additional functionality beyond the standard PeCoffLib, enabling the loader drivers to load and relocate the OneCryptoBin shared binary into memory at runtime. Required for the OneCrypto loader architecture to dynamically load the shared cryptographic binary.
Add custom entry point libraries for both StandaloneMm and SupvMm:
- StandaloneMmDriverEntryPoint: Entry point for standard StandaloneMm
- SupvStandaloneMmDriverEntryPoint: Entry point for Supervisor MM
These libraries provide the proper initialization sequence for the OneCryptoBin shared binary in each MM environment, handling environment-specific setup before calling the main binary initialization.
Add GUID definitions for OneCrypto file identification:
- OneCryptoBin.h: GUID for the OneCryptoBin executable file
These GUIDs are used to identify and locate the OneCryptoBin binary file in the firmware volume, enabling the loader drivers to find and load the shared cryptographic binary.
Add the OneCryptoBin shared cryptographic binary implementation:
- OneCryptoBin.c: Main initialization and dependency injection handling
- OneCryptoBinStandaloneMm.inf: Build configuration for StandaloneMm
- OneCryptoBinSupvMm.inf: Build configuration for Supervisor MM
The OneCryptoBin binary provides a shared cryptographic services implementation that can be loaded at runtime into different MM environments (StandaloneMm, SupvMm) and DXE. It receives function pointers for debug, memory, time, and RNG services from its loader, enabling environment-agnostic crypto operations. This architecture reduces code duplication and ensures consistent crypto implementation across execution environments.
Add loader drivers for loading OneCryptoBin in different environments:
- DxeOneCryptoLoader: Loads OneCryptoBin in DXE phase
- StandaloneMmOneCryptoLoader: Loads OneCryptoBin in StandaloneMm
- SupvStandaloneMmOneCryptoLoader: Loads OneCryptoBin in Supervisor MM
Each loader is responsible for:
1. Locating the OneCryptoBin binary in the firmware volume using the GUID
2. Loading and relocating the binary into memory using PeCoffExtendedLib
3. Providing function pointers for debug, memory, time, and RNG services
4. Calling the binary's initialization function with the dependency structure
This enables the shared binary architecture where one crypto implementation can serve multiple execution environments.
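The function-pointer dependency injection described in the OneCryptoDependencySupport.h, "OnOneCrypto" routing library and loader commits above, as an added illustration that is not code from this PR or from OneCryptoPkg: the loader fills a table of host services, the binary's entry validates the table's size, version and every pointer before accepting it, and a routing shim fails closed when no host RNG has been installed. The struct layout, field names and function names here are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical dependency table passed from the loader to the shared binary.
   Layout and names are assumed for this example, not OneCryptoDependencySupport.h. */
typedef struct {
  uint32_t   Size;      /* sizeof(table) as the loader built it */
  uint32_t   Version;   /* table layout the loader compiled against */
  void     (*DebugPrint)(const char *Msg);
  void    *(*AllocatePool)(size_t Bytes);
  void     (*FreePool)(void *Ptr);
  uint64_t (*GetTimeSeconds)(void);
  int      (*GetRandom64)(uint64_t *Out);   /* 1 on success, 0 if no RNG is available yet */
  void     (*MicroSecondDelay)(uint32_t MicroSeconds);
} CRYPTO_DEPS;

#define CRYPTO_DEPS_VERSION 1u

static const CRYPTO_DEPS *gDeps = NULL;

/* Binary-side entry: reject a table whose size, version or pointers do not match
   before any routing library is allowed to call through it. */
int CryptoEntryInit(const CRYPTO_DEPS *Deps) {
  if (Deps == NULL || Deps->Size != sizeof(*Deps) || Deps->Version != CRYPTO_DEPS_VERSION)
    return -1;
  if (Deps->DebugPrint == NULL || Deps->AllocatePool == NULL || Deps->FreePool == NULL ||
      Deps->GetTimeSeconds == NULL || Deps->GetRandom64 == NULL ||
      Deps->MicroSecondDelay == NULL)
    return -1;
  gDeps = Deps;
  return 0;
}

/* Routing shim in the style of RngLibOnOneCrypto: reports failure rather than
   handing back a fixed value when the host has not yet provided entropy. */
int RoutedGetRandom64(uint64_t *Out) {
  if (gDeps == NULL || Out == NULL) return 0;
  return gDeps->GetRandom64(Out);
}

/* Loader-side stubs standing in for the host's real services (constructed). */
static void HostDebugPrint(const char *Msg) { (void)Msg; }
static void *HostAllocatePool(size_t Bytes) { (void)Bytes; return NULL; }
static void HostFreePool(void *Ptr) { (void)Ptr; }
static uint64_t HostGetTimeSeconds(void) { return 1700000000ull; }
static int HostGetRandom64(uint64_t *Out) { *Out = 0x0123456789abcdefull; return 1; }
static void HostMicroSecondDelay(uint32_t Us) { (void)Us; }

/* Builds the table the way a loader would before calling the binary's entry. */
CRYPTO_DEPS BuildHostDeps(void) {
  CRYPTO_DEPS D = { sizeof(CRYPTO_DEPS), CRYPTO_DEPS_VERSION, HostDebugPrint, HostAllocatePool,
                    HostFreePool, HostGetTimeSeconds, HostGetRandom64, HostMicroSecondDelay };
  return D;
}
```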
Add integration INFs for OneCrypto binary usage.
Add Python automation for packaging OneCryptoBin binaries: - package_onecrypto.py: Automated packaging script that builds all MM variants and creates external dependency packages - OneCrypto_ext_dep.json.template: Template for external dependency metadata - readme.md: Documentation for the packaging process These scripts automate the process of building and distributing the OneCryptoBin binary as an external dependency, making it easy to share the precompiled crypto binary across projects without rebuilding from source.
Added a manual update guide to assist developers in updating the OneCryptoPkg. This document provides step-by-step instructions on how to properly update the package, ensuring consistency and reducing errors during the update process.
Adding TlsLib to OneCryptoPkg to provide TLS functionalities.
This change adds AARCH64 architecture support for the OneCryptoBin DXE driver by implementing a protocol-based approach instead of PE/COFF export parsing. Changes:
- Add OneCryptoBinDxe.inf and OneCryptoBinDxeEntry.c for DXE driver that installs gOneCryptoPrivateProtocolGuid
- Add OneCryptoBinMmEntry.c to separate MM entry point from main binary
- Add OneCryptoBin.h header for shared declarations across entry points
- Refactor OneCryptoBin.c to remove MM-specific code and includes
- Update OneCryptoBinStandaloneMm.inf and OneCryptoBinSupvMm.inf to use new separate entry point source file
- Update OneCryptoPkg.dec protocol description to document DXE usage
- Reorganize OneCryptoPkg.dsc to support AARCH64 with new [Components.AARCH64] section and move common components to [Components]
- Add OneCryptoBinDxe.inf for pre-built AARCH64 binary distribution
The protocol-based approach is needed on AARCH64 because GCC/Clang toolchains do not generate PE/COFF export tables in the same way as MSVC, making export parsing unreliable.
architecture-specific file layouts for building release packages. Changes:
- Replace static FILE_LAYOUT with get_file_layout() function that returns architecture-specific layouts
- Add SUPPORTED_ARCHITECTURES list with X64 and AARCH64
- AARCH64 layout includes OneCryptoBinDxe and OneCryptoLoaderDxe
- X64 layout includes OneCryptoBinSupvMm and OneCryptoLoaderSupvMm
- Add architecture validation with descriptive error messages
- Update list_layout() to accept arch parameter
- package_onecrypto.py: Update AARCH64 DXE loader path to use
OneCryptoLoaderDxeByProtocol build output
- package_onecrypto.py: Add multi-architecture packaging support with
repeatable --arch flag to package X64 and AARCH64 in a single zip
- package_onecrypto.py: Reorganize package structure to
<target>/<arch>/<folder>/ for multi-arch builds
- package_onecrypto.py: Rename default package to OneCrypto_Drivers_v{version}
- uefi_compress.py: Switch from TianoCompress to LzmaCompress for
compression analysis
- OneCrypto_ext_dep.json.template: Update source URL to use <ARCH>
placeholder for architecture-specific packages
- PlatformBuild.py: Update post-build packaging to create single
multi-architecture package with per-arch reporting
Add OneCryptoLoaderDxeByProtocol driver that uses a protocol-based approach for AARCH64 platforms instead of PE/COFF export parsing.
- Add OneCryptoLoaderDxeByProtocol.c: DXE driver that consumes gOneCryptoPrivateProtocolGuid and produces gOneCryptoProtocolGuid
- Add OneCryptoLoaderDxeByProtocol.inf: Module definition with DEPEX on gOneCryptoPrivateProtocolGuid
- Add lazy RNG initialization to avoid boot-time hangs when EFI_RNG_PROTOCOL is not immediately available
- OneCryptoPkg.dsc: Add OneCryptoLoaderDxeByProtocol to AARCH64 components section with required library class mappings
This commit adds the ability to export the CryptoEntry for GCC5. This requires changes to BaseTools in order to export the symbols from the ELF binary to the resultant PE32 EFI binary.
This is an initial commit while I investigate ways to do this cleanly.
Add a 4K Page size for GCC5 Support
Update INF files to use architecture-agnostic [Binaries] sections instead of [Binaries.X64] or [Binaries.AARCH64]. This enables the same INF files to work across multiple architectures. Additionally, add GCC5 linker build options to source-based loader INF files to set common-page-size=0x1000 for proper alignment. Files modified:
- OneCryptoBin/Integration/OneCryptoBinDxe.inf
- OneCryptoBin/Integration/OneCryptoBinStandaloneMm.inf
- OneCryptoBin/Integration/OneCryptoBinSupvMm.inf
- OneCryptoLoaders/Integration/OneCryptoLoaderDxe.inf
- OneCryptoLoaders/Integration/OneCryptoLoaderStandaloneMm.inf
- OneCryptoLoaders/Integration/OneCryptoLoaderSupvMm.inf
- OneCryptoLoaders/OneCryptoLoaderDxe.inf
- OneCryptoLoaders/OneCryptoLoaderDxeByProtocol.inf
- OneCryptoLoaders/OneCryptoLoaderStandaloneMm.inf
- OneCryptoLoaders/OneCryptoLoaderSupvMm.inf
Signed-off-by: Doug Flick <dougflick@microsoft.com>
Refactor the build and packaging infrastructure to:
- Move packaging logic from PlatformBuild.py into package_onecrypto.py for better separation of concerns
- Add toolchain auto-detection from available build directories
- Support packaging multiple targets (DEBUG/RELEASE) in a single archive
- Add UEFI LzmaCompress analysis to show compressed EFI sizes
- Use root logger for consistent Stuart logging integration
- Build targets as subprocesses for clean environment isolation
The package_onecrypto.py script can now be used standalone or invoked from PlatformBuild.py, with all output routed through Stuart's logging. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add BaseCpuTimerLib as TimerLib for all OneCryptoBin components to support sleep() function in OpenSSL's TimerWrapper.c, which uses MicroSecondDelay for phase-agnostic operation. Enable PcdOpensslLibAssemblySourceStyleNasm for X64 builds to include NASM assembly-optimized crypto routines (AES-NI, SHA, GCM, etc.) in OpensslLibFullAccel. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Reorder compiler detection to check __clang__ before __GNUC__ since clang also defines __GNUC__. Narrow GCC build options from GCC:*_*_* to GCC:*_GCC5_* to avoid applying GCC-specific linker flags when building with CLANGPDB. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add CLANGPDB-specific linker and GenFw flags to all OneCryptoBin and OneCryptoLoader INF files. For bins, use /EXPORT:CryptoEntry /ALIGN:4096 for DLINK and --keepoptionalheader for GENFW. For loaders, use /ALIGN:4096 for DLINK. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add MicroSecondDelay function pointer to the OneCrypto dependency injection framework, enabling TimerLib functionality through the dependency support interface. Add TimerLibOnOneCrypto library that implements TimerLib by delegating to the MicroSecondDelay function provided through OneCryptoCrtLib dependency injection. This replaces the direct BaseCpuTimerLib dependency with a phase-agnostic approach. Update all loaders to populate the MicroSecondDelay dependency when setting up the OneCrypto runtime environment. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add BuildOptions.AARCH64 section with -mbranch-protection=standard CC flag for GCC builds to enable ARM Branch Target Identification (BTI) and Pointer Authentication (PAC) security features. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Update IntrinsicLib references in OneCryptoPkg.dsc from OpensslPkg/Library/IntrinsicLib to CryptoPkg/Library/IntrinsicLib which resolves through MU_BASECORE as a PackagesPath entry. Update PlatformBuild.py to include MU_BASECORE in GetPackagesPath() for both SettingsManager and PlatformBuilder, ensuring MdePkg, MdeModulePkg, CryptoPkg, UefiCpuPkg et al. are discoverable during platform builds. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add NULL CompilerIntrinsicsLib dependency to OneCryptoBinStandaloneMm and OneCryptoBinDxe components. On AARCH64 with CLANGPDB, memcpy is not a compiler builtin and must be provided by CompilerIntrinsicsLib. Without this, the linker fails with undefined symbol: memcpy. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add GetDependencies() to CommonPlatform and SettingsManager to declare Git repository dependencies for stuart_update. This replaces hardcoded MU_BASECORE PackagesPath with a dependency list that includes MU_BASECORE, mu_silicon_arm_tiano, mu_feature_mm_supv, and mu_plus. Update GetPackagesPath() in both SettingsManager and PlatformBuilder to derive paths from the dependency list. Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add build-onecrypto.yml workflow that builds OneCryptoPkg for both DEBUG and RELEASE configurations using CLANGPDB. The build produces X64 and AARCH64 binaries and publishes:
- Driver zip package (OneCrypto_Drivers_*.zip)
- PDB files for debugging
- Build logs
Triggered on changes to OneCryptoPkg, OpensslPkg, PlatformBuild.py, package_onecrypto.py, or the workflow file itself. Signed-off-by: Doug Flick <dougflick@microsoft.com>
For now this PR is for tracking. This is based on #190.
This #190 needs to go in first.