[openssl-dev] [RFC] Add UEFI target to OpenSSL

David Woodhouse dwmw2 at infradead.org
Mon Jul 27 09:46:30 UTC 2015


EDK II is the reference implementation of UEFI, used by fairly much
everyone shipping UEFI firmware these days. It uses OpenSSL to provide
cryptographic functionality, used for Secure Boot.

This might make it one of the largest OpenSSL deployments ever. So it
would be quite useful for it to be supported out of the box, without
the need to rapidly update and reapply external patches each time it's
necessary to update OpenSSL.

I've been submitting patches last week to both OpenSSL and EDKII. Now
I'm looking at the build process itself. EDK II has its own build
system, and this is its build INF file for OpenSSL:
https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/OpensslLib.inf

Obviously, that list of filenames wants to be generated automatically
by something based on 'make files', and !included into the INF file. 

And the litany of -DOPENSSL_NO_xxx probably just wants to be in
opensslconf.h with a proper ./Configure invocation. (For the Windows
users building EDKII, who can't be assumed to have a sane build setup,
we can ship preprepared versions of both.)

Here's a first attempt at making './Configure UEFI' do something sane.
The main question is what I should be doing about SIXTY_FOUR_BIT_LONG
et al.?

Using the *same* build INF file, we build for i386, x86_64, ARM,
AARCH64 and IA64. The current INF file will explicitly set
THIRTY_TWO_BIT or SIXTY_FOUR_BIT_LONG according to the platform. Hence
making that part of opensslconf.h inactive for OPENSSL_SYS_UEFI, in the
patch below. Better suggestions would be welcomed... since this isn't
entirely performance-critical, *perhaps* it might be acceptable just to
use THIRTY_TWO_BIT everywhere?

My other question, before I look too hard at the integration: is it
worth providing an OpenSSL build target that can build OpenSSL and its
tools as standalone UEFI executables? That way, the UEFI build target
has some meaning (and can perhaps at least be build tested) within
OpenSSL directly, rather than only when imported into an EDK II build.


diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index b5d32b6..2dcc82d 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -1207,6 +1207,13 @@
         shared_extension => ".dll.a",
     },
 
+#### UEFI
+    "UEFI" => {
+        cc               => "cc",
+        cflags           => "-DL_ENDIAN -O",
+        sys_id           => "UEFI",
+    },
+
 #### UWIN
     "UWIN" => {
         cc               => "cc",
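Review bot: The new "UEFI" entry hard-codes -DL_ENDIAN in cflags and has no comment saying that this single target is meant to be shared by every architecture the firmware is built for, or that the word size is expected to come from the EDK II build rather than from this entry. A short comment above the entry stating that, and saying whether cc => "cc" with -O is only a placeholder, would keep someone from running ./Configure UEFI and expecting a usable native build.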
diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in
index 4429c91..2ce2e48 100644
--- a/crypto/opensslconf.h.in
+++ b/crypto/opensslconf.h.in
@@ -79,11 +79,13 @@
 
 /* Should we define BN_DIV2W here? */
 
+#ifndef OPENSSL_SYS_UEFI /* This is defined in the EDK2 build INF */
 /* Only one for the following should be defined */
 #undef SIXTY_FOUR_BIT_LONG
 #undef SIXTY_FOUR_BIT
 #define THIRTY_TWO_BIT
 #endif
+#endif
 
 #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
 #define CONFIG_HEADER_RC4_LOCL_H
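Review bot: With OPENSSL_SYS_UEFI defined, the guarded block in opensslconf.h.in no longer defines any of SIXTY_FOUR_BIT_LONG, SIXTY_FOUR_BIT or THIRTY_TWO_BIT, so a UEFI build whose command line omits them gets no word size from this header and nothing reports it. Consider an #else branch that raises #error unless exactly one of the three is already defined. The pairing is also easy to misread: the added #ifndef is closed by the existing #endif on the context line, and the added #endif then closes a conditional opened above the hunk, so a trailing comment on each #endif would help. The comment on the #ifndef line ("This is defined in the EDK2 build INF") should name the macros it means.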
diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h
index 177b098..6327a64 100644
--- a/include/openssl/e_os2.h
+++ b/include/openssl/e_os2.h
@@ -76,6 +76,11 @@ extern "C" {
 #  define OPENSSL_SYS_NETWARE
 # endif
 
+/* -------------------------------- UEFI ---------------------------------- */
+# if defined(OPENSSL_SYS_UEFI)
+#  undef OPENSSL_SYS_UNIX
+# endif
+
 /* --------------------- Microsoft operating systems ---------------------- */
 
 /*
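Review bot: Nothing in this hunk defines OPENSSL_SYS_UEFI; the new block in e_os2.h only reacts to it, whereas the NETWARE section in the context lines above defines its own OPENSSL_SYS_NETWARE. Add a comment saying where the macro is expected to come from (the sys_id set in the Configure target, or the EDK II build flags), and confirm that this #undef OPENSSL_SYS_UNIX sits after the point where the header defines OPENSSL_SYS_UNIX, since an #undef placed before that definition would have no effect.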
-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
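
One way to approach the SIXTY_FOUR_BIT_LONG question raised in the message, as an added example that is not part of the original post, of OpenSSL or of EDK II: keep a value supplied by the build if there is one, otherwise derive it from the compiler's limits, and fail the build when the macro and the real word type disagree. The `ex_*` names are hypothetical, and the sketch assumes a toolchain that provides the freestanding C99 headers `<limits.h>` and `<stdint.h>`.

```c
/* Added example, not OpenSSL or EDK II code. All ex_* names are hypothetical. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
/* Honour a value passed in by the build (as the INF does today), else derive it. */
#if !defined(SIXTY_FOUR_BIT_LONG) && !defined(SIXTY_FOUR_BIT) && !defined(THIRTY_TWO_BIT)
# if ULONG_MAX > 0xffffffffUL        /* long is 64 bits */
#  define SIXTY_FOUR_BIT_LONG
# elif UINTPTR_MAX > 0xffffffffUL    /* 64-bit pointers, 32-bit long */
#  define SIXTY_FOUR_BIT
# else
#  define THIRTY_TWO_BIT
# endif
#endif

#if defined(SIXTY_FOUR_BIT_LONG) + defined(SIXTY_FOUR_BIT) + defined(THIRTY_TWO_BIT) != 1
# error "exactly one of SIXTY_FOUR_BIT_LONG, SIXTY_FOUR_BIT, THIRTY_TWO_BIT is required"
#endif

/* Word type per macro, following the mapping OpenSSL's bn.h uses. */
#if defined(SIXTY_FOUR_BIT_LONG)
typedef unsigned long ex_bn_ulong;
# define EX_BN_BITS 64
#elif defined(SIXTY_FOUR_BIT)
typedef unsigned long long ex_bn_ulong;
# define EX_BN_BITS 64
#else
typedef unsigned int ex_bn_ulong;
# define EX_BN_BITS 32
#endif

/* Break the build if the macro and the real type width disagree. */
typedef char ex_bn_width_check[(sizeof(ex_bn_ulong) * CHAR_BIT == EX_BN_BITS) ? 1 : -1];
int ex_bn_bits(void) { return EX_BN_BITS; }

/* r = a + b over n words; returns the carry out of the top word. */
ex_bn_ulong ex_bn_add_words(ex_bn_ulong *r, const ex_bn_ulong *a, const ex_bn_ulong *b, int n)
{
    ex_bn_ulong carry = 0;
    for (int i = 0; i < n; i++) {
        ex_bn_ulong t = a[i] + carry;   /* may wrap when a[i] is all ones */
        carry = (t < carry);
        r[i] = t + b[i];
        carry += (r[i] < t);            /* at most one of the two wraps happens */
    }
    return carry;
}

int main(void) { printf("BN word: %d bits\n", ex_bn_bits()); return 0; }
```

Passing `-DTHIRTY_TWO_BIT` on the command line still compiles on a 64-bit host, which is the "THIRTY_TWO_BIT everywhere" option from the message; passing a macro that does not match the type it selects stops at the width check.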


