Readme.md

Last change on this file was 105670, checked in by vboxsync, 5 months ago
Devices/EFI/FirmwareNew: Merge edk2-stable-202405 and make it build on aarch64, bugref:4643
Property svn:eol-style set to `native`
File size: 32.0 KB

Line
1	# Crypto Package
2
3	This package provides cryptographic services that are used to implement firmware
4	features such as UEFI Secure Boot, Measured Boot, firmware image authentication,
5	and network boot. The cryptographic service implementation in this package uses
6	services from the [OpenSSL](https://www.openssl.org/) project and
7	[MbedTLS](https://www.trustedfirmware.org/projects/mbed-tls/) project.
8
9	EDK II firmware modules/libraries that requires the use of cryptographic
10	services can either statically link all the required services, or the EDK II
11	firmware module/library can use a dynamic Protocol/PPI service to call
12	cryptographic services. The dynamic Protocol/PPI services are only available to
13	PEIMs, DXE Drivers, UEFI Drivers, and SMM Drivers, and only if the cryptographic
14	modules are included in the platform firmware image.
15
16	There may be firmware image size differences between the static and dynamic
17	options. Some experimentation may be required to find the solution that
18	provides the smallest overall firmware overhead.
19
20	# Public Library Classes
21
22	* BaseCryptLib - Provides library functions based on OpenSSL for
23	cryptographic primitives.
24	* BaseCryptLibMbedTls - Provides library functions based on MbedTLS for
25	cryptographic primitives.
26	* TlsLib - Provides TLS library functions for EFI TLS protocol.
27	* HashApiLib - Provides Unified API for different hash implementations.
28
29	# Private Library Classes
30
31	* OpensslLib - Provides library functions from the openssl project.
32	* MbedTlsLib - Provides library functions from the mbedtls project.
33	* IntrinsicLib - Provides C runtime library (CRT) required by openssl
34	and mbedtls.
35
36	# Private Protocols and PPIs
37
38	* EDK II Crypto PPI - PPI that provides all the services from
39	the BaseCryptLib and TlsLib library classes.
40	* EDK II Crypto Protocol - Protocol that provides all the services from
41	the BaseCryptLib and TlsLib library classes.
42	* EDK II SMM Crypto Protocol - SMM Protocol that provides all the services
43	from the BaseCryptLib and TlsLib library
44	classes.
45
46	## Statically Linking Cryptographic Services
47
48	The figure below shows an example of a firmware module that requires the use of
49	cryptographic services. The cryptographic services are provided by three library
50	classes called BaseCryptLib, TlsLib, and HashApiLib. These library classes are
51	implemented using APIs from the OpenSSL project that are abstracted by the
52	private library class called OpensslLib. The OpenSSL project implementation
53	depends on C runtime library services. The EDK II project does not provide a
54	full C runtime library for firmware components. Instead, the CryptoPkg includes
55	the smallest subset of services required to build the OpenSSL project in the
56	private library class called IntrinsicLib.
57
58	The CryptoPkg provides several instances of the BaseCryptLib and OpensslLib with
59	different cryptographic service features and performance optimizations. The
60	platform developer must select the correct instances based on cryptographic
61	service requirements in each UEFI/PI firmware phase (SEC, PEI, DXE, UEFI,
62	UEFI RT, and SMM), firmware image size requirements, and firmware boot
63	performance requirements.
64
65	```
66	+================================+
67	\| EDK II Firmware Module/Library \|
68	+================================+
69	^ ^ ^
70	\| \| \|
71	\| \| v
72	\| \| +============+
73	\| \| \| HashApiLib \|
74	\| \| +============+
75	\| \| ^
76	\| \| \|
77	v v v
78	+========+ +====================+
79	\| TlsLib \| \| BaseCryptLib \|
80	+========+ +====================+
81	^ ^
82	\| \|
83	v v
84	+================================+
85	\| OpensslLib (Private) \|
86	+================================+
87	^
88	\|
89	v
90	+================================+
91	\| IntrinsicLib (Private) \|
92	+================================+
93	```
94
95	## Dynamically Linking Cryptographic Services
96
97	The figure below shows the entire stack when dynamic linking is used with
98	cryptographic services produced by the CryptoPei, CryptoDxe, or CryptoSmm module
99	through a PPI/Protocol. This solution requires the CryptoPei, CryptoDxe, and
100	CryptoSmm modules to be configured with the set of cryptographic services
101	required by all the PEIMs, DXE Drivers, UEFI Drivers, and SMM Drivers. Dynamic
102	linking is not available for SEC or UEFI RT modules.
103
104	The EDK II modules/libraries that require cryptographic services use the same
105	BaseCryptLib/TlsLib/HashApiLib APIs. This means no source changes are required
106	to use static linking or dynamic linking. It is a platform configuration option
107	to select static linking or dynamic linking. This choice can be made globally,
108	per firmware module type, or for individual modules.
109
110	```
111	+===================+ +===================+ +===================+
112	\| EDK II PEI \| \| EDK II DXE/UEFI \| \| EDK II SMM \|
113	\| Module/Library \| \| Module/Library \| \| Module/Library \|
114	+===================+ +===================+ +===================+
115	^ ^ ^ ^ ^ ^ ^ ^ ^
116	\| \| \| \| \| \| \| \| \|
117	\| \| v \| \| v \| \| v
118	\| \| +==========+ \| \| +==========+ \| \| +==========+
119	\| \| \|HashApiLib\| \| \| \|HashApiLib\| \| \| \|HashApiLib\|
120	\| \| +==========+ \| \| +==========+ \| \| +==========+
121	\| \| ^ \| \| ^ \| \| ^
122	\| \| \| \| \| \| \| \| \|
123	v v v v v v v v v
124	+===================+ +===================+ +===================+
125	\|TlsLib\|BaseCryptLib\| \|TlsLib\|BaseCryptLib\| \|TlsLib\|BaseCryptLib\|
126	+-------------------+ +-------------------+ +-------------------+
127	\| BaseCryptLib \| \| BaseCryptLib \| \| BaseCryptLib \|
128	\| OnPpiProtocol/ \| \| OnPpiProtocol/ \| \| OnPpiProtocol/ \|
129	\| PeiCryptLib.inf \| \| DxeCryptLib.inf \| \| SmmCryptLib.inf \|
130	+===================+ +===================+ +===================+
131	^ ^ ^
132	\|\|\| (Dynamic) \|\|\| (Dynamic) \|\|\| (Dynamic)
133	v v v
134	+===================+ +===================+ +=====================+
135	\| Crypto PPI \| \| Crypto Protocol \| \| Crypto SMM Protocol \|
136	+-------------------\| \|-------------------\| \|---------------------\|
137	\| CryptoPei \| \| CryptoDxe \| \| CryptoSmm \|
138	+===================+ +===================+ +=====================+
139	^ ^ ^ ^ ^ ^
140	\| \| \| \| \| \|
141	v \| v \| v \|
142	+========+ \| +========+ \| +========+ \|
143	\| TlsLib \| \| \| TlsLib \| \| \| TlsLib \| \|
144	+========+ v +========+ v +========+ v
145	^ +==============+ ^ +==============+ ^ +==============+
146	\| \| BaseCryptLib \| \| \| BaseCryptLib \| \| \| BaseCryptLib \|
147	\| +==============+ \| +==============+ \| +==============+
148	\| ^ \| ^ \| ^
149	\| \| \| \| \| \|
150	v v v v v v
151	+===================+ +===================+ +===================+
152	\| OpensslLib \| \| OpensslLib \| \| OpensslLib \|
153	+===================+ +===================+ +===================+
154	^ ^ ^
155	\| \| \|
156	v v v
157	+===================+ +===================+ +===================+
158	\| IntrinsicLib \| \| IntrinsicLib \| \| IntrinsicLib \|
159	+===================+ +===================+ +===================+
160	```
161
162	## Supported Cryptographic Families and Services
163
164	The table below provides a summary of the supported cryptographic services. It
165	indicates if the family or service is deprecated or recommended to not be used.
166	It also shows which *CryptLib library instances support the family or service.
167	If a cell is blank then the service or family is always disabled and the
168	`PcdCryptoServiceFamilyEnable` setting for that family or service is ignored.
169	If the cell is not blank, then the service or family is configurable using
170	`PcdCryptoServiceFamilyEnable` as long as the correct OpensslLib or TlsLib is
171	also configured.
172
173	\|Key \| Description \|
174	\|---------\|--------------------------------------------------------------------------------\|
175	\| <blank> \| Family or service is always disabled. \|
176	\| C \| Configurable using PcdCryptoServiceFamilyEnable. \|
177	\| C-Tls \| Configurable using PcdCryptoServiceFamilyEnable. Requires TlsLib.inf. \|
178	\| C-Full \| Configurable using PcdCryptoServiceFamilyEnable. Requires OpensslLibFull*.inf. \|
179
180	\|Family/Service \| Deprecated \| Don't Use \| SecCryptLib \| PeiCryptLib \| BaseCryptLib \| SmmCryptLib \| RuntimeCryptLib \|
181	\|:--------------------------------\|:----------:\|:---------:\|:-----------:\|:-----------:\|:------------:\|:-----------:\|:---------------:\|
182	\| HmacMd5 \| Y \| Y \| \| \| \| \| \|
183	\| HmacSha1 \| Y \| Y \| \| \| \| \| \|
184	\| HmacSha256 \| N \| N \| \| C \| C \| C \| C \|
185	\| HmacSha384 \| N \| N \| \| C \| C \| C \| C \|
186	\| Md4 \| Y \| Y \| \| \| \| \| \|
187	\| Md5 \| Y \| Y \| \| C \| C \| C \| C \|
188	\| Pkcs.Pkcs1v2Encrypt \| N \| N \| \| \| C \| C \| \|
189	\| Pkcs.Pkcs5HashPassword \| N \| N \| \| \| C \| C \| \|
190	\| Pkcs.Pkcs7Verify \| N \| N \| \| C \| C \| C \| C \|
191	\| Pkcs.VerifyEKUsInPkcs7Signature \| N \| N \| \| C \| C \| C \| \|
192	\| Pkcs.Pkcs7GetSigners \| N \| N \| \| C \| C \| C \| C \|
193	\| Pkcs.Pkcs7FreeSigners \| N \| N \| \| C \| C \| C \| C \|
194	\| Pkcs.Pkcs7Sign \| N \| N \| \| \| C \| \| \|
195	\| Pkcs.Pkcs7GetAttachedContent \| N \| N \| \| C \| C \| C \| \|
196	\| Pkcs.Pkcs7GetCertificatesList \| N \| N \| \| C \| C \| C \| C \|
197	\| Pkcs.AuthenticodeVerify \| N \| N \| \| \| C \| \| \|
198	\| Pkcs.ImageTimestampVerify \| N \| N \| \| \| C \| \| \|
199	\| Dh \| N \| N \| \| \| C \| \| \|
200	\| Random \| N \| N \| \| \| C \| C \| C \|
201	\| Rsa.VerifyPkcs1 \| Y \| Y \| \| \| \| \| \|
202	\| Rsa.New \| N \| N \| \| C \| C \| C \| C \|
203	\| Rsa.Free \| N \| N \| \| C \| C \| C \| C \|
204	\| Rsa.SetKey \| N \| N \| \| C \| C \| C \| C \|
205	\| Rsa.GetKey \| N \| N \| \| \| C \| \| \|
206	\| Rsa.GenerateKey \| N \| N \| \| \| C \| \| \|
207	\| Rsa.CheckKey \| N \| N \| \| \| C \| \| \|
208	\| Rsa.Pkcs1Sign \| N \| N \| \| \| C \| \| \|
209	\| Rsa.Pkcs1Verify \| N \| N \| \| C \| C \| C \| C \|
210	\| Sha1 \| N \| Y \| \| C \| C \| C \| C \|
211	\| Sha256 \| N \| N \| \| C \| C \| C \| C \|
212	\| Sha384 \| N \| N \| C \| C \| C \| C \| C \|
213	\| Sha512 \| N \| N \| C \| C \| C \| C \| C \|
214	\| X509 \| N \| N \| \| \| C \| C \| C \|
215	\| Tdes \| Y \| Y \| \| \| \| \| \|
216	\| Aes.GetContextSize \| N \| N \| \| C \| C \| C \| C \|
217	\| Aes.Init \| N \| N \| \| C \| C \| C \| C \|
218	\| Aes.EcbEncrypt \| Y \| Y \| \| \| \| \| \|
219	\| Aes.EcbDecrypt \| Y \| Y \| \| \| \| \| \|
220	\| Aes.CbcEncrypt \| N \| N \| \| C \| C \| C \| C \|
221	\| Aes.CbcDecrypt \| N \| N \| \| C \| C \| C \| C \|
222	\| Arc4 \| Y \| Y \| \| \| \| \| \|
223	\| Sm3 \| N \| N \| \| C \| C \| C \| C \|
224	\| Hkdf \| N \| N \| \| C \| C \| C \| C \|
225	\| Tls \| N \| N \| \| \| C-Tls \| \| \|
226	\| TlsSet \| N \| N \| \| \| C-Tls \| \| \|
227	\| TlsGet \| N \| N \| \| \| C-Tls \| \| \|
228	\| RsaPss.Sign \| N \| N \| \| \| C \| \| \|
229	\| RsaPss.Verify \| N \| N \| \| C \| C \| C \| \|
230	\| ParallelHash \| N \| N \| \| \| \| C \| \|
231	\| AeadAesGcm \| N \| N \| \| \| C \| \| \|
232	\| Bn \| N \| N \| \| \| C \| \| \|
233	\| Ec \| N \| N \| \| \| C-Full \| \| \|
234
235	## Platform Configuration of Cryptographic Services
236
237	Configuring the cryptographic services requires library mappings and PCD
238	settings in a platform DSC file. This must be done for each of the firmware
239	phases (SEC, PEI, DXE, UEFI, SMM, UEFI RT).
240
241	The following table can be used to help select the best OpensslLib instance for
242	each phase. The Size column only shows the estimated size increase for a
243	compressed IA32/X64 module that uses the cryptographic services with
244	`OpensslLib.inf` as the baseline size. The actual size increase depends on the
245	specific set of enabled cryptographic services. If ECC services are not
246	required, then the size can be reduced by using OpensslLib.inf instead of
247	`OpensslLibFull.inf`. Performance optimization requires a size increase.
248
249	\| OpensslLib Instance \| SSL \| ECC \| Perf Opt \| CPU Arch \| Size \|
250	\|:------------------------\|:---:\|:---:\|:--------:\|:--------:\|:-----:\|
251	\| OpensslLibCrypto.inf \| N \| N \| N \| All \| +0K \|
252	\| OpensslLib.inf \| Y \| N \| N \| All \| +0K \|
253	\| OpensslLibAccel.inf \| Y \| N \| Y \| IA32/X64 \| +20K \|
254	\| OpensslLibFull.inf \| Y \| Y \| N \| All \| +115K \|
255	\| OpensslLibFullAccel.inf \| Y \| Y \| Y \| IA32/X64 \| +135K \|
256
257	### SEC Phase Library Mappings
258
259	The SEC Phase only supports static linking of cryptographic services. The
260	following library mappings are recommended for the SEC Phase. It uses the SEC
261	specific version of the BaseCryptLib and the null version of the TlsLib because
262	TLS services are not typically used in SEC.
263
264	```
265	[LibraryClasses.common.SEC]
266	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
267	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
268	TlsLib\|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
269	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLib.inf
270	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
271	```
272
273	### PEI Phase Library Mappings
274
275	The PEI Phase supports either static or dynamic linking of cryptographic
276	services. The following library mappings are recommended for the PEI Phase. It
277	uses the PEI specific version of the BaseCryptLib and the null version of the
278	TlsLib because TLS services are not typically used in PEI.
279
280	```
281	[LibraryClasses.common.PEIM]
282	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
283	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
284	TlsLib\|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
285	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLib.inf
286	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
287	```
288
289	If dynamic linking is used, then all PEIMs except CryptoPei use the following
290	library mappings. The CryptoPei module uses the static linking settings.
291
292	```
293	[LibraryClasses.common.PEIM]
294	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
295	BaseCryptLib\|CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf
296
297	[Components]
298	CryptoPkg/Driver/CryptoPei.inf {
299	<LibraryClasses>
300	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
301	TlsLib\|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
302	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLib.inf
303	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
304	}
305	```
306
307	### DXE Phase, UEFI Driver, UEFI Application Library Mappings
308
309	The DXE/UEFI Phase supports either static or dynamic linking of cryptographic
310	services. The following library mappings are recommended for the DXE/UEFI Phase.
311	It uses the DXE specific version of the BaseCryptLib and the full version of the
312	OpensslLib and TlsLib. If ECC services are not required then a smaller
313	OpensslLib instance can be used.
314
315	```
316	[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
317	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
318	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
319	TlsLib\|CryptoPkg/Library/TlsLib/TlsLib.inf
320	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
321	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
322	```
323
324	If dynamic linking is used, then all DXE Drivers except CryptoDxe use the
325	following library mappings. The CryptoDxe module uses the static linking
326	settings.
327
328	```
329	[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
330	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
331	BaseCryptLib\|CryptoPkg/Library/BaseCryptLibOnProtocolPpi/DxeCryptLib.inf
332
333	[Components]
334	CryptoPkg/Driver/CryptoDxe.inf {
335	<LibraryClasses>
336	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
337	TlsLib\|CryptoPkg/Library/TlsLib/TlsLib.inf
338	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
339	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
340	}
341	```
342
343	### SMM Phase Library Mappings
344
345	The SMM Phase supports either static or dynamic linking of cryptographic
346	services. The following library mappings are recommended for the SMM Phase. It
347	uses the SMM specific version of the BaseCryptLib and the null version of the
348	TlsLib.
349
350	```
351	[LibraryClasses.common.DXE_SMM_DRIVER]
352	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
353	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
354	TlsLib\|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
355	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLib.inf
356	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
357	```
358
359	If dynamic linking is used, then all SMM Drivers except CryptoSmm use the
360	following library mappings. The CryptoDxe module uses the static linking
361	settings.
362
363	```
364	[LibraryClasses.common.DXE_SMM_DRIVER]
365	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
366	BaseCryptLib\|CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf
367
368	[Components]
369	CryptoPkg/Driver/CryptoSmm.inf {
370	<LibraryClasses>
371	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
372	TlsLib\|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
373	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLib.inf
374	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
375	}
376	```
377
378	### UEFI Runtime Driver Library Mappings
379
380	UEFI Runtime Drivers only support static linking of cryptographic services.
381	The following library mappings are recommended for UEFI Runtime Drivers. They
382	use the runtime specific version of the BaseCryptLib and the null version of the
383	TlsLib because TLS services are not typically used at runtime.
384
385	```
386	[LibraryClasses.common.DXE_RUNTIME_DRIVER]
387	HashApiLib\|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
388	BaseCryptLib\|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
389	TlsLib\|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
390	OpensslLib\|CryptoPkg/Library/OpensslLib/OpensslLib.inf
391	IntrinsicLib\|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
392	```
393
394	### PCD Configuration Settings
395
396	There are 2 PCD settings that are used to configure cryptographic services.
397	`PcdHashApiLibPolicy` is used to configure the hash algorithm provided by the
398	BaseHashApiLib library instance. `PcdCryptoServiceFamilyEnable` is used to
399	configure the cryptographic services supported by the CryptoPei, CryptoDxe,
400	and CryptoSmm modules.
401
402	* `gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy` - This PCD indicates the
403	HASH algorithm to use in the BaseHashApiLib to calculate hash of data. The
404	default hashing algorithm for BaseHashApiLib is set to HASH_ALG_SHA256.
405	\| Setting \| Algorithm \|
406	\|------------\|------------------\|
407	\| 0x00000001 \| HASH_ALG_SHA1 \|
408	\| 0x00000002 \| HASH_ALG_SHA256 \|
409	\| 0x00000004 \| HASH_ALG_SHA384 \|
410	\| 0x00000008 \| HASH_ALG_SHA512 \|
411	\| 0x00000010 \| HASH_ALG_SM3_256 \|
412
413	* `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable` - Enable/Disable
414	the families and individual services produced by the EDK II Crypto
415	Protocols/PPIs. The default is all services disabled. This Structured PCD is
416	associated with the `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that is
417	defined in `Include/Pcd/PcdCryptoServiceFamilyEnable.h`.
418
419	There are three layers of priority that determine if a specific family or
420	individual cryptographic service is actually enabled in the CryptoPei,
421	CryptoDxe, and CryptoSmm modules.
422
423	1) OpensslLib instance selection. When the CryptoPei, CryptoDxe, or CryptoSmm
424	drivers are built, they are statically linked to an OpensslLib library
425	instance. If the required cryptographic service is not enabled in the
426	OpensslLib instance linked, then the service is always disabled.
427	2) BaseCryptLib instance selection.
428	* CryptoPei is always linked with the PeiCryptLib instance of the
429	BaseCryptLib library class. The table above has a column for the
430	PeiCryptLib. If the family or service is blank, then that family or
431	service is always disabled.
432	* CryptoDxe is always linked with the BaseCryptLib instance of the
433	BaseCryptLib library class. The table above has a column for the
434	BaseCryptLib. If the family or service is blank, then that family or
435	service is always disabled.
436	* CryptoSmm is always linked with the SmmCryptLib instance of the
437	BaseCryptLib library class. The table above has a column for the
438	SmmCryptLib. If the family or service is blank, then that family or
439	service is always disabled.
440	3) If a family or service is enabled in the OpensslLib instance and it is
441	enabled in the BaseCryptLib instance, then it can be enabled/disabled
442	using `PcdCryptoServiceFamilyEnable`. This structured PCD is associated
443	with the `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` data structure that contains
444	bit fields for each family of services. All of the families are disabled
445	by default. An entire family of services can be enabled by setting the
446	family field to the value `PCD_CRYPTO_SERVICE_ENABLE_FAMILY`. Individual
447	services can be enabled by setting a single service name (bit) to `TRUE`.
448	Settings listed later in the DSC file have priority over settings listed
449	earlier in the DSC file, so it is valid for an entire family to be enabled
450	first and then for a few individual services to be disabled by setting
451	those service names to `FALSE`.
452
453	#### Common PEI PcdCryptoServiceFamilyEnable Settings
454
455	```
456	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
457	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
458	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
459	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
460	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
461	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
462	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
463	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
464	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify \| TRUE
465	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New \| TRUE
466	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free \| TRUE
467	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey \| TRUE
468	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword \| TRUE
469	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
470	```
471
472	#### Common DXE and SMM PcdCryptoServiceFamilyEnable Settings
473
474	```
475	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
476	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
477	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
478	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs1v2Encrypt \| TRUE
479	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword \| TRUE
480	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7Verify \| TRUE
481	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.VerifyEKUsInPkcs7Signature \| TRUE
482	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7GetSigners \| TRUE
483	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs7FreeSigners \| TRUE
484	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.AuthenticodeVerify \| TRUE
485	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
486	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify \| TRUE
487	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New \| TRUE
488	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free \| TRUE
489	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey \| TRUE
490	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.GetPublicKeyFromX509 \| TRUE
491	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
492	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
493	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Services.HashAll \| FALSE
494	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetSubjectName \| TRUE
495	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetCommonName \| TRUE
496	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetOrganizationName \| TRUE
497	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Services.GetTBSCert \| TRUE
498	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
499	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
500	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family \| PCD_CRYPTO_SERVICE_ENABLE_FAMILY
501	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize \| TRUE
502	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init \| TRUE
503	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt \| TRUE
504	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt \| TRUE
505	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Encrypt \| TRUE
506	gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Decrypt \| TRUE
507	```

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format