*1) Old issue refresh - https://github.com/tianocore/edk2/issues/12561* *AR: Doug* will confirm.
*2) Old issue refresh - https://github.com/tianocore/edk2/issues/12574*
https://github.com/vathpela/silver-doodle/compare/main...no-owner-guid

A) Minor comment: "new entries should prefer that format." -> "new entries should prefer the EFI_CERT_V2_X509_GUID format." *AR: Peter* to update.

B) *AR: Doug*, please review to ensure the V2 proposal is OK for BitLocker.

C) Open: how we support transition, e.g. V1 -> V2, and V2 -> V1. Some thoughts:
* A platform firmware needs to support mixed V1&V2 entries in db storage, if it reports both in ECIT.
* The new entry will be rejected if the platform BIOS does not report its format in ECIT.
* The platform firmware may convert the old entry to new format during firmware update. (That is OEM specific behavior)

*3) Doug: edk2-crypto redesign for OneCrypto*

Some resources:
* RFC proposal: https://github.com/tianocore/tianocore-wiki.github.io/pull/8
* BaseCryptLibOnOneCrypto Architecture: https://github.com/microsoft/mu_basecore/tree/release/202511/CryptoPkg/Library/BaseCryptLibOnOneCrypto
* Crypto API Usage Scan script: https://github.com/microsoft/mu_crypto_release/pull/241/changes

Repo Position:
* EDK2: Move crypto detail out of EDK2. EDK2 only has crypto interface.
* EDK2-crypto: provide crypto source + crypto bin.

EDK2-Crypto Feature:
* Produce phase independent crypto API, loaded by the crypto loader.
* Support Reproducible build, auditable
* May sign the binary
* Support different implementation, e.g. OpenSSL, MbedTls
* May support SBOM
* May support FIPS
* Reduce EDK2 build time (using binary)
* May provide UEFI defined feature (PKCS7_PROTOCOL, HASH2_PROTOCOL), then OS loader may use it directly.

Open:

A) API Scope: 2 Different directions:
* Minimal API set - only provide the one defined in spec (UEFI, TCG). Only RSA, PKCS7 and HASH are needed.
  * Scope is clear, but if a platform needs more, it must include crypto (maybe in EDK2) again.
* Full API set - equivalent to the existing CryptoLib.
  * What to do if EDK2 needs to add a new API in crypto lib? Old Binary will return UNSUPPORTED.

B) Any prototype in EDK2, such as OvmfPkg? Not yet. Currently it is only enabled in project-MU.

*AR: All*, please review the proposal, and provide feedback.

Thank you
Yao, Jiewen
