EDK II is the reference implementation of UEFI, used by fairly much everyone shipping UEFI firmware these days. It uses OpenSSL to provide cryptographic functionality, used for Secure Boot.
This might make it one of the largest OpenSSL deployments ever. So it would be quite useful for it to be supported out of the box, without the need to rapidly update and reapply external patches each time it's necessary to update OpenSSL.

I've been submitting patches last week to both OpenSSL and EDKII. Now I'm looking at the build process itself. EDK II has its own build system, and this is its build INF file for OpenSSL:

https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/OpensslLib.inf

Obviously, that list of filenames wants to be generated automatically by something based on 'make files', and !included into the INF file. And the litany of -DOPENSSL_NO_xxx probably just wants to be in opensslconf.h with a proper ./Configure invocation. (For the Windows users building EDKII, who can't be assumed to have a sane build setup, we can ship preprepared versions of both.)

Here's a first attempt at making './Configure UEFI' do something sane.

The main question is what I should be doing about SIXTY_FOUR_BIT_LONG et al.? Using the *same* build INF file, we build for i386, x86_64, ARM, AARCH64 and IA64. The current INF file will explicitly set THIRTY_TWO_BIT or SIXTY_FOUR_BIT_LONG according to the platform. Hence making that part of opensslconf.h inactive for OPENSSL_SYS_UEFI, in the patch below. Better suggestions would be welcomed... since this isn't entirely performance-critical, *perhaps* it might be acceptable just to use THIRTY_TWO_BIT everywhere?

My other question, before I look too hard at the integration: is it worth providing an OpenSSL build target that can build OpenSSL and its tools as standalone UEFI executables? That way, the UEFI build target has some meaning (and can perhaps at least be build tested) within OpenSSL directly, rather than only when imported into an EDK II build.

diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index b5d32b6..2dcc82d 100644 --- a/Configurations/10-main.conf 
+++ b/Configurations/10-main.conf @@ -1207,6 +1207,13 @@ shared_extension => ".dll.a", }, +#### UEFI + "UEFI" => { + cc => "cc", + cflags => "-DL_ENDIAN -O", + sys_id => "UEFI", + }, + #### UWIN "UWIN" => { cc => "cc", diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in index 4429c91..2ce2e48 100644 --- a/crypto/opensslconf.h.in +++ b/crypto/opensslconf.h.in @@ -79,11 +79,13 @@ /* Should we define BN_DIV2W here? */ +#ifndef OPENSSL_SYS_UEFI /* This is defined in the EDK2 build INF */ /* Only one for the following should be defined */ #undef SIXTY_FOUR_BIT_LONG #undef SIXTY_FOUR_BIT #define THIRTY_TWO_BIT #endif +#endif #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) #define CONFIG_HEADER_RC4_LOCL_H diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index 177b098..6327a64 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -76,6 +76,11 @@ extern "C" { # define OPENSSL_SYS_NETWARE # endif +/* -------------------------------- UEFI ---------------------------------- */ +# if defined(OPENSSL_SYS_UEFI) +# undef OPENSSL_SYS_UNIX +# endif + /* --------------------- Microsoft operating systems ---------------------- */ /*
--
David Woodhouse Open Source Technology Centre david.woodho...@intel.com Intel Corporation
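Review bot: In the Configurations/10-main.conf hunk, `cflags => "-DL_ENDIAN -O"` fixes the byte order in a single "UEFI" target, while the message says the same build covers i386, x86_64, ARM, AARCH64 and IA64. Add a comment on the target stating that every architecture it is meant for is little-endian (or drop -DL_ENDIAN and let the consumer set it), and say whether `cc => "cc"` and `-O` are only placeholders when the real compiler and flags come from the EDK II build.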
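Review bot: In the crypto/opensslconf.h.in hunk, the added `#endif` sits after the existing context `#endif`, whose opening conditional is above the hunk, so the new `#ifndef OPENSSL_SYS_UEFI` is actually closed by the old `#endif` and the outer block by the new one. It balances, but it reads as crossed nesting; move the new `#endif` above the existing one and tag it `/* !OPENSSL_SYS_UEFI */`. The comment on the `#ifndef` line would also be clearer if it said what the INF defines (the THIRTY_TWO_BIT / SIXTY_FOUR_BIT_LONG choice), and an `#error` for the case where OPENSSL_SYS_UEFI is set but no width macro is defined would catch a build that does not go through the INF.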
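Review bot: In the include/openssl/e_os2.h hunk, the new UEFI block only undefines OPENSSL_SYS_UNIX and is placed directly before the Microsoft operating systems section, with nothing visible that stops that section from also classifying the build. Since the message expects Windows users to build EDK II, confirm that a UEFI build with a Windows compiler does not end up with a Microsoft OPENSSL_SYS_* define as well, and guard that section with `!defined(OPENSSL_SYS_UEFI)` if it does.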