Remove the openssl library and it's associated files from CryptoPkg. (m…

…icrosoft#680)

Project MU has encouraged the use of a crypto binaries for several years
now but has allowed platforms to use the traditional DIY crypto
implementations if they want to. This change finally removes Openssl
from CryptoPkg along with its associated wrapper libraries and the
BaseCryptLib implementation of it. Only the NULL implementation of
BaseCryptLib will be available by default in CryptoPkg but it outlines
the APIs to use for platforms.

All Openssl files have been moved to the MU_CRYPTO_RELEASE repo that you
can find
[here](https://github.com/microsoft/mu_crypto_release/tree/release/202302)

- [x] Impacts functionality?
- **Functionality** - Does the change ultimately impact how firmware
functions?
- Examples: Add a new library, publish a new PPI, update an algorithm,
...
- [x] Impacts security?
- **Security** - Does the change have a direct security impact on an
application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- [x] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a
break
    in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo,
call
    a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
  - **Tests** - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- [x] Includes documentation?
- **Documentation** - Does the change contain explicit documentation
additions
    outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to
documentation
    on an a separate Web page, ...

Tested on Intel physical platforms and the Q35 QEMU virtual platform.

First you'll need to remove all references to the OpensslLib and
IntrinsicLib libraries in your platform dsc file. Additionally, any
non-NULL instance of BaseCryptLib needs to removed as well.

To use the crypto binary you need to make a few adjustments on your
platform:
1. Define the service level that you want for each phase of UEFI in the
defines sections of your DSC.

```
    [Defines]
        DEFINE PEI_CRYPTO_SERVICES = TINY_SHA
        DEFINE DXE_CRYPTO_SERVICES = STANDARD
        DEFINE SMM_CRYPTO_SERVICES = STANDARD
        DEFINE STANDALONEMM_CRYPTO_SERVICES = STANDARD
        DEFINE PEI_CRYPTO_ARCH = IA32
        DEFINE DXE_CRYPTO_ARCH = X64
        DEFINE SMM_CRYPTO_ARCH = X64
        DEFINE STANDALONEMM_CRYPTO_ARCH = X64
```

2. Add the DSC include.

    `!include CryptoPkg/Driver/Bin/CryptoDriver.inc.dsc`

3.  Add the FDF includes to your platform FDF.

```
    [FV.FVBOOTBLOCK]
    !include CryptoPkg/Driver/Bin/CryptoDriver.PEI.inc.fdf

    [FV.FVDXE]
      !include CryptoPkg/Driver/Bin/CryptoDriver.DXE.inc.fdf
      !include CryptoPkg/Driver/Bin/CryptoDriver.SMM.inc.fdf
      !include CryptoPkg/Driver/Bin/CryptoDriver.STANDALONEMM.inc.fdf
```

For the fdf includes you don't need both the `STANDALONEMM` and `SMM`
versions. You typically should include only one of them.

.gitmodules

@@ -1,6 +1,3 @@
-[submodule "CryptoPkg/Library/OpensslLib/openssl"]
-	path = CryptoPkg/Library/OpensslLib/openssl
-	url = https://github.com/openssl/openssl
 [submodule "UnitTestFrameworkPkg/Library/CmockaLib/cmocka"]
 	path = UnitTestFrameworkPkg/Library/CmockaLib/cmocka
 	url = https://github.com/tianocore/edk2-cmocka.git

.pytool/CISettings.py

@@ -207,8 +207,6 @@ def GetRequiredSubmodules(self):
         If no RequiredSubmodules return an empty iterable
         '''
         rs = []
-        rs.append(RequiredSubmodule(
-            "CryptoPkg/Library/OpensslLib/openssl", False))
         rs.append(RequiredSubmodule(
             "UnitTestFrameworkPkg/Library/CmockaLib/cmocka", False))
         rs.append(RequiredSubmodule(

CodeQlFilters.yml

@@ -16,11 +16,6 @@
 {
   "Filters": [
     "-**/CryptoPkg/Library/**:cpp/missing-header-guard",
-    "-**/CryptoPkg/Library/BaseCryptLib/**/*.c:SM02690",
-    "-**/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c:SM02311",
-    "-**/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c:SM02311",
-    "-**/CryptoPkg/Library/BaseCryptLib/SysCall/TimerWrapper.c:SM02320",
-    "-**/CryptoPkg/Library/OpensslLib/**/*.c:*",
     "-**/MdeModulePkg/Bus/Pci/PciBusDxe/PciResourceSupport.c:SM02311",
     "-**/MdeModulePkg/Core/Pei/Ppi/Ppi.c:cpp/overflow-buffer",
     "-**/MdeModulePkg/Core/PiSmmCore/MemoryAttributesTable.c:cpp/unused-static-function",

CryptoPkg/CryptoPkg.ci.yaml

@@ -10,10 +10,7 @@
         "DscPath": "CryptoPkg.dsc",
     },
     "LicenseCheck": {
-        "IgnoreFiles": [
-            # These directories contain auto-generated OpenSSL content
-            "Library/OpensslLib/OpensslGen"
-        ]
+        "IgnoreFiles": []
     },
     "EccCheck": {
         ## Exception sample looks like below:
@@ -28,41 +25,16 @@
         ],
         ## Both file path and directory path are accepted.
         "IgnoreFiles": [
-            "Library/OpensslLib/openssl",
-            "Library/OpensslLib/OpensslGen",
             # The unit testing folder is not to be checked
-            "Test/UnitTest",
-            # This has OpenSSL interfaces that aren't UEFI spec compliant
-            "Library/BaseCryptLib/SysCall",
-            # This has OpenSSL interfaces that aren't UEFI spec compliant
-            "Library/OpensslLib/OpensslStub",
-            # This has OpenSSL interfaces that aren't UEFI spec compliant
-            "Library/Include/CrtLibSupport.h",
-            # This has OpenSSL interfaces that aren't UEFI spec compliant
-            "Library/BaseCryptLib/Hash/CryptParallelHash.h",
-            "Library/Include/fcntl.h",
-            # This has Mbedtls interfaces that aren't UEFI spec compliant
-            "Library/Include/stdint.h",
-            "Library/Include/stubs-32.h",
-            # These directories contain auto-generated OpenSSL content
-            "Library/OpensslLib",
-            "Library/IntrinsicLib",
-            "Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c",
-            # mbedtls
-            "Library/MbedTlsLib/mbedtls",
-            # This has mbedtls interfaces that aren't UEFI spec compliant
-            "Library/MbedTlsLib/EcSm2Null.c",
-            "Library/MbedTlsLib/CrtWrapper.c",
-            "Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h",
-            "Library/BaseCryptLibMbedTls/SysCall"
+            "Test/UnitTest"
         ]
     },
     "CompilerPlugin": {
         "DscPath": "CryptoPkg.dsc"
     },
     ## options defined .pytool/Plugin/HostUnitTestCompilerPlugin
     "HostUnitTestCompilerPlugin": {
-        "DscPath": "Test/CryptoPkgHostUnitTest.dsc"
+        #"DscPath": "Test/CryptoPkgHostUnitTest.dsc"  # MU_CHANGE - Disable temporarily while transitioning crypto
     },
     "CharEncodingCheck": {
         "IgnoreFiles": []
@@ -82,9 +54,6 @@
     "DscCompleteCheck": {
         "DscPath": "CryptoPkg.dsc",
         "IgnoreInf": [
-            "CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf",
-            "CryptoPkg/Library/OpensslLib/OpensslLibFull.inf",
-            "CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf",
             ## MU_CHANGE [BEGIN] Ignore CryptBin Autogenerated Files
             "CryptoPkg/Driver/Bin/CryptoDriverBin_MINIMAL_SHA_SM3_Dxe_DEBUG_AARCH64.inf",
             "CryptoPkg/Driver/Bin/CryptoDriverBin_MINIMAL_SHA_SM3_Dxe_DEBUG_IA32.inf",
@@ -171,11 +140,7 @@
     },
     "MarkdownLintCheck": {
         "AuditOnly": False,          # If True, log all errors and then mark as skipped
-        "IgnoreFiles": [
-            "Library/OpensslLib/openssl",
-            "Library/OpensslLib/OpensslGen",
-            "Library/MbedTlsLib/mbedtls"
-        ]            # package root relative file, folder, or glob pattern to ignore
+        "IgnoreFiles": []            # package root relative file, folder, or glob pattern to ignore
     },
 
     ## options defined ci/Plugin/SpellCheck
@@ -190,46 +155,7 @@
     # options defined in .pytool/Plugin/UncrustifyCheck
     "UncrustifyCheck": {
         "IgnoreFiles": [
-            "Library/OpensslLib/OpensslGen/include/crypto/bn_conf.h",
-            "Library/OpensslLib/OpensslGen/include/crypto/dso_conf.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/asn1.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/asn1t.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/bio.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/cmp.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/cms.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/conf.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/configuration-ec.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/configuration-noec.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/configuration.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/crmf.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/crypto.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/ct.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/err.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/ess.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/fipskey.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/lhash.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/ocsp.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/opensslv.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/pkcs12.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/pkcs7.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/safestack.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/srp.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/ssl.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/ui.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/x509.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/x509v3.h",
-            "Library/OpensslLib/OpensslGen/include/openssl/x509_vfy.h",
-            "Library/OpensslLib/OpensslGen/providers/common/der/der_digests_gen.c",
-            "Library/OpensslLib/OpensslGen/providers/common/der/der_ecx_gen.c",
-            "Library/OpensslLib/OpensslGen/providers/common/der/der_ec_gen.c",
-            "Library/OpensslLib/OpensslGen/providers/common/der/der_rsa_gen.c",
-            "Library/OpensslLib/OpensslGen/providers/common/der/der_wrap_gen.c",
-            "Library/OpensslLib/OpensslGen/providers/common/include/prov/der_digests.h",
-            "Library/OpensslLib/OpensslGen/providers/common/include/prov/der_ec.h",
-            "Library/OpensslLib/OpensslGen/providers/common/include/prov/der_ecx.h",
-            "Library/OpensslLib/OpensslGen/providers/common/include/prov/der_rsa.h",
-            "Library/OpensslLib/OpensslGen/providers/common/include/prov/der_wrap.h",
-            "Library/OpensslLib/OpensslStub/uefiprov.c"
+            "opensslconf.h"
         ]
     }
 }

CryptoPkg/CryptoPkg.dec

@@ -19,19 +19,6 @@
 [Includes]
   Include
 
-[Includes.Common.Private]
-  Private
-  Library/Include
-  Library/OpensslLib/openssl/include
-  Library/OpensslLib/openssl/providers/common/include
-  Library/OpensslLib/openssl/providers/implementations/include
-  Library/OpensslLib/OpensslGen/include
-  Library/OpensslLib/OpensslGen/providers/common/include
-  Library/MbedTlsLib/Include
-  Library/MbedTlsLib/mbedtls/include
-  Library/MbedTlsLib/mbedtls/include/mbedtls
-  Library/MbedTlsLib/mbedtls/library
-
 [LibraryClasses]
   ##  @libraryclass  Provides basic library functions for cryptographic primitives.
   ##
@@ -49,16 +36,6 @@
   #
   HmacSha1Lib|Include/Library/HmacSha1Lib.h
 
-[LibraryClasses.common.Private]
-  ##  @libraryclass  Provides library functions from the openssl project.
-  #
-  OpensslLib|Private/Library/OpensslLib.h
-  MbedTlsLib|Private/Library/MbedTlsLib.h
-
-  ##  @libraryclass  Provides compiler intrinsic functions required to link openssl project.
-  #
-  InstrinsicLib|Private/Library/IntrinsicLib.h
-
 [Protocols]
   ## EDK II Crypto DXE protocol
   # 2C2275C9-3A7B-426F-BE54-2D22BD9D1092

CryptoPkg/CryptoPkg.dsc

@@ -58,8 +58,6 @@
   UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
   PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
   MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
-  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
-  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
   TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf
   SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
@@ -106,7 +104,6 @@
   HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
   TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
 
 [LibraryClasses.common.DXE_SMM_DRIVER]
@@ -118,7 +115,6 @@
   ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf
 
 [LibraryClasses.common.SEC]
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
   TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
 
 [LibraryClasses.IA32.PEIM, LibraryClasses.X64.PEIM]
@@ -134,16 +130,13 @@
   MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
   DebugLib|MdePkg/Library/UefiDebugLibDebugPortProtocol/UefiDebugLibDebugPortProtocol.inf # MU_CHANGE add debug lib
 
 [LibraryClasses.common.DXE_SMM_DRIVER]
   UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
   UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf
   MmServicesTableLib|MdePkg/Library/MmServicesTableLib/MmServicesTableLib.inf
   ReportStatusCodeLib|MdeModulePkg/Library/SmmReportStatusCodeLib/SmmReportStatusCodeLib.inf
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
   TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
   DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf # MU_CHANGE add debug lib
 !endif
@@ -157,7 +150,6 @@
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
 
 [LibraryClasses.common.MM_STANDALONE]
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
   DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
   MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAllocationLib/StandaloneMmMemoryAllocationLib.inf
   MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/StandaloneMmServicesTableLib.inf
@@ -202,12 +194,8 @@
   #
   # Build verification of all library instances
   #
-  CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-  CryptoPkg/Library/HmacSha1Lib/HmacSha1Lib.inf
+
   CryptoPkg/Library/HmacSha1Lib/HmacSha1LibNull.inf
-  CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
-  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
   CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf
   CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf
   CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf
@@ -217,12 +205,7 @@
   CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf
   CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf
   CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
-  CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
-  CryptoPkg/Library/TlsLib/TlsLib.inf
   CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
-  CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
-  CryptoPkg/Library/OpensslLib/OpensslLib.inf
-  #CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
   CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
 
   CryptoPkg/Library/BaseCryptLibOnProtocolPpi/PeiCryptLib.inf
@@ -236,15 +219,12 @@
 
 # MU_CHANGE START
 [Components.X64, Components.IA32]
-  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
   CryptoPkg/Library/BaseCryptLibOnProtocolPpi/SmmCryptLib.inf
 
 [Components.IA32, Components.X64]
   #
   # Build verification of IA32/X64 specific libraries
   #
-  #CryptoPkg/Library/OpensslLib/OpensslLibAccel.inf
-  #CryptoPkg/Library/OpensslLib/OpensslLibFullAccel.inf
 
 [Components.IA32, Components.X64] # MU_CHANGE remove ARM and AARCH64
   CryptoPkg/Driver/CryptoPei.inf {
@@ -280,11 +260,8 @@
       DebugLib|MdePkg/Library/UefiDebugLibDebugPortProtocol/UefiDebugLibDebugPortProtocol.inf # MU_CHANGE add debug lib
       DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf # MU_CHANGE add debug lib
       UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf
-      OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
-      IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
       ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
       MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
-      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
     <PcdsFixedAtBuild>
       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0xFFFFFFFF
       !include CryptoPkg/Test/Crypto.pcd.ALL.inc.dsc