BaseCryptOnOneCrypto Support #1570
base: release/202502
Conversation
Codecov Report: all modified and coverable lines are covered by tests.

Coverage diff (release/202502 vs. #1570; "?" means no base measurement to compare against):

    Coverage   ?   0.66%
    Files      ?   939
    Lines      ?   329534
    Branches   ?   2647
    Hits       ?   2195
    Misses     ?   327161
    Partials   ?   178
Review comment on CryptoPkg/Library/BaseCryptLibOnOneCrypto/StandaloneMmCryptLib.inf (outdated, resolved).
Working on fixing the failing gates - uncrustify is failing.
…ffixes

Remove _EX suffix from crypto macro names in unit tests to align with standardized naming conventions. This simplifies the API and makes it consistent across all cryptographic functions.

Changes:
- Remove _EX from HMAC, hash, and cipher function calls
- Update test variable naming for clarity
- Delete obsolete Crypto.pcd.ALL.inc.dsc file
- Update TestBaseCryptLibHost.inf to reflect current test structure

Add comprehensive OneCrypto.h protocol header defining a unified interface for cryptographic operations across all firmware phases (DXE, SMM, MM).

Features:
- 171+ cryptographic function typedefs organized into 14 functional groups:
  * HMAC (SHA256, SHA384)
  * Big Number operations
  * AES operations
  * Hash functions (MD5, SHA1, SHA256, SHA384, SHA512, SM3)
  * Key derivation (HKDF)
  * Asymmetric crypto (RSA, EC, DH)
  * PKCS operations
  * X.509 certificate handling
  * TLS primitives
  * Random number generation
  * Timestamp verification
  * Provider version info
- Complete doxygen documentation with @since version tags
- Protocol versioning support (Major.Minor)
- Support for Asn1GetTag and X509CompareDateTime
- Buffer-based GetCryptoProviderVersionText API

The protocol enables a single cryptographic binary to serve all firmware phases, reducing code duplication and improving security consistency.
Abstract text under review:
    Implements the BaseCryptLib and TlsLib using the services of the OneCrypto
    Protocol/PPI.
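Review bot: the abstract says "Protocol/PPI", but this series only adds DXE, SMM and Standalone MM wrappers (DxeCryptLib, SmmCryptLib, StandaloneMmCryptLib) and no PEI instance, so the PPI reference promises a consumer that does not exist in the tree; drop it, as the suggested replacement wording in this thread does, and reintroduce it only when a PEIM instance that locates a OneCrypto PPI actually lands.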
Suggested change:
    -   Implements the BaseCryptLib and TlsLib using the services of the OneCrypto
    -   Protocol/PPI.
    +   Implements the backend crypto services of BaseCryptLib and TlsLib using the OneCrypto
    +   Protocol.
Add GetCryptoProviderVersionText function declaration to BaseCryptLib.h with buffer-based API design.

Changes:
- Add GetCryptoProviderVersionText function with buffer/size parameters
- Function supports query mode (Buffer=NULL returns required size)
- Returns EFI_SUCCESS, EFI_BUFFER_TOO_SMALL, or EFI_INVALID_PARAMETER
- Replaces previous pointer-returning API for better safety
- Enables callers to control memory allocation

This API allows cryptographic provider version information (e.g., OpenSSL version) to be retrieved safely without exposing internal string pointers.

Add library implementations that wrap the OneCrypto protocol for use across DXE, SMM, and Standalone MM firmware phases.

New libraries:
- DxeCryptLib: DXE phase wrapper (locates gOneCryptoDxeProtocolGuid)
- SmmCryptLib: SMM phase wrapper (locates gOneCryptoSmmProtocolGuid)
- StandaloneMmCryptLib: Standalone MM wrapper (locates gOneCryptoMmProtocolGuid)

All libraries share common implementation:
- OneCryptoLib.c (6520 lines): Complete BaseCryptLib API wrappers
  * All 171+ functions call through protocol using CALL_CRYPTO_SERVICE macro
  * Version checking ensures protocol supports requested operations
  * Automatic fallback to 'not available' for unsupported operations
  * Includes Asn1GetTag and X509CompareDateTime support
  * Buffer-based GetCryptoProviderVersionText implementation
- Phase-specific constructors locate the appropriate protocol variant
- Unified GetCryptoServices() API returns protocol pointer
- Complete error handling with DEBUG output

Benefits:
- Single protocol implementation serves all phases
- Consistent crypto behavior across firmware
- Reduced code duplication
- Simplified maintenance and updates
- Version-aware protocol consumption

- Add gOneCryptoSmmProtocolGuid to CryptoPkg.dec [Protocols] section
- Add GuidCheck exception for OneCryptoBinStandaloneMm and OneCryptoBinSupvMm which intentionally share the same GUID for loader identification
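As an added example (not the project's code), the following C sketches the mechanisms the OneCrypto.h, GetCryptoProviderVersionText and wrapper-library commits above describe together: a Major.Minor-versioned protocol whose slots carry @since versions, a CALL_CRYPTO_SERVICE-style gate that refuses to dereference a slot the located provider is too old to have, and the buffer-based query contract (Buffer=NULL returns the required size; EFI_SUCCESS, EFI_BUFFER_TOO_SMALL or EFI_INVALID_PARAMETER). The protocol layout, the @since assignments, the provider implementations, the same-Major compatibility rule and the EFI type stand-ins are all assumptions for illustration; the Asn1GetTag here is a simplified DER tag/length reader, not the OpenSSL-backed service.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-ins for the EDK2 types used on the page (assumed, not CryptoPkg's headers). */
typedef uint8_t   UINT8;
typedef uint16_t  UINT16;
typedef uint32_t  UINT32;
typedef size_t    UINTN;
typedef int       BOOLEAN;
typedef UINTN     EFI_STATUS;
#define TRUE  1
#define FALSE 0
#define MAX_BIT               ((UINTN)1 << (sizeof (UINTN) * 8 - 1))
#define ENCODE_ERROR(Code)    (MAX_BIT | (Code))
#define EFI_SUCCESS           ((EFI_STATUS)0)
#define EFI_INVALID_PARAMETER ENCODE_ERROR (2)
#define EFI_UNSUPPORTED       ENCODE_ERROR (3)
#define EFI_BUFFER_TOO_SMALL  ENCODE_ERROR (5)

/* Assumed protocol layout. A provider built against an older header ends before
   the newer slots, so dereferencing a slot it never had reads past its struct. */
typedef EFI_STATUS (*ONE_CRYPTO_GET_VERSION_TEXT)(char *Buffer, UINTN *BufferSize);
typedef BOOLEAN    (*ONE_CRYPTO_ASN1_GET_TAG)(UINT8 **Ptr, const UINT8 *End, UINTN *Length, UINT32 Tag);

typedef struct {
  UINT16                      Major;
  UINT16                      Minor;
  ONE_CRYPTO_GET_VERSION_TEXT GetCryptoProviderVersionText;  /* @since 1.0 (assumed) */
  ONE_CRYPTO_ASN1_GET_TAG     Asn1GetTag;                    /* @since 1.1 (assumed) */
} ONE_CRYPTO_PROTOCOL;

/* ---- Provider side: constructed sample implementations ---- */

static const char ProviderVersionText[] = "ExampleCrypto 1.1 (constructed sample)";

/* Buffer-based version query: a NULL or short buffer reports the size needed. */
static EFI_STATUS ProviderGetVersionText(char *Buffer, UINTN *BufferSize) {
  UINTN Needed = sizeof ProviderVersionText;   /* includes the terminating NUL */
  if (BufferSize == NULL) return EFI_INVALID_PARAMETER;
  if (Buffer == NULL || *BufferSize < Needed) {
    *BufferSize = Needed;
    return EFI_BUFFER_TOO_SMALL;
  }
  memcpy(Buffer, ProviderVersionText, Needed);
  *BufferSize = Needed;
  return EFI_SUCCESS;
}

/* DER tag/length reader (simplified stand-in). On success *Ptr advances to the
   content and *Length is its size; every step is checked against End so a
   truncated input or a lying length cannot run past the buffer. Indefinite
   length (0x80) is rejected because DER forbids it. */
static BOOLEAN ProviderAsn1GetTag(UINT8 **Ptr, const UINT8 *End, UINTN *Length, UINT32 Tag) {
  UINT8 *P = *Ptr;
  UINTN  Len, NumBytes, I;
  if (P == NULL || End == NULL || Length == NULL || End - P < 2) return FALSE;
  if (*P++ != (UINT8)Tag) return FALSE;
  if (*P < 0x80) {
    Len = *P++;                                  /* short form */
  } else {
    NumBytes = *P++ & 0x7F;                      /* long form: 0x8N, then N length bytes */
    if (NumBytes == 0 || NumBytes > sizeof (UINTN) || (UINTN)(End - P) < NumBytes) return FALSE;
    for (Len = 0, I = 0; I < NumBytes; I++) Len = (Len << 8) | *P++;
  }
  if ((UINTN)(End - P) < Len) return FALSE;      /* content would overrun the buffer */
  *Ptr = P;
  *Length = Len;
  return TRUE;
}

/* ---- Consumer side: what a BaseCryptOnOneCrypto-style wrapper does ---- */

/* Same Major only (assumed rule): a Major bump may change the layout, so a 2.x
   provider does not satisfy a 1.x slot even though 2 > 1. Minor is additive. */
static BOOLEAN ProtocolSupports(const ONE_CRYPTO_PROTOCOL *Proto, UINT16 Major, UINT16 Minor) {
  return Proto != NULL && Proto->Major == Major && Proto->Minor >= Minor;
}

/* Gate on the slot's @since version, then on a non-NULL pointer; otherwise
   hand back the caller's "not available" value without touching the slot. */
#define CALL_CRYPTO_SERVICE(Proto, Func, SinceMajor, SinceMinor, Unavailable, Args) \
  ((ProtocolSupports ((Proto), (SinceMajor), (SinceMinor)) && (Proto)->Func != NULL) \
     ? (Proto)->Func Args : (Unavailable))

static const ONE_CRYPTO_PROTOCOL *mCrypto;  /* a phase constructor would locate this */

void SetCryptoServices(const ONE_CRYPTO_PROTOCOL *Proto) { mCrypto = Proto; }

EFI_STATUS GetCryptoProviderVersionText(char *Buffer, UINTN *BufferSize) {
  return CALL_CRYPTO_SERVICE (mCrypto, GetCryptoProviderVersionText, 1, 0,
                              EFI_UNSUPPORTED, (Buffer, BufferSize));
}

BOOLEAN Asn1GetTag(UINT8 **Ptr, const UINT8 *End, UINTN *Length, UINT32 Tag) {
  return CALL_CRYPTO_SERVICE (mCrypto, Asn1GetTag, 1, 1, FALSE, (Ptr, End, Length, Tag));
}

/* Two constructed providers: a 1.0 binary (its 1.1 slot does not exist; modelled
   as NULL here) and a 1.1 binary that has it. */
const ONE_CRYPTO_PROTOCOL gProviderV10 = { 1, 0, ProviderGetVersionText, NULL };
const ONE_CRYPTO_PROTOCOL gProviderV11 = { 1, 1, ProviderGetVersionText, ProviderAsn1GetTag };
```

With gProviderV10 located, Asn1GetTag returns FALSE from the version gate without ever reading the 1.1 slot; with gProviderV11 it parses `30 06 02 01 05 02 01 07` as a SEQUENCE of length 6 and leaves the cursor on the first INTEGER. The version query returns EFI_BUFFER_TOO_SMALL with the required size for both the NULL-buffer probe and a too-short buffer, and EFI_UNSUPPORTED once no provider is set.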
Moved the GetCryptoServices() function definition to a new private header file OneCryptoLib.h to improve code organization. Updated all consumers in DxeCryptLib, OneCryptoLib, SmmCryptLib, and StandaloneMmCryptLib to include the new header.
Removes the Dxe and Mm specific OneCrypto protocol GUIDs and replaces them with a single OneCrypto protocol GUID. This simplifies the protocol usage and reduces redundancy.
Fix compiler warning C4319 where bitwise NOT was being applied to a UINT32 before zero-extending to PHYSICAL_ADDRESS. Move the UINTN cast to wrap the entire expression before the bitwise NOT operation to ensure proper width handling across 32-bit and 64-bit platforms. This resolves the "zero extending 'UINT32' to 'PHYSICAL_ADDRESS' of greater size" warning when compiling for IA32 with VS2022.
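The width problem behind that C4319 warning is more than cosmetic, so here is an added example (not the commit's code; the function names and the alignment-mask shape are assumptions) showing why inverting before widening truncates addresses above 4 GiB:

```c
#include <stdint.h>

/* Stand-ins for the EDK2 types named in the commit (assumed). On a 64-bit build
   UINTN is 64 bits wide, which is what makes the difference visible below. */
typedef uint32_t  UINT32;
typedef uintptr_t UINTN;
typedef uint64_t  PHYSICAL_ADDRESS;

/* Before: ~ is applied to the UINT32, giving e.g. 0xFFFFF000; the cast then
   zero-extends it, so bits 32..63 of the mask are clear and the AND silently
   drops the upper half of any address above 4 GiB. */
PHYSICAL_ADDRESS AlignDownBefore(PHYSICAL_ADDRESS Address, UINT32 Alignment) {
  return Address & (UINTN)(~(Alignment - 1));
}

/* After, matching the commit's description: widen first, then invert, so the
   mask is 0xFFFFFFFFFFFFF000 wherever UINTN is 64 bits wide. */
PHYSICAL_ADDRESS AlignDownAfter(PHYSICAL_ADDRESS Address, UINT32 Alignment) {
  return Address & ~(UINTN)(Alignment - 1);
}

/* Widening to the address type itself is correct on IA32 too, where UINTN is
   still 32 bits but PHYSICAL_ADDRESS is 64. */
PHYSICAL_ADDRESS AlignDownWide(PHYSICAL_ADDRESS Address, UINT32 Alignment) {
  return Address & ~(PHYSICAL_ADDRESS)(Alignment - 1);
}
```

On IA32, UINTN is 32 bits, so both the before and after forms yield a 32-bit mask: the UINTN cast silences the warning and is right on X64, but an address above 4 GiB would still lose its high bits on IA32 unless the mask is widened to PHYSICAL_ADDRESS as in the last variant.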
convert this to an extern and drop the function
    PI_SPECIFICATION_VERSION = 0x00010032
    MODULE_TYPE              = MM_STANDALONE
    LIBRARY_CLASS            = BaseCryptLib | MM_STANDALONE
    LIBRARY_CLASS            = TlsLib | MM_STANDALONE
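Review bot: the two LIBRARY_CLASS lines make this single instance satisfy both BaseCryptLib and TlsLib for MM_STANDALONE, but nothing in the visible header says so; state it in the abstract (the "Implements the BaseCryptLib and TlsLib ..." text discussed earlier in this thread) so that a platform which maps TlsLib to a different MM_STANDALONE instance knows it will not get the OneCrypto-backed TLS path.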
Suggested change (the extracted before and after text read the same):
    LIBRARY_CLASS = TlsLib | MM_STANDALONE
Add document to top level level of CryptoPkg describing what the options are for backing and write out that if a function is added to BaseCryptLib.h that all providers (specifically OneCrypto) needs to be updated to create the WYSIWYG contract


Description
This pull request adds support for forwarding cryptographic library calls to the new OneCrypto protocol across DXE, SMM, and Standalone MM phases, enabling modular and version-aware cryptographic provider integration. It introduces new protocol GUIDs, implements library constructors for protocol lookup, and updates build configuration to support these changes. Additionally, it provides documentation and abstracts for the new libraries, and adds a disabled external binary dependency descriptor.
OneCrypto Protocol Integration:
- Adds the new OneCrypto protocol GUIDs to CryptoPkg.dec to support phase-specific cryptographic operations.
- Adds library implementations (DxeCryptLib.c, SmmCryptLib.c, StandaloneMmCryptLib.c) that locate and expose the OneCrypto protocol for cryptographic services, with corresponding INF build files for each phase.

Documentation and Descriptions:
- Adds documentation and abstracts for the new libraries.

Build and Configuration Updates:
- Adds a disabled external binary dependency descriptor, OneCrypto_ext_dep.json.disabled.

BaseCryptLib API Enhancements:
- Adds GetCryptoProviderVersionText to BaseCryptLib.h, improving diagnostics and compatibility checks.

Code Organization and Comments:
- Comments in CryptoPkg.dec regarding deprecated usage and auto-generated sections for cryptographic provider configuration.

```mermaid
---
config:
  layout: elk
---
classDiagram
  namespace Protocol {
    class OneCrypto:::highlight {
      <<Protocol Interface>>
      UINT16 Major;
      UINT16 Minor;
      // v1.0 ------------------------------------------
      ONE_CRYPTO_PROVIDED_FUNC ONE_CRYPTO_PROVIDED_FUNC;
      // ...
    }
  }
  namespace Library {
    class BaseCryptLib:::highlight {
    }
    class TlsLib:::library {
    }
    class HashApiLib:::library {
    }
  }
  namespace LibraryInstance {
    class BaseCryptOnOneCrypto:::highlight {
      <<Library Interface>>
      EFI_STATUS CryptoFunc(..)
    }
  }
  namespace Driver {
    class OneCryptoBinSupvMm:::driver {
      <<Driver>>
      Phase Agnostic Crypto Driver Shared across Phases
      Crypto Entry(..) // phase agnostic code
      SupvMm Entry(..) // stub entry
    }
    class OneCryptoLoaderSupvMm:::driver {
      <<Driver>>
    }
    class OneCryptoLoaderDxe:::driver {
      <<Driver>>
    }
  }
  namespace GenericModules {
    class GenericDriver:::module {
      <<Driver>>
      Any driver that needs crypto
    }
    class GenericLibrary:::module {
      <<Library Interface>>
      Any library that needs crypto
    }
  }
  OneCryptoLoaderSupvMm --> OneCryptoBinSupvMm : Loads Phase Agnostic Code
  OneCryptoLoaderDxe --> OneCryptoBinSupvMm : Loads Phase Agnostic Code
  OneCryptoBinSupvMm ..> OneCryptoLoaderSupvMm : Provides Crypto
  OneCryptoBinSupvMm ..> OneCryptoLoaderDxe : Provides Crypto
  OneCryptoLoaderSupvMm ..|> OneCrypto : Publishes
  OneCryptoLoaderDxe ..|> OneCrypto : Publishes
  BaseCryptOnOneCrypto ..|> OneCrypto : Locates
  BaseCryptOnOneCrypto <.. BaseCryptLib : Backed By
  BaseCryptOnOneCrypto <.. TlsLib : Backed By
  TlsLib ..> BaseCryptLib : Uses
  HashApiLib ..> BaseCryptLib : Uses
  GenericLibrary ..> BaseCryptLib : Uses
  GenericDriver ..> BaseCryptLib : Uses
  GenericLibrary ..> TlsLib : Uses
  GenericDriver ..> HashApiLib : Uses
  classDef driver fill:#187286,stroke:#333,stroke-width:2px
  classDef protocol fill:#d63230,stroke:#333,stroke-width:2px
  classDef library fill:#1c77c3,stroke:#333,stroke-width:2px
  classDef module fill:#ff8c00,stroke:#333,stroke-width:2px
  classDef highlight fill:#69995d,stroke:#333,stroke-width:2px
```

Specifically this PR is addressing the following (sage green in the chart):
- BaseCryptOnOneCrypto
- OneCryptoProtocol
How This Was Tested
QemuQ35
Integration Instructions
N/A