OneCryptoPkg Documentation#163
Conversation
Add comprehensive architecture documentation explaining the OneCrypto dependency injection model and how it enables shared crypto binaries.
Add documentation for the CreateCryptoProtocol API and how platforms use it to provide crypto services to the shared crypto binary.
Add platform integration guide explaining how to integrate OneCrypto into UEFI platforms and configure the dependency injection.
Add main documentation index explaining the OneCrypto project and providing links to detailed documentation files.
Add RNG security model documentation explaining how random number generation is handled securely in the OneCrypto architecture.
github-actions
bot
added
impact:non-functional
| @@ -0,0 +1,309 @@ | |||
| # OneCrypto RNG Security Model | |||
|
|
|||
| This document describes the Random Number Generation (RNG) security model implemented across different UEFI execution phases, including the technic### Library Dependencies | |||
There was a problem hiding this comment.
Text is messed up here technic###.
|
|
||
| This approach was developed to solve critical boot hanging issues while maintaining security when possible. | ||
|
|
||
| ## Technical Problem Solved |
There was a problem hiding this comment.
This section seems out of place in the security model document. It's talking about an implementation issue that existed in the past.
…nsive document - Combined Architectural.md and Architecture.md into Architecture.md - Added X64-only platform warning at top - Integrated platform integration section with FV placement diagrams - Added platform and architecture considerations (X64 vs AArch64) - Added troubleshooting section with common issues - Added build process details - Maintained well-organized structure from Architectural.md - Preserved all mermaid diagrams and detailed runtime behavior - Removed duplicate Architectural.md file
|
I recommend calling "OneCryptoBinMm" just "OneCryptoBin". |
| Platforms using OneCrypto must include the following components: | ||
|
|
||
| ### 1. **OneCryptoMmBin** - Phase Independent Binary (REQUIRED) | ||
| - **Path**: `$(SHARED_SHARED_CRYPTO_PATH)/bin/shared/OneCryptoMmBin.inf` |
There was a problem hiding this comment.
I suggest dropping SHARED_SHARED, that's confusing in itself but also now that "OneCrypto" is being used more often.
|
|
||
| - **`OneCryptoMmBin/`** | ||
| - Main binary application that provides crypto services | ||
| - Links against OpensslPkg's BaseCryptLib and OpensslLib |
There was a problem hiding this comment.
To clarify: This should just be BaseCryptLib. How that instance is satisfied (whether with OpenSSL or something else) is beyond the scope of this module's details.
| - Null implementation that returns errors for all functions | ||
| - Used when crypto is not available or during early boot phases | ||
|
|
||
| ### CryptoBinPkg |
There was a problem hiding this comment.
From what you've mentioned before, CryptoBinPkg is planned to be dropped so it should be removed from here.
| ### Key Benefits | ||
|
|
||
| 1. **Simplified Updates**: Make it much easier to update crypto for many platforms and stay current with minimal validation | ||
| 2. **Reduced Build Cost**: No need to download and compile OpenSSL for every platform build |
There was a problem hiding this comment.
I'd reduce directly referencing OpenSSL throughout the document since the design is intended to allow crypto providers to be swapped out.
| 2. **Reduced Build Cost**: No need to download and compile OpenSSL for every platform build | |
| 2. **Reduced Build Cost**: No need to download and compile a crypto provider like OpenSSL for every platform build |
| - Publishes `ONE_CRYPTO_PROTOCOL` | ||
|
|
||
| - **`Support/OneCryptoDxeLoader.inf`** and **`Support/OneCryptoLoaderMm.inf`** | ||
| - Library-style INF files for platform integration |
There was a problem hiding this comment.
If these are not actual libraries, then refrain from "library-style inf". My understanding is that the loader INF is just collecting the FFS sections for a module build.
| - **`Library/BaseCryptCrtLibOneCrypto/`** | ||
| - CRT (C Runtime) library implementation using injected dependencies | ||
| - Stores `ONE_CRYPTO_DEPENDENCIES` pointer as static member | ||
| - Provides malloc, free, memcpy, etc. using dependency functions |
There was a problem hiding this comment.
| - Provides malloc, free, memcpy, etc. using dependency functions | |
| - Provides malloc, free, memcpy, etc. using dynamically linked functions |
| - Routes to dependency-provided functions | ||
|
|
||
| **Build Output:** | ||
| - `OneCryptoMmBin.efi` - Standalone MM binary (~1.4 MB) |
There was a problem hiding this comment.
The main role of OneCryptoMmBin, is to export functionality. I think simple descriptions like this should focus on that.
There was a problem hiding this comment.
It also prevents conflict with descriptions like "Phase-independent, relocatable PE32 binary" in the list below describing it.
There was a problem hiding this comment.
Some information is repeated. Can you please check for places to reduce duplication to make the file easier to read through?
|
This PR has been automatically marked as stale because it has not had activity in 60 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions. |
2 participants
Description
This PR is just documentation and can be merged in any order.
Each file here is another description of how OneCryptoPkg works and can be referenced during the review.
For any additional information request, this repo will be updated to add the additional documentation.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
How This Was Tested
N/A
Integration Instructions
N/A