summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWenxing Hou <wenxing.hou@intel.com>2023-08-18 16:32:16 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2023-10-12 05:31:19 +0000
commit4049ca493c4ec8399ba95c06db49e45247fd5ad7 (patch)
treea3133030b4f1257a3ac7720b77bf736ee4161dfe
parentb26f7dfe2927a276bf5c3238bec363abadd5a52f (diff)
downloadedk2-4049ca493c4ec8399ba95c06db49e45247fd5ad7.tar.gz
edk2-4049ca493c4ec8399ba95c06db49e45247fd5ad7.tar.bz2
edk2-4049ca493c4ec8399ba95c06db49e45247fd5ad7.zip
CryptoPkg: Add Null functions for building pass
Add Null functions to build. These feature are not supported now. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177 Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Yi Li <yi1.li@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Signed-off-by: Wenxing Hou <wenxing.hou@intel.com> Reviewed-by: Yi Li <yi1.li@intel.com>
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c520
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c100
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c159
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c163
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c40
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c166
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c162
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c275
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c164
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c69
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c45
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c150
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c578
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c51
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c48
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h83
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c53
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c152
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c56
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c163
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c38
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c42
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c753
-rw-r--r--CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c56
24 files changed, 4086 insertions, 0 deletions
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c
new file mode 100644
index 0000000000..80f36dc71f
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c
@@ -0,0 +1,520 @@
+/** @file
+ Big number API implementation based on MbedTLS
+
+ Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseCryptLib.h>
+#include <Library/DebugLib.h>
+
+/**
+ Allocate new Big Number.
+
+ @retval New BigNum opaque structure or NULL on failure.
+**/
+VOID *
+EFIAPI
+BigNumInit (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Allocate new Big Number and assign the provided value to it.
+
+ @param[in] Buf Big endian encoded buffer.
+ @param[in] Len Buffer length.
+
+ @retval New BigNum opaque structure or NULL on failure.
+**/
+VOID *
+EFIAPI
+BigNumFromBin (
+ IN CONST UINT8 *Buf,
+ IN UINTN Len
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Convert the absolute value of Bn into big-endian form and store it at Buf.
+ The Buf array should have at least BigNumBytes() in it.
+
+ @param[in] Bn Big number to convert.
+ @param[out] Buf Output buffer.
+
+ @retval The length of the big-endian number placed at Buf or -1 on error.
+**/
+INTN
+EFIAPI
+BigNumToBin (
+ IN CONST VOID *Bn,
+ OUT UINT8 *Buf
+ )
+{
+ ASSERT (FALSE);
+ return -1;
+}
+
+/**
+ Free the Big Number.
+
+ @param[in] Bn Big number to free.
+ @param[in] Clear TRUE if the buffer should be cleared.
+**/
+VOID
+EFIAPI
+BigNumFree (
+ IN VOID *Bn,
+ IN BOOLEAN Clear
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Calculate the sum of two Big Numbers.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnB Big number.
+ @param[out] BnRes The result of BnA + BnB.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumAdd (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnB,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Subtract two Big Numbers.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnB Big number.
+ @param[out] BnRes The result of BnA - BnB.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumSub (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnB,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Calculate remainder: BnRes = BnA % BnB.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnB Big number.
+ @param[out] BnRes The result of BnA % BnB.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumMod (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnB,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Compute BnA to the BnP-th power modulo BnM.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnP Big number (power).
+ @param[in] BnM Big number (modulo).
+ @param[out] BnRes The result of (BnA ^ BnP) % BnM.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumExpMod (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnP,
+ IN CONST VOID *BnM,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Compute BnA inverse modulo BnM.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnM Big number (modulo).
+ @param[out] BnRes The result, such that (BnA * BnRes) % BnM == 1.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumInverseMod (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnM,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Divide two Big Numbers.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnB Big number.
+ @param[out] BnRes The result, such that BnA / BnB.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumDiv (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnB,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Multiply two Big Numbers modulo BnM.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnB Big number.
+ @param[in] BnM Big number (modulo).
+ @param[out] BnRes The result, such that (BnA * BnB) % BnM.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumMulMod (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnB,
+ IN CONST VOID *BnM,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Compare two Big Numbers.
+
+ @param[in] BnA Big number.
+ @param[in] BnB Big number.
+
+ @retval 0 BnA == BnB.
+ @retval 1 BnA > BnB.
+ @retval -1 BnA < BnB.
+**/
+INTN
+EFIAPI
+BigNumCmp (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnB
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Get number of bits in Bn.
+
+ @param[in] Bn Big number.
+
+ @retval Number of bits.
+**/
+UINTN
+EFIAPI
+BigNumBits (
+ IN CONST VOID *Bn
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Get number of bytes in Bn.
+
+ @param[in] Bn Big number.
+
+ @retval Number of bytes.
+**/
+UINTN
+EFIAPI
+BigNumBytes (
+ IN CONST VOID *Bn
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Checks if Big Number equals to the given Num.
+
+ @param[in] Bn Big number.
+ @param[in] Num Number.
+
+ @retval TRUE iff Bn == Num.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumIsWord (
+ IN CONST VOID *Bn,
+ IN UINTN Num
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Checks if Big Number is odd.
+
+ @param[in] Bn Big number.
+
+ @retval TRUE Bn is odd (Bn % 2 == 1).
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumIsOdd (
+ IN CONST VOID *Bn
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Copy Big number.
+
+ @param[out] BnDst Destination.
+ @param[in] BnSrc Source.
+
+ @retval BnDst on success.
+ @retval NULL otherwise.
+**/
+VOID *
+EFIAPI
+BigNumCopy (
+ OUT VOID *BnDst,
+ IN CONST VOID *BnSrc
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Get constant Big number with value of "1".
+ This may be used to save expensive allocations.
+
+ @retval Big Number with value of 1.
+**/
+CONST VOID *
+EFIAPI
+BigNumValueOne (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Shift right Big Number.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] Bn Big number.
+ @param[in] N Number of bits to shift.
+ @param[out] BnRes The result.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumRShift (
+ IN CONST VOID *Bn,
+ IN UINTN N,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Mark Big Number for constant time computations.
+ This function should be called before any constant time computations are
+ performed on the given Big number.
+
+ @param[in] Bn Big number
+**/
+VOID
+EFIAPI
+BigNumConstTime (
+ IN VOID *Bn
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Calculate square modulo.
+ Please note, all "out" Big number arguments should be properly initialized
+ by calling to BigNumInit() or BigNumFromBin() functions.
+
+ @param[in] BnA Big number.
+ @param[in] BnM Big number (modulo).
+ @param[out] BnRes The result, such that (BnA ^ 2) % BnM.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumSqrMod (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnM,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Create new Big Number computation context. This is an opaque structure
+ which should be passed to any function that requires it. The BN context is
+ needed to optimize calculations and expensive allocations.
+
+ @retval Big Number context struct or NULL on failure.
+**/
+VOID *
+EFIAPI
+BigNumNewContext (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Free Big Number context that was allocated with BigNumNewContext().
+
+ @param[in] BnCtx Big number context to free.
+**/
+VOID
+EFIAPI
+BigNumContextFree (
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Set Big Number to a given value.
+
+ @param[in] Bn Big number to set.
+ @param[in] Val Value to set.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumSetUint (
+ IN VOID *Bn,
+ IN UINTN Val
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Add two Big Numbers modulo BnM.
+
+ @param[in] BnA Big number.
+ @param[in] BnB Big number.
+ @param[in] BnM Big number (modulo).
+ @param[out] BnRes The result, such that (BnA + BnB) % BnM.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+BigNumAddMod (
+ IN CONST VOID *BnA,
+ IN CONST VOID *BnB,
+ IN CONST VOID *BnM,
+ OUT VOID *BnRes
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c
new file mode 100644
index 0000000000..9a8f81c169
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c
@@ -0,0 +1,100 @@
+/** @file
+ AEAD Wrapper Implementation which does not provide real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Performs AEAD AES-GCM authenticated encryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be encrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[out] TagOut Pointer to a buffer that receives the authentication tag output.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the encryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated encryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmEncrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ OUT UINT8 *TagOut,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Performs AEAD AES-GCM authenticated decryption on a data buffer and additional authenticated data (AAD).
+
+ IvSize must be 12, otherwise FALSE is returned.
+ KeySize must be 16, 24 or 32, otherwise FALSE is returned.
+ TagSize must be 12, 13, 14, 15, 16, otherwise FALSE is returned.
+ If additional authenticated data verification fails, FALSE is returned.
+
+ @param[in] Key Pointer to the encryption key.
+ @param[in] KeySize Size of the encryption key in bytes.
+ @param[in] Iv Pointer to the IV value.
+ @param[in] IvSize Size of the IV value in bytes.
+ @param[in] AData Pointer to the additional authenticated data (AAD).
+ @param[in] ADataSize Size of the additional authenticated data (AAD) in bytes.
+ @param[in] DataIn Pointer to the input data buffer to be decrypted.
+ @param[in] DataInSize Size of the input data buffer in bytes.
+ @param[in] Tag Pointer to a buffer that contains the authentication tag.
+ @param[in] TagSize Size of the authentication tag in bytes.
+ @param[out] DataOut Pointer to a buffer that receives the decryption output.
+ @param[out] DataOutSize Size of the output data buffer in bytes.
+
+ @retval TRUE AEAD AES-GCM authenticated decryption succeeded.
+ @retval FALSE AEAD AES-GCM authenticated decryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+AeadAesGcmDecrypt (
+ IN CONST UINT8 *Key,
+ IN UINTN KeySize,
+ IN CONST UINT8 *Iv,
+ IN UINTN IvSize,
+ IN CONST UINT8 *AData,
+ IN UINTN ADataSize,
+ IN CONST UINT8 *DataIn,
+ IN UINTN DataInSize,
+ IN CONST UINT8 *Tag,
+ IN UINTN TagSize,
+ OUT UINT8 *DataOut,
+ OUT UINTN *DataOutSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c
new file mode 100644
index 0000000000..ad93d56492
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c
@@ -0,0 +1,159 @@
+/** @file
+ AES Wrapper Implementation which does not provide real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for AES operations.
+
+ Return zero to indicate this interface is not supported.
+
+ @retval 0 This interface is not supported.
+
+**/
+UINTN
+EFIAPI
+AesGetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory as AES context for subsequent use.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[out] AesContext Pointer to AES context being initialized.
+ @param[in] Key Pointer to the user-supplied AES key.
+ @param[in] KeyLength Length of AES key in bits.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+AesInit (
+ OUT VOID *AesContext,
+ IN CONST UINT8 *Key,
+ IN UINTN KeyLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Performs AES encryption on a data buffer of the specified size in ECB mode.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] AesContext Pointer to the AES context.
+ @param[in] Input Pointer to the buffer containing the data to be encrypted.
+ @param[in] InputSize Size of the Input buffer in bytes.
+ @param[out] Output Pointer to a buffer that receives the AES encryption output.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+AesEcbEncrypt (
+ IN VOID *AesContext,
+ IN CONST UINT8 *Input,
+ IN UINTN InputSize,
+ OUT UINT8 *Output
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Performs AES decryption on a data buffer of the specified size in ECB mode.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] AesContext Pointer to the AES context.
+ @param[in] Input Pointer to the buffer containing the data to be decrypted.
+ @param[in] InputSize Size of the Input buffer in bytes.
+ @param[out] Output Pointer to a buffer that receives the AES decryption output.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+AesEcbDecrypt (
+ IN VOID *AesContext,
+ IN CONST UINT8 *Input,
+ IN UINTN InputSize,
+ OUT UINT8 *Output
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Performs AES encryption on a data buffer of the specified size in CBC mode.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] AesContext Pointer to the AES context.
+ @param[in] Input Pointer to the buffer containing the data to be encrypted.
+ @param[in] InputSize Size of the Input buffer in bytes.
+ @param[in] Ivec Pointer to initialization vector.
+ @param[out] Output Pointer to a buffer that receives the AES encryption output.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+AesCbcEncrypt (
+ IN VOID *AesContext,
+ IN CONST UINT8 *Input,
+ IN UINTN InputSize,
+ IN CONST UINT8 *Ivec,
+ OUT UINT8 *Output
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Performs AES decryption on a data buffer of the specified size in CBC mode.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] AesContext Pointer to the AES context.
+ @param[in] Input Pointer to the buffer containing the data to be encrypted.
+ @param[in] InputSize Size of the Input buffer in bytes.
+ @param[in] Ivec Pointer to initialization vector.
+ @param[out] Output Pointer to a buffer that receives the AES encryption output.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+AesCbcDecrypt (
+ IN VOID *AesContext,
+ IN CONST UINT8 *Input,
+ IN UINTN InputSize,
+ IN CONST UINT8 *Ivec,
+ OUT UINT8 *Output
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c
new file mode 100644
index 0000000000..4048cc7718
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c
@@ -0,0 +1,163 @@
+/** @file
+
+MD5 Digest Wrapper Null Implementation.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
+
+ @return The size, in bytes, of the context buffer required for MD5 hash operations.
+
+**/
+UINTN
+EFIAPI
+Md5GetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Md5Context as MD5 hash context for
+ subsequent use.
+
+ If Md5Context is NULL, then return FALSE.
+
+ @param[out] Md5Context Pointer to MD5 context being initialized.
+
+ @retval TRUE MD5 context initialization succeeded.
+ @retval FALSE MD5 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Md5Init (
+ OUT VOID *Md5Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing MD5 context.
+
+ If Md5Context is NULL, then return FALSE.
+ If NewMd5Context is NULL, then return FALSE.
+
+ @param[in] Md5Context Pointer to MD5 context being copied.
+ @param[out] NewMd5Context Pointer to new MD5 context.
+
+ @retval TRUE MD5 context copy succeeded.
+ @retval FALSE MD5 context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+Md5Duplicate (
+ IN CONST VOID *Md5Context,
+ OUT VOID *NewMd5Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates MD5 context.
+
+ This function performs MD5 digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ MD5 context should be already correctly intialized by Md5Init(), and should not be finalized
+ by Md5Final(). Behavior with invalid context is undefined.
+
+ If Md5Context is NULL, then return FALSE.
+
+ @param[in, out] Md5Context Pointer to the MD5 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE MD5 data digest succeeded.
+ @retval FALSE MD5 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Md5Update (
+ IN OUT VOID *Md5Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the MD5 digest value.
+
+ This function completes MD5 hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the MD5 context cannot
+ be used again.
+ MD5 context should be already correctly intialized by Md5Init(), and should not be
+ finalized by Md5Final(). Behavior with invalid MD5 context is undefined.
+
+ If Md5Context is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+
+ @param[in, out] Md5Context Pointer to the MD5 context.
+ @param[out] HashValue Pointer to a buffer that receives the MD5 digest
+ value (16 bytes).
+
+ @retval TRUE MD5 digest computation succeeded.
+ @retval FALSE MD5 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Md5Final (
+ IN OUT VOID *Md5Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+Computes the MD5 message digest of a input data buffer.
+
+This function performs the MD5 message digest of a given data buffer, and places
+the digest value into the specified memory.
+
+If this interface is not supported, then return FALSE.
+
+@param[in] Data Pointer to the buffer containing the data to be hashed.
+@param[in] DataSize Size of Data buffer in bytes.
+@param[out] HashValue Pointer to a buffer that receives the MD5 digest
+value (16 bytes).
+
+@retval TRUE MD5 digest computation succeeded.
+@retval FALSE MD5 digest computation failed.
+@retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Md5HashAll (
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c
new file mode 100644
index 0000000000..334c251bda
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c
@@ -0,0 +1,40 @@
+/** @file
+ ParallelHash Implementation which does not provide real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Parallel hash function ParallelHash256, as defined in NIST's Special Publication 800-185,
+ published December 2016.
+
+ @param[in] Input Pointer to the input message (X).
+ @param[in] InputByteLen The number(>0) of input bytes provided for the input data.
+ @param[in] BlockSize The size of each block (B).
+ @param[out] Output Pointer to the output buffer.
+ @param[in] OutputByteLen The desired number of output bytes (L).
+ @param[in] Customization Pointer to the customization string (S).
+ @param[in] CustomByteLen The length of the customization string in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+ParallelHash256HashAll (
+ IN CONST VOID *Input,
+ IN UINTN InputByteLen,
+ IN UINTN BlockSize,
+ OUT VOID *Output,
+ IN UINTN OutputByteLen,
+ IN CONST VOID *Customization,
+ IN UINTN CustomByteLen
+ )
+{
+ // ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c
new file mode 100644
index 0000000000..a590261747
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c
@@ -0,0 +1,166 @@
+/** @file
+ SHA-1 Digest Wrapper Null Implementation.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations.
+
+ @return The size, in bytes, of the context buffer required for SHA-1 hash operations.
+
+**/
+UINTN
+EFIAPI
+Sha1GetContextSize (
+ VOID
+ )
+{
+ //
+ // Retrieves SHA Context Size
+ //
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for
+ subsequent use.
+
+ If Sha1Context is NULL, then return FALSE.
+
+ @param[out] Sha1Context Pointer to SHA-1 context being initialized.
+
+ @retval TRUE SHA-1 context initialization succeeded.
+ @retval FALSE SHA-1 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha1Init (
+ OUT VOID *Sha1Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing SHA-1 context.
+
+ If Sha1Context is NULL, then return FALSE.
+ If NewSha1Context is NULL, then return FALSE.
+
+ @param[in] Sha1Context Pointer to SHA-1 context being copied.
+ @param[out] NewSha1Context Pointer to new SHA-1 context.
+
+ @retval TRUE SHA-1 context copy succeeded.
+ @retval FALSE SHA-1 context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha1Duplicate (
+ IN CONST VOID *Sha1Context,
+ OUT VOID *NewSha1Context
+ )
+{
+ ASSERT (FALSE);
+
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates SHA-1 context.
+
+ This function performs SHA-1 digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized
+ by Sha1Final(). Behavior with invalid context is undefined.
+
+ If Sha1Context is NULL, then return FALSE.
+
+ @param[in, out] Sha1Context Pointer to the SHA-1 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE SHA-1 data digest succeeded.
+ @retval FALSE SHA-1 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha1Update (
+ IN OUT VOID *Sha1Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the SHA-1 digest value.
+
+ This function completes SHA-1 hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the SHA-1 context cannot
+ be used again.
+ SHA-1 context should be already correctly initialized by Sha1Init(), and should not be
+ finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined.
+
+ If Sha1Context is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+
+ @param[in, out] Sha1Context Pointer to the SHA-1 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest
+ value (20 bytes).
+
+ @retval TRUE SHA-1 digest computation succeeded.
+ @retval FALSE SHA-1 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha1Final (
+ IN OUT VOID *Sha1Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the SHA-1 message digest of a input data buffer.
+
+ This function performs the SHA-1 message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest
+ value (20 bytes).
+
+ @retval TRUE SHA-1 digest computation succeeded.
+ @retval FALSE SHA-1 digest computation failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha1HashAll (
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c
new file mode 100644
index 0000000000..6d284516b5
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c
@@ -0,0 +1,162 @@
+/** @file
+ SHA-256 Digest Wrapper Null Implementation.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
+
+ @return The size, in bytes, of the context buffer required for SHA-256 hash operations.
+
+**/
+UINTN
+EFIAPI
+Sha256GetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for
+ subsequent use.
+
+ If Sha256Context is NULL, then return FALSE.
+
+ @param[out] Sha256Context Pointer to SHA-256 context being initialized.
+
+ @retval TRUE SHA-256 context initialization succeeded.
+ @retval FALSE SHA-256 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha256Init (
+ OUT VOID *Sha256Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing SHA-256 context.
+
+ If Sha256Context is NULL, then return FALSE.
+ If NewSha256Context is NULL, then return FALSE.
+
+ @param[in] Sha256Context Pointer to SHA-256 context being copied.
+ @param[out] NewSha256Context Pointer to new SHA-256 context.
+
+ @retval TRUE SHA-256 context copy succeeded.
+ @retval FALSE SHA-256 context copy failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha256Duplicate (
+ IN CONST VOID *Sha256Context,
+ OUT VOID *NewSha256Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates SHA-256 context.
+
+ This function performs SHA-256 digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized
+ by Sha256Final(). Behavior with invalid context is undefined.
+
+ If Sha256Context is NULL, then return FALSE.
+
+ @param[in, out] Sha256Context Pointer to the SHA-256 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE SHA-256 data digest succeeded.
+ @retval FALSE SHA-256 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha256Update (
+ IN OUT VOID *Sha256Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the SHA-256 digest value.
+
+ This function completes SHA-256 hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the SHA-256 context cannot
+ be used again.
+ SHA-256 context should be already correctly initialized by Sha256Init(), and should not be
+ finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined.
+
+ If Sha256Context is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+
+ @param[in, out] Sha256Context Pointer to the SHA-256 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest
+ value (32 bytes).
+
+ @retval TRUE SHA-256 digest computation succeeded.
+ @retval FALSE SHA-256 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sha256Final (
+ IN OUT VOID *Sha256Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the SHA-256 message digest of a input data buffer.
+
+ This function performs the SHA-256 message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest
+ value (32 bytes).
+
+ @retval TRUE SHA-256 digest computation succeeded.
+ @retval FALSE SHA-256 digest computation failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha256HashAll (
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c
new file mode 100644
index 0000000000..47e2433d11
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c
@@ -0,0 +1,275 @@
+/** @file
+ SHA-384 and SHA-512 Digest Wrapper Implementations which does not provide real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations.
+
+ Return zero to indicate this interface is not supported.
+
+ @retval 0 This interface is not supported.
+
+**/
+UINTN
+EFIAPI
+Sha384GetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha384Context as SHA-384 hash context for
+ subsequent use.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[out] Sha384Context Pointer to SHA-384 context being initialized.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Init (
+ OUT VOID *Sha384Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing SHA-384 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Sha384Context Pointer to SHA-384 context being copied.
+ @param[out] NewSha384Context Pointer to new SHA-384 context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Duplicate (
+ IN CONST VOID *Sha384Context,
+ OUT VOID *NewSha384Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates SHA-384 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha384Context Pointer to the SHA-384 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Update (
+ IN OUT VOID *Sha384Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the SHA-384 digest value.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha384Context Pointer to the SHA-384 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest
+ value (48 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384Final (
+ IN OUT VOID *Sha384Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the SHA-384 message digest of a input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-384 digest
+ value (48 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha384HashAll (
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SHA-512 hash operations.
+
+ Return zero to indicate this interface is not supported.
+
+ @retval 0 This interface is not supported.
+
+**/
+UINTN
+EFIAPI
+Sha512GetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sha512Context as SHA-512 hash context for
+ subsequent use.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[out] Sha512Context Pointer to SHA-512 context being initialized.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Init (
+ OUT VOID *Sha512Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing SHA-512 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Sha512Context Pointer to SHA-512 context being copied.
+ @param[out] NewSha512Context Pointer to new SHA-512 context.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Duplicate (
+ IN CONST VOID *Sha512Context,
+ OUT VOID *NewSha512Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates SHA-512 context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha512Context Pointer to the SHA-512 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Update (
+ IN OUT VOID *Sha512Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the SHA-512 digest value.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] Sha512Context Pointer to the SHA-512 context.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest
+ value (64 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512Final (
+ IN OUT VOID *Sha512Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the SHA-512 message digest of a input data buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the SHA-512 digest
+ value (64 bytes).
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sha512HashAll (
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c
new file mode 100644
index 0000000000..de5be1a3ef
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c
@@ -0,0 +1,164 @@
+/** @file
+ SM3 Digest Wrapper Null Implementation.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for SM3 hash operations.
+
+ @return The size, in bytes, of the context buffer required for SM3 hash operations.
+
+**/
+UINTN
+EFIAPI
+Sm3GetContextSize (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/**
+ Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for
+ subsequent use.
+
+ If Sm3Context is NULL, then return FALSE.
+
+ @param[out] Sm3Context Pointer to SM3 context being initialized.
+
+ @retval TRUE SM3 context initialization succeeded.
+ @retval FALSE SM3 context initialization failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sm3Init (
+ OUT VOID *Sm3Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Makes a copy of an existing SM3 context.
+
+ If Sm3Context is NULL, then return FALSE.
+ If NewSm3Context is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Sm3Context Pointer to SM3 context being copied.
+ @param[out] NewSm3Context Pointer to new SM3 context.
+
+ @retval TRUE SM3 context copy succeeded.
+ @retval FALSE SM3 context copy failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sm3Duplicate (
+ IN CONST VOID *Sm3Context,
+ OUT VOID *NewSm3Context
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Digests the input data and updates SM3 context.
+
+ This function performs SM3 digest on a data buffer of the specified size.
+ It can be called multiple times to compute the digest of long or discontinuous data streams.
+ SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized
+ by Sm3Final(). Behavior with invalid context is undefined.
+
+ If Sm3Context is NULL, then return FALSE.
+
+ @param[in, out] Sm3Context Pointer to the SM3 context.
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+
+ @retval TRUE SM3 data digest succeeded.
+ @retval FALSE SM3 data digest failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sm3Update (
+ IN OUT VOID *Sm3Context,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Completes computation of the SM3 digest value.
+
+ This function completes SM3 hash computation and retrieves the digest value into
+ the specified memory. After this function has been called, the SM3 context cannot
+ be used again.
+ SM3 context should be already correctly initialized by Sm3Init(), and should not be
+ finalized by Sm3Final(). Behavior with invalid SM3 context is undefined.
+
+ If Sm3Context is NULL, then return FALSE.
+ If HashValue is NULL, then return FALSE.
+
+ @param[in, out] Sm3Context Pointer to the SM3 context.
+ @param[out] HashValue Pointer to a buffer that receives the SM3 digest
+ value (32 bytes).
+
+ @retval TRUE SM3 digest computation succeeded.
+ @retval FALSE SM3 digest computation failed.
+
+**/
+BOOLEAN
+EFIAPI
+Sm3Final (
+ IN OUT VOID *Sm3Context,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes the SM3 message digest of a input data buffer.
+
+ This function performs the SM3 message digest of a given data buffer, and places
+ the digest value into the specified memory.
+
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Data Pointer to the buffer containing the data to be hashed.
+ @param[in] DataSize Size of Data buffer in bytes.
+ @param[out] HashValue Pointer to a buffer that receives the SM3 digest
+ value (32 bytes).
+
+ @retval TRUE SM3 digest computation succeeded.
+ @retval FALSE SM3 digest computation failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Sm3HashAll (
+ IN CONST VOID *Data,
+ IN UINTN DataSize,
+ OUT UINT8 *HashValue
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c
new file mode 100644
index 0000000000..b3adf2f7d1
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c
@@ -0,0 +1,69 @@
+/** @file
+ PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation which does
+ not provide real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieve the RSA Private Key from the password-protected PEM key data.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
+ @param[in] PemSize Size of the PEM key data in bytes.
+ @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
+ @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
+ RSA private key component. Use RsaFree() function to free the
+ resource.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaGetPrivateKeyFromPem (
+ IN CONST UINT8 *PemData,
+ IN UINTN PemSize,
+ IN CONST CHAR8 *Password,
+ OUT VOID **RsaContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the EC Private Key from the password-protected PEM key data.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
+ @param[in] PemSize Size of the PEM key data in bytes.
+ @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
+ @param[out] EcContext Pointer to new-generated EC context which contain the retrieved
+ EC private key component. Use EcFree() function to free the
+ resource.
+
+ If PemData is NULL, then return FALSE.
+ If EcContext is NULL, then return FALSE.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+EcGetPrivateKeyFromPem (
+ IN CONST UINT8 *PemData,
+ IN UINTN PemSize,
+ IN CONST CHAR8 *Password,
+ OUT VOID **EcContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c
new file mode 100644
index 0000000000..9be5b4296e
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c
@@ -0,0 +1,45 @@
+/** @file
+ Authenticode Portable Executable Signature Verification which does not provide
+ real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows
+ Authenticode Portable Executable Signature Format".
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed
+ PE/COFF image to be verified.
+ @param[in] DataSize Size of the Authenticode Signature in bytes.
+ @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which
+ is used for certificate chain verification.
+ @param[in] CertSize Size of the trusted certificate in bytes.
+ @param[in] ImageHash Pointer to the original image file hash value. The procedure
+ for calculating the image hash value is described in Authenticode
+ specification.
+ @param[in] HashSize Size of Image hash value in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+AuthenticodeVerify (
+ IN CONST UINT8 *AuthData,
+ IN UINTN DataSize,
+ IN CONST UINT8 *TrustedCert,
+ IN UINTN CertSize,
+ IN CONST UINT8 *ImageHash,
+ IN UINTN HashSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c
new file mode 100644
index 0000000000..daaf818250
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c
@@ -0,0 +1,150 @@
+/** @file
+ Diffie-Hellman Wrapper Implementation which does not provide
+ real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and Initializes one Diffie-Hellman Context for subsequent use.
+
+ @return Pointer to the Diffie-Hellman Context that has been initialized.
+ If the interface is not supported, DhNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+DhNew (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Release the specified DH context.
+
+ If the interface is not supported, then ASSERT().
+
+ @param[in] DhContext Pointer to the DH context to be released.
+
+**/
+VOID
+EFIAPI
+DhFree (
+ IN VOID *DhContext
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Generates DH parameter.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] DhContext Pointer to the DH context.
+ @param[in] Generator Value of generator.
+ @param[in] PrimeLength Length in bits of prime to be generated.
+ @param[out] Prime Pointer to the buffer to receive the generated prime number.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DhGenerateParameter (
+ IN OUT VOID *DhContext,
+ IN UINTN Generator,
+ IN UINTN PrimeLength,
+ OUT UINT8 *Prime
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Sets generator and prime parameters for DH.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] DhContext Pointer to the DH context.
+ @param[in] Generator Value of generator.
+ @param[in] PrimeLength Length in bits of prime to be generated.
+ @param[in] Prime Pointer to the prime number.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DhSetParameter (
+ IN OUT VOID *DhContext,
+ IN UINTN Generator,
+ IN UINTN PrimeLength,
+ IN CONST UINT8 *Prime
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Generates DH public key.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] DhContext Pointer to the DH context.
+ @param[out] PublicKey Pointer to the buffer to receive generated public key.
+ @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes.
+ On output, the size of data returned in PublicKey buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DhGenerateKey (
+ IN OUT VOID *DhContext,
+ OUT UINT8 *PublicKey,
+ IN OUT UINTN *PublicKeySize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes exchanged common key.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] DhContext Pointer to the DH context.
+ @param[in] PeerPublicKey Pointer to the peer's public key.
+ @param[in] PeerPublicKeySize Size of peer's public key in bytes.
+ @param[out] Key Pointer to the buffer to receive generated key.
+ @param[in, out] KeySize On input, the size of Key buffer in bytes.
+ On output, the size of data returned in Key buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DhComputeKey (
+ IN OUT VOID *DhContext,
+ IN CONST UINT8 *PeerPublicKey,
+ IN UINTN PeerPublicKeySize,
+ OUT UINT8 *Key,
+ IN OUT UINTN *KeySize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c
new file mode 100644
index 0000000000..b9c08379c0
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c
@@ -0,0 +1,578 @@
+/** @file
+ Elliptic Curve and ECDH API implementation based on MbedTLS
+
+ Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseCryptLib.h>
+#include <Library/DebugLib.h>
+
+/**
+ Initialize new opaque EcGroup object. This object represents an EC curve and
+ and is used for calculation within this group. This object should be freed
+ using EcGroupFree() function.
+
+ @param[in] CryptoNid Identifying number for the ECC curve (Defined in
+ BaseCryptLib.h).
+
+ @retval EcGroup object On success.
+ @retval NULL On failure.
+**/
+VOID *
+EFIAPI
+EcGroupInit (
+ IN UINTN CryptoNid
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Get EC curve parameters. While elliptic curve equation is Y^2 mod P = (X^3 + AX + B) Mod P.
+ This function will set the provided Big Number objects to the corresponding
+ values. The caller needs to make sure all the "out" BigNumber parameters
+ are properly initialized.
+
+ @param[in] EcGroup EC group object.
+ @param[out] BnPrime Group prime number.
+ @param[out] BnA A coefficient.
+ @param[out] BnB B coefficient..
+ @param[in] BnCtx BN context.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcGroupGetCurve (
+ IN CONST VOID *EcGroup,
+ OUT VOID *BnPrime,
+ OUT VOID *BnA,
+ OUT VOID *BnB,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Get EC group order.
+ This function will set the provided Big Number object to the corresponding
+ value. The caller needs to make sure that the "out" BigNumber parameter
+ is properly initialized.
+
+ @param[in] EcGroup EC group object.
+ @param[out] BnOrder Group prime number.
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcGroupGetOrder (
+ IN VOID *EcGroup,
+ OUT VOID *BnOrder
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Free previously allocated EC group object using EcGroupInit().
+
+ @param[in] EcGroup EC group object to free.
+**/
+VOID
+EFIAPI
+EcGroupFree (
+ IN VOID *EcGroup
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Initialize new opaque EC Point object. This object represents an EC point
+ within the given EC group (curve).
+
+ @param[in] EC Group, properly initialized using EcGroupInit().
+
+ @retval EC Point object On success.
+ @retval NULL On failure.
+**/
+VOID *
+EFIAPI
+EcPointInit (
+ IN CONST VOID *EcGroup
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Free previously allocated EC Point object using EcPointInit().
+
+ @param[in] EcPoint EC Point to free.
+ @param[in] Clear TRUE iff the memory should be cleared.
+**/
+VOID
+EFIAPI
+EcPointDeInit (
+ IN VOID *EcPoint,
+ IN BOOLEAN Clear
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Get EC point affine (x,y) coordinates.
+ This function will set the provided Big Number objects to the corresponding
+ values. The caller needs to make sure all the "out" BigNumber parameters
+ are properly initialized.
+
+ @param[in] EcGroup EC group object.
+ @param[in] EcPoint EC point object.
+ @param[out] BnX X coordinate.
+ @param[out] BnY Y coordinate.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointGetAffineCoordinates (
+ IN CONST VOID *EcGroup,
+ IN CONST VOID *EcPoint,
+ OUT VOID *BnX,
+ OUT VOID *BnY,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Set EC point affine (x,y) coordinates.
+
+ @param[in] EcGroup EC group object.
+ @param[in] EcPoint EC point object.
+ @param[in] BnX X coordinate.
+ @param[in] BnY Y coordinate.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointSetAffineCoordinates (
+ IN CONST VOID *EcGroup,
+ IN VOID *EcPoint,
+ IN CONST VOID *BnX,
+ IN CONST VOID *BnY,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ EC Point addition. EcPointResult = EcPointA + EcPointB.
+
+ @param[in] EcGroup EC group object.
+ @param[out] EcPointResult EC point to hold the result. The point should
+ be properly initialized.
+ @param[in] EcPointA EC Point.
+ @param[in] EcPointB EC Point.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointAdd (
+ IN CONST VOID *EcGroup,
+ OUT VOID *EcPointResult,
+ IN CONST VOID *EcPointA,
+ IN CONST VOID *EcPointB,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Variable EC point multiplication. EcPointResult = EcPoint * BnPScalar.
+
+ @param[in] EcGroup EC group object.
+ @param[out] EcPointResult EC point to hold the result. The point should
+ be properly initialized.
+ @param[in] EcPoint EC Point.
+ @param[in] BnPScalar P Scalar.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointMul (
+ IN CONST VOID *EcGroup,
+ OUT VOID *EcPointResult,
+ IN CONST VOID *EcPoint,
+ IN CONST VOID *BnPScalar,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Calculate the inverse of the supplied EC point.
+
+ @param[in] EcGroup EC group object.
+ @param[in,out] EcPoint EC point to invert.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointInvert (
+ IN CONST VOID *EcGroup,
+ IN OUT VOID *EcPoint,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Check if the supplied point is on EC curve.
+
+ @param[in] EcGroup EC group object.
+ @param[in] EcPoint EC point to check.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE On curve.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointIsOnCurve (
+ IN CONST VOID *EcGroup,
+ IN CONST VOID *EcPoint,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Check if the supplied point is at infinity.
+
+ @param[in] EcGroup EC group object.
+ @param[in] EcPoint EC point to check.
+
+ @retval TRUE At infinity.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointIsAtInfinity (
+ IN CONST VOID *EcGroup,
+ IN CONST VOID *EcPoint
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Check if EC points are equal.
+
+ @param[in] EcGroup EC group object.
+ @param[in] EcPointA EC point A.
+ @param[in] EcPointB EC point B.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE A == B.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointEqual (
+ IN CONST VOID *EcGroup,
+ IN CONST VOID *EcPointA,
+ IN CONST VOID *EcPointB,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Set EC point compressed coordinates. Points can be described in terms of
+ their compressed coordinates. For a point (x, y), for any given value for x
+ such that the point is on the curve there will only ever be two possible
+ values for y. Therefore, a point can be set using this function where BnX is
+ the x coordinate and YBit is a value 0 or 1 to identify which of the two
+ possible values for y should be used.
+
+ @param[in] EcGroup EC group object.
+ @param[in] EcPoint EC Point.
+ @param[in] BnX X coordinate.
+ @param[in] YBit 0 or 1 to identify which Y value is used.
+ @param[in] BnCtx BN context, created with BigNumNewContext().
+
+ @retval TRUE On success.
+ @retval FALSE Otherwise.
+**/
+BOOLEAN
+EFIAPI
+EcPointSetCompressedCoordinates (
+ IN CONST VOID *EcGroup,
+ IN VOID *EcPoint,
+ IN CONST VOID *BnX,
+ IN UINT8 YBit,
+ IN VOID *BnCtx
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Allocates and Initializes one Elliptic Curve Context for subsequent use
+ with the NID.
+
+ @param[in] Nid cipher NID
+ @return Pointer to the Elliptic Curve Context that has been initialized.
+ If the allocations fails, EcNewByNid() returns NULL.
+**/
+VOID *
+EFIAPI
+EcNewByNid (
+ IN UINTN Nid
+ )
+{
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Release the specified EC context.
+
+ @param[in] EcContext Pointer to the EC context to be released.
+**/
+VOID
+EFIAPI
+EcFree (
+ IN VOID *EcContext
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Generates EC key and returns EC public key (X, Y), Please note, this function uses
+ pseudo random number generator. The caller must make sure RandomSeed()
+ function was properly called before.
+ The Ec context should be correctly initialized by EcNewByNid.
+ This function generates random secret, and computes the public key (X, Y), which is
+ returned via parameter Public, PublicSize.
+ X is the first half of Public with size being PublicSize / 2,
+ Y is the second half of Public with size being PublicSize / 2.
+ EC context is updated accordingly.
+ If the Public buffer is too small to hold the public X, Y, FALSE is returned and
+ PublicSize is set to the required buffer size to obtain the public X, Y.
+ For P-256, the PublicSize is 64. First 32-byte is X, Second 32-byte is Y.
+ For P-384, the PublicSize is 96. First 48-byte is X, Second 48-byte is Y.
+ For P-521, the PublicSize is 132. First 66-byte is X, Second 66-byte is Y.
+ If EcContext is NULL, then return FALSE.
+ If PublicSize is NULL, then return FALSE.
+ If PublicSize is large enough but Public is NULL, then return FALSE.
+ @param[in, out] EcContext Pointer to the EC context.
+ @param[out] PublicKey Pointer to t buffer to receive generated public X,Y.
+ @param[in, out] PublicKeySize On input, the size of Public buffer in bytes.
+ On output, the size of data returned in Public buffer in bytes.
+ @retval TRUE EC public X,Y generation succeeded.
+ @retval FALSE EC public X,Y generation failed.
+ @retval FALSE PublicKeySize is not large enough.
+**/
+BOOLEAN
+EFIAPI
+EcGenerateKey (
+ IN OUT VOID *EcContext,
+ OUT UINT8 *PublicKey,
+ IN OUT UINTN *PublicKeySize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Gets the public key component from the established EC context.
+ The Ec context should be correctly initialized by EcNewByNid, and successfully
+ generate key pair from EcGenerateKey().
+ For P-256, the PublicSize is 64. First 32-byte is X, Second 32-byte is Y.
+ For P-384, the PublicSize is 96. First 48-byte is X, Second 48-byte is Y.
+ For P-521, the PublicSize is 132. First 66-byte is X, Second 66-byte is Y.
+ @param[in, out] EcContext Pointer to EC context being set.
+ @param[out] PublicKey Pointer to t buffer to receive generated public X,Y.
+ @param[in, out] PublicKeySize On input, the size of Public buffer in bytes.
+ On output, the size of data returned in Public buffer in bytes.
+ @retval TRUE EC key component was retrieved successfully.
+ @retval FALSE Invalid EC key component.
+**/
+BOOLEAN
+EFIAPI
+EcGetPubKey (
+ IN OUT VOID *EcContext,
+ OUT UINT8 *PublicKey,
+ IN OUT UINTN *PublicKeySize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Computes exchanged common key.
+ Given peer's public key (X, Y), this function computes the exchanged common key,
+ based on its own context including value of curve parameter and random secret.
+ X is the first half of PeerPublic with size being PeerPublicSize / 2,
+ Y is the second half of PeerPublic with size being PeerPublicSize / 2.
+ If EcContext is NULL, then return FALSE.
+ If PeerPublic is NULL, then return FALSE.
+ If PeerPublicSize is 0, then return FALSE.
+ If Key is NULL, then return FALSE.
+ If KeySize is not large enough, then return FALSE.
+ For P-256, the PeerPublicSize is 64. First 32-byte is X, Second 32-byte is Y.
+ For P-384, the PeerPublicSize is 96. First 48-byte is X, Second 48-byte is Y.
+ For P-521, the PeerPublicSize is 132. First 66-byte is X, Second 66-byte is Y.
+ @param[in, out] EcContext Pointer to the EC context.
+ @param[in] PeerPublic Pointer to the peer's public X,Y.
+ @param[in] PeerPublicSize Size of peer's public X,Y in bytes.
+ @param[in] CompressFlag Flag of PeerPublic is compressed or not.
+ @param[out] Key Pointer to the buffer to receive generated key.
+ @param[in, out] KeySize On input, the size of Key buffer in bytes.
+ On output, the size of data returned in Key buffer in bytes.
+ @retval TRUE EC exchanged key generation succeeded.
+ @retval FALSE EC exchanged key generation failed.
+ @retval FALSE KeySize is not large enough.
+**/
+BOOLEAN
+EFIAPI
+EcDhComputeKey (
+ IN OUT VOID *EcContext,
+ IN CONST UINT8 *PeerPublic,
+ IN UINTN PeerPublicSize,
+ IN CONST INT32 *CompressFlag,
+ OUT UINT8 *Key,
+ IN OUT UINTN *KeySize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Carries out the EC-DSA signature.
+
+ This function carries out the EC-DSA signature.
+ If the Signature buffer is too small to hold the contents of signature, FALSE
+ is returned and SigSize is set to the required buffer size to obtain the signature.
+
+ If EcContext is NULL, then return FALSE.
+ If MessageHash is NULL, then return FALSE.
+ If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512.
+ If SigSize is large enough but Signature is NULL, then return FALSE.
+
+ For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S.
+ For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S.
+ For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S.
+
+ @param[in] EcContext Pointer to EC context for signature generation.
+ @param[in] HashNid hash NID
+ @param[in] MessageHash Pointer to octet message hash to be signed.
+ @param[in] HashSize Size of the message hash in bytes.
+ @param[out] Signature Pointer to buffer to receive EC-DSA signature.
+ @param[in, out] SigSize On input, the size of Signature buffer in bytes.
+ On output, the size of data returned in Signature buffer in bytes.
+
+ @retval TRUE Signature successfully generated in EC-DSA.
+ @retval FALSE Signature generation failed.
+ @retval FALSE SigSize is too small.
+
+**/
+BOOLEAN
+EFIAPI
+EcDsaSign (
+ IN VOID *EcContext,
+ IN UINTN HashNid,
+ IN CONST UINT8 *MessageHash,
+ IN UINTN HashSize,
+ OUT UINT8 *Signature,
+ IN OUT UINTN *SigSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Verifies the EC-DSA signature.
+
+ If EcContext is NULL, then return FALSE.
+ If MessageHash is NULL, then return FALSE.
+ If Signature is NULL, then return FALSE.
+ If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512.
+
+ For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S.
+ For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S.
+ For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S.
+
+ @param[in] EcContext Pointer to EC context for signature verification.
+ @param[in] HashNid hash NID
+ @param[in] MessageHash Pointer to octet message hash to be checked.
+ @param[in] HashSize Size of the message hash in bytes.
+ @param[in] Signature Pointer to EC-DSA signature to be verified.
+ @param[in] SigSize Size of signature in bytes.
+
+ @retval TRUE Valid signature encoded in EC-DSA.
+ @retval FALSE Invalid signature or invalid EC context.
+
+**/
+BOOLEAN
+EFIAPI
+EcDsaVerify (
+ IN VOID *EcContext,
+ IN UINTN HashNid,
+ IN CONST UINT8 *MessageHash,
+ IN UINTN HashSize,
+ IN CONST UINT8 *Signature,
+ IN UINTN SigSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c
new file mode 100644
index 0000000000..a686308652
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c
@@ -0,0 +1,51 @@
+/** @file
+ This file contains UEFI wrapper functions for RSA PKCS1v2 OAEP encryption routines.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+ encrypted message in a newly allocated buffer.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PublicKey A pointer to the DER-encoded X509 certificate that
+ will be used to encrypt the data.
+ @param[in] PublicKeySize Size of the X509 cert buffer.
+ @param[in] InData Data to be encrypted.
+ @param[in] InDataSize Size of the data buffer.
+ @param[in] PrngSeed [Optional] If provided, a pointer to a random seed buffer
+ to be used when initializing the PRNG. NULL otherwise.
+ @param[in] PrngSeedSize [Optional] If provided, size of the random seed buffer.
+ 0 otherwise.
+ @param[out] EncryptedData Pointer to an allocated buffer containing the encrypted
+ message.
+ @param[out] EncryptedDataSize Size of the encrypted message buffer.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Encrypt (
+ IN CONST UINT8 *PublicKey,
+ IN UINTN PublicKeySize,
+ IN UINT8 *InData,
+ IN UINTN InDataSize,
+ IN CONST UINT8 *PrngSeed,
+ OPTIONAL
+ IN UINTN PrngSeedSize,
+ OPTIONAL
+ OUT UINT8 **EncryptedData,
+ OUT UINTN *EncryptedDataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c
new file mode 100644
index 0000000000..24c284b98c
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c
@@ -0,0 +1,48 @@
+/** @file
+ PBKDF2 Key Derivation Function Wrapper Implementation which does not provide real
+ capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Derives a key from a password using a salt and iteration count, based on PKCS#5 v2.0
+ password based encryption key derivation function PBKDF2, as specified in RFC 2898.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PasswordLength Length of input password in bytes.
+ @param[in] Password Pointer to the array for the password.
+ @param[in] SaltLength Size of the Salt in bytes.
+ @param[in] Salt Pointer to the Salt.
+ @param[in] IterationCount Number of iterations to perform. Its value should be
+ greater than or equal to 1.
+ @param[in] DigestSize Size of the message digest to be used (eg. SHA256_DIGEST_SIZE).
+ NOTE: DigestSize will be used to determine the hash algorithm.
+ Only SHA1_DIGEST_SIZE or SHA256_DIGEST_SIZE is supported.
+ @param[in] KeyLength Size of the derived key buffer in bytes.
+ @param[out] OutKey Pointer to the output derived key buffer.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs5HashPassword (
+ IN UINTN PasswordLength,
+ IN CONST CHAR8 *Password,
+ IN UINTN SaltLength,
+ IN CONST UINT8 *Salt,
+ IN UINTN IterationCount,
+ IN UINTN DigestSize,
+ IN UINTN KeyLength,
+ OUT UINT8 *OutKey
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
new file mode 100644
index 0000000000..207f493cbb
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
@@ -0,0 +1,83 @@
+/** @file
+ PKCS#7 SignedData Sign Wrapper and PKCS#7 SignedData Verification Wrapper
+ Implementation over mbedtls, Internal headers.
+
+ RFC 2315 - PKCS #7: Cryptographic Message Syntax Version 1.5
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef CRYPT_PKCS7_INTERNAL_H_
+#define CRYPT_PKCS7_INTERNAL_H_
+
+#include "InternalCryptLib.h"
+
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crt.h"
+
+///
+/// PKCS7 OID
+///
+#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07"
+#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01"
+#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02"
+#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03"
+#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04"
+#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05"
+#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06"
+
+typedef mbedtls_asn1_buf MBEDTLSPKCS7BUF;
+typedef mbedtls_asn1_named_data MBEDTLSPKCS7NAME;
+typedef mbedtls_asn1_sequence MBEDTLSPKCS7SEQUENCE;
+
+///
+/// PKCS7 SignerInfo type
+/// https://tools.ietf.org/html/rfc2315#section-9.2
+///
+typedef struct MbedtlsPkcs7SignerInfo {
+ INT32 Version;
+ mbedtls_x509_buf Serial;
+ mbedtls_x509_name Issuer;
+ mbedtls_x509_buf IssuerRaw;
+ mbedtls_x509_buf AlgIdentifier;
+ mbedtls_x509_buf SigAlgIdentifier;
+ mbedtls_x509_buf AuthAttr;
+ mbedtls_x509_buf Sig;
+ struct MBEDTLSPKCS7SIGNERINFO *Next;
+} MBEDTLSPKCS7SIGNERINFO;
+
+///
+/// PKCS7 signed data attached data format
+///
+typedef struct MbedtlsPkcs7Data {
+ mbedtls_asn1_buf Oid;
+ mbedtls_asn1_buf Data;
+} MBEDTLSPKCS7DATA;
+
+///
+/// Signed Data
+/// https://tools.ietf.org/html/rfc2315#section-9.1
+///
+typedef struct MbedtlsPkcs7SignedData {
+ INT32 Version;
+ mbedtls_asn1_buf DigestAlgorithms;
+ struct MBEDTLSPKCS7DATA ContentInfo;
+ mbedtls_x509_crt Certificates;
+ mbedtls_x509_crl Crls;
+ struct MbedtlsPkcs7SignerInfo SignerInfos;
+} MBEDTLSPKCS7SIGNEDDATA;
+
+///
+/// PKCS7 struct, only support SignedData
+///
+typedef struct MbedtlsPkcs7 {
+ mbedtls_asn1_buf ContentTypeOid;
+ struct MBEDTLSPKCS7SIGNEDDATA SignedData;
+} MBEDTLSPKCS7;
+
+#endif
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c
new file mode 100644
index 0000000000..03032592a1
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c
@@ -0,0 +1,53 @@
+/** @file
+ PKCS#7 SignedData Sign Wrapper Implementation which does not provide real
+ capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
+ Syntax Standard, version 1.5". This interface is only intended to be used for
+ application to perform PKCS#7 functionality validation.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PrivateKey Pointer to the PEM-formatted private key data for
+ data signing.
+ @param[in] PrivateKeySize Size of the PEM private key data in bytes.
+ @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM
+ key data.
+ @param[in] InData Pointer to the content to be signed.
+ @param[in] InDataSize Size of InData in bytes.
+ @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.
+ @param[in] OtherCerts Pointer to an optional additional set of certificates to
+ include in the PKCS#7 signedData (e.g. any intermediate
+ CAs in the chain).
+ @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's
+ responsibility to free the buffer with FreePool().
+ @param[out] SignedDataSize Size of SignedData in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7Sign (
+ IN CONST UINT8 *PrivateKey,
+ IN UINTN PrivateKeySize,
+ IN CONST UINT8 *KeyPassword,
+ IN UINT8 *InData,
+ IN UINTN InDataSize,
+ IN UINT8 *SignCert,
+ IN UINT8 *OtherCerts OPTIONAL,
+ OUT UINT8 **SignedData,
+ OUT UINTN *SignedDataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c
new file mode 100644
index 0000000000..63d7a23af3
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c
@@ -0,0 +1,152 @@
+/** @file
+ PKCS7 Verify Null implementation.
+
+ Copyright (C) Microsoft Corporation. All Rights Reserved.
+ Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ This function will return the leaf signer certificate in a chain. This is
+ required because certificate chains are not guaranteed to have the
+ certificates in the order that they were issued.
+
+ A typical certificate chain looks like this:
+
+
+ ----------------------------
+ | Root |
+ ----------------------------
+ ^
+ |
+ ----------------------------
+ | Policy CA | <-- Typical Trust Anchor.
+ ----------------------------
+ ^
+ |
+ ----------------------------
+ | Issuing CA |
+ ----------------------------
+ ^
+ |
+ -----------------------------
+ / End-Entity (leaf) signer / <-- Bottom certificate.
+ ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"
+ (Firmware Signing)
+
+
+ @param[in] CertChain Certificate chain.
+
+ @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,
+ this will be the end-entity (leaf) signer cert.
+
+ @retval EFI_SUCCESS The required EKUs were found in the signature.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND The number of signers found was not 1.
+
+**/
+EFI_STATUS
+GetSignerCertificate (
+ IN CONST VOID *CertChain,
+ OUT VOID **SignerCert
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
+
+/**
+ Determines if the specified EKU represented in ASN1 form is present
+ in a given certificate.
+
+ @param[in] Cert The certificate to check.
+
+ @param[in] Asn1ToFind The EKU to look for.
+
+ @retval EFI_SUCCESS We successfully identified the signing type.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+
+**/
+EFI_STATUS
+IsEkuInCertificate (
+ IN CONST VOID *Cert,
+ IN VOID *Asn1ToFind
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
+
+/**
+ Determines if the specified EKUs are present in a signing certificate.
+
+ @param[in] SignerCert The certificate to check.
+ @param[in] RequiredEKUs The EKUs to look for.
+ @param[in] RequiredEKUsSize The number of EKUs
+ @param[in] RequireAllPresent If TRUE, then all the specified EKUs
+ must be present in the certificate.
+
+ @retval EFI_SUCCESS We successfully identified the signing type.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+**/
+EFI_STATUS
+CheckEKUs (
+ IN CONST VOID *SignerCert,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
+
+/**
+ This function receives a PKCS#7 formatted signature blob,
+ looks for the EKU SEQUENCE blob, and if found then looks
+ for all the required EKUs. This function was created so that
+ the Surface team can cut down on the number of Certificate
+ Authorities (CA's) by checking EKU's on leaf signers for
+ a specific product. This prevents one product's certificate
+ from signing another product's firmware or unlock blobs.
+
+ Note that this function does not validate the certificate chain.
+ That needs to be done before using this function.
+
+ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
+ containing the content block with both the signature,
+ the signer's certificate, and any necessary intermediate
+ certificates.
+ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
+ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
+ required EKUs that must be present in the signature.
+ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
+ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
+ must be present in the leaf signer. If it is
+ FALSE, then we will succeed if we find any
+ of the specified EKU's.
+
+ @retval EFI_SUCCESS The required EKUs were found in the signature.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+
+**/
+EFI_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+ IN CONST UINT8 *Pkcs7Signature,
+ IN CONST UINT32 SignatureSize,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c
new file mode 100644
index 0000000000..91273cbdb9
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c
@@ -0,0 +1,56 @@
+/** @file
+ This module verifies that Enhanced Key Usages (EKU's) are present within
+ a PKCS7 signature blob using MbedTLS.
+
+ Copyright (C) Microsoft Corporation. All Rights Reserved.
+ Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ This function receives a PKCS#7 formatted signature blob,
+ looks for the EKU SEQUENCE blob, and if found then looks
+ for all the required EKUs. This function was created so that
+ the Surface team can cut down on the number of Certificate
+ Authorities (CA's) by checking EKU's on leaf signers for
+ a specific product. This prevents one product's certificate
+ from signing another product's firmware or unlock blobs.
+
+ Return RETURN_UNSUPPORTED to indicate this interface is not supported.
+
+ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
+ containing the content block with both the signature,
+ the signer's certificate, and any necessary intermediate
+ certificates.
+ @param[in] Pkcs7SignatureSize Number of bytes in pPkcs7Signature.
+ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
+ required EKUs that must be present in the signature.
+ All specified EKU's must be present in order to
+ succeed.
+ @param[in] RequiredEKUsSize Number of elements in the rgRequiredEKUs string.
+ This parameter has a maximum of MAX_EKU_SEARCH.
+ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
+ must be present in the leaf signer. If it is
+ FALSE, then we will succeed if we find any
+ of the specified EKU's.
+
+ @retval RETURN_UNSUPPORTED The operation is not supported.
+
+**/
+EFI_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+ IN CONST UINT8 *Pkcs7Signature,
+ IN CONST UINT32 SignatureSize,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ )
+{
+ ASSERT (FALSE);
+ return RETURN_UNSUPPORTED;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c
new file mode 100644
index 0000000000..82b2b07991
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c
@@ -0,0 +1,163 @@
+/** @file
+ PKCS#7 SignedData Verification Wrapper Implementation which does not provide
+ real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped
+ in a ContentInfo structure.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] P7Data Pointer to the PKCS#7 message to verify.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
+ @param[out] StackLength Length of signer's certificates in bytes.
+ @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
+ It's caller's responsibility to free the buffer with
+ Pkcs7FreeSigners().
+ @param[out] CertLength Length of the trusted certificate in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetSigners (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT UINT8 **CertStack,
+ OUT UINTN *StackLength,
+ OUT UINT8 **TrustedCert,
+ OUT UINTN *CertLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Wrap function to use free() to free allocated memory for certificates.
+
+ If the interface is not supported, then ASSERT().
+
+ @param[in] Certs Pointer to the certificates to be freed.
+
+**/
+VOID
+EFIAPI
+Pkcs7FreeSigners (
+ IN UINT8 *Certs
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7:
+ Cryptographic Message Syntax Standard", and outputs two certificate lists chained and
+ unchained to the signer's certificates.
+ The input signed data could be wrapped in a ContentInfo structure.
+
+ @param[in] P7Data Pointer to the PKCS#7 message.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] SignerChainCerts Pointer to the certificates list chained to signer's
+ certificate. It's caller's responsibility to free the buffer
+ with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
+ @param[out] ChainLength Length of the chained certificates list buffer in bytes.
+ @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
+ responsibility to free the buffer with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
+ @param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSE Error occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetCertificatesList (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT UINT8 **SignerChainCerts,
+ OUT UINTN *ChainLength,
+ OUT UINT8 **UnchainCerts,
+ OUT UINTN *UnchainLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Verifies the validity of a PKCS#7 signed data as described in "PKCS #7:
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped
+ in a ContentInfo structure.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] P7Data Pointer to the PKCS#7 message to verify.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which
+ is used for certificate chain verification.
+ @param[in] CertLength Length of the trusted certificate in bytes.
+ @param[in] InData Pointer to the content to be verified.
+ @param[in] DataLength Length of InData in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7Verify (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ IN CONST UINT8 *TrustedCert,
+ IN UINTN CertLength,
+ IN CONST UINT8 *InData,
+ IN UINTN DataLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Extracts the attached content from a PKCS#7 signed data if existed. The input signed
+ data could be wrapped in a ContentInfo structure.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] P7Data Pointer to the PKCS#7 signed data to process.
+ @param[in] P7Length Length of the PKCS#7 signed data in bytes.
+ @param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
+ It's caller's responsibility to free the buffer with FreePool().
+ @param[out] ContentSize The size of the extracted content in bytes.
+
+ @retval TRUE The P7Data was correctly formatted for processing.
+ @retval FALSE The P7Data was not correctly formatted for processing.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetAttachedContent (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT VOID **Content,
+ OUT UINTN *ContentSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c
new file mode 100644
index 0000000000..518a769ed3
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c
@@ -0,0 +1,38 @@
+/** @file
+ Runtime specific implementation of PKCS#7 SignedData Verification Wrapper.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Extracts the attached content from a PKCS#7 signed data if existed. The input signed
+ data could be wrapped in a ContentInfo structure.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] P7Data Pointer to the PKCS#7 signed data to process.
+ @param[in] P7Length Length of the PKCS#7 signed data in bytes.
+ @param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
+ It's caller's responsibility to free the buffer with FreePool().
+ @param[out] ContentSize The size of the extracted content in bytes.
+
+ @retval TRUE The P7Data was correctly formatted for processing.
+ @retval FALSE The P7Data was not correctly formatted for processing.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetAttachedContent (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT VOID **Content,
+ OUT UINTN *ContentSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c
new file mode 100644
index 0000000000..fcde333a6d
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c
@@ -0,0 +1,42 @@
+/** @file
+ RFC3161 Timestamp Countersignature Verification Wrapper Implementation which does
+ not provide real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode
+ signature.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed
+ PE/COFF image to be verified.
+ @param[in] DataSize Size of the Authenticode Signature in bytes.
+ @param[in] TsaCert Pointer to a trusted/root TSA certificate encoded in DER, which
+ is used for TSA certificate chain verification.
+ @param[in] CertSize Size of the trusted certificate in bytes.
+ @param[out] SigningTime Return the time of timestamp generation time if the timestamp
+ signature is valid.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+ImageTimestampVerify (
+ IN CONST UINT8 *AuthData,
+ IN UINTN DataSize,
+ IN CONST UINT8 *TsaCert,
+ IN UINTN CertSize,
+ OUT EFI_TIME *SigningTime
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c
new file mode 100644
index 0000000000..8ee3d44435
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c
@@ -0,0 +1,753 @@
+/** @file
+ X.509 Certificate Handler Wrapper Implementation which does not provide
+ real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Construct a X509 object from DER-encoded certificate data.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded certificate data.
+ @param[in] CertSize The size of certificate data in bytes.
+ @param[out] SingleX509Cert The generated X509 object.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509ConstructCertificate (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 **SingleX509Cert
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Construct a X509 stack object from a list of DER-encoded certificate data.
+
+ If X509Stack is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object.
+ On output, pointer to the X509 stack object with new
+ inserted X509 certificate.
+ @param[in] Args VA_LIST marker for the variable argument list.
+ A list of DER-encoded single certificate data followed
+ by certificate size. A NULL terminates the list. The
+ pairs are the arguments to X509ConstructCertificate().
+
+ @retval TRUE The X509 stack construction succeeded.
+ @retval FALSE The construction operation failed.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509ConstructCertificateStackV (
+ IN OUT UINT8 **X509Stack,
+ IN VA_LIST Args
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Construct a X509 stack object from a list of DER-encoded certificate data.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object.
+ On output, pointer to the X509 stack object with new
+ inserted X509 certificate.
+ @param ... A list of DER-encoded single certificate data followed
+ by certificate size. A NULL terminates the list. The
+ pairs are the arguments to X509ConstructCertificate().
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509ConstructCertificateStack (
+ IN OUT UINT8 **X509Stack,
+ ...
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Release the specified X509 object.
+
+ If the interface is not supported, then ASSERT().
+
+ @param[in] X509Cert Pointer to the X509 object to be released.
+
+**/
+VOID
+EFIAPI
+X509Free (
+ IN VOID *X509Cert
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Release the specified X509 stack object.
+
+ If the interface is not supported, then ASSERT().
+
+ @param[in] X509Stack Pointer to the X509 stack object to be released.
+
+**/
+VOID
+EFIAPI
+X509StackFree (
+ IN VOID *X509Stack
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Retrieve the subject bytes from one X.509 certificate.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CertSubject Pointer to the retrieved certificate subject bytes.
+ @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input,
+ and the size of buffer returned CertSubject on output.
+
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetSubjectName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 *CertSubject,
+ IN OUT UINTN *SubjectSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ Return RETURN_UNSUPPORTED to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate common
+ name string (UTF8). At most CommonNameSize bytes will be
+ written and the string will be null terminated. May be
+ NULL in order to determine the size buffer needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input,
+ and the size of buffer returned CommonName on output.
+ If CommonName is NULL then the amount of space needed
+ in buffer (including the final null) is returned.
+
+ @retval RETURN_UNSUPPORTED The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName OPTIONAL,
+ IN OUT UINTN *CommonNameSize
+ )
+{
+ ASSERT (FALSE);
+ return RETURN_UNSUPPORTED;
+}
+
+/**
+ Retrieve the organization name (ON) string from one X.509 certificate.
+
+ Return RETURN_UNSUPPORTED to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] NameBuffer Buffer to contain the retrieved certificate organization
+ name string. At most NameBufferSize bytes will be
+ written and the string will be null terminated. May be
+ NULL in order to determine the size buffer needed.
+ @param[in,out] NameBufferSize The size in bytes of the Name buffer on input,
+ and the size of buffer returned Name on output.
+ If NameBuffer is NULL then the amount of space needed
+ in buffer (including the final null) is returned.
+
+ @retval RETURN_UNSUPPORTED The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetOrganizationName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *NameBuffer OPTIONAL,
+ IN OUT UINTN *NameBufferSize
+ )
+{
+ ASSERT (FALSE);
+ return RETURN_UNSUPPORTED;
+}
+
+/**
+ Retrieve the RSA Public Key from one DER-encoded X509 certificate.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
+ RSA public key component. Use RsaFree() function to free the
+ resource.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaGetPublicKeyFromX509 (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT VOID **RsaContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Verify one X509 certificate was issued by the trusted CA.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[in] CACert Pointer to the DER-encoded trusted CA certificate.
+ @param[in] CACertSize Size of the CA Certificate in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509VerifyCert (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ IN CONST UINT8 *CACert,
+ IN UINTN CACertSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the TBSCertificate from one given X.509 certificate.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the given DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] TBSCert DER-Encoded To-Be-Signed certificate.
+ @param[out] TBSCertSize Size of the TBS certificate in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetTBSCert (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 **TBSCert,
+ OUT UINTN *TBSCertSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the EC Public Key from one DER-encoded X509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] EcContext Pointer to new-generated EC DSA context which contain the retrieved
+ EC public key component. Use EcFree() function to free the
+ resource.
+
+ If Cert is NULL, then return FALSE.
+ If EcContext is NULL, then return FALSE.
+
+ @retval TRUE EC Public Key was retrieved successfully.
+ @retval FALSE Fail to retrieve EC public key from X509 certificate.
+
+**/
+BOOLEAN
+EFIAPI
+EcGetPublicKeyFromX509 (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT VOID **EcContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the version from one X.509 certificate.
+
+ If Cert is NULL, then return FALSE.
+ If CertSize is 0, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] Version Pointer to the retrieved version integer.
+
+ @retval TRUE The certificate version retrieved successfully.
+ @retval FALSE If Cert is NULL or CertSize is Zero.
+ @retval FALSE The operation is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetVersion (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINTN *Version
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the serialNumber from one X.509 certificate.
+
+ If Cert is NULL, then return FALSE.
+ If CertSize is 0, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] SerialNumber Pointer to the retrieved certificate SerialNumber bytes.
+ @param[in, out] SerialNumberSize The size in bytes of the SerialNumber buffer on input,
+ and the size of buffer returned SerialNumber on output.
+
+ @retval TRUE The certificate serialNumber retrieved successfully.
+ @retval FALSE If Cert is NULL or CertSize is Zero.
+ If SerialNumberSize is NULL.
+ If Certificate is invalid.
+ @retval FALSE If no SerialNumber exists.
+ @retval FALSE If the SerialNumber is NULL. The required buffer size
+ (including the final null) is returned in the
+ SerialNumberSize parameter.
+ @retval FALSE The operation is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509GetSerialNumber (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 *SerialNumber,
+ OPTIONAL
+ IN OUT UINTN *SerialNumberSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the issuer bytes from one X.509 certificate.
+
+ If Cert is NULL, then return FALSE.
+ If CertIssuerSize is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CertIssuer Pointer to the retrieved certificate subject bytes.
+ @param[in, out] CertIssuerSize The size in bytes of the CertIssuer buffer on input,
+ and the size of buffer returned CertSubject on output.
+
+ @retval TRUE The certificate issuer retrieved successfully.
+ @retval FALSE Invalid certificate, or the CertIssuerSize is too small for the result.
+ The CertIssuerSize will be updated with the required size.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetIssuerName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 *CertIssuer,
+ IN OUT UINTN *CertIssuerSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the Signature Algorithm from one X.509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] Oid Signature Algorithm Object identifier buffer.
+ @param[in,out] OidSize Signature Algorithm Object identifier buffer size
+
+ @retval TRUE The certificate Extension data retrieved successfully.
+ @retval FALSE If Cert is NULL.
+ If OidSize is NULL.
+ If Oid is not NULL and *OidSize is 0.
+ If Certificate is invalid.
+ @retval FALSE If no SignatureType.
+ @retval FALSE If the Oid is NULL. The required buffer size
+ is returned in the OidSize.
+ @retval FALSE The operation is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509GetSignatureAlgorithm (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 *Oid,
+ OPTIONAL
+ IN OUT UINTN *OidSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve Extension data from one X.509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[in] Oid Object identifier buffer
+ @param[in] OidSize Object identifier buffer size
+ @param[out] ExtensionData Extension bytes.
+ @param[in, out] ExtensionDataSize Extension bytes size.
+
+ @retval TRUE The certificate Extension data retrieved successfully.
+ @retval FALSE If Cert is NULL.
+ If ExtensionDataSize is NULL.
+ If ExtensionData is not NULL and *ExtensionDataSize is 0.
+ If Certificate is invalid.
+ @retval FALSE If no Extension entry match Oid.
+ @retval FALSE If the ExtensionData is NULL. The required buffer size
+ is returned in the ExtensionDataSize parameter.
+ @retval FALSE The operation is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509GetExtensionData (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ IN CONST UINT8 *Oid,
+ IN UINTN OidSize,
+ OUT UINT8 *ExtensionData,
+ IN OUT UINTN *ExtensionDataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the Extended Key Usage from one X.509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] Usage Key Usage bytes.
+ @param[in, out] UsageSize Key Usage buffer sizs in bytes.
+
+ @retval TRUE The Usage bytes retrieve successfully.
+ @retval FALSE If Cert is NULL.
+ If CertSize is NULL.
+ If Usage is not NULL and *UsageSize is 0.
+ If Cert is invalid.
+ @retval FALSE If the Usage is NULL. The required buffer size
+ is returned in the UsageSize parameter.
+ @retval FALSE The operation is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509GetExtendedKeyUsage (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINT8 *Usage,
+ IN OUT UINTN *UsageSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the Validity from one X.509 certificate
+
+ If Cert is NULL, then return FALSE.
+ If CertIssuerSize is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[in] From notBefore Pointer to DateTime object.
+ @param[in,out] FromSize notBefore DateTime object size.
+ @param[in] To notAfter Pointer to DateTime object.
+ @param[in,out] ToSize notAfter DateTime object size.
+
+ Note: X509CompareDateTime to compare DateTime oject
+ x509SetDateTime to get a DateTime object from a DateTimeStr
+
+ @retval TRUE The certificate Validity retrieved successfully.
+ @retval FALSE Invalid certificate, or Validity retrieve failed.
+ @retval FALSE This interface is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509GetValidity (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ IN UINT8 *From,
+ IN OUT UINTN *FromSize,
+ IN UINT8 *To,
+ IN OUT UINTN *ToSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Format a DateTimeStr to DataTime object in DataTime Buffer
+
+ If DateTimeStr is NULL, then return FALSE.
+ If DateTimeSize is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ
+ Ref: https://www.w3.org/TR/NOTE-datetime
+ Z stand for UTC time
+ @param[out] DateTime Pointer to a DateTime object.
+ @param[in,out] DateTimeSize DateTime object buffer size.
+
+ @retval TRUE The DateTime object create successfully.
+ @retval FALSE If DateTimeStr is NULL.
+ If DateTimeSize is NULL.
+ If DateTime is not NULL and *DateTimeSize is 0.
+ If Year Month Day Hour Minute Second combination is invalid datetime.
+ @retval FALSE If the DateTime is NULL. The required buffer size
+ (including the final null) is returned in the
+ DateTimeSize parameter.
+ @retval FALSE The operation is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509FormatDateTime (
+ IN CONST CHAR8 *DateTimeStr,
+ OUT VOID *DateTime,
+ IN OUT UINTN *DateTimeSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Compare DateTime1 object and DateTime2 object.
+
+ If DateTime1 is NULL, then return -2.
+ If DateTime2 is NULL, then return -2.
+ If DateTime1 == DateTime2, then return 0
+ If DateTime1 > DateTime2, then return 1
+ If DateTime1 < DateTime2, then return -1
+
+ @param[in] DateTime1 Pointer to a DateTime Ojbect
+ @param[in] DateTime2 Pointer to a DateTime Object
+
+ @retval 0 If DateTime1 == DateTime2
+ @retval 1 If DateTime1 > DateTime2
+ @retval -1 If DateTime1 < DateTime2
+**/
+INT32
+EFIAPI
+X509CompareDateTime (
+ IN CONST VOID *DateTime1,
+ IN CONST VOID *DateTime2
+ )
+{
+ ASSERT (FALSE);
+ return -3;
+}
+
+/**
+ Retrieve the Key Usage from one X.509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] Usage Key Usage (CRYPTO_X509_KU_*)
+
+ @retval TRUE The certificate Key Usage retrieved successfully.
+ @retval FALSE Invalid certificate, or Usage is NULL
+ @retval FALSE This interface is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509GetKeyUsage (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT UINTN *Usage
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Verify one X509 certificate was issued by the trusted CA.
+ @param[in] RootCert Trusted Root Certificate buffer
+
+ @param[in] RootCertLength Trusted Root Certificate buffer length
+ @param[in] CertChain One or more ASN.1 DER-encoded X.509 certificates
+ where the first certificate is signed by the Root
+ Certificate or is the Root Cerificate itself. and
+ subsequent cerificate is signed by the preceding
+ cerificate.
+ @param[in] CertChainLength Total length of the certificate chain, in bytes.
+
+ @retval TRUE All cerificates was issued by the first certificate in X509Certchain.
+ @retval FALSE Invalid certificate or the certificate was not issued by the given
+ trusted CA.
+**/
+BOOLEAN
+EFIAPI
+X509VerifyCertChain (
+ IN CONST UINT8 *RootCert,
+ IN UINTN RootCertLength,
+ IN CONST UINT8 *CertChain,
+ IN UINTN CertChainLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Get one X509 certificate from CertChain.
+
+ @param[in] CertChain One or more ASN.1 DER-encoded X.509 certificates
+ where the first certificate is signed by the Root
+ Certificate or is the Root Cerificate itself. and
+ subsequent cerificate is signed by the preceding
+ cerificate.
+ @param[in] CertChainLength Total length of the certificate chain, in bytes.
+
+ @param[in] CertIndex Index of certificate.
+
+ @param[out] Cert The certificate at the index of CertChain.
+ @param[out] CertLength The length certificate at the index of CertChain.
+
+ @retval TRUE Success.
+ @retval FALSE Failed to get certificate from certificate chain.
+**/
+BOOLEAN
+EFIAPI
+X509GetCertFromCertChain (
+ IN CONST UINT8 *CertChain,
+ IN UINTN CertChainLength,
+ IN CONST INT32 CertIndex,
+ OUT CONST UINT8 **Cert,
+ OUT UINTN *CertLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the tag and length of the tag.
+
+ @param Ptr The position in the ASN.1 data
+ @param End End of data
+ @param Length The variable that will receive the length
+ @param Tag The expected tag
+
+ @retval TRUE Get tag successful
+ @retval FALSe Failed to get tag or tag not match
+**/
+BOOLEAN
+EFIAPI
+Asn1GetTag (
+ IN OUT UINT8 **Ptr,
+ IN CONST UINT8 *End,
+ OUT UINTN *Length,
+ IN UINT32 Tag
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Retrieve the basic constraints from one X.509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize size of the X509 certificate in bytes.
+ @param[out] BasicConstraints basic constraints bytes.
+ @param[in, out] BasicConstraintsSize basic constraints buffer sizs in bytes.
+
+ @retval TRUE The basic constraints retrieve successfully.
+ @retval FALSE If cert is NULL.
+ If cert_size is NULL.
+ If basic_constraints is not NULL and *basic_constraints_size is 0.
+ If cert is invalid.
+ @retval FALSE The required buffer size is small.
+ The return buffer size is basic_constraints_size parameter.
+ @retval FALSE If no Extension entry match oid.
+ @retval FALSE The operation is not supported.
+ **/
+BOOLEAN
+EFIAPI
+X509GetExtendedBasicConstraints (
+ CONST UINT8 *Cert,
+ UINTN CertSize,
+ UINT8 *BasicConstraints,
+ UINTN *BasicConstraintsSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c
new file mode 100644
index 0000000000..d5c66291ed
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c
@@ -0,0 +1,56 @@
+/** @file
+ Pseudorandom Number Generator Wrapper Implementation which does not provide
+ real capabilities.
+
+Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Sets up the seed value for the pseudorandom number generator.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Seed Pointer to seed value.
+ If NULL, default seed is used.
+ @param[in] SeedSize Size of seed value.
+ If Seed is NULL, this parameter is ignored.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RandomSeed (
+ IN CONST UINT8 *Seed OPTIONAL,
+ IN UINTN SeedSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Generates a pseudorandom byte stream of the specified size.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[out] Output Pointer to buffer to receive random value.
+ @param[in] Size Size of random bytes to generate.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RandomBytes (
+ OUT UINT8 *Output,
+ IN UINTN Size
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}