public inbox for devel@edk2.groups.io
From: Jordan Justen <jordan.l.justen@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
	edk2-devel-01 <edk2-devel@lists.01.org>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Subject: Re: [PATCH 2/3] OvmfPkg: introduce FD_SIZE_4MB (mainly) for Windows HCK
Date: Mon, 01 May 2017 10:23:29 -0700
Message-ID: <149365940885.25909.1007719045522991203@jljusten-skl>
In-Reply-To: <c010a543-1d66-05f1-a441-59e2c06c98c6@redhat.com>

On 2017-05-01 03:51:42, Laszlo Ersek wrote:
> On 04/30/17 23:16, Jordan Justen wrote:
> > On 2017-04-30 07:42:36, Laszlo Ersek wrote:
> > 
> >> $ build \
> >>   -b DEBUG \
> >>   -a IA32 -a X64 \
> >>   -p OvmfPkg/OvmfPkgIa32X64.dsc \
> >>   -t GCC48 \
> >>   -D SMM_REQUIRE \
> >>   -D SECURE_BOOT_ENABLE \
> >>   -D HTTP_BOOT_ENABLE \
> >>   -D NETWORK_IP6_ENABLE \
> >>   -D TLS_ENABLE
> > 
> > Do you enable the last 3 in your production builds? I didn't think it
> > was the case, but it would change things...
> 
> That's a very good question, and I expected it.
> 
> Any sane person being responsible for supporting a package will strive
> very hard to minimize the features enabled in the package, in order to
> minimize the problem surface / support burden. I tend to consider myself
> a sane person, so no, HTTP_BOOT_ENABLE, NETWORK_IP6_ENABLE, and
> TLS_ENABLE are not turned on.
> 
> (TLS_ENABLE carries even more weight, because it increases the security
> attack surface, so turning *that* off is very desirable.)
> 
> *But*, I certainly want to keep the *ability* to turn these features on
> (and maybe later features, in 2-3 years' time) if a customer or a
> partner requests it.

It sounds like you don't expect to 'support' this. At least not to the
same level as the rest of the firmware.

I think it is fine to say, if you want to enable these, you may have
to disable debug on some other features, or remove some other
features.

In other words, at this point I don't think the size of these should
be added into the equation for how 'full' the 2MB image is.

-Jordan

