From: Jordan Justen
To: Laszlo Ersek, edk2-devel-01
Cc: Gary Ching-Pang Lin
Date: Mon, 01 May 2017 10:23:29 -0700
Subject: Re: [PATCH 2/3] OvmfPkg: introduce FD_SIZE_4MB (mainly) for Windows HCK
Message-ID: <149365940885.25909.1007719045522991203@jljusten-skl>
References: <20170429201500.18496-1-lersek@redhat.com> <20170429201500.18496-3-lersek@redhat.com> <149351328512.20670.1563878734495138189@jljusten-skl> <030f8312-35ce-5c86-205c-2ee6c0b5ab8b@redhat.com> <149358697668.23065.6363402854761002239@jljusten-skl>
List-Id: EDK II Development (edk2-devel@lists.01.org)

On 2017-05-01 03:51:42, Laszlo Ersek wrote:
> On 04/30/17 23:16, Jordan Justen wrote:
> > On 2017-04-30 07:42:36, Laszlo Ersek wrote:
> >
> >> $ build \
> >>     -b DEBUG \
> >>     -a IA32 -a X64 \
> >>     -p OvmfPkg/OvmfPkgIa32X64.dsc \
> >>     -t GCC48 \
> >>     -D SMM_REQUIRE \
> >>     -D SECURE_BOOT_ENABLE \
> >>     -D HTTP_BOOT_ENABLE \
> >>     -D NETWORK_IP6_ENABLE \
> >>     -D TLS_ENABLE
> >
> > Do you enable the last 3 in your production builds? I didn't think it
> > was the case, but it would change things...
>
> That's a very good question, and I expected it.
>
> Any sane person being responsible for supporting a package will strive
> very hard to minimize the features enabled in the package, in order to
> minimize the problem surface / support burden. I tend to consider myself
> a sane person, so no, HTTP_BOOT_ENABLE, NETWORK_IP6_ENABLE, and
> TLS_ENABLE are not turned on.
>
> (TLS_ENABLE carries even more weight, because it increases the security
> attack surface, so turning *that* off is very desirable.)
>
> *But*, I certainly want to keep the *ability* to turn these features on
> (and maybe later features, in 2-3 years' time) if a customer or a
> partner requests it.

It sounds like you don't expect to 'support' this. At least not to the
same level as the rest of the firmware.

I think it is fine to say, if you want to enable these, you may have to
disable debug on some other features, or remove some other features.

In other words, at this point I don't think the size of these should be
added into the equation for how 'full' the 2MB image is.

-Jordan