From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mx.groups.io with SMTP id smtpd.web08.10188.1636635960501238487
 for <devel@edk2.groups.io>;
 Thu, 11 Nov 2021 05:06:00 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gS9UxucY;
 spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: kraxel@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1636635959;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=gPbq3MThYGJV4x5UT9fBfNiTwGyoQtfAea2gmNkLTBQ=;
	b=gS9UxucYcUlc24/8e0PJE7CUVHsAinEY7ARq0bfJUBC5fsHZjkrC8Q8YlV/7cTi2gDSjkr
	gyv1pSedzr1U7O64oJ3fbRqsnKdvSNC1tR/pya2Xtl1zcTzoYs5zGDCpvuE9SWgpf/hgIM
	S4RDCNoLXhDl+yhwPRVZ0Jr/5RCe7Is=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-176-x5RIojE4PUyuBOCLy6O30A-1; Thu, 11 Nov 2021 08:05:56 -0500
X-MC-Unique: x5RIojE4PUyuBOCLy6O30A-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4ED311966321;
	Thu, 11 Nov 2021 13:05:55 +0000 (UTC)
Received: from sirius.home.kraxel.org (unknown [10.39.193.245])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id F1DFD5DF56;
	Thu, 11 Nov 2021 13:05:54 +0000 (UTC)
Received: by sirius.home.kraxel.org (Postfix, from userid 1000)
	id DE06D1800925; Thu, 11 Nov 2021 14:05:52 +0100 (CET)
Date: Thu, 11 Nov 2021 14:05:52 +0100
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>
Cc: devel@edk2.groups.io, "Yao, Jiewen" <jiewen.yao@intel.com>,
	"vineelko@microsoft.com" <vineelko@microsoft.com>
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
Message-ID: <20211111130552.qo5a33ki7ikipqpf@sirius.home.kraxel.org>
References: <CABG47Q-PcbYndFrYpwA=Soaw_xUMpHA4yj_vBjT77j1WSzza-w@mail.gmail.com>
 <23891.1636410576311055186@groups.io>
 <PH0PR11MB48852FB048DFFCBE18E70F1D8C929@PH0PR11MB4885.namprd11.prod.outlook.com>
 <20211109085809.22kqmzd6zxu465ua@sirius.home.kraxel.org>
 <CABG47Q_1cE1t+LzqGWKrwzafw6UNa4oucfhAvCGyETpc_1JG5A@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CABG47Q_1cE1t+LzqGWKrwzafw6UNa4oucfhAvCGyETpc_1JG5A@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=kraxel@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

  Hi,

> The difference I see without ecc change and with the change is the increase
> in file sizes for below ffs files,(other .ffs files remained unchanged)
> 
> Without ecc change:
> 794742
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 653470
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1174654
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 872594
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
> 
> With ecc change:
> 1058678
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 917214
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1470718
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 1134738
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

Uh.  So each driver which needs openssl has its own copy of the library?

I wasn't aware of that, but yes, given we don't have dynamic linking
this makes sense and also easily explains why we see such a big jump in
size.

> I am wondering, removing existing ciphers might impact other platforms.
> Could you please suggest any less intrusive options without impacting
> other platforms.

I was thinking more about reviewing the chipers added.  Pick the most
commonly used ones instead of just adding them all for example.

> I am new to EDK and what compile time options are you referring to? Please
> let me know if any other information is needed from the build.

Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.

But I think Jiewen meant something else with "2 profiles":

We could create two OpensslLib variants.  One full-featured build with
ecc enabled which TlsDxe could use (assuming better TLS support is your
use case).  And one less-featured variant for VariableSmm +
SecureBootConfigDxe + SecurityStubDxe.

That way we have the ecc code only once not four times in the firmware
build.  Possibly the less-featured could be stripped down even more when
it doesn't need to support TLS any more.

I'm also wondering why SecurityStubDxe needs OpensslLib ...

take care & HTH,
  Gerd