Date: Mon, 17 Jan 2022 12:46:27 +0100
From: "Gerd Hoffmann"
To: devel@edk2.groups.io, jiewen.yao@intel.com
Cc: "Kinney, Michael D" , "Wang, Jian J" , "Jiang, Guomin" , Pawel Polawski , "Lu, XiaoyuX"
Subject: Re: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl submodule to v3.0
Message-ID: <20220117114627.ji5cyqxkca6bmiaf@sirius.home.kraxel.org>
References: <20211203160748.866150-1-kraxel@redhat.com>

Hi,

I've continued working on this over the last weeks. Time for a status update.

All applies to the latest tree, sneak preview is here:
    https://github.com/kraxel/edk2/commits/openssl3

> Also, assuming you have done enough test, would you please provide:
> 1) size difference, Including PEI, SMM, DXE.

No changes in SEC and PEI.

DXE:

openssl 1.1
 - 399582 SecureBootConfigDxe
 - 472182 SecurityStubDxe
 - 532626 VariableSmm
 - 656382 TlsDxe

openssl 3.0
 + 809886 SecureBootConfigDxe
 + 912310 SecurityStubDxe
 + 970898 VariableSmm
 + 1125758 TlsDxe

Most of that seems to come from some openssl core changes (the new 'provider' concept) and I don't see an easy way to cut that down. That is with the same feature set we have right now (i.e. no elliptic curves and thus no TLS 1.3 support).

> 2) performance difference, Including PEI, SMM, DXE.

Suggestions how to measure that?

> 3) what unit test you have done (such as each crypto API)

CryptoPkg/UnitTest passes.

> 4) what system test you have done (such as secure boot, trusted boot)

Secure boot works.
TlsDxe (boot from https server) works.
TPM not tested yet.

I still have a bunch of failures in CI, for some of them I'm not sure how to handle them best:

(1) 32-bit builds on windows fail:

INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __allmul
INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __aulldiv
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __aulldvrm
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __ftol2_sse

Those symbols look like they reference helper functions to do 64bit math on 32bit architecture. Any hints how to fix that?

(2) va_arg is not working with floats due to SSE being disabled:

INFO - /home/vsts/work/1/s/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bio_print.c:265:28: error: SSE register argument with SSE disabled
INFO - fvalue = va_arg(args, LDOUBLE);

I can't see a way to fix that given that va_arg typically refers to a compiler builtin, so I don't think there is a way to declare that an EFIAPI function to change the calling convention. Not all builds fail though, possibly because the compiler inlines with optimization turned on. Suggestions anyone?

(3) Some NOOPT builds are failing due to the size growing ...

take care,
  Gerd