public inbox for devel@edk2.groups.io
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Pedro Falcato <pedro.falcato@gmail.com>
Cc: edk2-devel-groups-io <devel@edk2.groups.io>,
	Andrew Fish <afish@apple.com>,
	"KILIAN_KEGEL@outlook.com" <KILIAN_KEGEL@outlook.com>,
	Mike Kinney <michael.d.kinney@intel.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>,
	Sean Brogan <sean.brogan@microsoft.com>,
	Bret Barkelew <Bret.Barkelew@microsoft.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Jiang, Guomin" <guomin.jiang@intel.com>,
	Pawel Polawski <ppolawsk@redhat.com>,
	"Lu, XiaoyuX" <xiaoyux.lu@intel.com>
Subject: Re: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl submodule to v3.0
Date: Fri, 28 Jan 2022 11:14:29 +0100
Message-ID: <20220128101429.s7sop6wz2ictnmuw@sirius.home.kraxel.org>
In-Reply-To: <CAKbZUD3FfkYK-3Axe40YeFyu2F_7Q1Ctq9zPhyzV51SYPHGuog@mail.gmail.com>

  Hi,

> I think that maybe "Why are we bringing in so much third-party code to
> firmware?" is a way better question than "is it feasible to implement all
> the required builtins?". Why can my firmware speak TLS, and why does it
> have a whole copy of *OpenSSL*, which is a huge library with a big attack
> surface and was never written to be run in a firmware/kernel/bare metal
> environment like UEFI.

crypto is needed for:
  (1) network boot (tls for https)
  (2) iscsi (tls too).
  (3) secure boot.
  (4) tpm support.
  (5) secure firmware updates.

And possibly more.

> Note: If there's a big need for something like internal TLS I would
> recommend BearSSL as a very small TLS implementation that was actually
> written for embedded systems.

Well, that doesn't look like an actively maintained project.  One commit
in 2021.  Four commits in 2020.  Features like TLS-1.3 support on the
TODO-List but apparently nobody working on it.

take care,
  Gerd

