Date: Wed, 2 Mar 2022 08:42:02 +0100
From: "Gerd Hoffmann"
To: "Yao, Jiewen"
Cc: "Li, Yi1", "devel@edk2.groups.io", "Kovvuri, Vineel", "Luo, Heng"
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve cipher algorithms
Message-ID: <20220302074202.xtjfu4yqi3vxm7ec@sirius.home.kraxel.org>
References: <26433.1645811519240546455@groups.io> <20220301140451.wtqcyt6vyus5klgw@sirius.home.kraxel.org>

On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote:
> I think another option to pursue is how to control the openssl configuration from module or platform level.
>
> E.g. what if platform-A has enough size and wants to use ECC, while platform-B has a size constraint and wants to disable ECC?
>
> We can let platform choose if ECC is needed or not? I hope so.

Not so easy. It would require turning the way openssl is integrated upside down. Today openssl is configured and the results (header files etc.) are committed to the repo, so the openssl config is the same for everybody.

Also I expect there is no way around ECC long-term. WPA3 was mentioned elsewhere in the thread. For TLS it will most likely be a requirement too at some point in the future. With TLS 1.2 it is possible to choose ciphers not requiring ECC; for TLS 1.3 ECC is mandatory though.

So I doubt making ECC optional is worth the trouble.

take care,
  Gerd