public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	Pawel Polawski <ppolawsk@redhat.com>,
	"Li, Yi1" <yi1.li@intel.com>,
	Oliver Steffen <osteffen@redhat.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	"Jiang, Guomin" <guomin.jiang@intel.com>,
	"Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>
Subject: Re: [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
Date: Thu, 5 May 2022 10:06:38 +0200	[thread overview]
Message-ID: <20220505080638.rmrw3f773rkw3ljl@sirius.home.kraxel.org> (raw)
In-Reply-To: <MW4PR11MB58724592EC5CAC17CD8FE28F8CC09@MW4PR11MB5872.namprd11.prod.outlook.com>

  Hi,

> However, I do have concern for crypto package to enable ECC *unconditionally*.
> I am not convinced that "EC is hard requirement for EDKII" just because "EC is a hard requirement for TLS 1.3". My reason below:
> A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE. (Unless size of PEI/SMM is unchanged).

Well, the PcdEcEnabled switch we have in the tree right now enables or
disables EC for everybody, it doesn't support enabling EC for DXE only.

In we want change that we'll need two different *.inf files I guess,
one for openssl with ec and one for openssl without ec.

I'll check the effect on image sizes.

> C) TLS1.3 is not a mandatory requirement. TLS1.2 can still be used.

Yes, today this isn't much of a problem.  But I expect that will change
in the future as browsers fade out support for older TLS versions to
improve security.  Recent firefox versions have TLS 1.0 and 1.1 disabled
by default.  So while this isn't urgent it is still something we should
consider and keep on our radar.

take care,
  Gerd


  reply	other threads:[~2022-05-05  8:06 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 2/5] Revert "CryptoPkg: Make EC source file config-able" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 3/5] OvmfPkg: make DXEFV larger Gerd Hoffmann
2022-05-02 19:39   ` Ard Biesheuvel
2022-05-02 10:34 ` [PATCH 4/5] CryptoPkg/openssl: update generated files Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 5/5] CryptoPkg/openssl: disable codestyle checks for " Gerd Hoffmann
2022-05-03 15:39 ` [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Yao, Jiewen
2022-05-05  8:06   ` Gerd Hoffmann [this message]
2022-05-05  9:15     ` [edk2-devel] " Gerd Hoffmann
2022-05-09  1:38       ` Yao, Jiewen
2022-05-09  9:45         ` Gerd Hoffmann
2022-05-09 10:17           ` Yao, Jiewen
2022-05-09 11:27             ` Gerd Hoffmann
2022-05-09 11:47               ` James Bottomley
2022-05-09 12:03                 ` Yao, Jiewen
2022-05-09 13:41                   ` James Bottomley
2022-05-10 10:40                     ` Gerd Hoffmann
2022-05-10 11:20                       ` Yao, Jiewen
2022-05-10 14:31                       ` James Bottomley
     [not found]                 ` <16ED6E30C7B1AB9D.18911@groups.io>
2022-05-09 12:12                   ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220505080638.rmrw3f773rkw3ljl@sirius.home.kraxel.org \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox