public inbox for devel@edk2.groups.io
* [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
@ 2022-05-02 10:34 Gerd Hoffmann
  2022-05-02 10:34 ` [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib" Gerd Hoffmann
                   ` (5 more replies)
  0 siblings, 6 replies; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-02 10:34 UTC (permalink / raw)
  To: devel
  Cc: Pawel Polawski, yi1.li, Jiewen Yao, Oliver Steffen, Jian J Wang,
	Ard Biesheuvel, Guomin Jiang, Xiaoyu Lu, Jordan Justen,
	Gerd Hoffmann

Re-opening the elliptic curves debate after running into the recent
openssl changes.  The current implementation is IMHO rather messy.
It adds manual changes to auto-generated files, which will make
any updates a rather hard and error-prone process.

I see two possible options how we can move forward:

  (1) Drop the idea to make EC configurable and just enable it
      unconditionally.  I think long-term there is no way around
      this anyway as EC is a hard requirement for TLS 1.3.
  (2) Keep the EC config option, but update process_files.pl to
      automatically add the PcdEcEnabled config option handling
      to the files it generates.

This patch set does (1).  It also tweaks ovmf firmware volumes
to make CI tests pass and it also excludes generated files from
codestyle checks.

take care,
  Gerd

Gerd Hoffmann (5):
  Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming
    OpensslLib"
  Revert "CryptoPkg: Make EC source file config-able"
  OvmfPkg: make DXEFV larger
  CryptoPkg/openssl: update generated files
  CryptoPkg/openssl: disable codestyle checks for generated files

 CryptoPkg/CryptoPkg.dec                       |   4 -
 OvmfPkg/OvmfPkgIa32.fdf                       |   6 +-
 OvmfPkg/OvmfPkgIa32X64.fdf                    |   6 +-
 OvmfPkg/OvmfPkgX64.fdf                        |   6 +-
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 -
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 -
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 -
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 -
 .../BaseCryptLib/UnitTestHostBaseCryptLib.inf |   3 -
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  99 ++++----
 .../Library/OpensslLib/OpensslLibCrypto.inf   |  99 ++++----
 CryptoPkg/Library/TlsLib/TlsLib.inf           |   3 -
 CryptoPkg/Library/Include/crypto/dso_conf.h   |   7 +-
 .../Library/Include/openssl/opensslconf.h     | 240 ++++++++----------
 CryptoPkg/CryptoPkg.ci.yaml                   |  10 +
 15 files changed, 234 insertions(+), 261 deletions(-)

-- 
2.35.1



* [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib"
  2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
@ 2022-05-02 10:34 ` Gerd Hoffmann
  2022-05-02 10:34 ` [PATCH 2/5] Revert "CryptoPkg: Make EC source file config-able" Gerd Hoffmann
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-02 10:34 UTC (permalink / raw)
  To: devel
  Cc: Pawel Polawski, yi1.li, Jiewen Yao, Oliver Steffen, Jian J Wang,
	Ard Biesheuvel, Guomin Jiang, Xiaoyu Lu, Jordan Justen,
	Gerd Hoffmann

This reverts commit b06a007b6471b6eba6d1c38ff1bcfff183b57488.

Remove PcdEcEnabled switch, not needed when EC is
enabled unconditionally.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf             | 3 ---
 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf              | 3 ---
 CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf          | 3 ---
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf              | 3 ---
 CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf | 3 ---
 CryptoPkg/Library/OpensslLib/OpensslLib.inf                 | 2 +-
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf           | 2 +-
 CryptoPkg/Library/TlsLib/TlsLib.inf                         | 3 ---
 8 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 5bbdb387d6ba..15cf3dab105c 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -88,9 +88,6 @@ [LibraryClasses]
   IntrinsicLib
   PrintLib
 
-[FixedPcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-
 #
 # Remove these [BuildOptions] after this library is cleaned up
 #
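
Review bot: the `-[FixedPcd]` removal here raises a bisectability question. With only 1/5 applied, BaseCryptLib.inf no longer lists `gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled`, while opensslconf.h still evaluates `#if !FixedPcdGetBool (PcdEcEnabled)` until 2/5 removes that block. Please confirm the tree builds at this commit, or squash the two reverts so the header guard and the INF declarations disappear together. The same applies to the identical hunks for PeiCryptLib, RuntimeCryptLib, SmmCryptLib, UnitTestHostBaseCryptLib and TlsLib.
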
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index fd500e61ec99..bf1563b06407 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -77,9 +77,6 @@ [LibraryClasses]
   OpensslLib
   IntrinsicLib
 
-[FixedPcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-
 #
 # Remove these [BuildOptions] after this library is cleaned up
 #
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 3e4524896c45..6742da0be4fe 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -93,9 +93,6 @@ [LibraryClasses]
   IntrinsicLib
   PrintLib
 
-[FixedPcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-
 #
 # Remove these [BuildOptions] after this library is cleaned up
 #
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index ae75bc87b5e5..8f39517f78b7 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -92,9 +92,6 @@ [LibraryClasses]
   MmServicesTableLib
   SynchronizationLib
 
-[FixedPcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-
 #
 # Remove these [BuildOptions] after this library is cleaned up
 #
diff --git a/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf
index 44c183b90563..b98f9635b27b 100644
--- a/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/UnitTestHostBaseCryptLib.inf
@@ -72,9 +72,6 @@ [LibraryClasses]
   DebugLib
   OpensslLib
 
-[FixedPcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-
 #
 # Remove these [BuildOptions] after this library is cleaned up
 #
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index a97b3f5e8ff2..459ac4864a4e 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -633,7 +633,7 @@ [LibraryClasses]
 [LibraryClasses.ARM]
   ArmSoftFloatLib
 
-[FixedPcd]
+[Pcd]
   gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled      ## CONSUMES
 
 [BuildOptions]
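
Review bot: the commit message does not match this hunk. It says the PcdEcEnabled switch is removed, but here the `## CONSUMES` entry stays and only its section changes from `[FixedPcd]` to `[Pcd]`. That is what a mechanical revert produces, so the diff itself is fine, but the message should say that OpensslLib.inf keeps consuming the PCD until 2/5 drops it.
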
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 490b83602be9..c9d69a368e3c 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -582,7 +582,7 @@ [LibraryClasses]
 [LibraryClasses.ARM]
   ArmSoftFloatLib
 
-[FixedPcd]
+[Pcd]
   gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled      ## CONSUMES
 
 [BuildOptions]
diff --git a/CryptoPkg/Library/TlsLib/TlsLib.inf b/CryptoPkg/Library/TlsLib/TlsLib.inf
index 001e13e3990b..27209f4d7fe3 100644
--- a/CryptoPkg/Library/TlsLib/TlsLib.inf
+++ b/CryptoPkg/Library/TlsLib/TlsLib.inf
@@ -41,9 +41,6 @@ [LibraryClasses]
   OpensslLib
   SafeIntLib
 
-[FixedPcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-
 [BuildOptions]
   #
   # suppress the following warnings so we do not break the build with warnings-as-errors:
-- 
2.35.1



* [PATCH 2/5] Revert "CryptoPkg: Make EC source file config-able"
  2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
  2022-05-02 10:34 ` [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib" Gerd Hoffmann
@ 2022-05-02 10:34 ` Gerd Hoffmann
  2022-05-02 10:34 ` [PATCH 3/5] OvmfPkg: make DXEFV larger Gerd Hoffmann
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-02 10:34 UTC (permalink / raw)
  To: devel
  Cc: Pawel Polawski, yi1.li, Jiewen Yao, Oliver Steffen, Jian J Wang,
	Ard Biesheuvel, Guomin Jiang, Xiaoyu Lu, Jordan Justen,
	Gerd Hoffmann

This reverts commit 0c901fcc200e411b78b9ca42d07d5ea4aaa13b21.

Patch introduces manual changes to files generated by process_files.pl.
Which is a rather bad idea, updates will be very error-prone with this.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 CryptoPkg/CryptoPkg.dec                       |  4 -
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 95 +++++++++----------
 .../Library/OpensslLib/OpensslLibCrypto.inf   | 95 +++++++++----------
 .../Library/Include/openssl/opensslconf.h     |  7 +-
 4 files changed, 93 insertions(+), 108 deletions(-)

diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index ebec64050b71..5888941bab4c 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -81,9 +81,5 @@ [PcdsFixedAtBuild]
   # @ValidList 0x80000001 | 0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010
   gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x00000002|UINT32|0x00000001
 
-  ## Enable/Disable the ECC feature in openssl library. The default is disabled.
-  #  If ECC feature is disabled, all related source files will not be compiled.
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled|FALSE|BOOLEAN|0x0000003
-
 [UserExtensions.TianoCore."ExtraFiles"]
   CryptoPkgExtra.uni
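
Review bot: dropping the `PcdEcEnabled` declaration from `[PcdsFixedAtBuild]` is a compatibility break that the commit message does not mention. Any platform DSC that still assigns this PCD will fail to build once no DEC declares it, and because the removed default was `FALSE`, every platform that never set it now compiles the EC sources. Please state both effects in the commit message; 3/5 only makes room for the extra code in the three OVMF FDF files.
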
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 459ac4864a4e..1d67ed55e1b1 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,43 +199,43 @@ [Sources]
   $(OPENSSL_PATH)/crypto/dso/dso_vms.c
   $(OPENSSL_PATH)/crypto/dso/dso_win32.c
   $(OPENSSL_PATH)/crypto/ebcdic.c
-  $(OPENSSL_PATH)/crypto/ec/curve25519.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_check.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_curve.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_err.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_key.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_lib.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_mult.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_oct.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_print.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/eck_prn.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
+  $(OPENSSL_PATH)/crypto/ec/curve25519.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+  $(OPENSSL_PATH)/crypto/ec/ec_check.c
+  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+  $(OPENSSL_PATH)/crypto/ec/ec_err.c
+  $(OPENSSL_PATH)/crypto/ec/ec_key.c
+  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_print.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
   $(OPENSSL_PATH)/crypto/err/err.c
   $(OPENSSL_PATH)/crypto/err/err_prn.c
   $(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -533,15 +533,15 @@ [Sources]
   $(OPENSSL_PATH)/crypto/conf/conf_local.h
   $(OPENSSL_PATH)/crypto/dh/dh_local.h
   $(OPENSSL_PATH)/crypto/dso/dso_local.h
-  $(OPENSSL_PATH)/crypto/ec/ec_local.h      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/field.h      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/word.h     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h      |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h     |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
+  $(OPENSSL_PATH)/crypto/ec/ec_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
   $(OPENSSL_PATH)/crypto/evp/evp_local.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
@@ -633,9 +633,6 @@ [LibraryClasses]
 [LibraryClasses.ARM]
   ArmSoftFloatLib
 
-[Pcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled      ## CONSUMES
-
 [BuildOptions]
   #
   # Disables the following Visual Studio compiler warnings brought by openssl source,
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index c9d69a368e3c..66ca5b1250c1 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,43 +199,43 @@ [Sources]
   $(OPENSSL_PATH)/crypto/dso/dso_vms.c
   $(OPENSSL_PATH)/crypto/dso/dso_win32.c
   $(OPENSSL_PATH)/crypto/ebcdic.c
-  $(OPENSSL_PATH)/crypto/ec/curve25519.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_check.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_curve.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_err.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_key.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_lib.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_mult.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_oct.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ec_print.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/eck_prn.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
+  $(OPENSSL_PATH)/crypto/ec/curve25519.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+  $(OPENSSL_PATH)/crypto/ec/ec_check.c
+  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+  $(OPENSSL_PATH)/crypto/ec/ec_err.c
+  $(OPENSSL_PATH)/crypto/ec/ec_key.c
+  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_print.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
   $(OPENSSL_PATH)/crypto/err/err.c
   $(OPENSSL_PATH)/crypto/err/err_prn.c
   $(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -533,15 +533,15 @@ [Sources]
   $(OPENSSL_PATH)/crypto/conf/conf_local.h
   $(OPENSSL_PATH)/crypto/dh/dh_local.h
   $(OPENSSL_PATH)/crypto/dso/dso_local.h
-  $(OPENSSL_PATH)/crypto/ec/ec_local.h    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/field.h    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/word.h   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h    |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
-  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h   |*|*|*|gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled
+  $(OPENSSL_PATH)/crypto/ec/ec_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
   $(OPENSSL_PATH)/crypto/evp/evp_local.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
@@ -582,9 +582,6 @@ [LibraryClasses]
 [LibraryClasses.ARM]
   ArmSoftFloatLib
 
-[Pcd]
-  gEfiCryptoPkgTokenSpaceGuid.PcdEcEnabled      ## CONSUMES
-
 [BuildOptions]
   #
   # Disables the following Visual Studio compiler warnings brought by openssl source,
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 1485b8c9f108..7ea976b2252e 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -9,7 +9,7 @@
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
  */
-#include <Library/PcdLib.h>
+
 #include <openssl/opensslv.h>
 
 #ifdef  __cplusplus
@@ -55,11 +55,6 @@ extern "C" {
 #ifndef OPENSSL_NO_DSA
 #define OPENSSL_NO_DSA
 #endif
-#if !FixedPcdGetBool (PcdEcEnabled)
-  #ifndef OPENSSL_NO_EC
-#define OPENSSL_NO_EC
-  #endif
-#endif
 #ifndef OPENSSL_NO_IDEA
 #define OPENSSL_NO_IDEA
 #endif
-- 
2.35.1



* [PATCH 3/5] OvmfPkg: make DXEFV larger
  2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
  2022-05-02 10:34 ` [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib" Gerd Hoffmann
  2022-05-02 10:34 ` [PATCH 2/5] Revert "CryptoPkg: Make EC source file config-able" Gerd Hoffmann
@ 2022-05-02 10:34 ` Gerd Hoffmann
  2022-05-02 19:39   ` Ard Biesheuvel
  2022-05-02 10:34 ` [PATCH 4/5] CryptoPkg/openssl: update generated files Gerd Hoffmann
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-02 10:34 UTC (permalink / raw)
  To: devel
  Cc: Pawel Polawski, yi1.li, Jiewen Yao, Oliver Steffen, Jian J Wang,
	Ard Biesheuvel, Guomin Jiang, Xiaoyu Lu, Jordan Justen,
	Gerd Hoffmann

openssl with ec enabled needs more space.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.fdf    | 6 +++---
 OvmfPkg/OvmfPkgIa32X64.fdf | 6 +++---
 OvmfPkg/OvmfPkgX64.fdf     | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 3ab1755749d4..d9c4a7c8ad26 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -62,10 +62,10 @@ [FD.OVMF_CODE]
 
 [FD.MEMFD]
 BaseAddress   = $(MEMFD_BASE_ADDRESS)
-Size          = 0xD00000
+Size          = 0xE00000
 ErasePolarity = 1
 BlockSize     = 0x10000
-NumBlocks     = 0xD0
+NumBlocks     = 0xE0
 
 0x000000|0x006000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
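
Review bot: the `Size`/`NumBlocks` bump lacks a justification for the amount. The new values are consistent with each other (0xE0 blocks of 0x10000 is 0xE00000), but "openssl with ec enabled needs more space" does not say how much. Please add the measured DXEFV usage before and after enabling EC to the commit message so the 0x100000 step and the remaining headroom can be judged.
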
@@ -83,7 +83,7 @@ [FD.MEMFD]
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
 FV = PEIFV
 
-0x100000|0xC00000
+0x100000|0xD00000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
 FV = DXEFV
 
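
Review bot: the new DXEFV region `0x100000|0xD00000` ends exactly at the enlarged MEMFD size of 0xE00000, so the layout is still fully packed and the next growth needs another `Size`/`NumBlocks` change. Since 2/5 enables EC for every consumer of OpensslLib and this series only touches the Ia32, Ia32X64 and X64 FDF files, please confirm that other platforms linking OpensslLib still fit, or list the ones that were build-tested.
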
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index e1638fa6ea38..5a366798ccbd 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -62,10 +62,10 @@ [FD.OVMF_CODE]
 
 [FD.MEMFD]
 BaseAddress   = $(MEMFD_BASE_ADDRESS)
-Size          = 0xD00000
+Size          = 0xE00000
 ErasePolarity = 1
 BlockSize     = 0x10000
-NumBlocks     = 0xD0
+NumBlocks     = 0xE0
 
 0x000000|0x006000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
@@ -86,7 +86,7 @@ [FD.MEMFD]
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
 FV = PEIFV
 
-0x100000|0xC00000
+0x100000|0xD00000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
 FV = DXEFV
 
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 6e72cdf3453e..2ce7a023f2d1 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -62,10 +62,10 @@ [FD.OVMF_CODE]
 
 [FD.MEMFD]
 BaseAddress   = $(MEMFD_BASE_ADDRESS)
-Size          = 0xD00000
+Size          = 0xE00000
 ErasePolarity = 1
 BlockSize     = 0x10000
-NumBlocks     = 0xD0
+NumBlocks     = 0xE0
 
 0x000000|0x006000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
@@ -101,7 +101,7 @@ [FD.MEMFD]
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
 FV = PEIFV
 
-0x100000|0xC00000
+0x100000|0xD00000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
 FV = DXEFV
 
-- 
2.35.1



* [PATCH 4/5] CryptoPkg/openssl: update generated files
  2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
                   ` (2 preceding siblings ...)
  2022-05-02 10:34 ` [PATCH 3/5] OvmfPkg: make DXEFV larger Gerd Hoffmann
@ 2022-05-02 10:34 ` Gerd Hoffmann
  2022-05-02 10:34 ` [PATCH 5/5] CryptoPkg/openssl: disable codestyle checks for " Gerd Hoffmann
  2022-05-03 15:39 ` [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Yao, Jiewen
  5 siblings, 0 replies; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-02 10:34 UTC (permalink / raw)
  To: devel
  Cc: Pawel Polawski, yi1.li, Jiewen Yao, Oliver Steffen, Jian J Wang,
	Ard Biesheuvel, Guomin Jiang, Xiaoyu Lu, Jordan Justen,
	Gerd Hoffmann

Run process_files.pl with the current openssl submodule version.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   4 +
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   4 +
 CryptoPkg/Library/Include/crypto/dso_conf.h   |   7 +-
 .../Library/Include/openssl/opensslconf.h     | 233 +++++++++---------
 4 files changed, 122 insertions(+), 126 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 1d67ed55e1b1..bd3d9cc90f99 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -421,6 +421,10 @@ [Sources]
   $(OPENSSL_PATH)/crypto/siphash/siphash.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
   $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
   $(OPENSSL_PATH)/crypto/sm3/sm3.c
   $(OPENSSL_PATH)/crypto/sm4/sm4.c
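
Review bot: the four added `crypto/sm2/*.c` sources are a functional change hidden in a "regenerate files" commit. They appear only now that EC is enabled, so SM2 gets compiled into every image as a side effect. Please call that out in the commit message, and record the openssl submodule commit that process_files.pl was run against so the output can be reproduced.
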
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 66ca5b1250c1..38ccf1a5b6ec 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -421,6 +421,10 @@ [Sources]
   $(OPENSSL_PATH)/crypto/siphash/siphash.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
   $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
   $(OPENSSL_PATH)/crypto/sm3/sm3.c
   $(OPENSSL_PATH)/crypto/sm4/sm4.c
diff --git a/CryptoPkg/Library/Include/crypto/dso_conf.h b/CryptoPkg/Library/Include/crypto/dso_conf.h
index b9c38b416697..95f4db2b1586 100644
--- a/CryptoPkg/Library/Include/crypto/dso_conf.h
+++ b/CryptoPkg/Library/Include/crypto/dso_conf.h
@@ -1,6 +1,5 @@
 /* WARNING: do not edit! */
 /* Generated from include/crypto/dso_conf.h.in */
-
 /*
  * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
@@ -11,7 +10,7 @@
  */
 
 #ifndef OSSL_CRYPTO_DSO_CONF_H
-#define OSSL_CRYPTO_DSO_CONF_H
-#define DSO_NONE
-#define DSO_EXTENSION  ".so"
+# define OSSL_CRYPTO_DSO_CONF_H
+# define DSO_NONE
+# define DSO_EXTENSION ".so"
 #endif
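Review bot: the "# define" indentation restored here is raw generator output, presumably what the code-style check objects to, yet the exemption for dso_conf.h and opensslconf.h only arrives in patch 5/5. Moving that CI change ahead of this patch would keep every commit in the series passing CI on its own, which matters when bisecting.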
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 7ea976b2252e..09a6641ffcf9 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -17,7 +17,7 @@ extern "C" {
 #endif
 
 #ifdef OPENSSL_ALGORITHM_DEFINES
-  #error OPENSSL_ALGORITHM_DEFINES no longer supported
+# error OPENSSL_ALGORITHM_DEFINES no longer supported
 #endif
 
 /*
@@ -25,228 +25,217 @@ extern "C" {
  */
 
 #ifndef OPENSSL_SYS_UEFI
-#define OPENSSL_SYS_UEFI  1
+# define OPENSSL_SYS_UEFI 1
 #endif
-#define OPENSSL_MIN_API  0x10100000L
+#define OPENSSL_MIN_API 0x10100000L
 #ifndef OPENSSL_NO_BF
-#define OPENSSL_NO_BF
+# define OPENSSL_NO_BF
 #endif
 #ifndef OPENSSL_NO_BLAKE2
-#define OPENSSL_NO_BLAKE2
+# define OPENSSL_NO_BLAKE2
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-#define OPENSSL_NO_CAMELLIA
+# define OPENSSL_NO_CAMELLIA
 #endif
 #ifndef OPENSSL_NO_CAST
-#define OPENSSL_NO_CAST
+# define OPENSSL_NO_CAST
 #endif
 #ifndef OPENSSL_NO_CHACHA
-#define OPENSSL_NO_CHACHA
+# define OPENSSL_NO_CHACHA
 #endif
 #ifndef OPENSSL_NO_CMS
-#define OPENSSL_NO_CMS
+# define OPENSSL_NO_CMS
 #endif
 #ifndef OPENSSL_NO_CT
-#define OPENSSL_NO_CT
+# define OPENSSL_NO_CT
 #endif
 #ifndef OPENSSL_NO_DES
-#define OPENSSL_NO_DES
+# define OPENSSL_NO_DES
 #endif
 #ifndef OPENSSL_NO_DSA
-#define OPENSSL_NO_DSA
+# define OPENSSL_NO_DSA
 #endif
 #ifndef OPENSSL_NO_IDEA
-#define OPENSSL_NO_IDEA
+# define OPENSSL_NO_IDEA
 #endif
 #ifndef OPENSSL_NO_MD2
-#define OPENSSL_NO_MD2
+# define OPENSSL_NO_MD2
 #endif
 #ifndef OPENSSL_NO_MD4
-#define OPENSSL_NO_MD4
+# define OPENSSL_NO_MD4
 #endif
 #ifndef OPENSSL_NO_MDC2
-#define OPENSSL_NO_MDC2
+# define OPENSSL_NO_MDC2
 #endif
 #ifndef OPENSSL_NO_POLY1305
-#define OPENSSL_NO_POLY1305
+# define OPENSSL_NO_POLY1305
 #endif
 #ifndef OPENSSL_NO_RC2
-#define OPENSSL_NO_RC2
+# define OPENSSL_NO_RC2
 #endif
 #ifndef OPENSSL_NO_RC4
-#define OPENSSL_NO_RC4
+# define OPENSSL_NO_RC4
 #endif
 #ifndef OPENSSL_NO_RC5
-#define OPENSSL_NO_RC5
+# define OPENSSL_NO_RC5
 #endif
 #ifndef OPENSSL_NO_RMD160
-#define OPENSSL_NO_RMD160
+# define OPENSSL_NO_RMD160
 #endif
 #ifndef OPENSSL_NO_SEED
-#define OPENSSL_NO_SEED
-#endif
-#ifndef OPENSSL_NO_SM2
-#define OPENSSL_NO_SM2
+# define OPENSSL_NO_SEED
 #endif
 #ifndef OPENSSL_NO_SRP
-#define OPENSSL_NO_SRP
+# define OPENSSL_NO_SRP
 #endif
 #ifndef OPENSSL_NO_TS
-#define OPENSSL_NO_TS
+# define OPENSSL_NO_TS
 #endif
 #ifndef OPENSSL_NO_WHIRLPOOL
-#define OPENSSL_NO_WHIRLPOOL
+# define OPENSSL_NO_WHIRLPOOL
 #endif
 #ifndef OPENSSL_RAND_SEED_NONE
-#define OPENSSL_RAND_SEED_NONE
+# define OPENSSL_RAND_SEED_NONE
 #endif
 #ifndef OPENSSL_NO_AFALGENG
-#define OPENSSL_NO_AFALGENG
+# define OPENSSL_NO_AFALGENG
 #endif
 #ifndef OPENSSL_NO_APPS
-#define OPENSSL_NO_APPS
+# define OPENSSL_NO_APPS
 #endif
 #ifndef OPENSSL_NO_ASAN
-#define OPENSSL_NO_ASAN
+# define OPENSSL_NO_ASAN
 #endif
 #ifndef OPENSSL_NO_ASYNC
-#define OPENSSL_NO_ASYNC
+# define OPENSSL_NO_ASYNC
 #endif
 #ifndef OPENSSL_NO_AUTOERRINIT
-#define OPENSSL_NO_AUTOERRINIT
+# define OPENSSL_NO_AUTOERRINIT
 #endif
 #ifndef OPENSSL_NO_AUTOLOAD_CONFIG
-#define OPENSSL_NO_AUTOLOAD_CONFIG
+# define OPENSSL_NO_AUTOLOAD_CONFIG
 #endif
 #ifndef OPENSSL_NO_CAPIENG
-#define OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
 #endif
 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
-#define OPENSSL_NO_CRYPTO_MDEBUG
+# define OPENSSL_NO_CRYPTO_MDEBUG
 #endif
 #ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
-#define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
+# define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
 #endif
 #ifndef OPENSSL_NO_DEPRECATED
-#define OPENSSL_NO_DEPRECATED
+# define OPENSSL_NO_DEPRECATED
 #endif
 #ifndef OPENSSL_NO_DEVCRYPTOENG
-#define OPENSSL_NO_DEVCRYPTOENG
+# define OPENSSL_NO_DEVCRYPTOENG
 #endif
 #ifndef OPENSSL_NO_DGRAM
-#define OPENSSL_NO_DGRAM
+# define OPENSSL_NO_DGRAM
 #endif
 #ifndef OPENSSL_NO_DTLS
-#define OPENSSL_NO_DTLS
+# define OPENSSL_NO_DTLS
 #endif
 #ifndef OPENSSL_NO_DTLS1
-#define OPENSSL_NO_DTLS1
+# define OPENSSL_NO_DTLS1
 #endif
 #ifndef OPENSSL_NO_DTLS1_2
-#define OPENSSL_NO_DTLS1_2
+# define OPENSSL_NO_DTLS1_2
 #endif
 #ifndef OPENSSL_NO_EC2M
-#define OPENSSL_NO_EC2M
+# define OPENSSL_NO_EC2M
 #endif
 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-#define OPENSSL_NO_EC_NISTP_64_GCC_128
-#endif
-#ifndef OPENSSL_NO_ECDH
-#define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-#define OPENSSL_NO_ECDSA
+# define OPENSSL_NO_EC_NISTP_64_GCC_128
 #endif
 #ifndef OPENSSL_NO_EGD
-#define OPENSSL_NO_EGD
+# define OPENSSL_NO_EGD
 #endif
 #ifndef OPENSSL_NO_ENGINE
-#define OPENSSL_NO_ENGINE
+# define OPENSSL_NO_ENGINE
 #endif
 #ifndef OPENSSL_NO_ERR
-#define OPENSSL_NO_ERR
+# define OPENSSL_NO_ERR
 #endif
 #ifndef OPENSSL_NO_EXTERNAL_TESTS
-#define OPENSSL_NO_EXTERNAL_TESTS
+# define OPENSSL_NO_EXTERNAL_TESTS
 #endif
 #ifndef OPENSSL_NO_FILENAMES
-#define OPENSSL_NO_FILENAMES
+# define OPENSSL_NO_FILENAMES
 #endif
 #ifndef OPENSSL_NO_FUZZ_AFL
-#define OPENSSL_NO_FUZZ_AFL
+# define OPENSSL_NO_FUZZ_AFL
 #endif
 #ifndef OPENSSL_NO_FUZZ_LIBFUZZER
-#define OPENSSL_NO_FUZZ_LIBFUZZER
+# define OPENSSL_NO_FUZZ_LIBFUZZER
 #endif
 #ifndef OPENSSL_NO_GOST
-#define OPENSSL_NO_GOST
+# define OPENSSL_NO_GOST
 #endif
 #ifndef OPENSSL_NO_HEARTBEATS
-#define OPENSSL_NO_HEARTBEATS
+# define OPENSSL_NO_HEARTBEATS
 #endif
 #ifndef OPENSSL_NO_HW
-#define OPENSSL_NO_HW
+# define OPENSSL_NO_HW
 #endif
 #ifndef OPENSSL_NO_MSAN
-#define OPENSSL_NO_MSAN
+# define OPENSSL_NO_MSAN
 #endif
 #ifndef OPENSSL_NO_OCB
-#define OPENSSL_NO_OCB
+# define OPENSSL_NO_OCB
 #endif
 #ifndef OPENSSL_NO_POSIX_IO
-#define OPENSSL_NO_POSIX_IO
+# define OPENSSL_NO_POSIX_IO
 #endif
 #ifndef OPENSSL_NO_RFC3779
-#define OPENSSL_NO_RFC3779
+# define OPENSSL_NO_RFC3779
 #endif
 #ifndef OPENSSL_NO_SCRYPT
-#define OPENSSL_NO_SCRYPT
+# define OPENSSL_NO_SCRYPT
 #endif
 #ifndef OPENSSL_NO_SCTP
-#define OPENSSL_NO_SCTP
+# define OPENSSL_NO_SCTP
 #endif
 #ifndef OPENSSL_NO_SOCK
-#define OPENSSL_NO_SOCK
+# define OPENSSL_NO_SOCK
 #endif
 #ifndef OPENSSL_NO_SSL_TRACE
-#define OPENSSL_NO_SSL_TRACE
+# define OPENSSL_NO_SSL_TRACE
 #endif
 #ifndef OPENSSL_NO_SSL3
-#define OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3
 #endif
 #ifndef OPENSSL_NO_SSL3_METHOD
-#define OPENSSL_NO_SSL3_METHOD
+# define OPENSSL_NO_SSL3_METHOD
 #endif
 #ifndef OPENSSL_NO_STDIO
-#define OPENSSL_NO_STDIO
+# define OPENSSL_NO_STDIO
 #endif
 #ifndef OPENSSL_NO_TESTS
-#define OPENSSL_NO_TESTS
-#endif
-#ifndef OPENSSL_NO_TLS1_3
-#define OPENSSL_NO_TLS1_3
+# define OPENSSL_NO_TESTS
 #endif
 #ifndef OPENSSL_NO_UBSAN
-#define OPENSSL_NO_UBSAN
+# define OPENSSL_NO_UBSAN
 #endif
 #ifndef OPENSSL_NO_UI_CONSOLE
-#define OPENSSL_NO_UI_CONSOLE
+# define OPENSSL_NO_UI_CONSOLE
 #endif
 #ifndef OPENSSL_NO_UNIT_TEST
-#define OPENSSL_NO_UNIT_TEST
+# define OPENSSL_NO_UNIT_TEST
 #endif
 #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-#define OPENSSL_NO_WEAK_SSL_CIPHERS
+# define OPENSSL_NO_WEAK_SSL_CIPHERS
 #endif
 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
-#define OPENSSL_NO_DYNAMIC_ENGINE
+# define OPENSSL_NO_DYNAMIC_ENGINE
 #endif
 
+
 /*
  * Sometimes OPENSSSL_NO_xxx ends up with an empty file and some compilers
  * don't like that.  This will hopefully silence them.
  */
-#define NON_EMPTY_TRANSLATION_UNIT  static void *dummy = &dummy;
+#define NON_EMPTY_TRANSLATION_UNIT static void *dummy = &dummy;
 
 /*
  * Applications should use -DOPENSSL_API_COMPAT=<version> to suppress the
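Review bot: four functional changes are buried in this hunk's whitespace churn: the OPENSSL_NO_SM2, OPENSSL_NO_ECDH, OPENSSL_NO_ECDSA and OPENSSL_NO_TLS1_3 blocks are removed and not re-added. The commit message should list them explicitly, and the TLS 1.3 switch deserves its own mention because it changes protocol behaviour for TLS users rather than only adding algorithms. Splitting the re-indentation from the switch removals would reduce the reviewable delta to about a dozen lines.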
@@ -255,37 +244,37 @@ extern "C" {
  * functions.
  */
 #ifndef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f)  f;
-  #ifdef __GNUC__
-    #if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
-      #undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f)  f __attribute__ ((deprecated));
-    #endif
-  #elif defined (__SUNPRO_C)
-    #if (__SUNPRO_C >= 0x5130)
-      #undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f)  f __attribute__ ((deprecated));
-    #endif
-  #endif
+# define DECLARE_DEPRECATED(f)   f;
+# ifdef __GNUC__
+#  if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
+#   undef DECLARE_DEPRECATED
+#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
+#  endif
+# elif defined(__SUNPRO_C)
+#  if (__SUNPRO_C >= 0x5130)
+#   undef DECLARE_DEPRECATED
+#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
+#  endif
+# endif
 #endif
 
 #ifndef OPENSSL_FILE
-  #ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE  ""
-#define OPENSSL_LINE  0
-  #else
-#define OPENSSL_FILE  __FILE__
-#define OPENSSL_LINE  __LINE__
-  #endif
+# ifdef OPENSSL_NO_FILENAMES
+#  define OPENSSL_FILE ""
+#  define OPENSSL_LINE 0
+# else
+#  define OPENSSL_FILE __FILE__
+#  define OPENSSL_LINE __LINE__
+# endif
 #endif
 
 #ifndef OPENSSL_MIN_API
-#define OPENSSL_MIN_API  0
+# define OPENSSL_MIN_API 0
 #endif
 
-#if !defined (OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < OPENSSL_MIN_API
-  #undef OPENSSL_API_COMPAT
-#define OPENSSL_API_COMPAT  OPENSSL_MIN_API
+#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < OPENSSL_MIN_API
+# undef OPENSSL_API_COMPAT
+# define OPENSSL_API_COMPAT OPENSSL_MIN_API
 #endif
 
 /*
@@ -293,51 +282,51 @@ extern "C" {
  * OpenSSL version number matches.
  */
 #if OPENSSL_VERSION_NUMBER < 0x10200000L
-#define DEPRECATEDIN_1_2_0(f)  f;
+# define DEPRECATEDIN_1_2_0(f)   f;
 #elif OPENSSL_API_COMPAT < 0x10200000L
-#define DEPRECATEDIN_1_2_0(f)  DECLARE_DEPRECATED(f)
+# define DEPRECATEDIN_1_2_0(f)   DECLARE_DEPRECATED(f)
 #else
-#define DEPRECATEDIN_1_2_0(f)
+# define DEPRECATEDIN_1_2_0(f)
 #endif
 
 #if OPENSSL_API_COMPAT < 0x10100000L
-#define DEPRECATEDIN_1_1_0(f)  DECLARE_DEPRECATED(f)
+# define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
 #else
-#define DEPRECATEDIN_1_1_0(f)
+# define DEPRECATEDIN_1_1_0(f)
 #endif
 
 #if OPENSSL_API_COMPAT < 0x10000000L
-#define DEPRECATEDIN_1_0_0(f)  DECLARE_DEPRECATED(f)
+# define DEPRECATEDIN_1_0_0(f)   DECLARE_DEPRECATED(f)
 #else
-#define DEPRECATEDIN_1_0_0(f)
+# define DEPRECATEDIN_1_0_0(f)
 #endif
 
 #if OPENSSL_API_COMPAT < 0x00908000L
-#define DEPRECATEDIN_0_9_8(f)  DECLARE_DEPRECATED(f)
+# define DEPRECATEDIN_0_9_8(f)   DECLARE_DEPRECATED(f)
 #else
-#define DEPRECATEDIN_0_9_8(f)
+# define DEPRECATEDIN_0_9_8(f)
 #endif
 
 /* Generate 80386 code? */
 #undef I386_ONLY
 
 #undef OPENSSL_UNISTD
-#define OPENSSL_UNISTD  <unistd.h>
+#define OPENSSL_UNISTD <unistd.h>
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
 /*
  * The following are cipher-specific, but are part of the public API.
  */
-#if !defined (OPENSSL_SYS_UEFI)
-  #undef BN_LLONG
+#if !defined(OPENSSL_SYS_UEFI)
+# undef BN_LLONG
 /* Only one for the following should be defined */
-  #undef SIXTY_FOUR_BIT_LONG
-  #undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# define THIRTY_TWO_BIT
 #endif
 
-#define RC4_INT  unsigned int
+#define RC4_INT unsigned int
 
 #ifdef  __cplusplus
 }
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 21+ messages in thread
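The functional change in patch 4/5 is a handful of removed OPENSSL_NO_* switches inside a hunk that is otherwise re-indentation. The following added example (not part of the posted series or of edk2) extracts the net switch changes from a git-format diff; the function names, the `intended` allowlist and the abridged sample diff are assumptions constructed for illustration.

```python
import re

# '#define X', '# define X' and indented variants all name the same switch.
# '#ifndef OPENSSL_NO_X' guard lines deliberately do not match.
DEFINE_NO = re.compile(r"^\s*#\s*define\s+OPENSSL_NO_([A-Z0-9_]+)\b")


def switches_in_diff(diff_text, path_suffix="opensslconf.h"):
    """Collect OPENSSL_NO_* names on '-' and '+' lines of one file's hunks.

    Assumes a git-format unified diff (each file starts with 'diff --git').
    Returns (removed, added) as two sets of names without the prefix.
    """
    removed, added = set(), set()
    in_header, in_target = False, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_header, in_target = True, False
        elif in_header:
            # File header: only '+++' decides whether this file is of interest.
            if line.startswith("+++ "):
                in_target = line.rstrip().endswith(path_suffix)
            elif line.startswith("@@"):
                in_header = False
        elif in_target and line[:1] in ("+", "-"):
            m = DEFINE_NO.match(line[1:])
            if m:
                (added if line[0] == "+" else removed).add(m.group(1))
    return removed, added


def feature_delta(diff_text):
    """Net effect: a switch removed and re-added (reformatting) cancels out."""
    removed, added = switches_in_diff(diff_text)
    return {
        "newly_enabled": sorted(removed - added),   # OPENSSL_NO_X went away
        "newly_disabled": sorted(added - removed),  # OPENSSL_NO_X appeared
    }


def unexpected(delta, intended):
    """Features that became enabled but are not on the reviewer's allowlist."""
    return [name for name in delta["newly_enabled"] if name not in intended]


# Constructed sample: abridged from the opensslconf.h hunk in this patch,
# hunk line counts not adjusted.
SAMPLE_DIFF = """\
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -25,228 +25,217 @@ extern "C" {
 #ifndef OPENSSL_NO_SEED
-#define OPENSSL_NO_SEED
-#endif
-#ifndef OPENSSL_NO_SM2
-#define OPENSSL_NO_SM2
+# define OPENSSL_NO_SEED
 #endif
 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-#define OPENSSL_NO_EC_NISTP_64_GCC_128
-#endif
-#ifndef OPENSSL_NO_ECDH
-#define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-#define OPENSSL_NO_ECDSA
+# define OPENSSL_NO_EC_NISTP_64_GCC_128
 #endif
 #ifndef OPENSSL_NO_TESTS
-#define OPENSSL_NO_TESTS
-#endif
-#ifndef OPENSSL_NO_TLS1_3
-#define OPENSSL_NO_TLS1_3
+# define OPENSSL_NO_TESTS
 #endif
"""

if __name__ == "__main__":
    delta = feature_delta(SAMPLE_DIFF)
    print("newly enabled :", delta["newly_enabled"])
    print("newly disabled:", delta["newly_disabled"])
    # Assumed intent for this series: EC only.
    print("not covered by stated intent:", unexpected(delta, {"ECDH", "ECDSA"}))
```

Run against the full patch, the same functions give a reviewer the list of algorithms and protocol versions that a regeneration switched on, independent of how much formatting changed around them.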

* [PATCH 5/5] CryptoPkg/openssl: disable codestyle checks for generated files
  2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
                   ` (3 preceding siblings ...)
  2022-05-02 10:34 ` [PATCH 4/5] CryptoPkg/openssl: update generated files Gerd Hoffmann
@ 2022-05-02 10:34 ` Gerd Hoffmann
  2022-05-03 15:39 ` [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Yao, Jiewen
  5 siblings, 0 replies; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-02 10:34 UTC (permalink / raw)
  To: devel
  Cc: Pawel Polawski, yi1.li, Jiewen Yao, Oliver Steffen, Jian J Wang,
	Ard Biesheuvel, Guomin Jiang, Xiaoyu Lu, Jordan Justen,
	Gerd Hoffmann

Files generated by process_files.pl from openssl sources should
not be checked for edk2 code style.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 CryptoPkg/CryptoPkg.ci.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CryptoPkg/CryptoPkg.ci.yaml b/CryptoPkg/CryptoPkg.ci.yaml
index 396ca93dbe49..09fba0bcc685 100644
--- a/CryptoPkg/CryptoPkg.ci.yaml
+++ b/CryptoPkg/CryptoPkg.ci.yaml
@@ -26,6 +26,8 @@
         ## Both file path and directory path are accepted.
         "IgnoreFiles": [
             "Library/OpensslLib/openssl",
+            "Library/Include/openssl",
+            "Library/Include/crypto",
             # The unit testing folder is not to be checked
             "Test/UnitTest",
             # This has OpenSSL interfaces that aren't UEFI spec compliant
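Review bot: the two new entries exempt whole directories, while the patch 4/5 diffstat shows only opensslconf.h and dso_conf.h being regenerated there. A hand-written header added under Library/Include/openssl or Library/Include/crypto later would silently skip this check. Since the comment above says file paths are accepted, listing the two files keeps the exemption as narrow as the stated intent.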
@@ -89,5 +91,13 @@
         "ExtendWords": [],           # words to extend to the dictionary for this package
         "IgnoreStandardPaths": [],   # Standard Plugin defined paths that should be ignore
         "AdditionalIncludePaths": [] # Additional paths to spell check (wildcards supported)
+    },
+
+    # options defined in .pytool/Plugin/UncrustifyCheck
+    "UncrustifyCheck": {
+        "IgnoreFiles": [
+            "opensslconf.h",
+            "dso_conf.h",
+        ]
     }
 }
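Review bot: the UncrustifyCheck entries are bare file names, unlike the package-relative paths used in the first hunk. If the plugin treats them as patterns, any file called opensslconf.h or dso_conf.h anywhere in the package is exempted; spelling them as Library/Include/openssl/opensslconf.h and Library/Include/crypto/dso_conf.h would be unambiguous.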
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 21+ messages in thread

* Re: [PATCH 3/5] OvmfPkg: make DXEFV larger
  2022-05-02 10:34 ` [PATCH 3/5] OvmfPkg: make DXEFV larger Gerd Hoffmann
@ 2022-05-02 19:39   ` Ard Biesheuvel
  0 siblings, 0 replies; 21+ messages in thread
From: Ard Biesheuvel @ 2022-05-02 19:39 UTC (permalink / raw)
  To: Gerd Hoffmann
  Cc: edk2-devel-groups-io, Pawel Polawski, yi1.li, Jiewen Yao,
	Oliver Steffen, Jian J Wang, Ard Biesheuvel, Guomin Jiang,
	Xiaoyu Lu, Jordan Justen

On Mon, 2 May 2022 at 12:34, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> openssl with ec enabled needs more space.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

> ---
>  OvmfPkg/OvmfPkgIa32.fdf    | 6 +++---
>  OvmfPkg/OvmfPkgIa32X64.fdf | 6 +++---
>  OvmfPkg/OvmfPkgX64.fdf     | 6 +++---
>  3 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> index 3ab1755749d4..d9c4a7c8ad26 100644
> --- a/OvmfPkg/OvmfPkgIa32.fdf
> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> @@ -62,10 +62,10 @@ [FD.OVMF_CODE]
>
>  [FD.MEMFD]
>  BaseAddress   = $(MEMFD_BASE_ADDRESS)
> -Size          = 0xD00000
> +Size          = 0xE00000
>  ErasePolarity = 1
>  BlockSize     = 0x10000
> -NumBlocks     = 0xD0
> +NumBlocks     = 0xE0
>
>  0x000000|0x006000
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
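Review bot: the commit message gives no numbers for a change that grows MEMFD by 1 MiB (Size 0xD00000 to 0xE00000, NumBlocks 0xD0 to 0xE0 at BlockSize 0x10000). Stating by how much DXEFV overflowed with EC enabled, and how much headroom the new size leaves, would let the next size bump be judged against this one.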
> @@ -83,7 +83,7 @@ [FD.MEMFD]
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
>  FV = PEIFV
>
> -0x100000|0xC00000
> +0x100000|0xD00000
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
>  FV = DXEFV
>
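Review bot: with the new value the DXEFV region (offset 0x100000, size 0xD00000) ends exactly at the new MEMFD Size of 0xE00000, so the whole increase goes to DXEFV and nothing is left unallocated behind it. A line in the commit message confirming that this is intended would help.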
> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> index e1638fa6ea38..5a366798ccbd 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> @@ -62,10 +62,10 @@ [FD.OVMF_CODE]
>
>  [FD.MEMFD]
>  BaseAddress   = $(MEMFD_BASE_ADDRESS)
> -Size          = 0xD00000
> +Size          = 0xE00000
>  ErasePolarity = 1
>  BlockSize     = 0x10000
> -NumBlocks     = 0xD0
> +NumBlocks     = 0xE0
>
>  0x000000|0x006000
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
> @@ -86,7 +86,7 @@ [FD.MEMFD]
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
>  FV = PEIFV
>
> -0x100000|0xC00000
> +0x100000|0xD00000
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
>  FV = DXEFV
>
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index 6e72cdf3453e..2ce7a023f2d1 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -62,10 +62,10 @@ [FD.OVMF_CODE]
>
>  [FD.MEMFD]
>  BaseAddress   = $(MEMFD_BASE_ADDRESS)
> -Size          = 0xD00000
> +Size          = 0xE00000
>  ErasePolarity = 1
>  BlockSize     = 0x10000
> -NumBlocks     = 0xD0
> +NumBlocks     = 0xE0
>
>  0x000000|0x006000
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
> @@ -101,7 +101,7 @@ [FD.MEMFD]
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
>  FV = PEIFV
>
> -0x100000|0xC00000
> +0x100000|0xD00000
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
>  FV = DXEFV
>
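Review bot: the same three edits are repeated verbatim in OvmfPkgIa32.fdf, OvmfPkgIa32X64.fdf and OvmfPkgX64.fdf. Defining the MEMFD and DXEFV sizes once in a shared include and referencing them from the three files would remove the chance of one layout drifting on the next resize.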
> --
> 2.35.1
>

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
                   ` (4 preceding siblings ...)
  2022-05-02 10:34 ` [PATCH 5/5] CryptoPkg/openssl: disable codestyle checks for " Gerd Hoffmann
@ 2022-05-03 15:39 ` Yao, Jiewen
  2022-05-05  8:06   ` Gerd Hoffmann
  5 siblings, 1 reply; 21+ messages in thread
From: Yao, Jiewen @ 2022-05-03 15:39 UTC (permalink / raw)
  To: Gerd Hoffmann, devel@edk2.groups.io
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

Hi Gerd
Thanks for the patch. Some initial thoughts:
I have no concerns about the OVMF package update. We can update if we want.

However, I do have a concern about the crypto package enabling ECC *unconditionally*.
I am not convinced that "EC is hard requirement for EDKII" just because "EC is a hard requirement for TLS 1.3". My reasons are below:
A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE. (Unless size of PEI/SMM is unchanged).
B) TLS1.3 is only for special features such as HTTPS boot, WIFI TLS-EAP. But not all platforms require HTTPS boot or WIFI TLS-EAP.
C) TLS1.3 is not a mandatory requirement. TLS1.2 can still be used.

It would be great if you can consider option 2) below.

I am on holiday now, and I am starting to collect feedback from the Intel platform BIOS team.
I will give official feedback after 1 week.

Thank you
Yao Jiewen



> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Monday, May 2, 2022 6:35 PM
> To: devel@edk2.groups.io
> Cc: Pawel Polawski <ppolawsk@redhat.com>; Li, Yi1 <yi1.li@intel.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Oliver Steffen <osteffen@redhat.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>;
> Jiang, Guomin <guomin.jiang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>;
> Justen, Jordan L <jordan.l.justen@intel.com>; Gerd Hoffmann
> <kraxel@redhat.com>
> Subject: [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
> 
> Re-opening the elliptic curves debate after running into the recent
> openssl changes.  The current implementation is IMHO rather messy.
> It adds manual changes to auto-generated files, which will make
> any updates a rather hard and error-prone process.
> 
> I see two possible options how we can move forward:
> 
>   (1) Drop the idea to make EC configurable and just enable it
>       unconditionally.  I think long-term there is no way around
>       this anyway as EC is a hard requirement for TLS 1.3.
>   (2) Keep the EC config option, but update process_files.pl to
>       automatically add the PcdEcEnabled config option handling
>       to the files it generates.
> 
> This patch set does (1).  It also tweaks ovmf firmware volumes
> to make CI tests pass and it also excludes generated files from
> codestyle checks.
> 
> take care,
>   Gerd
> 
> Gerd Hoffmann (5):
>   Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming
>     OpensslLib"
>   Revert "CryptoPkg: Make EC source file config-able"
>   OvmfPkg: make DXEFV larger
>   CryptoPkg/openssl: update generated files
>   CryptoPkg/openssl: disable codestyle checks for generated files
> 
>  CryptoPkg/CryptoPkg.dec                       |   4 -
>  OvmfPkg/OvmfPkgIa32.fdf                       |   6 +-
>  OvmfPkg/OvmfPkgIa32X64.fdf                    |   6 +-
>  OvmfPkg/OvmfPkgX64.fdf                        |   6 +-
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 -
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 -
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 -
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 -
>  .../BaseCryptLib/UnitTestHostBaseCryptLib.inf |   3 -
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  99 ++++----
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |  99 ++++----
>  CryptoPkg/Library/TlsLib/TlsLib.inf           |   3 -
>  CryptoPkg/Library/Include/crypto/dso_conf.h   |   7 +-
>  .../Library/Include/openssl/opensslconf.h     | 240 ++++++++----------
>  CryptoPkg/CryptoPkg.ci.yaml                   |  10 +
>  15 files changed, 234 insertions(+), 261 deletions(-)
> 
> --
> 2.35.1


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-03 15:39 ` [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Yao, Jiewen
@ 2022-05-05  8:06   ` Gerd Hoffmann
  2022-05-05  9:15     ` [edk2-devel] " Gerd Hoffmann
  0 siblings, 1 reply; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-05  8:06 UTC (permalink / raw)
  To: Yao, Jiewen
  Cc: devel@edk2.groups.io, Pawel Polawski, Li, Yi1, Oliver Steffen,
	Wang, Jian J, Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1,
	Justen, Jordan L

  Hi,

> However, I do have a concern about the crypto package enabling ECC *unconditionally*.
> I am not convinced that "EC is hard requirement for EDKII" just because "EC is a hard requirement for TLS 1.3". My reasons are below:
> A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE. (Unless size of PEI/SMM is unchanged).

Well, the PcdEcEnabled switch we have in the tree right now enables or
disables EC for everybody, it doesn't support enabling EC for DXE only.

If we want to change that we'll need two different *.inf files I guess,
one for openssl with ec and one for openssl without ec.

I'll check the effect on image sizes.

> C) TLS1.3 is not a mandatory requirement. TLS1.2 can still be used.

Yes, today this isn't much of a problem.  But I expect that will change
in the future as browsers fade out support for older TLS versions to
improve security.  Recent Firefox versions have TLS 1.0 and 1.1 disabled
by default.  So while this isn't urgent it is still something we should
consider and keep on our radar.

take care,
  Gerd


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-05  8:06   ` Gerd Hoffmann
@ 2022-05-05  9:15     ` Gerd Hoffmann
  2022-05-09  1:38       ` Yao, Jiewen
  0 siblings, 1 reply; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-05  9:15 UTC (permalink / raw)
  To: devel
  Cc: Yao, Jiewen, Pawel Polawski, Li, Yi1, Oliver Steffen,
	Wang, Jian J, Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1,
	Justen, Jordan L

  Hi,

> > I am not convinced that "EC is hard requirement for EDKII" just because "EC is a hard requirement for TLS 1.3". My reasons are below:
> > A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE. (Unless size of PEI/SMM is unchanged).
> 
> Well, the PcdEcEnabled switch we have in the tree right now enables or
> disables EC for everybody, it doesn't support enabling EC for DXE only.
> 
> If we want to change that we'll need two different *.inf files I guess,
> one for openssl with ec and one for openssl without ec.
> 
> I'll check the effect on image sizes.

Here we go:

--- master.stats	2022-05-05 10:05:03.791368600 +0200
+++ openssl-ec.stats	2022-05-05 10:35:44.429412053 +0200
@@ -137,8 +137,8 @@
   124410 BdsDxe
   145534 DxeCore
   148078 UiApp
-  400158 SecureBootConfigDxe
-  472950 SecurityStubDxe
-  532626 VariableSmm
-  658174 TlsDxe
+  575390 SecureBootConfigDxe
+  643062 SecurityStubDxe
+  700562 VariableSmm
+  847422 TlsDxe
   946646 Shell
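Review bot: the listing does not say which build these sizes come from (target, toolchain, compressed or not), and the hunk shows only the largest modules. The four changed entries grow by 167936 to 189248 bytes each; adding the build parameters and the PEI module lines would let readers check the "no effect on PEI" conclusion themselves.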

So no effect on PEI size but SMM is affected.

take care,
  Gerd


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-05  9:15     ` [edk2-devel] " Gerd Hoffmann
@ 2022-05-09  1:38       ` Yao, Jiewen
  2022-05-09  9:45         ` Gerd Hoffmann
  0 siblings, 1 reply; 21+ messages in thread
From: Yao, Jiewen @ 2022-05-09  1:38 UTC (permalink / raw)
  To: Gerd Hoffmann, devel@edk2.groups.io
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

Thank you Gerd.

I collected feedback from the Intel BIOS team, both client and server, both old platform and new platform.

In general, the new platform will leave enough space for crypto improvement. Size is not a big issue. The delta is acceptable.

However, the old launched platforms only have limited flash space. This patch will break the current build because of the size increase. Option (1) is not acceptable.

In conclusion:
For OvmfPkg update: Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
For SecurityPkg update: I recommend we consider option (2).

  (1) Drop the idea to make EC configurable and just enable it
      unconditionally.  I think long-term there is no way around
      this anyway as EC is a hard requirement for TLS 1.3.
  (2) Keep the EC config option, but update process_files.pl to
      automatically add the PcdEcEnabled config option handling
      to the files it generates.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Thursday, May 5, 2022 5:16 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Pawel Polawski
> <ppolawsk@redhat.com>; Li, Yi1 <yi1.li@intel.com>; Oliver Steffen
> <osteffen@redhat.com>; Wang, Jian J <jian.j.wang@intel.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Jiang, Guomin <guomin.jiang@intel.com>; Lu,
> Xiaoyu1 <xiaoyu1.lu@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>
> Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC
> unconditionally.
> 
>   Hi,
> 
> > > I am not convinced that "EC is hard requirement for EDKII" just because "EC
> is a hard requirement for TLS 1.3". My reasons are below:
> > > A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact
> PEI/DXE. (Unless size of PEI/SMM is unchanged).
> >
> > Well, the PcdEcEnabled switch we have in the tree right now enables or
> > disables EC for everybody, it doesn't support enabling EC for DXE only.
> >
> > If we want to change that we'll need two different *.inf files I guess,
> > one for openssl with ec and one for openssl without ec.
> >
> > I'll check the effect on image sizes.
> 
> Here we go:
> 
> --- master.stats	2022-05-05 10:05:03.791368600 +0200
> +++ openssl-ec.stats	2022-05-05 10:35:44.429412053 +0200
> @@ -137,8 +137,8 @@
>    124410 BdsDxe
>    145534 DxeCore
>    148078 UiApp
> -  400158 SecureBootConfigDxe
> -  472950 SecurityStubDxe
> -  532626 VariableSmm
> -  658174 TlsDxe
> +  575390 SecureBootConfigDxe
> +  643062 SecurityStubDxe
> +  700562 VariableSmm
> +  847422 TlsDxe
>    946646 Shell
> 
> So no effect on PEI size but SMM is affected.
> 
> take care,
>   Gerd


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-09  1:38       ` Yao, Jiewen
@ 2022-05-09  9:45         ` Gerd Hoffmann
  2022-05-09 10:17           ` Yao, Jiewen
  0 siblings, 1 reply; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-09  9:45 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

On Mon, May 09, 2022 at 01:38:35AM +0000, Yao, Jiewen wrote:
> Thank you Gerd.
> 
> I collected feedback from the Intel BIOS team, both client and server, both old platform and new platform.
> 
> In general, the new platform will leave enough space for crypto improvement. Size is not a big issue. The delta is acceptable.
> 
> However, the old launched platforms only have limited flash space. This patch will break the current build because of the size increase. Option (1) is not acceptable.

Hmm.  Does that mean the old platform (what is "old" here btw?) wouldn't
be able to do the switch to openssl3 either?

take care,
  Gerd


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-09  9:45         ` Gerd Hoffmann
@ 2022-05-09 10:17           ` Yao, Jiewen
  2022-05-09 11:27             ` Gerd Hoffmann
  0 siblings, 1 reply; 21+ messages in thread
From: Yao, Jiewen @ 2022-05-09 10:17 UTC (permalink / raw)
  To: Gerd Hoffmann, devel@edk2.groups.io
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

Old == the launched platform, or the platform that will be launched shortly, where the flash size and layout are locked. It is a huge risk to change the layout suddenly. And it is not practical to change the flash size. (E.g. how can you change your flash size on your laptop?)
A new platform usually does not have such a constraint, because it may include new features and have more size, and the layout can be tuned later.

Talking about OPENSSL3.0.

First, I support the OPENSSL 3.0 enabling plan, because we should do that before OPENSSL 1.1 end of support.
You did a great job to enable OPENSSL3.0 in https://github.com/kraxel/edk2/tree/openssl3. I do appreciate that effort.

However, we also have a size concern about OPENSSL3.0, according to the data you provided.
If we switch OPENSSL 1.1 to OPENSSL 3.0 immediately, then many platforms will be broken due to size issue. It is not practical.

I would recommend in this way:
1) Please keep up the good work to enable OPENSSL3.0 in your personal branch.
2) If you have some way to control the size, then do it. If there is not much size difference by default, then you can submit to EDKII directly.
3) If there is a significant size difference, we need to figure out a way to resolve it. As a temporary step, you may choose to post OPENSSL3.0 to https://github.com/tianocore/edk2-staging, which is an official location for broader evaluation, collaboration and enhancement.
4) As an enhancement, the basic idea is to make the library configurable. As such, if the old platform does not need new functionality, it can still live with OPENSSL3.0.
The line is: same feature ==> same size (or minor reasonable increase), new feature ==> more size.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Monday, May 9, 2022 5:45 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Pawel Polawski <ppolawsk@redhat.com>; Li, Yi1 <yi1.li@intel.com>; Oliver
> Steffen <osteffen@redhat.com>; Wang, Jian J <jian.j.wang@intel.com>; Ard
> Biesheuvel <ardb+tianocore@kernel.org>; Jiang, Guomin
> <guomin.jiang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Justen, Jordan
> L <jordan.l.justen@intel.com>
> Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC
> unconditionally.
> 
> On Mon, May 09, 2022 at 01:38:35AM +0000, Yao, Jiewen wrote:
> > Thank you Gerd.
> >
> > I collected feedback from the Intel BIOS team, both client and server, both old
> platform and new platform.
> >
> > In general, the new platform will leave enough space for crypto improvement.
> Size is not a big issue. The delta is acceptable.
> >
> > However, the old launched platforms only have limited flash space. This patch
> will break the current build because of the size increase. Option (1) is not acceptable.
> 
> Hmm.  Does that mean the old platform (what is "old" here btw?) wouldn't
> be able to do the switch to openssl3 either?
> 
> take care,
>   Gerd


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-09 10:17           ` Yao, Jiewen
@ 2022-05-09 11:27             ` Gerd Hoffmann
  2022-05-09 11:47               ` James Bottomley
  0 siblings, 1 reply; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-09 11:27 UTC (permalink / raw)
  To: Yao, Jiewen
  Cc: devel@edk2.groups.io, Pawel Polawski, Li, Yi1, Oliver Steffen,
	Wang, Jian J, Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1,
	Justen, Jordan L

  Hi,

> Old == the launched platform, or the platform will be launched shortly
> where the flash size and layout are locked.

So everything you can buy today.

> It is a huge risk to change the layout suddenly. And it is not practical
> to change the flash size.  (E.g. How can you change your flash size on
> your laptop? )

Sure.

> However, we also have size concern on OPENSSL3.0, according to the data you provided.

Yes.

> 1) Please keep the good work to enable OPENSSL3.0 in your personal branch.
> 2) If you have some way to control the size, then do it. If there is
> not much size difference by default, then you can submit to EDKII
> directly.

I suspect I wouldn't get it down to 1.1.1 levels even if I find some
ways to make it smaller than it is in my branch today.  The code for
the new "provider" concept simply needs space and I think it also
makes LTO optimization less effective.

Maybe creating our own crypto providers which include only the
algorithms actually needed by edk2 gets the size down a bit.

take care,
  Gerd



* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-09 11:27             ` Gerd Hoffmann
@ 2022-05-09 11:47               ` James Bottomley
  2022-05-09 12:03                 ` Yao, Jiewen
       [not found]                 ` <16ED6E30C7B1AB9D.18911@groups.io>
  0 siblings, 2 replies; 21+ messages in thread
From: James Bottomley @ 2022-05-09 11:47 UTC (permalink / raw)
  To: devel, kraxel, Yao, Jiewen
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

On Mon, 2022-05-09 at 13:27 +0200, Gerd Hoffmann wrote:
[...]
> > 1) Please keep the good work to enable OPENSSL3.0 in your personal
> > branch.
> > 2) If you have some way to control the size, then do it. If there
> > is not much size difference by default, then you can submit to EDKII
> > directly.
> 
> I suspect I wouldn't get it down to 1.1.1 levels even if I find some
> ways to make it smaller than it is in my branch today.  The code for
> the new "provider" concept simply needs space and I think it also
> makes LTO optimization less effective.

Having just looked into converting engine code to provider code, I
would concur with this.  The design of providers, with their many to
many functional mappings, seems designed to promote code bloat.

> Maybe creating our own crypto providers which include only the
> algorithms actually needed by edk2 gets the size down a bit.

What about switching to a different crypto backend?  Since we don't
expose any openssl APIs at all and we wrapper everything we do expose,
it should be possible to switch to one of the non-openssl (or forked
from openssl) variants that value size, like mbedtls or boringssl?

James




* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-09 11:47               ` James Bottomley
@ 2022-05-09 12:03                 ` Yao, Jiewen
  2022-05-09 13:41                   ` James Bottomley
       [not found]                 ` <16ED6E30C7B1AB9D.18911@groups.io>
  1 sibling, 1 reply; 21+ messages in thread
From: Yao, Jiewen @ 2022-05-09 12:03 UTC (permalink / raw)
  To: devel@edk2.groups.io, James.Bottomley@HansenPartnership.com,
	kraxel@redhat.com
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

It is possible to switch to other crypt lib.

For example, the *mbedtls* version POC can be found at https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
The advantage is: the size is much smaller.
The disadvantage is: some required functions are not available, such as PKCS7. 

Thank you
Yao Jiewen


* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
       [not found]                 ` <16ED6E30C7B1AB9D.18911@groups.io>
@ 2022-05-09 12:12                   ` Yao, Jiewen
  0 siblings, 0 replies; 21+ messages in thread
From: Yao, Jiewen @ 2022-05-09 12:12 UTC (permalink / raw)
  To: devel@edk2.groups.io, Yao, Jiewen,
	James.Bottomley@HansenPartnership.com, kraxel@redhat.com
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

I am not sure how well the openssl MACRO is designed to remove unnecessary crypto.

I think we may submit a patch to openssl to add more configuration, if that can help reduce size.

Thank you
Yao Jiewen



* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-09 12:03                 ` Yao, Jiewen
@ 2022-05-09 13:41                   ` James Bottomley
  2022-05-10 10:40                     ` Gerd Hoffmann
  0 siblings, 1 reply; 21+ messages in thread
From: James Bottomley @ 2022-05-09 13:41 UTC (permalink / raw)
  To: devel, jiewen.yao, kraxel@redhat.com
  Cc: Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

On Mon, 2022-05-09 at 12:03 +0000, Yao, Jiewen wrote:
> It is possible to switch to other crypt lib.
> 
> For example, the *mbedtls* version POC can be found at 
> https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
> The advantage is: the size is much smaller.
> The disadvantage is: some required functions are not available, such
> as PKCS7. 

Perhaps as a first step, we should look at our options.  I would say
missing functionality is problematic, but not necessarily a killer:
we'd have to help the chosen project develop the capability and figure
out how to maintain the fork while it was going upstream.  PKCS#7 is
pretty huge, though, it's the entire Cryptographic Message Syntax so I
think us having to develop that for mbedtls makes that one a non
starter.

Other libraries could be:

wolfssl
gnutls
boringssl
LibreSSL

They all seem to do pkcs#7.

James




* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-09 13:41                   ` James Bottomley
@ 2022-05-10 10:40                     ` Gerd Hoffmann
  2022-05-10 11:20                       ` Yao, Jiewen
  2022-05-10 14:31                       ` James Bottomley
  0 siblings, 2 replies; 21+ messages in thread
From: Gerd Hoffmann @ 2022-05-10 10:40 UTC (permalink / raw)
  To: James Bottomley
  Cc: devel, jiewen.yao, Pawel Polawski, Li, Yi1, Oliver Steffen,
	Wang, Jian J, Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1,
	Justen, Jordan L

On Mon, May 09, 2022 at 09:41:02AM -0400, James Bottomley wrote:
> On Mon, 2022-05-09 at 12:03 +0000, Yao, Jiewen wrote:
> > It is possible to switch to other crypt lib.
> > 
> > For example, the *mbedtls* version POC can be found at 
> > https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
> > The advantage is: the size is much smaller.
> > The disadvantage is: some required functions are not available, such
> > as PKCS7. 
> 
> Perhaps as a first step, we should look at our options.  I would say
> missing functionality is problematic, but not necessarily a killer:
> we'd have to help the chosen project develop the capability and figure
> out how to maintain the fork while it was going upstream.

I don't feel like entering the business of maintaining a tls
library ...

> Other libraries could be:
> 
> wolfssl

Hmm?  Apparently no git repository?

> gnutls

Might be an issue license-wise.

> boringssl

Looks like an option worth investigating.

The "designed to meet Google's needs" and "not intended for general use"
notes in the toplevel README don't look that great though.  Might turn
out to be difficult to get changes needed for edk2 merged (hasn't
been a problem so far for me with openssl).

> LibreSSL

There was some hype around it after it was forked from openssl in the
heartbleed aftermath.  More recent news are less enthusiastic:
https://lwn.net/Articles/841664/

Another possible option would be to add openssl3 as alternative
OpensslLib implementation, so platforms can pick the one or the
other depending on size constraints.


I've also experimented a bit with CryptoPkg/Driver.  It's not a
clear win, at least for OVMF.

PEI FV is larger in any case.  Seems LTO works very well for the
few hashes needed by TPM support code, and so the overhead added
by using the crypto service protocol instead of direct linking is
much larger than the savings by sharing code.

DXE FV is smaller in the builds with secure boot and smm support,
seems with the large tls codebase included we have enough wins by
sharing the crypto code then, so the protocol overhead is worth
the effort.

I'm wondering where the crypto algorithm selection in
CryptoPkg/CryptoPkg.dsc comes from though, specifically for
MIN_DXE_MIN_SMM.  Why is the crypto feature selection identical
for DXE and SMM?  Specifically why TLS is enabled for SMM?

take care,
  Gerd



* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-10 10:40                     ` Gerd Hoffmann
@ 2022-05-10 11:20                       ` Yao, Jiewen
  2022-05-10 14:31                       ` James Bottomley
  1 sibling, 0 replies; 21+ messages in thread
From: Yao, Jiewen @ 2022-05-10 11:20 UTC (permalink / raw)
  To: kraxel@redhat.com, James Bottomley
  Cc: devel@edk2.groups.io, Pawel Polawski, Li, Yi1, Oliver Steffen,
	Wang, Jian J, Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1,
	Justen, Jordan L

> I'm wondering where the crypto algorithm selection in
> CryptoPkg/CryptoPkg.dsc comes from though, specifically for
> MIN_DXE_MIN_SMM.  Why is the crypto feature selection identical
> for DXE and SMM?  Specifically why TLS is enabled for SMM?

[Jiewen] So far, I don't know if any SMM feature requires TLS.

I guess we may win the flash size by creating an identical binary for CryptoDxe and CryptoSmm *with compression*. But I don't have data and I am not sure. Just a guess.

You may have a try to remove TLS for SMM and check the final compressed FV size.





* Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
  2022-05-10 10:40                     ` Gerd Hoffmann
  2022-05-10 11:20                       ` Yao, Jiewen
@ 2022-05-10 14:31                       ` James Bottomley
  1 sibling, 0 replies; 21+ messages in thread
From: James Bottomley @ 2022-05-10 14:31 UTC (permalink / raw)
  To: devel, kraxel
  Cc: jiewen.yao, Pawel Polawski, Li, Yi1, Oliver Steffen, Wang, Jian J,
	Ard Biesheuvel, Jiang, Guomin, Lu, Xiaoyu1, Justen, Jordan L

On Tue, 2022-05-10 at 12:40 +0200, Gerd Hoffmann wrote:
> On Mon, May 09, 2022 at 09:41:02AM -0400, James Bottomley wrote:
> > On Mon, 2022-05-09 at 12:03 +0000, Yao, Jiewen wrote:
> > > It is possible to switch to other crypt lib.
> > > 
> > > For example, the *mbedtls* version POC can be found at 
> > > https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
> > > The advantage is: the size is much smaller.
> > > The disadvantage is: some required functions are not available,
> > > such as PKCS7. 
> > 
> > Perhaps as a first step, we should look at our options.  I would
> > say missing functionality is problematic, but not necessarily a
> > killer: we'd have to help the chosen project develop the capability
> > and figure out how to maintain the fork while it was going
> > upstream.
> 
> I don't feel like entering the business of maintaining a tls
> library ...

Me neither, but we already maintain some exceptions like the logic to
break the X509 chain for UEFI, so if we had to tinker around the edges,
I think it's feasible.

> > Other libraries could be:
> > 
> > wolfssl
> 
> Hmm?  Apparently no git repository?

https://github.com/wolfSSL/wolfssl

> > gnutls
> 
> Might be an issue license-wise.

It's LGPL and our use case entirely embeds it so we're using it within
the licence terms.  Since we're effectively linking statically, it
provides a slight problem for distributions because they need to
facilitate relinking, but that's just a nasty mechanical problem.

> 
> > boringssl
> 
> Looks like an option worth investigating.
> 
> The "designed to meet Google's needs" and "not intended for general
> use" notes in the toplevel README don't look that great
> though.  Might turn out to be difficult to get changes needed
> for edk2 merged (hasn't been a problem so far for me with openssl).

Right, boringssl is effectively Google's fork of openssl for android
which they did because they could never get the openssl people to
accept their patches or pay attention to the embedded bloat problem
(which is currently our problem).

> > LibreSSL
> 
> There was some hype around it after it was forked from openssl in the
> heartbleed aftermath.  More recent news are less enthusiastic:
> https://lwn.net/Articles/841664/

Yes, I'm not hugely enthused about LibreSSL, but I think we do need to
list all the alternatives.

> Another possible option would be to add openssl3 as alternative
> OpensslLib implementation, so platforms can pick the one or the
> other depending on size constraints.

Really, no, we can't.  That would leave the space constrained use case
non functional when openssl 1 goes EOL.  We have to make openssl 3 work
for everything or consider a new crypto provider.

> I've also experimented a bit with CryptoPkg/Driver.  It's not a
> clear win, at least for OVMF.
> 
> PEI FV is larger in any case.  Seems LTO works very well for the
> few hashes needed by TPM support code, and so the overhead added
> by using the crypto service protocol instead of direct linking is
> much larger than the savings by sharing code.
> 
> DXE FV is smaller in the builds with secure boot and smm support,
> seems with the large tls codebase included we have enough wins by
> sharing the crypto code then, so the protocol overhead is worth
> the effort.
> 
> I'm wondering where the crypto algorithm selection in
> CryptoPkg/CryptoPkg.dsc comes from though, specifically for
> MIN_DXE_MIN_SMM.  Why is the crypto feature selection identical
> for DXE and SMM?  Specifically why TLS is enabled for SMM?

I think the idea was that using a static openssl library you could link
the various algorithm providers with it and make small pieces, but that
didn't work out well for openssl which has a massive startup
requirement.  No idea why SMM would require TLS ... I can look at the
code.

James




Thread overview: 21+ messages
2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 2/5] Revert "CryptoPkg: Make EC source file config-able" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 3/5] OvmfPkg: make DXEFV larger Gerd Hoffmann
2022-05-02 19:39   ` Ard Biesheuvel
2022-05-02 10:34 ` [PATCH 4/5] CryptoPkg/openssl: update generated files Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 5/5] CryptoPkg/openssl: disable codestyle checks for " Gerd Hoffmann
2022-05-03 15:39 ` [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Yao, Jiewen
2022-05-05  8:06   ` Gerd Hoffmann
2022-05-05  9:15     ` [edk2-devel] " Gerd Hoffmann
2022-05-09  1:38       ` Yao, Jiewen
2022-05-09  9:45         ` Gerd Hoffmann
2022-05-09 10:17           ` Yao, Jiewen
2022-05-09 11:27             ` Gerd Hoffmann
2022-05-09 11:47               ` James Bottomley
2022-05-09 12:03                 ` Yao, Jiewen
2022-05-09 13:41                   ` James Bottomley
2022-05-10 10:40                     ` Gerd Hoffmann
2022-05-10 11:20                       ` Yao, Jiewen
2022-05-10 14:31                       ` James Bottomley
     [not found]                 ` <16ED6E30C7B1AB9D.18911@groups.io>
2022-05-09 12:12                   ` Yao, Jiewen
