From: "Gerd Hoffmann" <kraxel@redhat.com>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: devel@edk2.groups.io, jiewen.yao@intel.com,
Pawel Polawski <ppolawsk@redhat.com>,
"Li, Yi1" <yi1.li@intel.com>,
Oliver Steffen <osteffen@redhat.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Jiang, Guomin" <guomin.jiang@intel.com>,
"Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>
Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
Date: Tue, 10 May 2022 12:40:01 +0200 [thread overview]
Message-ID: <20220510104001.rqddxn53euydk2ns@sirius.home.kraxel.org> (raw)
In-Reply-To: <98f4a21f4ce5cb50331177dd8b6aa53dc932561b.camel@HansenPartnership.com>
On Mon, May 09, 2022 at 09:41:02AM -0400, James Bottomley wrote:
> On Mon, 2022-05-09 at 12:03 +0000, Yao, Jiewen wrote:
> > It is possible to switch to other crypt lib.
> >
> > For example, the *mbedtls* version POC can be found at
> > https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
> > The advantage is: the size is much smaller.
> > The disadvantage is: some required functions are not available, such
> > as PKCS7.
>
> Perhaps as a first step, we should look at our options. I would say
> missing functionality is problematic, but not necessarily a killer:
> we'd have to help the chosen project develop the capability and figure
> out how to maintain the fork while it was going upstream.
I don't feel like entering the business of maintaining a tls
library ...
> Other libraries could be:
>
> wolfssl
Hmm? Apparently no git repository?
> gnutls
Might be a issue license-wise.
> boringssl
Looks like an option worth investigating.
The "designed to meet Google's needs" and "not intended for general use"
notes in the toplevel README don't look that great though. Might turn
out to be be difficult to get changes needed for edk2 merged (hasn't
been a problem so far for me with openssl).
> LibreSSL
There was some hype around it after it was forked from openssl in the
heartbleed aftermath. More recent news are less enthusiastic:
https://lwn.net/Articles/841664/
Another possible option would be to add openssl3 as alternative
OpensslLib implementation, so platforms can pick the one or the
other depending on size constrains.
I've also experimented a bit with CryptoPkg/Driver. It's not a
clear win, at least for OVMF.
PEI FV is larger in any case. Seems LTO works very well for the
few hashes needed by TPM support code, and so the overhead added
by using the crypto service protocol instead of direct linking is
much larger than the savings by sharing code.
DXE FV is smaller in the builds with secure boot and smm support,
seems with the large tls codebase included we have enough wins by
sharing the crypto code then, so the protocol overhead is worth
the effort.
I'm wondering where the crypto algorithm selection in
CryptoPkg/CryptoPkg.dsc comes from though, specifically for
MIN_DXE_MIN_SMM. Why is the crypto feature selection identical
for DXE and SMM? Specifically why TLS is enabled for SMM?
take care,
Gerd
next prev parent reply other threads:[~2022-05-10 10:40 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 2/5] Revert "CryptoPkg: Make EC source file config-able" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 3/5] OvmfPkg: make DXEFV larger Gerd Hoffmann
2022-05-02 19:39 ` Ard Biesheuvel
2022-05-02 10:34 ` [PATCH 4/5] CryptoPkg/openssl: update generated files Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 5/5] CryptoPkg/openssl: disable codestyle checks for " Gerd Hoffmann
2022-05-03 15:39 ` [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Yao, Jiewen
2022-05-05 8:06 ` Gerd Hoffmann
2022-05-05 9:15 ` [edk2-devel] " Gerd Hoffmann
2022-05-09 1:38 ` Yao, Jiewen
2022-05-09 9:45 ` Gerd Hoffmann
2022-05-09 10:17 ` Yao, Jiewen
2022-05-09 11:27 ` Gerd Hoffmann
2022-05-09 11:47 ` James Bottomley
2022-05-09 12:03 ` Yao, Jiewen
2022-05-09 13:41 ` James Bottomley
2022-05-10 10:40 ` Gerd Hoffmann [this message]
2022-05-10 11:20 ` Yao, Jiewen
2022-05-10 14:31 ` James Bottomley
[not found] ` <16ED6E30C7B1AB9D.18911@groups.io>
2022-05-09 12:12 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220510104001.rqddxn53euydk2ns@sirius.home.kraxel.org \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox