From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mx.groups.io with SMTP id smtpd.web11.48994.1675671680029717783
 for <devel@edk2.groups.io>;
 Mon, 06 Feb 2023 00:21:20 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ZfdwlBmQ;
 spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: kraxel@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1675671678;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=wlp0VVE0OUH+5k3yIFJ5zLDJfL8F5MDAu7LnMdLa6Fk=;
	b=ZfdwlBmQIJImqOeGDpWRdYIEprCQjpMctMJrczT32TZDcYSw8x/NnB5PUAaipm9osqxjyX
	nxzD5X6dR5wAIZ6FFxqd/EwyZWxA/QF7dH6kp8ilrPfrhWzfgK1dAOBM5rAMx1TvfXxdFK
	Lt9cBk2y4pnNehSRlmieF4INKqPuSio=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-440-ouCfmmgQNLeFyQejd2-Q8g-1; Mon, 06 Feb 2023 03:21:15 -0500
X-MC-Unique: ouCfmmgQNLeFyQejd2-Q8g-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 7A544857F41;
	Mon,  6 Feb 2023 08:21:14 +0000 (UTC)
Received: from sirius.home.kraxel.org (unknown [10.39.192.85])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 39C032026D37;
	Mon,  6 Feb 2023 08:21:14 +0000 (UTC)
Received: by sirius.home.kraxel.org (Postfix, from userid 1000)
	id C32A41800850; Mon,  6 Feb 2023 09:21:12 +0100 (CET)
Date: Mon, 6 Feb 2023 09:21:12 +0100
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: devel@edk2.groups.io, Min Xu <min.m.xu@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Michael Roth <michael.roth@amd.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Pawel Polawski <ppolawsk@redhat.com>,
	Oliver Steffen <osteffen@redhat.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Xiaoyu Lu <xiaoyu1.lu@intel.com>,
	Erdem Aktas <erdemaktas@google.com>,
	Guomin Jiang <guomin.jiang@intel.com>,
	James Bottomley <jejb@linux.ibm.com>
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support
Message-ID: <20230206082112.v7cl2wiyinhjwxri@sirius.home.kraxel.org>
References: <20230203132806.2275708-1-kraxel@redhat.com>
 <CAMj1kXEHvSzrQQSFi2LsJ10beJRacjjPQgCTB4UkK1iCJc2BOg@mail.gmail.com>
 <20230203153654.pyutijc54a66pe6e@sirius.home.kraxel.org>
 <CAMj1kXFM0unD513PLQetbrnE-CgoUvEzgBAjD-WHpWwCZXRRug@mail.gmail.com>
 <20230203162844.gailv3rz3ia3jdpe@sirius.home.kraxel.org>
 <CAMj1kXG5AVmuitkFPQEkm=0ZAaBNVfZZ5RGD+z+sCX4scxrQ3w@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAMj1kXG5AVmuitkFPQEkm=0ZAaBNVfZZ5RGD+z+sCX4scxrQ3w@mail.gmail.com>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.4
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

> > > > PEI jumps up in size even though I'm using the min_pei config for
> > > > CryptoPei, seems it *still* has way too much bits compiled in
> > > > (didn't look into tweaking the config yet, hints are welcome).
> > > >
> > > > +  333950 CryptoPei
> > >
> > > Why would we use this for PEI if the size increases?

> Could we build CryptoPei with fewer algorithms built into it?

Patch attached below brings it down to

  211582 CryptoPei

Which still is quite big for some reason ...

take care,
  Gerd

commit a0ecb20af423d4b97fd008ac05807c46dcad3a53
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Mon Feb 6 08:52:41 2023 +0100

    pei needs hashes only

diff --git a/CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc b/CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
new file mode 100644
index 000000000000..1ead17340b6c
--- /dev/null
+++ b/CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
@@ -0,0 +1,10 @@
+##
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family                   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family                   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family                   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family                      | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
diff --git a/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc
index e34444dde470..3ab90d7718f5 100644
--- a/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc
@@ -12,7 +12,8 @@
       TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
       OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
     <PcdsFixedAtBuild>
-!include CryptoPkg/Include/Dsc/CryptoServicePcd.min_pei.dsc.inc
+#!include CryptoPkg/Include/Dsc/CryptoServicePcd.min_pei.dsc.inc
+!include CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
   }
 
   CryptoPkg/Driver/CryptoSmm.inf {