Date: Wed, 8 Feb 2023 12:45:06 +0100
From: "Gerd Hoffmann"
To: devel@edk2.groups.io, jiewen.yao@intel.com
Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
Message-ID: <20230208114506.otktqepwuapbxgf6@sirius.home.kraxel.org>

Hi,

> 3. If 1 or 2 can succeed, we can replace openssl 1.1 with one crypto lib.
> If both 1 and 2 fail, we may use *dual-crypto module*. For example: mbedtls for PEI and openssl3.0 for DXE.
> The source code size will become larger, more time to download the tree.

Suggestions how to do that best, ideally without duplicating CryptoPkg for that?

A while back I've tried to add openssl-3 in parallel to openssl-11, with the idea to allow projects picking the one or the other, and quickly ran into problems because apparently libraries can't add include directories. Only packages can do that (see Includes.Common.Private in CryptoPkg/CryptoPkg.dec which adds Library/OpensslLib/openssl/include).

take care,
Gerd