Date: Fri, 10 Mar 2023 16:50:08 +0100
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: devel@edk2.groups.io, jiewen.yao@intel.com
Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
Message-ID: <20230310155008.6vah5svjaavroe2y@sirius.home.kraxel.org>
References: <20230208114506.otktqepwuapbxgf6@sirius.home.kraxel.org> <174209E894D5CF7F.15261@groups.io> <1742A3BAD41DE0F1.13814@groups.io>
In-Reply-To:

On Fri, Mar 10, 2023 at 12:28:54PM +0000, Yao, Jiewen wrote:
> Hello
> We have created initial POC version CryptoPkg upgrade.
>
> OpenSSL 3.0 POC: https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
> The size is reduced a lot. But it still exceeds some platforms.

I've already mentioned the branch in the cover letter of the openssl
hash series (https://edk2.groups.io/g/devel/message/100123), but
apparently it went unnoticed; there are lots of commits from my old
branch in there ...

Anyway, my latest branch (just rebased to master) is here:
https://github.com/kraxel/edk2/commits/openssl3

Doesn't (yet) pass CI, most failures are on IA32 due to missing
compiler intrinsics.

I've put the configuration system upside-down, replaced the
process_files.pl script with python. All generated files are placed
in a new 'openssl-gen' subdirectory, no matter whether they are header
files, C files or asm files.

Some code changes are needed for openssl 3.0, those are mostly
unchanged when comparing to my ~1y old branch. Exceptions are some
EC-related changes.

Acceleration support has been expanded to also cover AARCH64 with GCC5.

The old openssl-1.1 apparently tries to avoid adding support for avx
for asm acceleration, by taking care that nasm is not in the path.
That trick surely will not work with openssl-3.0 as openssl has
learned to generate avx instructions for other assemblers meanwhile.

Is there some specific reason for that? Compatibility with toolchains
without avx support? Or is firmware not allowed to use avx instructions?
In case of the latter we probably have to add a 'no-avx' config option
to upstream openssl, similar to the 'no-sse2' option which already exists.

take care,
  Gerd
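The mail above raises the question of whether the generated OpenSSL assembly ends up containing AVX instructions that firmware may not be allowed to execute. The following script is an added example, not part of the edk2 branch or of OpenSSL's own tooling: it scans assembler sources (e.g. the generated files in an 'openssl-gen' directory) for AVX usage using a heuristic (ymm/zmm register operands, or VEX-style mnemonics starting with "v" that are not known non-AVX system instructions). The sample assembly, the `openssl-gen` path default and the function names are constructed for illustration; the AT&T/NASM syntax handling is a simplification and a `#`/`;` comment stripper, not a full assembler parser.

```python
"""Heuristic scan of assembler sources for AVX usage (added example, not edk2/OpenSSL code)."""
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Registers that only exist with AVX (ymm) or AVX-512 (zmm). Accepts AT&T "%ymm0"
# and Intel/NASM "ymm0"; xmm registers are SSE and deliberately NOT matched.
_AVX_REG_RE = re.compile(r"(?<![\w%])%?[yz]mm(?:[12]?\d|3[01])\b", re.IGNORECASE)

# First token on a line after an optional "label:" prefix.
_MNEMONIC_RE = re.compile(r"^\s*(?:[\w.$@]+:\s*)?([A-Za-z][\w.]*)")

# Mnemonics beginning with "v" that are not VEX/AVX instructions (x86 system insns).
_NON_AVX_V = {
    "verr", "verw", "vmcall", "vmlaunch", "vmresume", "vmxoff", "vmxon",
    "vmptrld", "vmptrst", "vmread", "vmwrite", "vmclear", "vmfunc",
}

# Constructed sample: a made-up mix of SSE2 and AVX lines in AT&T syntax.
SAMPLE_ASM = """\
.text
.globl  sha256_block_data_order
sha256_block_data_order:
    movdqu  (%rdi),%xmm0          # SSE2: plain xmm register
    pxor    %xmm1,%xmm0
    vmovdqu (%rsi),%ymm1          # AVX: 256-bit register operand
    vpxor   %ymm1,%ymm0,%ymm0
    vzeroupper                    # AVX: VEX-encoded, no ymm operand on the line
    ret
"""


def _strip_comment(line: str) -> str:
    """Drop trailing comments in GNU as ('#') and NASM (';', '//') styles."""
    for marker in ("#", ";", "//"):
        idx = line.find(marker)
        if idx != -1:
            line = line[:idx]
    return line.rstrip()


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (mnemonic, reason) if the line looks like an AVX instruction, else None."""
    code = _strip_comment(line)
    if not code.strip():
        return None
    match = _MNEMONIC_RE.match(code)
    if not match:           # directive (.text, .byte ...) or bare label
        return None
    mnemonic = match.group(1).lower()
    if _AVX_REG_RE.search(code):
        return (mnemonic, "ymm/zmm register operand")
    if mnemonic.startswith("v") and mnemonic not in _NON_AVX_V:
        return (mnemonic, "VEX-encoded mnemonic")
    return None


def find_avx_uses(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, mnemonic, reason) for every AVX-looking line."""
    hits = []
    for num, line in enumerate(lines, start=1):
        hit = classify_line(line)
        if hit:
            hits.append((num, hit[0], hit[1]))
    return hits


def scan_tree(root: Path, suffixes=(".S", ".s", ".nasm", ".asm")) -> List[Tuple[str, int, str, str]]:
    """Walk a directory (e.g. a generated 'openssl-gen' tree) and collect AVX hits per file."""
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(errors="replace").splitlines()
            results.extend((str(path), n, m, r) for n, m, r in find_avx_uses(text))
    return results


if __name__ == "__main__":
    # Usage: python avx_scan.py [directory]; with no argument the constructed sample is scanned.
    if len(sys.argv) > 1:
        hits = scan_tree(Path(sys.argv[1]))
        for path, num, mnemonic, reason in hits:
            print(f"{path}:{num}: {mnemonic} ({reason})")
    else:
        hits = [("<sample>", n, m, r) for n, m, r in find_avx_uses(SAMPLE_ASM.splitlines())]
        for path, num, mnemonic, reason in hits:
            print(f"{path}:{num}: {mnemonic} ({reason})")
    sys.exit(1 if hits else 0)
```

The non-zero exit status when any hit is found makes the script usable as a build-time gate: run it over the generated assembly after configuring OpenSSL and fail the build if AVX code slipped in, which is the property a 'no-avx' configure option would be expected to guarantee.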