From: "Li, Yi" <yi1.li@intel.com>
To: devel@edk2.groups.io
Cc: Yi Li <yi1.li@intel.com>
Subject: [edk2-staging/OpenSSL11_EOL 4/7] Readme: 0315 update
Date: Fri, 17 Mar 2023 12:28:16 +0800
Message-ID: <4affc0f9504ad7f1a2164ad3877eb6ed4a8d41b6.1679026329.git.yi1.li@intel.com>
In-Reply-To: <cover.1679026329.git.yi1.li@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Readme-OpenSSL3.0.md | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/CryptoPkg/Readme-OpenSSL3.0.md b/CryptoPkg/Readme-OpenSSL3.0.md
index 8a0fc6afb0..3d4afa8ac1 100644
--- a/CryptoPkg/Readme-OpenSSL3.0.md
+++ b/CryptoPkg/Readme-OpenSSL3.0.md
@@ -21,14 +21,14 @@ Will update latest result here (Build based on Intel platform).
|-----------------|------------|------------|------------|
|CryptoPei | 386 | 398 | 3.1% |
|CryptoPeiPreMem | 31 | 31 | 0% |
-|CryptoDxe | 804 | 917 | 14% |
-|CryptoSmm | 558 | 636 | 14% |
+|CryptoDxe | 804 | 886 | 10.1% |
+|CryptoSmm | 558 | 604 | 8.2% |
| LZMA Compressed | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
-|CryptoDxe | 311 | 360 | 15% |
-|CryptoSmm | 211 | 248 | 17% |
-|FV (Dxe+Smm) | 357 | 423 | 18% |
+|CryptoDxe | 311 | 350 | 12.2% |
+|CryptoSmm | 211 | 238 | 12.8% |
+|FV (Dxe+Smm) | 357 | 412 | 15.4% |
## Limitation
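Review bot: Two of the updated percent cells do not agree with the sizes in their own rows. In the uncompressed table, CryptoDxe 804 -> 886 is 82/804 = 10.2%, not 10.1%; in the LZMA table, CryptoDxe 311 -> 350 is 39/311 = 12.5%, not 12.2%. The other updated rows (8.2%, 12.8%, 15.4%) check out. Please recompute those two cells, or note in the Readme that the percentages are taken from unrounded sizes if that is the cause.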
@@ -64,11 +64,10 @@ MD5 --> PEM --> CryptoPem(Ec\RsaGetPrivateKeyFromPem): used in Pkcs7Sign and Uni
### 3.Disable algorithm auto init
Add -DOPENSSL_NO_AUTOALGINIT will disable OpenSsl from adding all digests and ciphers at initialization time.
-Can reduce the size by ~20KB.
+Can reduce the size by 27KB.
#### Risk:
OPENSSL_NO_AUTOALGINIT Will break PKCS7, Authenticode and Ts due to OpenSsl bug:
https://github.com/openssl/openssl/issues/20221
-Currently only available when compiling PEI.
### 4.Cut Name/NID mapping
There are some unreasonably huge arrays(~110KB) in the obj_dat.h and obj_xref.h, like:
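Review bot: Removing "Currently only available when compiling PEI." leaves the Risk text stating that OPENSSL_NO_AUTOALGINIT will break PKCS7, Authenticode and Ts without saying where the flag is now applied. If it is enabled beyond PEI, the Readme should name the modules and say whether those verification paths are expected to fail there or how they are kept working, since that is what a platform integrator needs to decide on. The size line also changed from "~20KB" to "27KB" without the "~" and without naming which module the figure was measured on.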
@@ -79,6 +78,7 @@ Removing unnecessary data can reduce the size by ~50KB.
1. DXE and SMM use more functions than PEI, so can only reduce fewer size.
2. Need a detailed script or readme. The best way is to automatically cut through openssl config, raised issue in community:
https://github.com/openssl/openssl/issues/20260
+3. Will break Authticode API if applied to DXE SMM.
### 5.Hash API downgrade (for PeiPreMem)
High level API (EVP) will introduce provider and NID mapping which can increase size extremely.
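Review bot: In the added risk item 3, "Authticode" should be "Authenticode", matching the spelling in the section 3 risk text, and "DXE SMM" should read "DXE and SMM". Since this is a functional break rather than a size trade-off, consider stating which Authenticode function is affected and whether it fails cleanly, so the item is actionable for anyone applying the cut outside PEI.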
@@ -97,8 +97,10 @@ This will become workaround if openssl doesn't accept such changes.
https://github.com/liyi77/openssl/commits/openssl-3.0-POC
Such as:
remove x509 print function - 7KB
-remove unused ras ameth - 7KB
+remove unused rsa ameth - 7KB
remove unused x509 extentions - 19KB
+remove unused bio enc - 3KB
+remove unused bio prov - 4KB
...
#### Risk:
This is workaround.
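Review bot: The hunk corrects "ras ameth" to "rsa ameth" but leaves "x509 extentions" on the following line; fix that to "extensions" in the same change. The two new entries ("bio enc", "bio prov") add to a list whose Risk section still says only "This is workaround.", so a short note on what functionality each removal gives up would make the list reviewable.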
--
2.31.1.windows.1