Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
From: "James Bottomley"
To: devel@edk2.groups.io, jiewen.yao@intel.com, "kraxel@redhat.com"
Cc: Pawel Polawski, "Li, Yi1", Oliver Steffen, "Wang, Jian J", Ard Biesheuvel, "Jiang, Guomin", "Lu, Xiaoyu1", "Justen, Jordan L"
Date: Mon, 09 May 2022 09:41:02 -0400
Message-ID: <98f4a21f4ce5cb50331177dd8b6aa53dc932561b.camel@HansenPartnership.com>
References: <20220502103436.3274412-1-kraxel@redhat.com>
 <20220505080638.rmrw3f773rkw3ljl@sirius.home.kraxel.org>
 <20220505091536.llguh4dzozqtiiob@sirius.home.kraxel.org>
 <20220509094511.px6cl7jtjejr4y4x@sirius.home.kraxel.org>
 <20220509112744.msdph5d35ph24l4p@sirius.home.kraxel.org>
 <97444089e5113f5b5c5f538635ff1821f1c62cb2.camel@HansenPartnership.com>

On Mon, 2022-05-09 at 12:03 +0000, Yao, Jiewen wrote:
> It is possible to switch to other crypt lib.
>
> For example, the *mbedtls* version POC can be found at
> https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
> The advantage is: the size is much smaller.
> The disadvantage is: some required functions are not available, such
> as PKCS7.

Perhaps as a first step, we should look at our options. I would say
missing functionality is problematic, but not necessarily a killer: we'd
have to help the chosen project develop the capability and figure out how
to maintain the fork while it was going upstream. PKCS#7 is pretty huge,
though; it's the entire Cryptographic Message Syntax, so I think us having
to develop that for mbedtls makes that one a non-starter.

Other libraries could be:

wolfssl
gnutls
boringssl
LibreSSL

They all seem to do pkcs#7.

James
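Added example, not part of this thread and not code from EDK2, OpenSSL or mbedtls: a minimal DER walker in Python that parses the outer layers of a CMS/PKCS#7 SignedData (RFC 5652) and lists what a verifier has to handle (digest algorithms, encapsulated content type, bundled certificates and CRLs, and each signer's algorithms and signature) before any signature check can even begin. It illustrates the point above that PKCS#7 is the whole Cryptographic Message Syntax rather than one primitive. The sample message is constructed inside the code; its certificate and signature bytes are placeholders, not a real signed blob, and the OIDs are the standard ones from RFC 5652, RFC 8017 and the NIST hash arc.

```python
# Added example: DER walker over the outer structure of a CMS SignedData.
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData
OID_DATA = "1.2.840.113549.1.7.1"          # id-data
OID_SHA256 = "2.16.840.1.101.3.4.2.1"      # id-sha256
OID_RSA = "1.2.840.113549.1.1.1"           # rsaEncryption

def tlv(tag, *parts):
    """Encode one DER element: tag byte, length octets, concatenated contents."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")       # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """Dotted OID -> DER contents (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def decode_oid(value):
    """Inverse of encode_oid."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def der_tlv(data, i=0):
    """Decode the element at offset i -> (tag, contents, next_offset)."""
    tag, first = data[i], data[i + 1]
    n = 0 if first < 0x80 else first & 0x7F                 # long-form length octets
    length = first if n == 0 else int.from_bytes(data[i + 2:i + 2 + n], "big")
    start = i + 2 + n
    if start + length > len(data):
        raise ValueError("DER length runs past end of buffer")
    return tag, data[start:start + length], start + length

def der_children(contents):
    """Split a constructed element's contents into (tag, contents) pairs."""
    out, i = [], 0
    while i < len(contents):
        tag, value, i = der_tlv(contents, i)
        out.append((tag, value))
    return out

def alg_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    return decode_oid(der_children(alg_id)[0][1])

def summarize_signed_data(der):
    """List what a CMS verifier must parse out of a SignedData; verifies nothing."""
    tag, content_info, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one ContentInfo SEQUENCE")
    (oid_tag, oid), (ctx_tag, explicit) = der_children(content_info)
    if oid_tag != 0x06 or decode_oid(oid) != OID_SIGNED_DATA or ctx_tag != 0xA0:
        raise ValueError("not id-signedData with [0] EXPLICIT content")
    # SignedData ::= SEQUENCE { version, digestAlgorithms SET, encapContentInfo,
    #   certificates [0] OPTIONAL, crls [1] OPTIONAL, signerInfos SET }
    f = der_children(der_children(explicit)[0][1])
    certs = crls = 0
    idx = 3
    if f[idx][0] == 0xA0:
        certs, idx = len(der_children(f[idx][1])), idx + 1
    if f[idx][0] == 0xA1:
        crls, idx = len(der_children(f[idx][1])), idx + 1
    signers = []
    for _, si in der_children(f[idx][1]):
        # SignerInfo ::= SEQUENCE { version, sid, digestAlgorithm, signedAttrs [0] OPTIONAL,
        #   signatureAlgorithm, signature OCTET STRING, unsignedAttrs [1] OPTIONAL }
        p = der_children(si)
        has_attrs = p[3][0] == 0xA0
        k = 4 if has_attrs else 3
        signers.append({"digest": alg_oid(p[2][1]), "signed_attrs": has_attrs,
                        "signature_alg": alg_oid(p[k][1]), "signature_len": len(p[k + 1][1])})
    return {"version": int.from_bytes(f[0][1], "big"),
            "digest_algorithms": [alg_oid(a) for _, a in der_children(f[1][1])],
            "econtent_type": decode_oid(der_children(f[2][1])[0][1]),
            "certificates": certs, "crls": crls, "signers": signers}

def build_sample_signed_data():
    """Constructed sample: detached SHA-256/RSA SignedData; cert and signature are placeholders."""
    sha256 = tlv(0x30, tlv(0x06, encode_oid(OID_SHA256)))
    rsa = tlv(0x30, tlv(0x06, encode_oid(OID_RSA)), tlv(0x05))        # NULL parameters
    encap = tlv(0x30, tlv(0x06, encode_oid(OID_DATA)))                 # no eContent: detached
    fake_cert = tlv(0x30, tlv(0x04, b"placeholder, not an X.509 certificate"))
    sid = tlv(0x30, tlv(0x30), tlv(0x02, b"\x01"))                     # issuerAndSerialNumber
    signer = tlv(0x30, tlv(0x02, b"\x01"), sid, sha256, rsa, tlv(0x04, b"\x00" * 8))
    signed_data = tlv(0x30, tlv(0x02, b"\x01"), tlv(0x31, sha256), encap,
                      tlv(0xA0, fake_cert), tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, encode_oid(OID_SIGNED_DATA)), tlv(0xA0, signed_data))

if __name__ == "__main__":
    for key, value in summarize_signed_data(build_sample_signed_data()).items():
        print(key, value)
```

Everything the walker enumerates (certificate chain handling, signed attributes, the per-signer digest and signature algorithm, detached versus embedded content) is work a replacement library must do on top of its raw RSA/EC and hash primitives, which is what makes "PKCS7 is missing" a much larger gap than a missing cipher.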