From: "Li, Yi" <yi1.li@intel.com>
To: devel@edk2.groups.io
Cc: Yi Li <yi1.li@intel.com>
Subject: [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update
Date: Thu, 23 Mar 2023 10:44:36 +0800
Message-ID: <99a218c205bcc4ddc7ef48ef875dc9361e53926f.1679537389.git.yi1.li@intel.com>
In-Reply-To: <cover.1679537389.git.yi1.li@intel.com>
Signed-off-by: Yi Li <yi1.li@intel.com>
---
CryptoPkg/Readme-OpenSSL3.0.md | 65 +++++++++++++++++++++++++++++-----
1 file changed, 57 insertions(+), 8 deletions(-)
diff --git a/CryptoPkg/Readme-OpenSSL3.0.md b/CryptoPkg/Readme-OpenSSL3.0.md
index 85ed37b61d..fc5d24d074 100644
--- a/CryptoPkg/Readme-OpenSSL3.0.md
+++ b/CryptoPkg/Readme-OpenSSL3.0.md
@@ -17,19 +17,26 @@ The branch owner: Li Yi <yi1.li@intel.com>
## Latest update
Will update latest result here (Build based on Intel platform).
+Binaries mode (use crypto drivers)
| Driver | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
|CryptoPei | 386 | 398 | 3.1% |
|CryptoPeiPreMem | 31 | 31 | 0% |
-|CryptoDxeFull | 1014 | 1031 | 1.7% |
-|CryptoDxe | 804 | 886 | 10.1% |
-|CryptoSmm | 558 | 604 | 8.2% |
-
+|CryptoDxeFull | 1014 | 997 | -1.6% |
+|CryptoDxe | 804 | 871 | 8.3% |
+|CryptoSmm | 558 | 581 | 4.1% |
+
| LZMA Compressed | 1.1.1 | 3.0 | percent |
|-----------------|------------|------------|------------|
-|CryptoDxe | 311 | 350 | 12.2% |
-|CryptoSmm | 211 | 238 | 12.8% |
-|FV (Dxe+Smm) | 357 | 412 | 15.4% |
+|CryptoDxe | 311 | 346 | 11.2% |
+|CryptoSmm | 211 | 233 | 10.4% |
+|FV (Dxe+Smm) | 357 | 406 | 13.7% |
+
+Library mode (use crypto library)
+| Driver | 1.1.1 | 3.0 | delta |
+|--------------------|------------|------------|------------|
+| FV | 2377 | 2639 | 262 |
+|SecurityStubDxe.efi | 562 | 605 | 43 |
## Limitation
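Review bot: In the updated "Binaries mode" table the CryptoDxeFull row reports 1014 -> 997 as -1.6%, but 17/1014 is 1.68%, which rounds to -1.7%; the removed row rounded the same 17-unit difference (1014 -> 1031) to 1.7%. The LZMA CryptoDxe row (311 -> 346, 11.25%) is shown as 11.2%, so the column mixes rounding and truncation; pick one rule and recompute. None of the three tables states a unit for the size columns, and the new "Library mode" table reports an absolute "delta" while the other two report "percent", so rows cannot be compared across tables. Suggest putting the unit in the column headers and giving both delta and percent in each table.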
@@ -49,7 +56,7 @@ More complex API: There will be two code paths supporting 1.1.1 legacy and 3.0 p
### 1.Cut Provider
As CryptoPkg\Library\OpensslLib\OpensslStub\uefiprov.c
-### Remove unnecessary module
+### 2.Remove unnecessary module
SM2,
SM3 - 12KB,
MD5 - 8KB,
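Review bot: "### 2.Remove unnecessary module" has no space after the number. That matches "### 1.Cut Provider" above it but not the "1. " / "2. " style this same patch uses in the new summary section; suggest "### 2. Remove unnecessary modules" and the same spacing for heading 1. The list under the heading gives a size for SM3 and MD5 but none for SM2, which is worth filling in while the section is being renumbered.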
@@ -105,5 +112,47 @@ remove unused bio prov - 4KB
#### Risk:
This is workaround.
+## Openssl code change summary
+### Level 1: Reasonable changes to reduce size
+1. Add macro such like OPENSSL_NO_ECX OPENSSL_NO_ECD to remove ecx and ecd feature,
+will reduce size about 104KB.
+(commit: ec: disable ecx and ecd)
+https://github.com/liyi77/openssl/commit/2b0a888c3623e1dc0637fbe0c5dcc1211b4d0545
+
+2. Avoid build error when sm3 disabled.
+(commit: sm3: avoid build error after sm3 disabled)
+https://github.com/liyi77/openssl/commit/df92e440e45667da6ca1f9013f015e6d18981f2e
+
+### Level 2: A bit like workaround, with possibility of upstream to openssl
+1. Enable the legacy path for X509 pubkey decode and pmeth initialization,
+The purpose is to avoid the use of EN/DECODE and Signature provider, will reduce size about 90KB.
+(commit: x509: enable legacy path in pub decode)
+https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd6ef7045646ef0
+(commit: evp: enable legacy pmeth)
+https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1bfe1d0263f074b
+
+2. Add 'type' field back to enable OPENSSL_NO_AUTOALGINIT, will reduce size about 27KB.
+issue: https://github.com/openssl/openssl/issues/20221
+(commit: evp: add type filed back)
+https://github.com/liyi77/openssl/commit/9c68a18a3a1967baf8d93eacadac9f0e14523715
+
+### Level 3: Totally workaround and hard to upstream to openssl, may need scripts to apply them inside EDK2
+1. Provider cut.
+(commit: CryptoPkg: add own openssl provider)
+https://github.com/liyi77/edk2-staging/commit/c3a5b69d8a3465259cfdca8f38b0dc7683b3690e
+
+2. Cut Name/NID mapping, will reduce size about 70KB.
+(commit: CryptoPkg: trim obj_dat.h)
+https://github.com/liyi77/edk2-staging/commit/6874485ebf89959953f7094990c7123e19748527
+
+3. Cut unnecessary API in structure.
+(commit: evp: cut bio_enc func 3KB)
+https://github.com/liyi77/openssl/commit/3a2331133c2e3bda3e9bdb861ea97e5d3969fb2d
+(commit: x509: remove print function 7KB)
+https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e2955d7ff4306
+(commit: rsa: remove unused rsa ameth 7KB)
+https://github.com/liyi77/openssl/commit/8488c75701cdd5e626785e6d9d002f6fb30ae0ff
+(commit: x509: remove unused extentions 19KB)
+https://github.com/liyi77/openssl/commit/c27b3428708eb240b626946ce10d4219806d8adf
## Timeline
Target for 2023 Q1
\ No newline at end of file
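Review bot: The Level 2 and Level 3 entries in the new "Openssl code change summary" record the size saved but not what behaviour is given up, while the section just above pairs its workaround with a "#### Risk:" line; each entry here should carry the same. In particular, "x509: remove unused extentions 19KB" should name the extensions removed, because validation of certificates that mark one of them critical will change, and "Enable the legacy path for X509 pubkey decode and pmeth initialization" should say which consumers of certificate and signature verification were tested on that path. Level 3 says the changes "may need scripts to apply them inside EDK2" without saying where those scripts live or how the patches, which are linked from a personal fork (github.com/liyi77/...), will be carried across OpenSSL security updates; please document that. Spelling: "such like" -> "such as", "type filed back" -> "type field back", "extentions" -> "extensions" (if these mirror the commit titles, fix them there too), and the file still ends without a trailing newline.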
--
2.31.1.windows.1