[edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Mar 22

[edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Mar 22

[Li, Yi]

Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/363

Latest size data:
Binaries:				
	CryptoDxeFull	1.70%	->	-1.6%	-17KB
	CryptoDxe		10.1%	->	8.3%	68KB
	CryptoSmm		8.20%	->	4.1%	23KB
After LZMA:			
	CryptoDxe		12.2%	->	11.20%	35KB
	CryptoSmm		12.8%	->	10.40%	22KB
	FV (Dxe+Smm)	15.4%	->	13.70%	49KB

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Wenxing Hou <wenxing.hou@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Yi Li <yi1.li@intel.com>

Yi Li (4):
  bugfix: use null md5 onlyif no-md5 defined
  CryptoPkg: remove unnecessary sig, ec and rsa prov
  CryptoPkg: update openssl submodule
  Readme: 0322 update

 CryptoPkg/Library/OpensslLib/HashNull.c       |  3 +
 .../Library/OpensslLib/OpensslStub/uefiprov.c | 23 -------
 CryptoPkg/Library/OpensslLib/openssl          |  2 +-
 CryptoPkg/Readme-OpenSSL3.0.md                | 65 ++++++++++++++++---
 4 files changed, 61 insertions(+), 32 deletions(-)

-- 
2.31.1.windows.1

[edk2-staging/OpenSSL11_EOL][PATCH 1/4] bugfix: use null md5 onlyif no-md5 defined

[Li, Yi]

Signed-off-by: Yi Li <yi1.li@intel.com>
---
 CryptoPkg/Library/OpensslLib/HashNull.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CryptoPkg/Library/OpensslLib/HashNull.c b/CryptoPkg/Library/OpensslLib/HashNull.c
index ebd6369f98..e2a4da80a1 100644
--- a/CryptoPkg/Library/OpensslLib/HashNull.c
+++ b/CryptoPkg/Library/OpensslLib/HashNull.c
@@ -20,6 +20,8 @@ int ossl_sm3_final(unsigned char *md, SM3_CTX *c){
     return -1;
 }
 #endif
+
+#ifdef OPENSSL_NO_MD5
 #include "openssl/x509.h"
 const EVP_MD *EVP_md5(void) {
     return NULL;
@@ -41,3 +43,4 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
                            size_t mac_secret_length, char is_sslv3) {
                             return -1;
                            }
+#endif
-- 
2.31.1.windows.1

[edk2-staging/OpenSSL11_EOL][PATCH 2/4] CryptoPkg: remove unnecessary sig, ec and rsa prov

[Li, Yi]

Signed-off-by: Yi Li <yi1.li@intel.com>
---
 .../Library/OpensslLib/OpensslStub/uefiprov.c | 23 -------------------
 1 file changed, 23 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
index c21c475331..4473e3e706 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
+++ b/CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c
@@ -160,9 +160,6 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
 static const OSSL_ALGORITHM deflt_keyexch[] = {
 #ifndef OPENSSL_NO_DH
     { PROV_NAMES_DH, "provider=default", ossl_dh_keyexch_functions },
-#endif
-#ifndef OPENSSL_NO_EC
-    { PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions },
 #endif
     { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_keyexch_functions },
     { PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_keyexch_functions },
@@ -175,15 +172,6 @@ static const OSSL_ALGORITHM deflt_rands[] = {
     { NULL, NULL, NULL }
 };
 
-static const OSSL_ALGORITHM deflt_signature[] = {
-    { PROV_NAMES_RSA, "provider=default", ossl_rsa_signature_functions },
-#ifndef OPENSSL_NO_EC
-    { PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions },
-#endif
-
-    { NULL, NULL, NULL }
-};
-
 static const OSSL_ALGORITHM deflt_asym_cipher[] = {
     { PROV_NAMES_RSA, "provider=default", ossl_rsa_asym_cipher_functions },
     { NULL, NULL, NULL }
@@ -196,15 +184,6 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
     { PROV_NAMES_DHX, "provider=default", ossl_dhx_keymgmt_functions,
       PROV_DESCS_DHX },
 #endif
-
-    { PROV_NAMES_RSA, "provider=default", ossl_rsa_keymgmt_functions,
-      PROV_DESCS_RSA },
-    { PROV_NAMES_RSA_PSS, "provider=default", ossl_rsapss_keymgmt_functions,
-      PROV_DESCS_RSA_PSS },
-#ifndef OPENSSL_NO_EC
-    { PROV_NAMES_EC, "provider=default", ossl_ec_keymgmt_functions,
-      PROV_DESCS_EC },
-#endif
     { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_keymgmt_functions,
       PROV_DESCS_TLS1_PRF_SIGN },
     { PROV_NAMES_HKDF, "provider=default", ossl_kdf_keymgmt_functions,
@@ -232,8 +211,6 @@ static const OSSL_ALGORITHM *deflt_query(void *provctx, int operation_id,
         return deflt_keymgmt;
     case OSSL_OP_KEYEXCH:
         return deflt_keyexch;
-    case OSSL_OP_SIGNATURE:
-        return deflt_signature;
     case OSSL_OP_ASYM_CIPHER:
         return deflt_asym_cipher;
     }
-- 
2.31.1.windows.1

[edk2-staging/OpenSSL11_EOL][PATCH 3/4] CryptoPkg: update openssl submodule

[Li, Yi]

Signed-off-by: Yi Li <yi1.li@intel.com>
---
 CryptoPkg/Library/OpensslLib/openssl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/OpensslLib/openssl
index 6048380660..2b0a888c36 160000
--- a/CryptoPkg/Library/OpensslLib/openssl
+++ b/CryptoPkg/Library/OpensslLib/openssl
@@ -1 +1 @@
-Subproject commit 6048380660df37d5828c1ff1d343f24a21091715
+Subproject commit 2b0a888c3623e1dc0637fbe0c5dcc1211b4d0545
-- 
2.31.1.windows.1

[edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

[Li, Yi]

Signed-off-by: Yi Li <yi1.li@intel.com>
---
 CryptoPkg/Readme-OpenSSL3.0.md | 65 +++++++++++++++++++++++++++++-----
 1 file changed, 57 insertions(+), 8 deletions(-)

diff --git a/CryptoPkg/Readme-OpenSSL3.0.md b/CryptoPkg/Readme-OpenSSL3.0.md
index 85ed37b61d..fc5d24d074 100644
--- a/CryptoPkg/Readme-OpenSSL3.0.md
+++ b/CryptoPkg/Readme-OpenSSL3.0.md
@@ -17,19 +17,26 @@ The branch owner: Li Yi <yi1.li@intel.com>
 
 ## Latest update
 Will update latest result here (Build based on Intel platform).  
+Binaries mode (use crypto drivers)  
 |     Driver      |   1.1.1    |    3.0     |   percent  |  
 |-----------------|------------|------------|------------|  
 |CryptoPei        |   386      |    398     |    3.1%    |  
 |CryptoPeiPreMem  |   31       |    31      |    0%      |  
-|CryptoDxeFull    |   1014     |    1031    |    1.7%    |  
-|CryptoDxe        |   804      |    886     |    10.1%   |  
-|CryptoSmm        |   558      |    604     |    8.2%    |  
-
+|CryptoDxeFull    |   1014     |    997     |    -1.6%   |  
+|CryptoDxe        |   804      |    871     |    8.3%    |  
+|CryptoSmm        |   558      |    581     |    4.1%    |  
+  
 | LZMA Compressed |   1.1.1    |    3.0     |   percent  |  
 |-----------------|------------|------------|------------|  
-|CryptoDxe        |   311      |    350     |    12.2%   |  
-|CryptoSmm        |   211      |    238     |    12.8%   |  
-|FV (Dxe+Smm)     |   357      |    412     |    15.4%   |  
+|CryptoDxe        |   311      |    346     |    11.2%   |  
+|CryptoSmm        |   211      |    233     |    10.4%   |  
+|FV (Dxe+Smm)     |   357      |    406     |    13.7%   |  
+
+Library mode (use crypto library)  
+|     Driver         |   1.1.1    |    3.0     |    delta   |  
+|--------------------|------------|------------|------------|  
+|      FV            |   2377     |    2639    |     262    |  
+|SecurityStubDxe.efi |   562      |    605     |     43     |  
 
 ## Limitation
 
@@ -49,7 +56,7 @@ More complex API: There will be two code paths supporting 1.1.1 legacy and 3.0 p
 ### 1.Cut Provider
 As CryptoPkg\Library\OpensslLib\OpensslStub\uefiprov.c
 
-### Remove unnecessary module 
+### 2.Remove unnecessary module 
 SM2,  
 SM3 - 12KB,  
 MD5 - 8KB,  
@@ -105,5 +112,47 @@ remove unused bio prov - 4KB
 #### Risk:
 This is workaround.
 
+## Openssl code change summary
+### Level 1: Reasonable changes to reduce size
+1. Add macro such like OPENSSL_NO_ECX OPENSSL_NO_ECD to remove ecx and ecd feature,  
+will reduce size about 104KB.  
+(commit: ec: disable ecx and ecd)  
+https://github.com/liyi77/openssl/commit/2b0a888c3623e1dc0637fbe0c5dcc1211b4d0545  
+  
+2. Avoid build error when sm3 disabled.  
+(commit: sm3: avoid build error after sm3 disabled)  
+https://github.com/liyi77/openssl/commit/df92e440e45667da6ca1f9013f015e6d18981f2e  
+
+### Level 2: A bit like workaround, with possibility of upstream to openssl
+1. Enable the legacy path for X509 pubkey decode and pmeth initialization,  
+The purpose is to avoid the use of EN/DECODE and Signature provider, will reduce size about 90KB.  
+(commit: x509: enable legacy path in pub decode)  
+https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd6ef7045646ef0  
+(commit: evp: enable legacy pmeth)  
+https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1bfe1d0263f074b  
+  
+2. Add 'type' field back to enable OPENSSL_NO_AUTOALGINIT,  will reduce size about 27KB.  
+issue: https://github.com/openssl/openssl/issues/20221  
+(commit: evp: add type filed back)  
+https://github.com/liyi77/openssl/commit/9c68a18a3a1967baf8d93eacadac9f0e14523715  
+
+### Level 3: Totally workaround and hard to upstream to openssl, may need scripts to apply them inside EDK2
+1. Provider cut.  
+(commit: CryptoPkg: add own openssl provider)  
+https://github.com/liyi77/edk2-staging/commit/c3a5b69d8a3465259cfdca8f38b0dc7683b3690e  
+  
+2. Cut Name/NID mapping, will reduce size about 70KB.  
+(commit: CryptoPkg: trim obj_dat.h)  
+https://github.com/liyi77/edk2-staging/commit/6874485ebf89959953f7094990c7123e19748527  
+
+3. Cut unnecessary API in structure.  
+(commit: evp: cut bio_enc func 3KB)  
+https://github.com/liyi77/openssl/commit/3a2331133c2e3bda3e9bdb861ea97e5d3969fb2d  
+(commit: x509: remove print function 7KB)  
+https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e2955d7ff4306  
+(commit: rsa: remove unused rsa ameth 7KB)  
+https://github.com/liyi77/openssl/commit/8488c75701cdd5e626785e6d9d002f6fb30ae0ff  
+(commit: x509: remove unused extentions 19KB)  
+https://github.com/liyi77/openssl/commit/c27b3428708eb240b626946ce10d4219806d8adf  
 ## Timeline
 Target for 2023 Q1
\ No newline at end of file
-- 
2.31.1.windows.1

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

[Gerd Hoffmann]

  Hi,

> +### Level 2: A bit like workaround, with possibility of upstream to openssl
> +1. Enable the legacy path for X509 pubkey decode and pmeth initialization,  
> +The purpose is to avoid the use of EN/DECODE and Signature provider, will reduce size about 90KB.  
> +(commit: x509: enable legacy path in pub decode)  
> +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd6ef7045646ef0  
> +(commit: evp: enable legacy pmeth)  
> +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1bfe1d0263f074b  

I suspect that is not going to work well long-term, probably openssl
will remove the code paths they consider being "legacy" at some point
in the future.  Probably not 3.0.x but maybe in 3.1 branch.

> +### Level 3: Totally workaround and hard to upstream to openssl, may need scripts to apply them inside EDK2
> +1. Provider cut.  
> +(commit: CryptoPkg: add own openssl provider)  
> +https://github.com/liyi77/edk2-staging/commit/c3a5b69d8a3465259cfdca8f38b0dc7683b3690e  

Allow people implement their own providers looks like an openssl feature
to me.  So I don't think this will be a big problem to maintain, I
expect they try to keep the interfaces stable to not break apps doing
so.

The only little detail we do differently here is to remove the default
providers so LTO can actually remove the unused code.

> +(commit: x509: remove print function 7KB)  
> +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e2955d7ff4306  

Did you double-check this doesn't break something?

It did for me, due to some code in openssl depending on a
working bio_sprintf() implementation.

take care,
  Gerd

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Mar 22

[Michael D Kinney]

Hi Jiewen,

What is your assessment of the progress on Openssl 3.0 from a size perspective.

What is the goal and how close are we now?

Thanks,

Mike

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Li, Yi
> Sent: Wednesday, March 22, 2023 7:45 PM
> To: devel@edk2.groups.io
> Cc: Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Hou, Wenxing <wenxing.hou@intel.com>; Gerd Hoffmann
> <kraxel@redhat.com>
> Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Mar 22
> 
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/363
> 
> Latest size data:
> Binaries:
> 	CryptoDxeFull	1.70%	->	-1.6%	-17KB
> 	CryptoDxe		10.1%	->	8.3%	68KB
> 	CryptoSmm		8.20%	->	4.1%	23KB
> After LZMA:
> 	CryptoDxe		12.2%	->	11.20%	35KB
> 	CryptoSmm		12.8%	->	10.40%	22KB
> 	FV (Dxe+Smm)	15.4%	->	13.70%	49KB
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Wenxing Hou <wenxing.hou@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Yi Li <yi1.li@intel.com>
> 
> Yi Li (4):
>   bugfix: use null md5 onlyif no-md5 defined
>   CryptoPkg: remove unnecessary sig, ec and rsa prov
>   CryptoPkg: update openssl submodule
>   Readme: 0322 update
> 
>  CryptoPkg/Library/OpensslLib/HashNull.c       |  3 +
>  .../Library/OpensslLib/OpensslStub/uefiprov.c | 23 -------
>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
>  CryptoPkg/Readme-OpenSSL3.0.md                | 65 ++++++++++++++++---
>  4 files changed, 61 insertions(+), 32 deletions(-)
> 
> --
> 2.31.1.windows.1
> 
> 
> 
> 
> 

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

[Li, Yi]

Hi Gerd,

Thanks for review,

>> +### Level 2: A bit like workaround, with possibility of upstream to 
>> +openssl 1. Enable the legacy path for X509 pubkey decode and pmeth 
>> +initialization, The purpose is to avoid the use of EN/DECODE and Signature provider, will reduce size about 90KB.
>> +(commit: x509: enable legacy path in pub decode)
>> +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd6
>> +ef7045646ef0
>> +(commit: evp: enable legacy pmeth)
>> +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1bf
>> +e1d0263f074b

>I suspect that is not going to work well long-term, probably openssl will remove the code paths they consider being "legacy" at some point in the future.  Probably not 3.0.x but maybe in 3.1 branch.

Yes, I think in long-term the better way is to remove all legacy code paths, this will also help reduce the size.
The problem is that a large number of legacy APIs are currently used in the EDK2 code.
In the future, it may be a big update to throw all the legacy code.

>> +### Level 3: Totally workaround and hard to upstream to openssl, may 
>> +need scripts to apply them inside EDK2 1. Provider cut.
>> +(commit: CryptoPkg: add own openssl provider) 
>> +https://github.com/liyi77/edk2-staging/commit/c3a5b69d8a3465259cfdca8
>> +f38b0dc7683b3690e

>Allow people implement their own providers looks like an openssl feature to me.  So I don't think this will be a big problem to maintain, I expect they try to keep the interfaces stable to not break apps doing so.

>The only little detail we do differently here is to remove the default providers so LTO can actually remove the unused code.

>> +(commit: x509: remove print function 7KB)
>> +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e
>> +2955d7ff4306

>Did you double-check this doesn't break something?

>It did for me, due to some code in openssl depending on a working bio_sprintf() implementation.

I don't do any more test than unit test.
I am sick of this part, but I currently have no other way to reduce the size. I would like to drop those changes first if i find another way.

Regards,
Yi

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

[Yao, Jiewen]

We have 2 level APIs.

1) EDKII other code -> CryptoPkg.
2) CryptoPkg -> Openssl.

Current strategy of openssl 3.0 update is to keep both 1) and 2). That is minimal impact.

Do you think if we can keep 1) and only update 2) to use new API in openssl 3.0?



> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Li, Yi
> Sent: Friday, March 24, 2023 9:47 AM
> To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4]
> Readme: 0322 update
> 
> Hi Gerd,
> 
> Thanks for review,
> 
> >> +### Level 2: A bit like workaround, with possibility of upstream to
> >> +openssl 1. Enable the legacy path for X509 pubkey decode and pmeth
> >> +initialization, The purpose is to avoid the use of EN/DECODE and
> Signature provider, will reduce size about 90KB.
> >> +(commit: x509: enable legacy path in pub decode)
> >>
> +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd
> 6
> >> +ef7045646ef0
> >> +(commit: evp: enable legacy pmeth)
> >>
> +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1
> bf
> >> +e1d0263f074b
> 
> >I suspect that is not going to work well long-term, probably openssl will
> remove the code paths they consider being "legacy" at some point in the
> future.  Probably not 3.0.x but maybe in 3.1 branch.
> 
> Yes, I think in long-term the better way is to remove all legacy code paths,
> this will also help reduce the size.
> The problem is that a large number of legacy APIs are currently used in the
> EDK2 code.
> In the future, it may be a big update to throw all the legacy code.
> 
> >> +### Level 3: Totally workaround and hard to upstream to openssl, may
> >> +need scripts to apply them inside EDK2 1. Provider cut.
> >> +(commit: CryptoPkg: add own openssl provider)
> >> +https://github.com/liyi77/edk2-
> staging/commit/c3a5b69d8a3465259cfdca8
> >> +f38b0dc7683b3690e
> 
> >Allow people implement their own providers looks like an openssl feature to
> me.  So I don't think this will be a big problem to maintain, I expect they try
> to keep the interfaces stable to not break apps doing so.
> 
> >The only little detail we do differently here is to remove the default
> providers so LTO can actually remove the unused code.
> 
> >> +(commit: x509: remove print function 7KB)
> >>
> +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e
> >> +2955d7ff4306
> 
> >Did you double-check this doesn't break something?
> 
> >It did for me, due to some code in openssl depending on a working
> bio_sprintf() implementation.
> 
> I don't do any more test than unit test.
> I am sick of this part, but I currently have no other way to reduce the size. I
> would like to drop those changes first if i find another way.
> 
> Regards,
> Yi
> 
> 
> 
> 
> 

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

[Li, Yi]

Not easy, I have tried to update, but blocked at the RSA and MAC part, there will be many strange problems such as:
the context generated by RsaNew and RsaSetKey cannot be used for sign/verify, 
the hmac_duplicate (*src,*dst) function needs to expose the openssl structure details...
https://github.com/liyi77/libspdm/tree/openssl-3-rsa
https://github.com/liyi77/libspdm/tree/openssl-3-work-mac

I didn't have enough time to debug it.

Even if the API is updated, we still need to delete legacy code inside openssl to reduce size.

Regards,
Yi

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com> 
Sent: Friday, March 24, 2023 2:11 PM
To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>; Gerd Hoffmann <kraxel@redhat.com>
Subject: RE: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

We have 2 level APIs.

1) EDKII other code -> CryptoPkg.
2) CryptoPkg -> Openssl.

Current strategy of openssl 3.0 update is to keep both 1) and 2). That is minimal impact.

Do you think if we can keep 1) and only update 2) to use new API in openssl 3.0?



> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Li, Yi
> Sent: Friday, March 24, 2023 9:47 AM
> To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4]
> Readme: 0322 update
> 
> Hi Gerd,
> 
> Thanks for review,
> 
> >> +### Level 2: A bit like workaround, with possibility of upstream 
> >> +to openssl 1. Enable the legacy path for X509 pubkey decode and 
> >> +pmeth initialization, The purpose is to avoid the use of EN/DECODE 
> >> +and
> Signature provider, will reduce size about 90KB.
> >> +(commit: x509: enable legacy path in pub decode)
> >>
> +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd
> 6
> >> +ef7045646ef0
> >> +(commit: evp: enable legacy pmeth)
> >>
> +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1
> bf
> >> +e1d0263f074b
> 
> >I suspect that is not going to work well long-term, probably openssl 
> >will
> remove the code paths they consider being "legacy" at some point in 
> the future.  Probably not 3.0.x but maybe in 3.1 branch.
> 
> Yes, I think in long-term the better way is to remove all legacy code 
> paths, this will also help reduce the size.
> The problem is that a large number of legacy APIs are currently used 
> in the
> EDK2 code.
> In the future, it may be a big update to throw all the legacy code.
> 
> >> +### Level 3: Totally workaround and hard to upstream to openssl, 
> >> +may need scripts to apply them inside EDK2 1. Provider cut.
> >> +(commit: CryptoPkg: add own openssl provider)
> >> +https://github.com/liyi77/edk2-
> staging/commit/c3a5b69d8a3465259cfdca8
> >> +f38b0dc7683b3690e
> 
> >Allow people implement their own providers looks like an openssl 
> >feature to
> me.  So I don't think this will be a big problem to maintain, I expect 
> they try to keep the interfaces stable to not break apps doing so.
> 
> >The only little detail we do differently here is to remove the 
> >default
> providers so LTO can actually remove the unused code.
> 
> >> +(commit: x509: remove print function 7KB)
> >>
> +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e
> >> +2955d7ff4306
> 
> >Did you double-check this doesn't break something?
> 
> >It did for me, due to some code in openssl depending on a working
> bio_sprintf() implementation.
> 
> I don't do any more test than unit test.
> I am sick of this part, but I currently have no other way to reduce 
> the size. I would like to drop those changes first if i find another way.
> 
> Regards,
> Yi
> 
> 
> 
> 
> 

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

[Yao, Jiewen]

Thanks. That means we need revisit the API in crypto library.

The original idea of crypt API is suitable for all crypto implementation.
But if they cannot be implemented with opensssl 3.0 mode,  the crypto API design is problematic... Sigh...



> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Friday, March 24, 2023 3:51 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Gerd
> Hoffmann <kraxel@redhat.com>
> Subject: RE: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4]
> Readme: 0322 update
> 
> Not easy, I have tried to update, but blocked at the RSA and MAC part, there
> will be many strange problems such as:
> the context generated by RsaNew and RsaSetKey cannot be used for
> sign/verify,
> the hmac_duplicate (*src,*dst) function needs to expose the openssl
> structure details...
> https://github.com/liyi77/libspdm/tree/openssl-3-rsa
> https://github.com/liyi77/libspdm/tree/openssl-3-work-mac
> 
> I didn't have enough time to debug it.
> 
> Even if the API is updated, we still need to delete legacy code inside openssl
> to reduce size.
> 
> Regards,
> Yi
> 
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Friday, March 24, 2023 2:11 PM
> To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>; Gerd Hoffmann
> <kraxel@redhat.com>
> Subject: RE: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4]
> Readme: 0322 update
> 
> We have 2 level APIs.
> 
> 1) EDKII other code -> CryptoPkg.
> 2) CryptoPkg -> Openssl.
> 
> Current strategy of openssl 3.0 update is to keep both 1) and 2). That is
> minimal impact.
> 
> Do you think if we can keep 1) and only update 2) to use new API in openssl
> 3.0?
> 
> 
> 
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Li, Yi
> > Sent: Friday, March 24, 2023 9:47 AM
> > To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> > Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4]
> > Readme: 0322 update
> >
> > Hi Gerd,
> >
> > Thanks for review,
> >
> > >> +### Level 2: A bit like workaround, with possibility of upstream
> > >> +to openssl 1. Enable the legacy path for X509 pubkey decode and
> > >> +pmeth initialization, The purpose is to avoid the use of EN/DECODE
> > >> +and
> > Signature provider, will reduce size about 90KB.
> > >> +(commit: x509: enable legacy path in pub decode)
> > >>
> >
> +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd
> > 6
> > >> +ef7045646ef0
> > >> +(commit: evp: enable legacy pmeth)
> > >>
> >
> +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1
> > bf
> > >> +e1d0263f074b
> >
> > >I suspect that is not going to work well long-term, probably openssl
> > >will
> > remove the code paths they consider being "legacy" at some point in
> > the future.  Probably not 3.0.x but maybe in 3.1 branch.
> >
> > Yes, I think in long-term the better way is to remove all legacy code
> > paths, this will also help reduce the size.
> > The problem is that a large number of legacy APIs are currently used
> > in the
> > EDK2 code.
> > In the future, it may be a big update to throw all the legacy code.
> >
> > >> +### Level 3: Totally workaround and hard to upstream to openssl,
> > >> +may need scripts to apply them inside EDK2 1. Provider cut.
> > >> +(commit: CryptoPkg: add own openssl provider)
> > >> +https://github.com/liyi77/edk2-
> > staging/commit/c3a5b69d8a3465259cfdca8
> > >> +f38b0dc7683b3690e
> >
> > >Allow people implement their own providers looks like an openssl
> > >feature to
> > me.  So I don't think this will be a big problem to maintain, I expect
> > they try to keep the interfaces stable to not break apps doing so.
> >
> > >The only little detail we do differently here is to remove the
> > >default
> > providers so LTO can actually remove the unused code.
> >
> > >> +(commit: x509: remove print function 7KB)
> > >>
> >
> +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e
> > >> +2955d7ff4306
> >
> > >Did you double-check this doesn't break something?
> >
> > >It did for me, due to some code in openssl depending on a working
> > bio_sprintf() implementation.
> >
> > I don't do any more test than unit test.
> > I am sick of this part, but I currently have no other way to reduce
> > the size. I would like to drop those changes first if i find another way.
> >
> > Regards,
> > Yi
> >
> >
> >
> > 
> >

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl 3.0 POC update Mar 22

[Yao, Jiewen]

I think we almost finished POC.

My feeling for the final openssl 3.0 size increasement would be 10% ~ 20%, based upon how many patch we can upstream to openssl community.




> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Friday, March 24, 2023 12:00 AM
> To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Hou, Wenxing
> <wenxing.hou@intel.com>; Gerd Hoffmann <kraxel@redhat.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>
> Subject: RE: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 0/4]
> Openssl 3.0 POC update Mar 22
> 
> Hi Jiewen,
> 
> What is your assessment of the progress on Openssl 3.0 from a size
> perspective.
> 
> What is the goal and how close are we now?
> 
> Thanks,
> 
> Mike
> 
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Li, Yi
> > Sent: Wednesday, March 22, 2023 7:45 PM
> > To: devel@edk2.groups.io
> > Cc: Li, Yi1 <yi1.li@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Hou,
> Wenxing <wenxing.hou@intel.com>; Gerd Hoffmann
> > <kraxel@redhat.com>
> > Subject: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 0/4] Openssl
> 3.0 POC update Mar 22
> >
> > Please check the patch series if interested.
> > PR: https://github.com/tianocore/edk2-staging/pull/363
> >
> > Latest size data:
> > Binaries:
> > 	CryptoDxeFull	1.70%	->	-1.6%	-17KB
> > 	CryptoDxe		10.1%	->	8.3%	68KB
> > 	CryptoSmm		8.20%	->	4.1%	23KB
> > After LZMA:
> > 	CryptoDxe		12.2%	->	11.20%	35KB
> > 	CryptoSmm		12.8%	->	10.40%	22KB
> > 	FV (Dxe+Smm)	15.4%	->	13.70%	49KB
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Wenxing Hou <wenxing.hou@intel.com>
> > Cc: Gerd Hoffmann <kraxel@redhat.com>
> > Signed-off-by: Yi Li <yi1.li@intel.com>
> >
> > Yi Li (4):
> >   bugfix: use null md5 onlyif no-md5 defined
> >   CryptoPkg: remove unnecessary sig, ec and rsa prov
> >   CryptoPkg: update openssl submodule
> >   Readme: 0322 update
> >
> >  CryptoPkg/Library/OpensslLib/HashNull.c       |  3 +
> >  .../Library/OpensslLib/OpensslStub/uefiprov.c | 23 -------
> >  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
> >  CryptoPkg/Readme-OpenSSL3.0.md                | 65 ++++++++++++++++---
> >  4 files changed, 61 insertions(+), 32 deletions(-)
> >
> > --
> > 2.31.1.windows.1
> >
> >
> >
> > 
> >