From: "Li, Yi" To: devel@edk2.groups.io Cc: Yi Li Subject: [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update Date: Thu, 23 Mar 2023 10:44:36 +0800 Message-Id: <99a218c205bcc4ddc7ef48ef875dc9361e53926f.1679537389.git.yi1.li@intel.com> X-Mailer: git-send-email 2.31.1.windows.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Signed-off-by: Yi Li --- CryptoPkg/Readme-OpenSSL3.0.md | 65 +++++++++++++++++++++++++++++----- 1 file changed, 57 insertions(+), 8 deletions(-) diff --git a/CryptoPkg/Readme-OpenSSL3.0.md b/CryptoPkg/Readme-OpenSSL3.0.md index 85ed37b61d..fc5d24d074 100644 --- a/CryptoPkg/Readme-OpenSSL3.0.md +++ b/CryptoPkg/Readme-OpenSSL3.0.md @@ -17,19 +17,26 @@ The branch owner: Li Yi ## Latest update Will update latest result here (Build based on Intel platform). +Binaries mode (use crypto drivers) | Driver | 1.1.1 | 3.0 | percent | |-----------------|------------|------------|------------| |CryptoPei | 386 | 398 | 3.1% | |CryptoPeiPreMem | 31 | 31 | 0% | -|CryptoDxeFull | 1014 | 1031 | 1.7% | -|CryptoDxe | 804 | 886 | 10.1% | -|CryptoSmm | 558 | 604 | 8.2% | - +|CryptoDxeFull | 1014 | 997 | -1.6% | +|CryptoDxe | 804 | 871 | 8.3% | +|CryptoSmm | 558 | 581 | 4.1% | + | LZMA Compressed | 1.1.1 | 3.0 | percent | |-----------------|------------|------------|------------| -|CryptoDxe | 311 | 350 | 12.2% | -|CryptoSmm | 211 | 238 | 12.8% | -|FV (Dxe+Smm) | 357 | 412 | 15.4% | +|CryptoDxe | 311 | 346 | 11.2% | +|CryptoSmm | 211 | 233 | 10.4% | +|FV (Dxe+Smm) | 357 | 406 | 13.7% | + +Library mode (use crypto library) +| Driver | 1.1.1 | 3.0 | delta | +|--------------------|------------|------------|------------| +| FV | 2377 | 2639 | 262 | +|SecurityStubDxe.efi | 562 | 605 | 43 | ## Limitation 
@@ -49,7 +56,7 @@ More complex API: There will be two code paths supporting 1.1.1 legacy and 3.0 p ### 1.Cut Provider As CryptoPkg\Library\OpensslLib\OpensslStub\uefiprov.c -### Remove unnecessary module +### 2.Remove unnecessary module SM2, SM3 - 12KB, MD5 - 8KB, 
@@ -105,5 +112,47 @@ remove unused bio prov - 4KB #### Risk: This is workaround. +## Openssl code change summary +### Level 1: Reasonable changes to reduce size +1. Add macro such like OPENSSL_NO_ECX OPENSSL_NO_ECD to remove ecx and ecd feature, +will reduce size about 104KB. +(commit: ec: disable ecx and ecd) +https://github.com/liyi77/openssl/commit/2b0a888c3623e1dc0637fbe0c5dcc1211b4d0545 + +2. Avoid build error when sm3 disabled. +(commit: sm3: avoid build error after sm3 disabled) +https://github.com/liyi77/openssl/commit/df92e440e45667da6ca1f9013f015e6d18981f2e + +### Level 2: A bit like workaround, with possibility of upstream to openssl +1. Enable the legacy path for X509 pubkey decode and pmeth initialization, +The purpose is to avoid the use of EN/DECODE and Signature provider, will reduce size about 90KB. +(commit: x509: enable legacy path in pub decode) +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd6ef7045646ef0 +(commit: evp: enable legacy pmeth) +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1bfe1d0263f074b + +2. Add 'type' field back to enable OPENSSL_NO_AUTOALGINIT, will reduce size about 27KB. +issue: https://github.com/openssl/openssl/issues/20221 +(commit: evp: add type filed back) +https://github.com/liyi77/openssl/commit/9c68a18a3a1967baf8d93eacadac9f0e14523715 + +### Level 3: Totally workaround and hard to upstream to openssl, may need scripts to apply them inside EDK2 +1. Provider cut. +(commit: CryptoPkg: add own openssl provider) +https://github.com/liyi77/edk2-staging/commit/c3a5b69d8a3465259cfdca8f38b0dc7683b3690e + +2. Cut Name/NID mapping, will reduce size about 70KB. +(commit: CryptoPkg: trim obj_dat.h) +https://github.com/liyi77/edk2-staging/commit/6874485ebf89959953f7094990c7123e19748527 + +3. Cut unnecessary API in structure. 
+(commit: evp: cut bio_enc func 3KB) +https://github.com/liyi77/openssl/commit/3a2331133c2e3bda3e9bdb861ea97e5d3969fb2d +(commit: x509: remove print function 7KB) +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e2955d7ff4306 +(commit: rsa: remove unused rsa ameth 7KB) +https://github.com/liyi77/openssl/commit/8488c75701cdd5e626785e6d9d002f6fb30ae0ff +(commit: x509: remove unused extentions 19KB) +https://github.com/liyi77/openssl/commit/c27b3428708eb240b626946ce10d4219806d8adf ## Timeline Target for 2023 Q1 \ No newline at end of file -- 2.31.1.windows.1
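Review bot: In the first hunk (`@@ -17,19 +17,26 @@`), the new "Library mode" table reports an absolute `delta` (262, 43) while the two "Binaries mode" tables report `percent`, and no column in any of the three tables names a unit, so the results cannot be compared directly. Suggest putting the unit in the column headers (the rest of the Readme quotes sizes in KB) and giving both delta and percent in every table. Also, CryptoDxeFull going from 1014 to 997 is -1.7% when rounded, where the table has -1.6%; pick rounding or truncation and apply it to every row. A blank line after the "Binaries mode (use crypto drivers)" and "Library mode (use crypto library)" captions would keep each caption separate from the table that follows it.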
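Review bot: In the last hunk (`@@ -105,5 +112,47 @@`), the new "Openssl code change summary" gives a size saving for most items but no risk statement for any of them, although the section just above it ends with `#### Risk: This is workaround.` Several Level 2 and Level 3 items change certificate and key handling ("x509: enable legacy path in pub decode", "evp: enable legacy pmeth", "x509: remove unused extentions 19KB"), so each should say which code path is taken after the change and how it was tested; for the extensions commit, list the extensions that were removed so a reader can check them against the certificates the firmware has to verify. The links point at commits in the `liyi77/openssl` and `liyi77/edk2-staging` forks; recording the upstream OpenSSL version those commits are based on would keep the list usable if the branches are rebased. Minor: "such like" should read "such as", the new `## Openssl code change summary` heading needs a blank line before it, and the file still ends without a newline.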