* [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
@ 2021-10-12  5:38 Vineel Kovvuri
  2021-10-12  5:38 ` [PATCH 2/2] Allow wildcards in hostname Vineel Kovvuri
                   ` (2 more replies)
  0 siblings, 3 replies; 36+ messages in thread
From: Vineel Kovvuri @ 2021-10-12  5:38 UTC (permalink / raw)
  To: devel, jiewen.yao, sean.brogan, bret.barkelew, Michael.Turner
  Cc: Vineel Kovvuri

This commit is a cherry pick of project mu's commit
https://github.com/microsoft/mu_tiano_plus/commit/1f3b135ddc821718a78c352316197889c5d3e0c2

Reconfigure OpensslLib to add elliptic curve cipher algorithms.
The only file manually changed is process_files.pl.
Running the script changes the other three files.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
 .../Library/Include/openssl/opensslconf.h     | 25 ++--------
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
 .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
 CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
 4 files changed, 105 insertions(+), 21 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index b8d59aebe8..09a6641ffc 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -55,9 +55,6 @@ extern "C" {
 #ifndef OPENSSL_NO_DSA
 # define OPENSSL_NO_DSA
 #endif
-#ifndef OPENSSL_NO_EC
-# define OPENSSL_NO_EC
-#endif
 #ifndef OPENSSL_NO_IDEA
 # define OPENSSL_NO_IDEA
 #endif
@@ -88,9 +85,6 @@ extern "C" {
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
-#ifndef OPENSSL_NO_SM2
-# define OPENSSL_NO_SM2
-#endif
 #ifndef OPENSSL_NO_SRP
 # define OPENSSL_NO_SRP
 #endif
@@ -154,12 +148,6 @@ extern "C" {
 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 # define OPENSSL_NO_EC_NISTP_64_GCC_128
 #endif
-#ifndef OPENSSL_NO_ECDH
-# define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-# define OPENSSL_NO_ECDSA
-#endif
 #ifndef OPENSSL_NO_EGD
 # define OPENSSL_NO_EGD
 #endif
@@ -226,9 +214,6 @@ extern "C" {
 #ifndef OPENSSL_NO_TESTS
 # define OPENSSL_NO_TESTS
 #endif
-#ifndef OPENSSL_NO_TLS1_3
-# define OPENSSL_NO_TLS1_3
-#endif
 #ifndef OPENSSL_NO_UBSAN
 # define OPENSSL_NO_UBSAN
 #endif
@@ -265,11 +250,11 @@ extern "C" {
 #   undef DECLARE_DEPRECATED
 #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
 #  endif
-#elif defined(__SUNPRO_C)
-#if (__SUNPRO_C >= 0x5130)
-#undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
-#endif
+# elif defined(__SUNPRO_C)
+#  if (__SUNPRO_C >= 0x5130)
+#   undef DECLARE_DEPRECATED
+#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
+#  endif
 # endif
 #endif
 
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d84bde056a..bd3d9cc90f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,6 +199,43 @@
   $(OPENSSL_PATH)/crypto/dso/dso_vms.c
   $(OPENSSL_PATH)/crypto/dso/dso_win32.c
   $(OPENSSL_PATH)/crypto/ebcdic.c
+  $(OPENSSL_PATH)/crypto/ec/curve25519.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+  $(OPENSSL_PATH)/crypto/ec/ec_check.c
+  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+  $(OPENSSL_PATH)/crypto/ec/ec_err.c
+  $(OPENSSL_PATH)/crypto/ec/ec_key.c
+  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_print.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
   $(OPENSSL_PATH)/crypto/err/err.c
   $(OPENSSL_PATH)/crypto/err/err_prn.c
   $(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
   $(OPENSSL_PATH)/crypto/siphash/siphash.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
   $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
   $(OPENSSL_PATH)/crypto/sm3/sm3.c
   $(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
   $(OPENSSL_PATH)/crypto/conf/conf_local.h
   $(OPENSSL_PATH)/crypto/dh/dh_local.h
   $(OPENSSL_PATH)/crypto/dso/dso_local.h
+  $(OPENSSL_PATH)/crypto/ec/ec_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
   $(OPENSSL_PATH)/crypto/evp/evp_local.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index cdeed0d073..38ccf1a5b6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,6 +199,43 @@
   $(OPENSSL_PATH)/crypto/dso/dso_vms.c
   $(OPENSSL_PATH)/crypto/dso/dso_win32.c
   $(OPENSSL_PATH)/crypto/ebcdic.c
+  $(OPENSSL_PATH)/crypto/ec/curve25519.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+  $(OPENSSL_PATH)/crypto/ec/ec_check.c
+  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+  $(OPENSSL_PATH)/crypto/ec/ec_err.c
+  $(OPENSSL_PATH)/crypto/ec/ec_key.c
+  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_print.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
   $(OPENSSL_PATH)/crypto/err/err.c
   $(OPENSSL_PATH)/crypto/err/err_prn.c
   $(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
   $(OPENSSL_PATH)/crypto/siphash/siphash.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
   $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
   $(OPENSSL_PATH)/crypto/sm3/sm3.c
   $(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
   $(OPENSSL_PATH)/crypto/conf/conf_local.h
   $(OPENSSL_PATH)/crypto/dh/dh_local.h
   $(OPENSSL_PATH)/crypto/dso/dso_local.h
+  $(OPENSSL_PATH)/crypto/ec/ec_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
   $(OPENSSL_PATH)/crypto/evp/evp_local.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 42bff05fa6..2ebfbbbca0 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -169,7 +169,6 @@ BEGIN {
                 "no-dgram",
                 "no-dsa",
                 "no-dynamic-engine",
-                "no-ec",
                 "no-ec2m",
                 "no-engine",
                 "no-err",
-- 
2.17.1



* [PATCH 2/2] Allow wildcards in hostname
  2021-10-12  5:38 [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Vineel Kovvuri
@ 2021-10-12  5:38 ` Vineel Kovvuri
  2021-10-13  2:50   ` Yao, Jiewen
  2021-10-13  2:45 ` [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Yao, Jiewen
  2021-10-17  2:49 ` Yao, Jiewen
  2 siblings, 1 reply; 36+ messages in thread
From: Vineel Kovvuri @ 2021-10-12  5:38 UTC (permalink / raw)
  To: devel, jiewen.yao, sean.brogan, bret.barkelew, Michael.Turner
  Cc: Vineel Kovvuri

This PR is cherry-picked from
https://github.com/microsoft/mu_basecore/commit/d0c7733400c35722499eedcd4279042a9bcb0eb4

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
 NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession (
   //
   HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
   HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
-  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
+  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
   HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
   HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
 
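Review bot: `EFI_TLS_VERIFY_FLAG_NONE` on the `VerifyHost.Flags` line relaxes host matching further than the subject "Allow wildcards in hostname" requires: with no flags set, partial wildcards such as `f*.example.com` (a constructed example) would presumably match as well, since these flags appear to mirror OpenSSL's X509_check_host options. If only whole-label wildcard certificates are needed, `HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS;` keeps the match tighter. The line also deserves a comment recording the reason, e.g. `// Wildcard certificates are accepted for <use case>; partial wildcards stay rejected.` TlsConfigureSession starts and ends outside this hunk, so how the flags are consumed is not visible here.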
-- 
2.17.1



* Re: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-10-12  5:38 [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Vineel Kovvuri
  2021-10-12  5:38 ` [PATCH 2/2] Allow wildcards in hostname Vineel Kovvuri
@ 2021-10-13  2:45 ` Yao, Jiewen
  2021-10-17  2:49 ` Yao, Jiewen
  2 siblings, 0 replies; 36+ messages in thread
From: Yao, Jiewen @ 2021-10-13  2:45 UTC (permalink / raw)
  To: Vineel Kovvuri, devel@edk2.groups.io, sean.brogan@microsoft.com,
	bret.barkelew@microsoft.com, Michael.Turner@microsoft.com
  Cc: Vineel Kovvuri

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>


> -----Original Message-----
> From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> Sent: Tuesday, October 12, 2021 1:38 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
> Michael.Turner@microsoft.com
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher
> algorithms
> 
> This commit is a cherry pick of project mu's commit
> https://github.com/microsoft/mu_tiano_plus/commit/1f3b135ddc821718a78c3
> 52316197889c5d3e0c2
> 
> Reconfigure OpensslLib to add elliptic curve chipher algorithms.
> The only file manually changed is process_files.pl.
> Running the script changes the other three files.
> 
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  .../Library/Include/openssl/opensslconf.h     | 25 ++--------
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
>  .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
>  CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
>  4 files changed, 105 insertions(+), 21 deletions(-)
> 
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index b8d59aebe8..09a6641ffc 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -55,9 +55,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_DSA
>  # define OPENSSL_NO_DSA
>  #endif
> -#ifndef OPENSSL_NO_EC
> -# define OPENSSL_NO_EC
> -#endif
>  #ifndef OPENSSL_NO_IDEA
>  # define OPENSSL_NO_IDEA
>  #endif
> @@ -88,9 +85,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_SEED
>  # define OPENSSL_NO_SEED
>  #endif
> -#ifndef OPENSSL_NO_SM2
> -# define OPENSSL_NO_SM2
> -#endif
>  #ifndef OPENSSL_NO_SRP
>  # define OPENSSL_NO_SRP
>  #endif
> @@ -154,12 +148,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
>  # define OPENSSL_NO_EC_NISTP_64_GCC_128
>  #endif
> -#ifndef OPENSSL_NO_ECDH
> -# define OPENSSL_NO_ECDH
> -#endif
> -#ifndef OPENSSL_NO_ECDSA
> -# define OPENSSL_NO_ECDSA
> -#endif
>  #ifndef OPENSSL_NO_EGD
>  # define OPENSSL_NO_EGD
>  #endif
> @@ -226,9 +214,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_TESTS
>  # define OPENSSL_NO_TESTS
>  #endif
> -#ifndef OPENSSL_NO_TLS1_3
> -# define OPENSSL_NO_TLS1_3
> -#endif
>  #ifndef OPENSSL_NO_UBSAN
>  # define OPENSSL_NO_UBSAN
>  #endif
> @@ -265,11 +250,11 @@ extern "C" {
>  #   undef DECLARE_DEPRECATED
>  #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
>  #  endif
> -#elif defined(__SUNPRO_C)
> -#if (__SUNPRO_C >= 0x5130)
> -#undef DECLARE_DEPRECATED
> -#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> -#endif
> +# elif defined(__SUNPRO_C)
> +#  if (__SUNPRO_C >= 0x5130)
> +#   undef DECLARE_DEPRECATED
> +#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> +#  endif
>  # endif
>  #endif
> 
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index d84bde056a..bd3d9cc90f 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -199,6 +199,43 @@
>    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
>    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
>    $(OPENSSL_PATH)/crypto/ebcdic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
>    $(OPENSSL_PATH)/crypto/err/err.c
>    $(OPENSSL_PATH)/crypto/err/err_prn.c
>    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> @@ -384,6 +421,10 @@
>    $(OPENSSL_PATH)/crypto/siphash/siphash.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
>    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>    $(OPENSSL_PATH)/crypto/sm3/sm3.c
>    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> @@ -496,6 +537,15 @@
>    $(OPENSSL_PATH)/crypto/conf/conf_local.h
>    $(OPENSSL_PATH)/crypto/dh/dh_local.h
>    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_local.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index cdeed0d073..38ccf1a5b6 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -199,6 +199,43 @@
>    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
>    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
>    $(OPENSSL_PATH)/crypto/ebcdic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
>    $(OPENSSL_PATH)/crypto/err/err.c
>    $(OPENSSL_PATH)/crypto/err/err_prn.c
>    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> @@ -384,6 +421,10 @@
>    $(OPENSSL_PATH)/crypto/siphash/siphash.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
>    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>    $(OPENSSL_PATH)/crypto/sm3/sm3.c
>    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> @@ -496,6 +537,15 @@
>    $(OPENSSL_PATH)/crypto/conf/conf_local.h
>    $(OPENSSL_PATH)/crypto/dh/dh_local.h
>    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_local.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> b/CryptoPkg/Library/OpensslLib/process_files.pl
> index 42bff05fa6..2ebfbbbca0 100755
> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> @@ -169,7 +169,6 @@ BEGIN {
>                  "no-dgram",
>                  "no-dsa",
>                  "no-dynamic-engine",
> -                "no-ec",
>                  "no-ec2m",
>                  "no-engine",
>                  "no-err",
> --
> 2.17.1



* Re: [PATCH 2/2] Allow wildcards in hostname
  2021-10-12  5:38 ` [PATCH 2/2] Allow wildcards in hostname Vineel Kovvuri
@ 2021-10-13  2:50   ` Yao, Jiewen
  0 siblings, 0 replies; 36+ messages in thread
From: Yao, Jiewen @ 2021-10-13  2:50 UTC (permalink / raw)
  To: Vineel Kovvuri, devel@edk2.groups.io, sean.brogan@microsoft.com,
	bret.barkelew@microsoft.com, Michael.Turner@microsoft.com
  Cc: Vineel Kovvuri

It seems the Bugzilla only describes the ECC change, but gives not much info on why we need to allow wildcards in the hostname.

The git log in mu is also unclear to me - "This enables certain local network recovery stories. May re-evaluate as those stories change. "

I am OK with ECC change, and give R-B.

But I would like to understand more on why we need allow wildcards in general. What are the stories?

If this is only for "recovery stories", should we also allow wildcards in recovery boot path?

For example, should we have a PCD to platform owner make decision? E.g. normal boot - NO. recovery boot - YES ?

Thank you
Yao Jiewen



> -----Original Message-----
> From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> Sent: Tuesday, October 12, 2021 1:38 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
> Michael.Turner@microsoft.com
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [PATCH 2/2] Allow wildcards in hostname
> 
> This PR is cherry-picked from
> https://github.com/microsoft/mu_basecore/commit/d0c7733400c35722499ee
> dcd4279042a9bcb0eb4
> 
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>    //
>    HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>    HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NONE;
>    HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
>    HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
> 
> --
> 2.17.1



* Re: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-10-12  5:38 [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Vineel Kovvuri
  2021-10-12  5:38 ` [PATCH 2/2] Allow wildcards in hostname Vineel Kovvuri
  2021-10-13  2:45 ` [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Yao, Jiewen
@ 2021-10-17  2:49 ` Yao, Jiewen
  2021-10-18 20:06   ` vineelko
  2 siblings, 1 reply; 36+ messages in thread
From: Yao, Jiewen @ 2021-10-17  2:49 UTC (permalink / raw)
  To: Vineel Kovvuri, devel@edk2.groups.io, sean.brogan@microsoft.com,
	bret.barkelew@microsoft.com, Michael.Turner@microsoft.com
  Cc: Vineel Kovvuri

Hi
This patch fails in the P-R - https://github.com/tianocore/edk2/pull/2073. Please double check.

You are encouraged to try the P-R yourself before submitting the patch.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> Sent: Tuesday, October 12, 2021 1:38 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
> Michael.Turner@microsoft.com
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher
> algorithms
> 
> This commit is a cherry pick of project mu's commit
> https://github.com/microsoft/mu_tiano_plus/commit/1f3b135ddc821718a78c3
> 52316197889c5d3e0c2
> 
> Reconfigure OpensslLib to add elliptic curve chipher algorithms.
> The only file manually changed is process_files.pl.
> Running the script changes the other three files.
> 
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  .../Library/Include/openssl/opensslconf.h     | 25 ++--------
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
>  .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
>  CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
>  4 files changed, 105 insertions(+), 21 deletions(-)
> 
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index b8d59aebe8..09a6641ffc 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -55,9 +55,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_DSA
>  # define OPENSSL_NO_DSA
>  #endif
> -#ifndef OPENSSL_NO_EC
> -# define OPENSSL_NO_EC
> -#endif
>  #ifndef OPENSSL_NO_IDEA
>  # define OPENSSL_NO_IDEA
>  #endif
> @@ -88,9 +85,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_SEED
>  # define OPENSSL_NO_SEED
>  #endif
> -#ifndef OPENSSL_NO_SM2
> -# define OPENSSL_NO_SM2
> -#endif
>  #ifndef OPENSSL_NO_SRP
>  # define OPENSSL_NO_SRP
>  #endif
> @@ -154,12 +148,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
>  # define OPENSSL_NO_EC_NISTP_64_GCC_128
>  #endif
> -#ifndef OPENSSL_NO_ECDH
> -# define OPENSSL_NO_ECDH
> -#endif
> -#ifndef OPENSSL_NO_ECDSA
> -# define OPENSSL_NO_ECDSA
> -#endif
>  #ifndef OPENSSL_NO_EGD
>  # define OPENSSL_NO_EGD
>  #endif
> @@ -226,9 +214,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_TESTS
>  # define OPENSSL_NO_TESTS
>  #endif
> -#ifndef OPENSSL_NO_TLS1_3
> -# define OPENSSL_NO_TLS1_3
> -#endif
>  #ifndef OPENSSL_NO_UBSAN
>  # define OPENSSL_NO_UBSAN
>  #endif
> @@ -265,11 +250,11 @@ extern "C" {
>  #   undef DECLARE_DEPRECATED
>  #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
>  #  endif
> -#elif defined(__SUNPRO_C)
> -#if (__SUNPRO_C >= 0x5130)
> -#undef DECLARE_DEPRECATED
> -#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> -#endif
> +# elif defined(__SUNPRO_C)
> +#  if (__SUNPRO_C >= 0x5130)
> +#   undef DECLARE_DEPRECATED
> +#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> +#  endif
>  # endif
>  #endif
> 
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index d84bde056a..bd3d9cc90f 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -199,6 +199,43 @@
>    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
>    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
>    $(OPENSSL_PATH)/crypto/ebcdic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
>    $(OPENSSL_PATH)/crypto/err/err.c
>    $(OPENSSL_PATH)/crypto/err/err_prn.c
>    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> @@ -384,6 +421,10 @@
>    $(OPENSSL_PATH)/crypto/siphash/siphash.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
>    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>    $(OPENSSL_PATH)/crypto/sm3/sm3.c
>    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> @@ -496,6 +537,15 @@
>    $(OPENSSL_PATH)/crypto/conf/conf_local.h
>    $(OPENSSL_PATH)/crypto/dh/dh_local.h
>    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_local.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index cdeed0d073..38ccf1a5b6 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -199,6 +199,43 @@
>    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
>    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
>    $(OPENSSL_PATH)/crypto/ebcdic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
>    $(OPENSSL_PATH)/crypto/err/err.c
>    $(OPENSSL_PATH)/crypto/err/err_prn.c
>    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> @@ -384,6 +421,10 @@
>    $(OPENSSL_PATH)/crypto/siphash/siphash.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
>    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>    $(OPENSSL_PATH)/crypto/sm3/sm3.c
>    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> @@ -496,6 +537,15 @@
>    $(OPENSSL_PATH)/crypto/conf/conf_local.h
>    $(OPENSSL_PATH)/crypto/dh/dh_local.h
>    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_local.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> b/CryptoPkg/Library/OpensslLib/process_files.pl
> index 42bff05fa6..2ebfbbbca0 100755
> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> @@ -169,7 +169,6 @@ BEGIN {
>                  "no-dgram",
>                  "no-dsa",
>                  "no-dynamic-engine",
> -                "no-ec",
>                  "no-ec2m",
>                  "no-engine",
>                  "no-err",
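Review bot: Dropping `"no-ec",` from the Configure option list in `process_files.pl` enables more than the commit message describes: the regenerated `opensslconf.h` in this same patch also stops defining `OPENSSL_NO_SM2` and `OPENSSL_NO_TLS1_3`, and both `.inf` files gain the `crypto/sm2/*.c`, `curve25519.c` and `curve448` sources. If only ECDH/ECDSA support is wanted, add an explicit `"no-sm2",` entry alongside the remaining `no-*` options, and state in the commit message that TLS 1.3 becomes enabled as a side effect (presumably Configure had disabled it only as a dependent of EC). Each algorithm that is compiled in becomes pre-boot code reachable from certificate and TLS handshake parsing, so the enabled set should be chosen on purpose rather than inherited from one removed flag. The option list starts and ends outside this hunk, so where the new entry belongs has to be checked against the full file.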
> --
> 2.17.1



* Re: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-10-17  2:49 ` Yao, Jiewen
@ 2021-10-18 20:06   ` vineelko
  2021-11-03  0:37     ` Yao, Jiewen
  0 siblings, 1 reply; 36+ messages in thread
From: vineelko @ 2021-10-18 20:06 UTC (permalink / raw)
  To: Yao, Jiewen, Vineel Kovvuri, devel@edk2.groups.io, Sean Brogan,
	Bret Barkelew, Mike Turner
  Cc: Jancarlo Perez

Hi Jiewen,

Sorry for the build break. I will fix this locally and send you the patch.

Thanks,
Vineel

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com> 
Sent: Saturday, October 16, 2021 7:49 PM
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [EXTERNAL] RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Hi
This patch fails in the P-R - https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2%2Fpull%2F2073&amp;data=04%7C01%7Cvineelko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=NbiiW6sHXAfHEkkL7aBbnGlZoYXbAzmkgzeqbbiuJ6Q%3D&amp;reserved=0. Please double check.

You are encouraged to try the P-R yourself before submitting the patch.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> Sent: Tuesday, October 12, 2021 1:38 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; 
> sean.brogan@microsoft.com; bret.barkelew@microsoft.com; 
> Michael.Turner@microsoft.com
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve 
> chipher algorithms
> 
> This commit is a cherry pick of project mu's commit
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Fmicrosoft%2Fmu_tiano_plus%2Fcommit%2F1f3b135ddc821718a78c3&am
> p;data=04%7C01%7Cvineelko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d991
> 18b6e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637700357621360496
> %7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6I
> k1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OFSVeefYJN%2Bq1BgGMKAJ0H%2B2wfX
> %2Bbn%2B4rmppat62i1o%3D&amp;reserved=0
> 52316197889c5d3e0c2
> 
> Reconfigure OpensslLib to add elliptic curve chipher algorithms.
> The only file manually changed is process_files.pl.
> Running the script changes the other three files.
> 
> BugZilla: 
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3679&amp;data=04%7C01%7Cvinee
> lko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf86f14
> 1af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CTWFpbGZsb
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
> 7C1000&amp;sdata=hUoZ%2F%2BTHW4aIvzk2N%2BCgtSqQ9igntGGt2vtlOgPTEKY%3D&
> amp;reserved=0
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  .../Library/Include/openssl/opensslconf.h     | 25 ++--------
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
>  .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
>  CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
>  4 files changed, 105 insertions(+), 21 deletions(-)
> 
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index b8d59aebe8..09a6641ffc 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -55,9 +55,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_DSA
>  # define OPENSSL_NO_DSA
>  #endif
> -#ifndef OPENSSL_NO_EC
> -# define OPENSSL_NO_EC
> -#endif
>  #ifndef OPENSSL_NO_IDEA
>  # define OPENSSL_NO_IDEA
>  #endif
> @@ -88,9 +85,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_SEED
>  # define OPENSSL_NO_SEED
>  #endif
> -#ifndef OPENSSL_NO_SM2
> -# define OPENSSL_NO_SM2
> -#endif
>  #ifndef OPENSSL_NO_SRP
>  # define OPENSSL_NO_SRP
>  #endif
> @@ -154,12 +148,6 @@ extern "C" {
>  #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128  # define 
> OPENSSL_NO_EC_NISTP_64_GCC_128  #endif -#ifndef OPENSSL_NO_ECDH -# 
> define OPENSSL_NO_ECDH -#endif -#ifndef OPENSSL_NO_ECDSA -# define 
> OPENSSL_NO_ECDSA -#endif  #ifndef OPENSSL_NO_EGD  # define 
> OPENSSL_NO_EGD  #endif @@ -226,9 +214,6 @@ extern "C" {  #ifndef 
> OPENSSL_NO_TESTS  # define OPENSSL_NO_TESTS  #endif -#ifndef 
> OPENSSL_NO_TLS1_3 -# define OPENSSL_NO_TLS1_3 -#endif  #ifndef 
> OPENSSL_NO_UBSAN  # define OPENSSL_NO_UBSAN  #endif @@ -265,11 +250,11 
> @@ extern "C" {
>  #   undef DECLARE_DEPRECATED
>  #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
>  #  endif
> -#elif defined(__SUNPRO_C)
> -#if (__SUNPRO_C >= 0x5130)
> -#undef DECLARE_DEPRECATED
> -#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> -#endif
> +# elif defined(__SUNPRO_C)
> +#  if (__SUNPRO_C >= 0x5130)
> +#   undef DECLARE_DEPRECATED
> +#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> +#  endif
>  # endif
>  #endif
> 
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index d84bde056a..bd3d9cc90f 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -199,6 +199,43 @@
>    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
>    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
>    $(OPENSSL_PATH)/crypto/ebcdic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
>    $(OPENSSL_PATH)/crypto/err/err.c
>    $(OPENSSL_PATH)/crypto/err/err_prn.c
>    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> @@ -384,6 +421,10 @@
>    $(OPENSSL_PATH)/crypto/siphash/siphash.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
>    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>    $(OPENSSL_PATH)/crypto/sm3/sm3.c
>    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> @@ -496,6 +537,15 @@
>    $(OPENSSL_PATH)/crypto/conf/conf_local.h
>    $(OPENSSL_PATH)/crypto/dh/dh_local.h
>    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_local.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index cdeed0d073..38ccf1a5b6 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -199,6 +199,43 @@
>    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
>    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
>    $(OPENSSL_PATH)/crypto/ebcdic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
>    $(OPENSSL_PATH)/crypto/err/err.c
>    $(OPENSSL_PATH)/crypto/err/err_prn.c
>    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> @@ -384,6 +421,10 @@
>    $(OPENSSL_PATH)/crypto/siphash/siphash.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
>    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
>    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
>    $(OPENSSL_PATH)/crypto/sm3/sm3.c
>    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> @@ -496,6 +537,15 @@
>    $(OPENSSL_PATH)/crypto/conf/conf_local.h
>    $(OPENSSL_PATH)/crypto/dh/dh_local.h
>    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_local.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> b/CryptoPkg/Library/OpensslLib/process_files.pl
> index 42bff05fa6..2ebfbbbca0 100755
> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> @@ -169,7 +169,6 @@ BEGIN {
>                  "no-dgram",
>                  "no-dsa",
>                  "no-dynamic-engine",
> -                "no-ec",
>                  "no-ec2m",
>                  "no-engine",
>                  "no-err",
> --
> 2.17.1



* Re: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-10-18 20:06   ` vineelko
@ 2021-11-03  0:37     ` Yao, Jiewen
  2021-11-03  8:34       ` Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: Yao, Jiewen @ 2021-11-03  0:37 UTC (permalink / raw)
  To: Vineel Kovvuri, Vineel Kovvuri, devel@edk2.groups.io, Sean Brogan,
	Bret Barkelew, Mike Turner
  Cc: Jancarlo Perez

Hello Vineel
May I know if you have sent out v2?

> -----Original Message-----
> From: Vineel Kovvuri <vineelko@microsoft.com>
> Sent: Tuesday, October 19, 2021 4:06 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Vineel Kovvuri
> <vineel.kovvuri@gmail.com>; devel@edk2.groups.io; Sean Brogan
> <sean.brogan@microsoft.com>; Bret Barkelew
> <Bret.Barkelew@microsoft.com>; Mike Turner
> <Michael.Turner@microsoft.com>
> Cc: Jancarlo Perez <jpere@microsoft.com>
> Subject: RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher
> algorithms
> 
> Hi Jiewen,
> 
> Sorry for the build break. I will fix this locally and send you the patch.
> 
> Thanks,
> Vineel
> 
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Saturday, October 16, 2021 7:49 PM
> To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io; Sean
> Brogan <sean.brogan@microsoft.com>; Bret Barkelew
> <Bret.Barkelew@microsoft.com>; Mike Turner
> <Michael.Turner@microsoft.com>
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [EXTERNAL] RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
> 
> Hi
> This patch fails in the P-R -
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c
> om%2Ftianocore%2Fedk2%2Fpull%2F2073&amp;data=04%7C01%7Cvineelko%4
> 0microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf86f141
> af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
> WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXV
> CI6Mn0%3D%7C1000&amp;sdata=NbiiW6sHXAfHEkkL7aBbnGlZoYXbAzmkgzeqb
> biuJ6Q%3D&amp;reserved=0. Please double check.
> 
> You are encourage to try P-R by yourself before submit the patch.
> 
> Thank you
> Yao Jiewen
> 
> > -----Original Message-----
> > From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> > Sent: Tuesday, October 12, 2021 1:38 PM
> > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> > sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
> > Michael.Turner@microsoft.com
> > Cc: Vineel Kovvuri <vineelko@microsoft.com>
> > Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve
> > chipher algorithms
> >
> > This commit is a cherry pick of project mu's commit
> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> >
> ub.com%2Fmicrosoft%2Fmu_tiano_plus%2Fcommit%2F1f3b135ddc821718a78c
> 3&am
> >
> p;data=04%7C01%7Cvineelko%40microsoft.com%7C5d3643d0f0ec4bb48ba608
> d991
> >
> 18b6e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637700357621
> 360496
> > %7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLC
> JBTiI6I
> >
> k1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OFSVeefYJN%2Bq1BgGMKAJ0
> H%2B2wfX
> > %2Bbn%2B4rmppat62i1o%3D&amp;reserved=0
> > 52316197889c5d3e0c2
> >
> > Reconfigure OpensslLib to add elliptic curve chipher algorithms.
> > The only file manually changed is process_files.pl.
> > Running the script changes the other three files.
> >
> > BugZilla:
> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> >
> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3679&amp;data=04%7C01%7Cvin
> ee
> >
> lko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf8
> 6f14
> >
> 1af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
> WFpbGZsb
> >
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%
> 3D%
> >
> 7C1000&amp;sdata=hUoZ%2F%2BTHW4aIvzk2N%2BCgtSqQ9igntGGt2vtlOgPTE
> KY%3D&
> > amp;reserved=0
> >
> > Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> > ---
> >  .../Library/Include/openssl/opensslconf.h     | 25 ++--------
> >  CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
> >  .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
> >  CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
> >  4 files changed, 105 insertions(+), 21 deletions(-)
> >
> > diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> > b/CryptoPkg/Library/Include/openssl/opensslconf.h
> > index b8d59aebe8..09a6641ffc 100644
> > --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> > +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> > @@ -55,9 +55,6 @@ extern "C" {
> >  #ifndef OPENSSL_NO_DSA
> >  # define OPENSSL_NO_DSA
> >  #endif
> > -#ifndef OPENSSL_NO_EC
> > -# define OPENSSL_NO_EC
> > -#endif
> >  #ifndef OPENSSL_NO_IDEA
> >  # define OPENSSL_NO_IDEA
> >  #endif
> > @@ -88,9 +85,6 @@ extern "C" {
> >  #ifndef OPENSSL_NO_SEED
> >  # define OPENSSL_NO_SEED
> >  #endif
> > -#ifndef OPENSSL_NO_SM2
> > -# define OPENSSL_NO_SM2
> > -#endif
> >  #ifndef OPENSSL_NO_SRP
> >  # define OPENSSL_NO_SRP
> >  #endif
> > @@ -154,12 +148,6 @@ extern "C" {
> >  #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128  # define
> > OPENSSL_NO_EC_NISTP_64_GCC_128  #endif -#ifndef OPENSSL_NO_ECDH -#
> > define OPENSSL_NO_ECDH -#endif -#ifndef OPENSSL_NO_ECDSA -# define
> > OPENSSL_NO_ECDSA -#endif  #ifndef OPENSSL_NO_EGD  # define
> > OPENSSL_NO_EGD  #endif @@ -226,9 +214,6 @@ extern "C" {  #ifndef
> > OPENSSL_NO_TESTS  # define OPENSSL_NO_TESTS  #endif -#ifndef
> > OPENSSL_NO_TLS1_3 -# define OPENSSL_NO_TLS1_3 -#endif  #ifndef
> > OPENSSL_NO_UBSAN  # define OPENSSL_NO_UBSAN  #endif @@ -265,11
> +250,11
> > @@ extern "C" {
> >  #   undef DECLARE_DEPRECATED
> >  #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> >  #  endif
> > -#elif defined(__SUNPRO_C)
> > -#if (__SUNPRO_C >= 0x5130)
> > -#undef DECLARE_DEPRECATED
> > -#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> > -#endif
> > +# elif defined(__SUNPRO_C)
> > +#  if (__SUNPRO_C >= 0x5130)
> > +#   undef DECLARE_DEPRECATED
> > +#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> > +#  endif
> >  # endif
> >  #endif
> >
> > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > index d84bde056a..bd3d9cc90f 100644
> > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > @@ -199,6 +199,43 @@
> >    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
> >    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
> >    $(OPENSSL_PATH)/crypto/ebcdic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> > +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
> >    $(OPENSSL_PATH)/crypto/err/err.c
> >    $(OPENSSL_PATH)/crypto/err/err_prn.c
> >    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> > @@ -384,6 +421,10 @@
> >    $(OPENSSL_PATH)/crypto/siphash/siphash.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
> >    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> >    $(OPENSSL_PATH)/crypto/sm3/sm3.c
> >    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> > @@ -496,6 +537,15 @@
> >    $(OPENSSL_PATH)/crypto/conf/conf_local.h
> >    $(OPENSSL_PATH)/crypto/dh/dh_local.h
> >    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
> >    $(OPENSSL_PATH)/crypto/evp/evp_local.h
> >    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
> >    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > index cdeed0d073..38ccf1a5b6 100644
> > --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > @@ -199,6 +199,43 @@
> >    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
> >    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
> >    $(OPENSSL_PATH)/crypto/ebcdic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> > +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
> >    $(OPENSSL_PATH)/crypto/err/err.c
> >    $(OPENSSL_PATH)/crypto/err/err_prn.c
> >    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> > @@ -384,6 +421,10 @@
> >    $(OPENSSL_PATH)/crypto/siphash/siphash.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
> >    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> >    $(OPENSSL_PATH)/crypto/sm3/sm3.c
> >    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> > @@ -496,6 +537,15 @@
> >    $(OPENSSL_PATH)/crypto/conf/conf_local.h
> >    $(OPENSSL_PATH)/crypto/dh/dh_local.h
> >    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
> >    $(OPENSSL_PATH)/crypto/evp/evp_local.h
> >    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
> >    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> > diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> > b/CryptoPkg/Library/OpensslLib/process_files.pl
> > index 42bff05fa6..2ebfbbbca0 100755
> > --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> > +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> > @@ -169,7 +169,6 @@ BEGIN {
> >                  "no-dgram",
> >                  "no-dsa",
> >                  "no-dynamic-engine",
> > -                "no-ec",
> >                  "no-ec2m",
> >                  "no-engine",
> >                  "no-err",
> > --
> > 2.17.1



* Re: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-03  0:37     ` Yao, Jiewen
@ 2021-11-03  8:34       ` Vineel Kovvuri
  2021-11-08 22:29         ` [edk2-devel] " Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: Vineel Kovvuri @ 2021-11-03  8:34 UTC (permalink / raw)
  To: Yao, Jiewen
  Cc: Vineel Kovvuri, devel@edk2.groups.io, Sean Brogan, Bret Barkelew,
	Mike Turner, Jancarlo Perez

[-- Attachment #1: Type: text/plain, Size: 15338 bytes --]

Hi Jiewen,

Thanks for checking. One of the issues is that the ECC change requires additional
VS intrinsics to be included. Without them, the IA32 build fails with __allmul
undefined. So I have to include the following, from Project Mu, in OVMFPKGIA32.dsc

[LibraryClasses.IA32]
  NULL|MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf

but then I am hitting a new failure when building "stuart_build -c
OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=VS2019 TARGET=DEBUG -a
IA32"

ERROR - Linker #2001 from LINK :   unresolved external symbol
__ModuleEntryPoint
ERROR - Linker #1120 from
d:\repos\edk2\Build\OvmfIa32\DEBUG_VS2019\IA32\OvmfPkg\ResetVector\ResetVector\DEBUG\ResetVector.dll
: fatal   1 unresolved externals
ERROR - Compiler #1077 from NMAKE : fatal   '"C:\Program Files
(x86)\Microsoft Visual
Studio\2019\Enterprise\VC\Tools\MSVC\14.28.29910\bin\Hostx86\x86\link.exe"'
: return code '0x460'
ERROR - Compiler #7000 from :   Failed to execute command
ERROR - EDK2 #002 from :   Failed to build module

Probably I am missing something.

The other issue is the increased size of the OVMF firmware after
enabling ec ciphers. We need some guidance in handling this as OVMF is
being used by other open source projects like QEMU etc.

Thanks,
Vineel


On Tue, Nov 2, 2021 at 5:37 PM Yao, Jiewen <jiewen.yao@intel.com> wrote:

> Hello Vineel
> May I know if you have send out v2?
>
> > -----Original Message-----
> > From: Vineel Kovvuri <vineelko@microsoft.com>
> > Sent: Tuesday, October 19, 2021 4:06 AM
> > To: Yao, Jiewen <jiewen.yao@intel.com>; Vineel Kovvuri
> > <vineel.kovvuri@gmail.com>; devel@edk2.groups.io; Sean Brogan
> > <sean.brogan@microsoft.com>; Bret Barkelew
> > <Bret.Barkelew@microsoft.com>; Mike Turner
> > <Michael.Turner@microsoft.com>
> > Cc: Jancarlo Perez <jpere@microsoft.com>
> > Subject: RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve
> chipher
> > algorithms
> >
> > Hi Jiewen,
> >
> > Sorry for the build break. I will fix this locally and send you the
> patch.
> >
> > Thanks,
> > Vineel
> >
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Saturday, October 16, 2021 7:49 PM
> > To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io;
> Sean
> > Brogan <sean.brogan@microsoft.com>; Bret Barkelew
> > <Bret.Barkelew@microsoft.com>; Mike Turner
> > <Michael.Turner@microsoft.com>
> > Cc: Vineel Kovvuri <vineelko@microsoft.com>
> > Subject: [EXTERNAL] RE: [PATCH 1/2] Reconfigure OpensslLib to add
> elliptic
> > curve chipher algorithms
> >
> > Hi
> > This patch fails in the P-R -
> >
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c
> > om%2Ftianocore%2Fedk2%2Fpull%2F2073&amp;data=04%7C01%7Cvineelko%4
> > 0microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf86f141
> > af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
> > WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXV
> > CI6Mn0%3D%7C1000&amp;sdata=NbiiW6sHXAfHEkkL7aBbnGlZoYXbAzmkgzeqb
> > biuJ6Q%3D&amp;reserved=0. Please double check.
> >
> > You are encourage to try P-R by yourself before submit the patch.
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> > > Sent: Tuesday, October 12, 2021 1:38 PM
> > > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> > > sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
> > > Michael.Turner@microsoft.com
> > > Cc: Vineel Kovvuri <vineelko@microsoft.com>
> > > Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve
> > > chipher algorithms
> > >
> > > This commit is a cherry pick of project mu's commit
> > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> > >
> > ub.com%2Fmicrosoft%2Fmu_tiano_plus%2Fcommit%2F1f3b135ddc821718a78c
> > 3&am
> > >
> > p;data=04%7C01%7Cvineelko%40microsoft.com%7C5d3643d0f0ec4bb48ba608
> > d991
> > >
> > 18b6e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637700357621
> > 360496
> > > %7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLC
> > JBTiI6I
> > >
> > k1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OFSVeefYJN%2Bq1BgGMKAJ0
> > H%2B2wfX
> > > %2Bbn%2B4rmppat62i1o%3D&amp;reserved=0
> > > 52316197889c5d3e0c2
> > >
> > > Reconfigure OpensslLib to add elliptic curve chipher algorithms.
> > > The only file manually changed is process_files.pl.
> > > Running the script changes the other three files.
> > >
> > > BugZilla:
> > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> > >
> > illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3679&amp;data=04%7C01%7Cvin
> > ee
> > >
> > lko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf8
> > 6f14
> > >
> > 1af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
> > WFpbGZsb
> > >
> > 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%
> > 3D%
> > >
> > 7C1000&amp;sdata=hUoZ%2F%2BTHW4aIvzk2N%2BCgtSqQ9igntGGt2vtlOgPTE
> > KY%3D&
> > > amp;reserved=0
> > >
> > > Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> > > ---
> > >  .../Library/Include/openssl/opensslconf.h     | 25 ++--------
> > >  CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
> > >  .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
> > >  CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
> > >  4 files changed, 105 insertions(+), 21 deletions(-)
> > >
> > > diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> > > b/CryptoPkg/Library/Include/openssl/opensslconf.h
> > > index b8d59aebe8..09a6641ffc 100644
> > > --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> > > +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> > > @@ -55,9 +55,6 @@ extern "C" {
> > >  #ifndef OPENSSL_NO_DSA
> > >  # define OPENSSL_NO_DSA
> > >  #endif
> > > -#ifndef OPENSSL_NO_EC
> > > -# define OPENSSL_NO_EC
> > > -#endif
> > >  #ifndef OPENSSL_NO_IDEA
> > >  # define OPENSSL_NO_IDEA
> > >  #endif
> > > @@ -88,9 +85,6 @@ extern "C" {
> > >  #ifndef OPENSSL_NO_SEED
> > >  # define OPENSSL_NO_SEED
> > >  #endif
> > > -#ifndef OPENSSL_NO_SM2
> > > -# define OPENSSL_NO_SM2
> > > -#endif
> > >  #ifndef OPENSSL_NO_SRP
> > >  # define OPENSSL_NO_SRP
> > >  #endif
> > > @@ -154,12 +148,6 @@ extern "C" {
> > >  #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128  # define
> > > OPENSSL_NO_EC_NISTP_64_GCC_128  #endif -#ifndef OPENSSL_NO_ECDH -#
> > > define OPENSSL_NO_ECDH -#endif -#ifndef OPENSSL_NO_ECDSA -# define
> > > OPENSSL_NO_ECDSA -#endif  #ifndef OPENSSL_NO_EGD  # define
> > > OPENSSL_NO_EGD  #endif @@ -226,9 +214,6 @@ extern "C" {  #ifndef
> > > OPENSSL_NO_TESTS  # define OPENSSL_NO_TESTS  #endif -#ifndef
> > > OPENSSL_NO_TLS1_3 -# define OPENSSL_NO_TLS1_3 -#endif  #ifndef
> > > OPENSSL_NO_UBSAN  # define OPENSSL_NO_UBSAN  #endif @@ -265,11
> > +250,11
> > > @@ extern "C" {
> > >  #   undef DECLARE_DEPRECATED
> > >  #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> > >  #  endif
> > > -#elif defined(__SUNPRO_C)
> > > -#if (__SUNPRO_C >= 0x5130)
> > > -#undef DECLARE_DEPRECATED
> > > -#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> > > -#endif
> > > +# elif defined(__SUNPRO_C)
> > > +#  if (__SUNPRO_C >= 0x5130)
> > > +#   undef DECLARE_DEPRECATED
> > > +#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> > > +#  endif
> > >  # endif
> > >  #endif
> > >
> > > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > index d84bde056a..bd3d9cc90f 100644
> > > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > @@ -199,6 +199,43 @@
> > >    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
> > >    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
> > >    $(OPENSSL_PATH)/crypto/ebcdic.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> > > +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
> > >    $(OPENSSL_PATH)/crypto/err/err.c
> > >    $(OPENSSL_PATH)/crypto/err/err_prn.c
> > >    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> > > @@ -384,6 +421,10 @@
> > >    $(OPENSSL_PATH)/crypto/siphash/siphash.c
> > >    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> > >    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
> > >    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> > >    $(OPENSSL_PATH)/crypto/sm3/sm3.c
> > >    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> > > @@ -496,6 +537,15 @@
> > >    $(OPENSSL_PATH)/crypto/conf/conf_local.h
> > >    $(OPENSSL_PATH)/crypto/dh/dh_local.h
> > >    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
> > >    $(OPENSSL_PATH)/crypto/evp/evp_local.h
> > >    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
> > >    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> > > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > index cdeed0d073..38ccf1a5b6 100644
> > > --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > @@ -199,6 +199,43 @@
> > >    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
> > >    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
> > >    $(OPENSSL_PATH)/crypto/ebcdic.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> > > +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> > > +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
> > >    $(OPENSSL_PATH)/crypto/err/err.c
> > >    $(OPENSSL_PATH)/crypto/err/err_prn.c
> > >    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> > > @@ -384,6 +421,10 @@
> > >    $(OPENSSL_PATH)/crypto/siphash/siphash.c
> > >    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> > >    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> > > +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
> > >    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> > >    $(OPENSSL_PATH)/crypto/sm3/sm3.c
> > >    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> > > @@ -496,6 +537,15 @@
> > >    $(OPENSSL_PATH)/crypto/conf/conf_local.h
> > >    $(OPENSSL_PATH)/crypto/dh/dh_local.h
> > >    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> > > +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> > > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
> > >    $(OPENSSL_PATH)/crypto/evp/evp_local.h
> > >    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
> > >    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> > > diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> > > b/CryptoPkg/Library/OpensslLib/process_files.pl
> > > index 42bff05fa6..2ebfbbbca0 100755
> > > --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> > > +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> > > @@ -169,7 +169,6 @@ BEGIN {
> > >                  "no-dgram",
> > >                  "no-dsa",
> > >                  "no-dynamic-engine",
> > > -                "no-ec",
> > >                  "no-ec2m",
> > >                  "no-engine",
> > >                  "no-err",
> > > --
> > > 2.17.1
>
>

[-- Attachment #2: Type: text/html, Size: 21824 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-03  8:34       ` Vineel Kovvuri
@ 2021-11-08 22:29         ` Vineel Kovvuri
  2021-11-09  8:06           ` Yao, Jiewen
  2021-11-09  8:55           ` Gerd Hoffmann
  0 siblings, 2 replies; 36+ messages in thread
From: Vineel Kovvuri @ 2021-11-08 22:29 UTC (permalink / raw)
  To: Vineel Kovvuri, devel


[-- Attachment #1.1: Type: text/plain, Size: 1137 bytes --]

Hi Folks,

We are able to resolve the __ModuleEntryPoint error and was able to run below build configurations locally.

* Windows_VS2019 - Passed

* EmulatorPkg_Win_VS2019 - Passed
* OvmfPkg_Win_VS2019 - Passed

* Ubuntu_GCC5 - Passed

* ArmVirtPkg_Ubuntu_GCC5 - Passed
* EmulatorPkg_Ubuntu_GCC5 - Passed
* OvmfPkg_Ubuntu_GCC5 – Failed

* INFO - GenFv: ERROR 3000: Invalid
* INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

Is it okay to increase the FV image size? If so, we need some guidance on that, as it may affect other projects such as QEMU. Any input here is much appreciated.

For Reference: https://github.com/vineelkovvuri/edk2/pull/2 ( https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fvineelkovvuri%2Fedk2%2Fpull%2F2&data=04%7C01%7Cvineelko%40microsoft.com%7C39a86fd17084443454fa08d9a2dc1185%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637719888367133870%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Mj7FG%2FZvbQska6c6tGj9Z0xgcenZSX3COrPoL4Pe1k0%3D&reserved=0 )

[-- Attachment #1.2: Type: text/html, Size: 3244 bytes --]

[-- Attachment #2: 0001-ECC-Fixes.patch --]
[-- Type: application/octet-stream, Size: 9317 bytes --]

From 0533837d64939b47379572c1c2bae08acad6a569 Mon Sep 17 00:00:00 2001
From: Vineel Kovvuri <vineelko@microsoft.com>
Date: Sat, 16 Oct 2021 22:36:58 -0700
Subject: [PATCH 1/3] ECC Fixes

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
 .../Library/Include/openssl/opensslconf.h     | 23 ++-------
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
 .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
 CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
 4 files changed, 104 insertions(+), 20 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index b8d59aebe8..e097de7797 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -55,9 +55,6 @@ extern "C" {
 #ifndef OPENSSL_NO_DSA
 # define OPENSSL_NO_DSA
 #endif
-#ifndef OPENSSL_NO_EC
-# define OPENSSL_NO_EC
-#endif
 #ifndef OPENSSL_NO_IDEA
 # define OPENSSL_NO_IDEA
 #endif
@@ -88,9 +85,6 @@ extern "C" {
 #ifndef OPENSSL_NO_SEED
 # define OPENSSL_NO_SEED
 #endif
-#ifndef OPENSSL_NO_SM2
-# define OPENSSL_NO_SM2
-#endif
 #ifndef OPENSSL_NO_SRP
 # define OPENSSL_NO_SRP
 #endif
@@ -154,12 +148,6 @@ extern "C" {
 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 # define OPENSSL_NO_EC_NISTP_64_GCC_128
 #endif
-#ifndef OPENSSL_NO_ECDH
-# define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-# define OPENSSL_NO_ECDSA
-#endif
 #ifndef OPENSSL_NO_EGD
 # define OPENSSL_NO_EGD
 #endif
@@ -226,9 +214,6 @@ extern "C" {
 #ifndef OPENSSL_NO_TESTS
 # define OPENSSL_NO_TESTS
 #endif
-#ifndef OPENSSL_NO_TLS1_3
-# define OPENSSL_NO_TLS1_3
-#endif
 #ifndef OPENSSL_NO_UBSAN
 # define OPENSSL_NO_UBSAN
 #endif
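Review bot: Removing `OPENSSL_NO_TLS1_3` here, together with `OPENSSL_NO_SM2` in the second hunk of this header, means that dropping `no-ec` also switches on TLS 1.3 and SM2, which the commit subject ("ECC Fixes") and the original description do not mention. If only ECDH/ECDSA are wanted, the smaller configuration is to keep those features off explicitly by adding `"no-sm2",` and `"no-tls1_3",` to the option list in process_files.pl and regenerating this header and the two .inf files. That also bears on the size problem reported in the thread (required FV image size 0xcb2ac0 against a configured 0xc00000). If TLS 1.3 and SM2 are intended, the commit message should say so, so that reviewers can assess the extra code that ends up in the firmware image.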
@@ -265,11 +250,11 @@ extern "C" {
 #   undef DECLARE_DEPRECATED
 #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
 #  endif
-#elif defined(__SUNPRO_C)
-#if (__SUNPRO_C >= 0x5130)
-#undef DECLARE_DEPRECATED
+# elif defined(__SUNPRO_C)
+#  if (__SUNPRO_C >= 0x5130)
+#   undef DECLARE_DEPRECATED
 #define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
-#endif
+#  endif
 # endif
 #endif
 
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d84bde056a..bd3d9cc90f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,6 +199,43 @@
   $(OPENSSL_PATH)/crypto/dso/dso_vms.c
   $(OPENSSL_PATH)/crypto/dso/dso_win32.c
   $(OPENSSL_PATH)/crypto/ebcdic.c
+  $(OPENSSL_PATH)/crypto/ec/curve25519.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+  $(OPENSSL_PATH)/crypto/ec/ec_check.c
+  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+  $(OPENSSL_PATH)/crypto/ec/ec_err.c
+  $(OPENSSL_PATH)/crypto/ec/ec_key.c
+  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_print.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
   $(OPENSSL_PATH)/crypto/err/err.c
   $(OPENSSL_PATH)/crypto/err/err_prn.c
   $(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
   $(OPENSSL_PATH)/crypto/siphash/siphash.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
   $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
   $(OPENSSL_PATH)/crypto/sm3/sm3.c
   $(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
   $(OPENSSL_PATH)/crypto/conf/conf_local.h
   $(OPENSSL_PATH)/crypto/dh/dh_local.h
   $(OPENSSL_PATH)/crypto/dso/dso_local.h
+  $(OPENSSL_PATH)/crypto/ec/ec_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
   $(OPENSSL_PATH)/crypto/evp/evp_local.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index cdeed0d073..38ccf1a5b6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,6 +199,43 @@
   $(OPENSSL_PATH)/crypto/dso/dso_vms.c
   $(OPENSSL_PATH)/crypto/dso/dso_win32.c
   $(OPENSSL_PATH)/crypto/ebcdic.c
+  $(OPENSSL_PATH)/crypto/ec/curve25519.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+  $(OPENSSL_PATH)/crypto/ec/ec_check.c
+  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+  $(OPENSSL_PATH)/crypto/ec/ec_err.c
+  $(OPENSSL_PATH)/crypto/ec/ec_key.c
+  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+  $(OPENSSL_PATH)/crypto/ec/ec_print.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
   $(OPENSSL_PATH)/crypto/err/err.c
   $(OPENSSL_PATH)/crypto/err/err_prn.c
   $(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
   $(OPENSSL_PATH)/crypto/siphash/siphash.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
   $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
   $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
   $(OPENSSL_PATH)/crypto/sm3/sm3.c
   $(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
   $(OPENSSL_PATH)/crypto/conf/conf_local.h
   $(OPENSSL_PATH)/crypto/dh/dh_local.h
   $(OPENSSL_PATH)/crypto/dso/dso_local.h
+  $(OPENSSL_PATH)/crypto/ec/ec_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
   $(OPENSSL_PATH)/crypto/evp/evp_local.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 42bff05fa6..2ebfbbbca0 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -169,7 +169,6 @@ BEGIN {
                 "no-dgram",
                 "no-dsa",
                 "no-dynamic-engine",
-                "no-ec",
                 "no-ec2m",
                 "no-engine",
                 "no-err",
-- 
2.31.0.vfs.0.1


[-- Attachment #3: 0002-Port-VsIntrinsicLib-from-Project-Mu.patch --]
[-- Type: application/octet-stream, Size: 7906 bytes --]

From 23788c199dd9f615b03d0730ab68c5411f56bf87 Mon Sep 17 00:00:00 2001
From: Vineel Kovvuri <vineelko@microsoft.com>
Date: Sat, 6 Nov 2021 01:00:26 -0700
Subject: [PATCH 2/3] Port VsIntrinsicLib from Project Mu

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
 MdePkg/Library/VsIntrinsicLib/IA32/Llmul.asm  | 98 +++++++++++++++++++
 MdePkg/Library/VsIntrinsicLib/IA32/Llshr.asm  | 79 +++++++++++++++
 .../Library/VsIntrinsicLib/VsIntrinsicLib.inf | 38 +++++++
 .../Library/VsIntrinsicLib/VsIntrinsicLib.uni | 17 ++++
 4 files changed, 232 insertions(+)
 create mode 100644 MdePkg/Library/VsIntrinsicLib/IA32/Llmul.asm
 create mode 100644 MdePkg/Library/VsIntrinsicLib/IA32/Llshr.asm
 create mode 100644 MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
 create mode 100644 MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.uni

diff --git a/MdePkg/Library/VsIntrinsicLib/IA32/Llmul.asm b/MdePkg/Library/VsIntrinsicLib/IA32/Llmul.asm
new file mode 100644
index 0000000000..190392da1b
--- /dev/null
+++ b/MdePkg/Library/VsIntrinsicLib/IA32/Llmul.asm
@@ -0,0 +1,98 @@
+;***
+;llmul.asm - long multiply routine
+;
+;       Copyright (c) Microsoft Corporation. All rights reserved.
+;       SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+;Purpose:
+;       Defines long multiply routine
+;       Both signed and unsigned routines are the same, since multiply's
+;       work out the same in 2's complement
+;       creates the following routine:
+;           __allmul
+;
+;Original Implemenation: MSVC 14.12.25827
+;
+;*******************************************************************************
+    .686
+    .model  flat,C
+    .code
+
+
+;***
+;llmul - long multiply routine
+;
+;Purpose:
+;       Does a long multiply (same for signed/unsigned)
+;       Parameters are not changed.
+;
+;Entry:
+;       Parameters are passed on the stack:
+;               1st pushed: multiplier (QWORD)
+;               2nd pushed: multiplicand (QWORD)
+;
+;Exit:
+;       EDX:EAX - product of multiplier and multiplicand
+;       NOTE: parameters are removed from the stack
+;
+;Uses:
+;       ECX
+;
+;Exceptions:
+;
+;*******************************************************************************
+_allmul PROC NEAR
+
+A       EQU     [esp + 4]       ; stack address of a
+B       EQU     [esp + 12]      ; stack address of b
+
+HIGH_PART  EQU     [4]             ; 
+LOW_PART   EQU     [0]
+
+;
+;       AHI, BHI : upper 32 bits of A and B
+;       ALO, BLO : lower 32 bits of A and B
+;
+;             ALO * BLO
+;       ALO * BHI
+; +     BLO * AHI
+; ---------------------
+;
+
+        mov     eax,HIGH_PART(A)
+        mov     ecx,HIGH_PART(B)
+        or      ecx,eax         ;test for both high dwords zero.
+        mov     ecx,LOW_PART(B)
+        jnz     short hard      ;both are zero, just mult ALO and BLO
+
+        mov     eax,LOW_PART(A)
+        mul     ecx
+
+        ret     16              ; callee restores the stack
+
+hard:
+        push    ebx
+
+; must redefine A and B since esp has been altered
+
+A2      EQU     [esp + 8]       ; stack address of a
+B2      EQU     [esp + 16]      ; stack address of b
+
+        mul     ecx             ;eax has AHI, ecx has BLO, so AHI * BLO
+        mov     ebx,eax         ;save result
+
+        mov     eax,LOW_PART(A2)
+        mul     dword ptr HIGH_PART(B2) ;ALO * BHI
+        add     ebx,eax         ;ebx = ((ALO * BHI) + (AHI * BLO))
+
+        mov     eax,LOW_PART(A2);ecx = BLO
+        mul     ecx             ;so edx:eax = ALO*BLO
+        add     edx,ebx         ;now edx has all the LO*HI stuff
+
+        pop     ebx
+
+        ret     16              ; callee restores the stack
+
+_allmul ENDP
+
+        end
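Review bot: The comment on `jnz short hard` reads "both are zero, just mult ALO and BLO", but that describes the fall-through path rather than the branch it is attached to, which is taken when either high dword is nonzero. I would write `jnz short hard ;a high dword is nonzero: full 64-bit path` and move the "both are zero" remark onto the following `mov eax,LOW_PART(A)`. The `Uses:` header lists only ECX although the `hard` path also uses EBX (saved and restored), and `HIGH_PART  EQU     [4]             ;` ends in an empty comment. Since the compiler emits calls to this routine on its own and the callee pops its 16 bytes of arguments, accurate comments on the stack layout are worth having for whoever audits it next.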
diff --git a/MdePkg/Library/VsIntrinsicLib/IA32/Llshr.asm b/MdePkg/Library/VsIntrinsicLib/IA32/Llshr.asm
new file mode 100644
index 0000000000..81c5240c16
--- /dev/null
+++ b/MdePkg/Library/VsIntrinsicLib/IA32/Llshr.asm
@@ -0,0 +1,79 @@
+        title   llshr - long shift right
+;***
+;llshr.asm - long shift right
+;
+;       Copyright (c) Microsoft Corporation. All rights reserved.
+;       SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+;Purpose:
+;       define signed long shift right routine
+;           __allshr
+;
+;Original Implemenation: MSVC 14.12.25827
+;
+;*******************************************************************************
+    .686
+    .model  flat,C
+    .code
+
+
+
+;***
+;llshr - long shift right
+;
+;Purpose:
+;       Does a signed Long Shift Right
+;       Shifts a long right any number of bits.
+;
+;Entry:
+;       EDX:EAX - long value to be shifted
+;       CL    - number of bits to shift by
+;
+;Exit:
+;       EDX:EAX - shifted value
+;
+;Uses:
+;       CL is destroyed.
+;
+;Exceptions:
+;
+;*******************************************************************************
+_allshr PROC NEAR
+
+;
+; Handle shifts of 64 bits or more (if shifting 64 bits or more, the result
+; depends only on the high order bit of edx).
+;
+        cmp     cl,64
+        jae     short RETSIGN
+
+;
+; Handle shifts of between 0 and 31 bits
+;
+        cmp     cl, 32
+        jae     short MORE32
+        shrd    eax,edx,cl
+        sar     edx,cl
+        ret
+
+;
+; Handle shifts of between 32 and 63 bits
+;
+MORE32:
+        mov     eax,edx
+        sar     edx,31
+        and     cl,31
+        sar     eax,cl
+        ret
+
+;
+; Return double precision 0 or -1, depending on the sign of edx
+;
+RETSIGN:
+        sar     edx,31
+        mov     eax,edx
+        ret
+
+_allshr ENDP
+
+        end
diff --git a/MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf b/MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
new file mode 100644
index 0000000000..d55bfcbd22
--- /dev/null
+++ b/MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
@@ -0,0 +1,38 @@
+## @file
+#  Visual Studio 2017 C compiler intrinsic Library implementation.
+#
+#  Since the C compiler does very aggressive full program optimizations there are cases
+#  where some small number of compiler inserted functions can not be avoided.
+#  To handle that case this NULL library can be injected into all 32bit modules
+#  so that the link time dependency is met and the modules compile.
+#
+#  The routines are based on src delivered with the visual studio product.  it is
+#  critical that calling convention, stack usage, register usage, etc is in line
+#  with what the compiler expects as there is no way to influence the behaviors
+#  for compiler inserted functions.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = VsIntrinsicLib
+  MODULE_UNI_FILE                = VsIntrinsicLib.uni
+  FILE_GUID                      = ed449fc0-3265-40ed-91b8-435b8df0aa5f
+  MODULE_TYPE                    = BASE
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = NULL
+
+#
+#  VALID_ARCHITECTURES           = IA32
+#
+
+[Sources]
+
+[Sources.Ia32]
+  IA32/Llmul.asm
+  IA32/Llshr.asm
+
+[Packages]
+  MdePkg/MdePkg.dec
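Review bot: `[Sources.Ia32]` lists `IA32/Llmul.asm` and `IA32/Llshr.asm` with no tool chain family qualifier, although Llshr.asm as added in this patch is MASM syntax (`.model flat,C`, `PROC NEAR`) written for the Visual Studio compiler. I would qualify both entries, `IA32/Llmul.asm | MSFT` and `IA32/Llshr.asm | MSFT`, so the INF itself records which tool chains it applies to instead of relying on every DSC to guard the NULL injection. The file header says "Visual Studio 2017" while the OvmfPkg hunks later in this series test for `VS2019`; the `## @file` comment should name the tags that are actually supported. The empty `[Sources]` section can be dropped.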
diff --git a/MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.uni b/MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.uni
new file mode 100644
index 0000000000..c4513808fd
--- /dev/null
+++ b/MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.uni
@@ -0,0 +1,17 @@
+// /** @file
+// VsIntrinsic Library implementation.
+//
+// VsIntrinsic Library implementation.
+//
+//
+//
+//Copyright (c) Microsoft Corporation. All rights reserved.
+//SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+//**/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "VsIntrinsic Library implementation"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "VsIntrinsic Library implementation"
+
-- 
2.31.0.vfs.0.1


[-- Attachment #4: 0003-Reference-VsIntrinsicLib.patch --]
[-- Type: application/octet-stream, Size: 3785 bytes --]

From 799b36c6560c1a3fd5f9b30856ff61c002694e4c Mon Sep 17 00:00:00 2001
From: Vineel Kovvuri <vineelko@microsoft.com>
Date: Sat, 6 Nov 2021 01:01:13 -0700
Subject: [PATCH 3/3] Reference VsIntrinsicLib

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
 CryptoPkg/CryptoPkg.dsc     | 3 +++
 EmulatorPkg/EmulatorPkg.dsc | 3 +++
 MdePkg/MdePkg.ci.yaml       | 2 +-
 MdePkg/MdePkg.dsc           | 4 ++++
 OvmfPkg/OvmfPkgIa32.dsc     | 5 +++++
 OvmfPkg/OvmfPkgIa32X64.dsc  | 5 +++++
 6 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 0aa72ed878..9a01554f19 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -67,6 +67,9 @@
   HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
   RngLib|MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf
 
+[LibraryClasses.IA32]
+  NULL|MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
+
 [LibraryClasses.ARM, LibraryClasses.AARCH64]
   #
   # It is not possible to prevent the ARM compiler for generic intrinsic functions.
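Review bot: This `[LibraryClasses.IA32]` entry injects VsIntrinsicLib as a NULL library into every IA32 module for every tool chain, whereas the OvmfPkg hunks in the same patch wrap it in `!if $(TOOL_CHAIN_TAG) == "VS2019"`; the EmulatorPkg.dsc hunk has the same unguarded form. The library's sources are MASM files, so for a GCC or CLANG build the entry is presumably either a no-op or a build break, and the patch does not say which. I would use one consistent guard in all four DSC files, or express the restriction once in the INF.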
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 554c13ddb5..483ee0d036 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -138,6 +138,9 @@
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 !endif
 
+[LibraryClasses.IA32]
+  NULL|MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
+
 [LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
diff --git a/MdePkg/MdePkg.ci.yaml b/MdePkg/MdePkg.ci.yaml
index 3ea8eec331..b339686433 100644
--- a/MdePkg/MdePkg.ci.yaml
+++ b/MdePkg/MdePkg.ci.yaml
@@ -54,7 +54,7 @@
 
     ## options defined ci/Plugin/DscCompleteCheck
     "DscCompleteCheck": {
-        "IgnoreInf": [""],
+        "IgnoreInf": ["MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf"],
         "DscPath": "MdePkg.dsc"
     },
 
diff --git a/MdePkg/MdePkg.dsc b/MdePkg/MdePkg.dsc
index a94959169b..3a4b9d093e 100644
--- a/MdePkg/MdePkg.dsc
+++ b/MdePkg/MdePkg.dsc
@@ -176,6 +176,10 @@
   MdePkg/Library/MmServicesTableLib/MmServicesTableLib.inf
   MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
 
+[Components.IA32]
+  # For VS2017 support link the VsIntrinsicLib into all 32 bit modules
+  MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
+
 [Components.EBC]
   MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf
   MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
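Review bot: The added comment `# For VS2017 support link the VsIntrinsicLib into all 32 bit modules` does not describe what a `[Components.IA32]` entry does: it only builds the INF as part of the package, and nothing in this hunk links it into other modules. I would reword it to something like `# Build VsIntrinsicLib (compiler intrinsics for Visual Studio IA32 builds)`. The MdePkg.ci.yaml hunk in this patch also adds the same INF to `IgnoreInf` for `DscCompleteCheck`; if that check honours arch-specific component sections, the ignore entry is redundant with this listing and is better removed, so the check keeps covering the file.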
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 6a5be97c05..f52d48d83a 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -240,6 +240,11 @@
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
 !endif
 
+!if $(TOOL_CHAIN_TAG) == "VS2019"
+[LibraryClasses.IA32.UEFI_DRIVER]
+  NULL|MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
+!endif
+
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
   VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
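Review bot: The guard `!if $(TOOL_CHAIN_TAG) == "VS2019"` matches a single tag, while the INF header and the MdePkg.dsc comment both name Visual Studio 2017, so a VS2017 IA32 build would not get the intrinsics; the OvmfPkgIa32X64.dsc hunk has the same guard. The section is also limited to `UEFI_DRIVER`, but the thread lists SecurityStubDxe, SecureBootConfigDxe and VariableSmm next to TlsDxe as modules that carry OpensslLib, and any of those with a different module type would miss the library. I would widen the condition to the tags the series means to support, e.g. `!if $(TOOL_CHAIN_TAG) == "VS2017" || $(TOOL_CHAIN_TAG) == "VS2019"`, and use `[LibraryClasses.IA32]` as the CryptoPkg hunk does.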
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 71227d1b70..a53555240e 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -244,6 +244,11 @@
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
 !endif
 
+!if $(TOOL_CHAIN_TAG) == "VS2019"
+[LibraryClasses.IA32.UEFI_DRIVER]
+  NULL|MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf
+!endif
+
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
   VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
-- 
2.31.0.vfs.0.1



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-08 22:29         ` [edk2-devel] " Vineel Kovvuri
@ 2021-11-09  8:06           ` Yao, Jiewen
  2021-11-09  8:58             ` Gerd Hoffmann
  2021-11-09  8:55           ` Gerd Hoffmann
  1 sibling, 1 reply; 36+ messages in thread
From: Yao, Jiewen @ 2021-11-09  8:06 UTC (permalink / raw)
  To: devel@edk2.groups.io, vineelko@microsoft.com, Vineel Kovvuri

[-- Attachment #1: Type: text/plain, Size: 2308 bytes --]

Some options for your consideration.

  1.  Enlarge OVMF size
     *   I have seen discussion to 8M to 16M, but it seems not concluded.
  2.  Remove unnecessary algo in openssl config
     *   Do you really want to enable all those algorithms? Such as SM2? Maybe revisit them again to see if they are really needed. I could see it might break other platform potentially.
     *   Do you have any evaluation on binary size difference before or after your patch ? Please provide the data to help other people make decision.
  3.  Provide 2 profiles – with ECC and without ECC.
     *   As such, we can let platform decide which one it wants to take, if there is significant size difference.
     *   This would be the best way to keep the compatibility.
Thank you
Yao Jiewen

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel Kovvuri via groups.io
Sent: Tuesday, November 9, 2021 6:30 AM
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms


Hi Folks,



We are able to resolve the __ModuleEntryPoint error and was able to run below build configurations locally.

  *   Windows_VS2019 - Passed

     *   EmulatorPkg_Win_VS2019 - Passed
     *   OvmfPkg_Win_VS2019 - Passed

  *   Ubuntu_GCC5 - Passed

     *   ArmVirtPkg_Ubuntu_GCC5 - Passed
     *   EmulatorPkg_Ubuntu_GCC5 - Passed
     *   OvmfPkg_Ubuntu_GCC5 – Failed

        *   INFO - GenFv: ERROR 3000: Invalid
        *   INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

Is it okay to increase the fv image size? If so, we need some guidance with respect to that, as it may affect other projects like QEMU etc. Any inputs here are much appreciated.



For Reference: https://github.com/vineelkovvuri/edk2/pull/2




[-- Attachment #2: Type: text/html, Size: 10785 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-08 22:29         ` [edk2-devel] " Vineel Kovvuri
  2021-11-09  8:06           ` Yao, Jiewen
@ 2021-11-09  8:55           ` Gerd Hoffmann
  1 sibling, 0 replies; 36+ messages in thread
From: Gerd Hoffmann @ 2021-11-09  8:55 UTC (permalink / raw)
  To: devel, vineelko; +Cc: Vineel Kovvuri

  Hi,

> * OvmfPkg_Win_VS2019 - Passed
> * OvmfPkg_Ubuntu_GCC5 – Failed

> * INFO - GenFv: ERROR 3000: Invalid
> * INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

Wow.  That is a quite significant increase.
Is this the OVMF_IA32X64_FULL_NOOPT build?

That one is disabled on windows already, probably because turning off
compiler optimizations increases the build size too much.  We could do
the same for ubuntu as short-term solution.  Long-term we probably need
options to build 8M and 16M OVMF binaries.

While being at it: have you by chance also looked at switching tianocore
over to openssl 3.0?

take care,
  Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-09  8:06           ` Yao, Jiewen
@ 2021-11-09  8:58             ` Gerd Hoffmann
  2021-11-10 16:18               ` Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: Gerd Hoffmann @ 2021-11-09  8:58 UTC (permalink / raw)
  To: devel, jiewen.yao; +Cc: vineelko@microsoft.com, Vineel Kovvuri

>   2.  Remove unnecessary algo in openssl config
>      *   Do you really want to enable all those algorithms? Such as SM2? Maybe revisit them again to see if they are really needed. I could see it might break other platform potentially.

Enabling only those algorithms which are actually used by tianocore
certainly makes sense ...

>   3.  Provide 2 profiles – with ECC and without ECC.

... and if it gets down the size enough would be better than yet another
compile time option.

take care,
  Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-09  8:58             ` Gerd Hoffmann
@ 2021-11-10 16:18               ` Vineel Kovvuri
  2021-11-11 13:05                 ` Gerd Hoffmann
  0 siblings, 1 reply; 36+ messages in thread
From: Vineel Kovvuri @ 2021-11-10 16:18 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: devel, Yao, Jiewen, vineelko@microsoft.com

[-- Attachment #1: Type: text/plain, Size: 3731 bytes --]

Hi All,

Sorry, my bad for not providing the details. Below is the build
configuration.

Passing: stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py
TOOL_CHAIN_TAG=GCC5 TARGET=NOOPT   -a IA32,X64

Failing: stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py
TOOL_CHAIN_TAG=GCC5 TARGET=NOOPT -a IA32,X64 BLD_*_SECURE_BOOT_ENABLE=1
BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1
BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1
BLD_*_NETWORK_HTTP_BOOT_ENABLE=1

The failure is happening while generating DXEFV.FVINFO
- Generating DXEFV FV
INFO - ##### ['GenFv', '-F', 'FALSE', '-a',
'/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/DXEFV.inf', '-o',
'/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv', '-i',
'/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.inf']
INFO - Return Value = 2
INFO - GenFv: ERROR 3000: Invalid
INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size
0xc00000

The difference I see without ecc change and with the change is the increase
in file sizes for below ffs files,(other .ffs files remained unchanged)

Without ecc change:
794742
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
653470
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1174654
 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
872594
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

With ecc change:
1058678
 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
917214
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1470718
 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
1134738
 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

Below is the size of DXEFV.Fv in successful build(without ecc change)

ubuntu@ubuntuubuntu:~/src/edk2$ ls -l
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv
-rw-rw-r-- 1 ubuntu ubuntu 12582912(0xC0000) Nov  9 19:18
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv

We haven't looked at porting to OpenSSL 3.0.

I am wondering, removing existing ciphers might impact other platforms.
Could you please suggest any less intrusive options without impacting
other platforms.

I am new to EDK and what compile time options are you referring to? Please
let me know if any other information is needed from the build.

Thanks in advance,
Vineel


On Tue, Nov 9, 2021 at 12:58 AM Gerd Hoffmann <kraxel@redhat.com> wrote:

> >   2.  Remove unnecessary algo in openssl config
> >      *   Do you really want to enable all those algorithms? Such as SM2?
> Maybe revisit them again to see if they are really needed. I could see it
> might break other platform potentially.
>
> Enabling only those algorithms which are actually used by tianocore
> certainly makes sense ...
>
> >   3.  Provide 2 profiles – with ECC and without ECC.
>
> ... and if it gets down the size enough would be better than yet another
> compile time option.
>
> take care,
>   Gerd
>
>

[-- Attachment #2: Type: text/html, Size: 4382 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-10 16:18               ` Vineel Kovvuri
@ 2021-11-11 13:05                 ` Gerd Hoffmann
  2021-11-11 13:26                   ` Yao, Jiewen
  0 siblings, 1 reply; 36+ messages in thread
From: Gerd Hoffmann @ 2021-11-11 13:05 UTC (permalink / raw)
  To: Vineel Kovvuri; +Cc: devel, Yao, Jiewen, vineelko@microsoft.com

  Hi,

> The difference I see without ecc change and with the change is the increase
> in file sizes for below ffs files,(other .ffs files remained unchanged)
> 
> Without ecc change:
> 794742
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 653470
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1174654
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 872594
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
> 
> With ecc change:
> 1058678
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 917214
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1470718
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 1134738
>  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

Uh.  So each driver which needs openssl has its own copy of the library?

I wasn't aware of that, but yes, given we don't have dynamic linking
this makes sense and also easily explains why we see such a big jump in
size.

> I am wondering, removing existing ciphers might impact other platforms.
> Could you please suggest any less intrusive options without impacting
> other platforms.

I was thinking more about reviewing the ciphers added.  Pick the most
commonly used ones instead of just adding them all, for example.

> I am new to EDK and what compile time options are you referring to? Please
> let me know if any other information is needed from the build.

Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.

But I think Jiewen meant something else with "2 profiles":

We could create two OpensslLib variants.  One full-featured build with
ecc enabled which TlsDxe could use (assuming better TLS support is your
use case).  And one less-featured variant for VariableSmm +
SecureBootConfigDxe + SecurityStubDxe.

That way we have the ecc code only once not four times in the firmware
build.  Possibly the less-featured could be stripped down even more when
it doesn't need to support TLS any more.

I'm also wondering why SecurityStubDxe needs OpensslLib ...

take care & HTH,
  Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-11 13:05                 ` Gerd Hoffmann
@ 2021-11-11 13:26                   ` Yao, Jiewen
  2021-11-18 18:40                     ` Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: Yao, Jiewen @ 2021-11-11 13:26 UTC (permalink / raw)
  To: Gerd Hoffmann, Vineel Kovvuri
  Cc: devel@edk2.groups.io, vineelko@microsoft.com

Sorry, I don't mean: one platform uses 2 different configuration.

That might be worse, because we lose the benefit on compression.
Ideally, no matter how many *same* copies you have, the compression algo will handle it and make only *one* copy. If you have two *different* copies, then compression may end up keeping *two* different copies.
I don't have data. I just feel it might be worse.

I mean two platform can choose 2 different configuration. But eventually, one platform should select one of them consistently, such as using only one CryptoDxe.inf.

In this case, you need carefully remove all unneeded algo.
For example, do you really need SM2 ?
Do you really need EdDSA ?
Do you really need ECX ?

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Thursday, November 11, 2021 9:06 PM
> To: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> vineelko@microsoft.com
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
> 
>   Hi,
> 
> > The difference I see without ecc change and with the change is the increase
> > in file sizes for below ffs files,(other .ffs files remained unchanged)
> >
> > Without ecc change:
> > 794742
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
> 7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
> 88E33EF71DFC.ffs
> > 653470
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
> 7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
> AC64-54F202CD0A21.ffs
> > 1174654
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
> 3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
> 74d435052646.ffs
> > 872594
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
> EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
> 43E3298C2343.ffs
> >
> > With ecc change:
> > 1058678
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
> 7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
> 88E33EF71DFC.ffs
> > 917214
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
> 7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
> AC64-54F202CD0A21.ffs
> > 1470718
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
> 3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
> 74d435052646.ffs
> > 1134738
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
> EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
> 43E3298C2343.ffs
> 
> Uh.  So each driver which needs openssl has its own copy of the library?
> 
> I wasn't aware of that, but yes, given we don't have dynamic linking
> this makes sense and also easily explains why we see such a big jump in
> size.
> 
> > I am wondering, removing existing ciphers might impact other platforms.
> > Could you please suggest any less intrusive options without impacting
> > other platforms.
> 
> I was thinking more about reviewing the chipers added.  Pick the most
> commonly used ones instead of just adding them all for example.
> 
> > I am new to EDK and what compile time options are you referring to? Please
> > let me know if any other information is needed from the build.
> 
> Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.
> 
> But I think Jiewen meant something else with "2 profiles":
> 
> We could create two OpensslLib variants.  One full-featured build with
> ecc enabled which TlsDxe could use (assuming better TLS support is your
> use case).  And one less-featured variant for VariableSmm +
> SecureBootConfigDxe + SecurityStubDxe.
> 
> That way we have the ecc code only once not four times in the firmware
> build.  Possibly the less-featured could be stripped down even more when
> it doesn't need to support TLS any more.
> 
> I'm also wondering why SecurityStubDxe needs OpensslLib ...
> 
> take care & HTH,
>   Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-11 13:26                   ` Yao, Jiewen
@ 2021-11-18 18:40                     ` Vineel Kovvuri
  2022-02-23  2:32                       ` yi1 li
  0 siblings, 1 reply; 36+ messages in thread
From: Vineel Kovvuri @ 2021-11-18 18:40 UTC (permalink / raw)
  To: Yao, Jiewen, harshit.n.g
  Cc: Gerd Hoffmann, devel@edk2.groups.io, vineelko@microsoft.com

[-- Attachment #1: Type: text/plain, Size: 4727 bytes --]

Hi Folks,

Sorry for the delay in my response. Thanks for the inputs. My bad for not
understanding what Jiewen was referring to.
I think he is suggesting removing the unused algorithms within the ECC
cipher, not removing already available ciphers.

Totally makes sense but it would involve more testing against each private
bios with the narrowed list of algorithms.

+Harshit from Intel for context

Thanks,
Vineel


On Thu, Nov 11, 2021 at 5:26 AM Yao, Jiewen <jiewen.yao@intel.com> wrote:

> Sorry, I don't mean: one platform uses 2 different configuration.
>
> That might be worse, because we lose the benefit on compression.
> Ideally, no matter how many *same* copies you have, the compression algo
> will handle it and make only *one* copy. If you have two *different*
> copies, then compression also may finally make *two* different copy.
> I don't have data. I just feel it might be worse.
>
> I mean two platform can choose 2 different configuration. But eventually,
> one platform should select one of them consistently, such as using only one
> CryptoDxe.inf.
>
> In this case, you need carefully remove all unneeded algo.
> For example, do you really need SM2 ?
> Do you really need EdDSA ?
> Do you really need ECX ?
>
> Thank you
> Yao Jiewen
>
>
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
> > Sent: Thursday, November 11, 2021 9:06 PM
> > To: Vineel Kovvuri <vineel.kovvuri@gmail.com>
> > Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> > vineelko@microsoft.com
> > Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add
> elliptic
> > curve chipher algorithms
> >
> >   Hi,
> >
> > > The difference I see without ecc change and with the change is the
> increase
> > > in file sizes for below ffs files,(other .ffs files remained unchanged)
> > >
> > > Without ecc change:
> > > 794742
> > > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
> > 7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
> > 88E33EF71DFC.ffs
> > > 653470
> > > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
> > 7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
> > AC64-54F202CD0A21.ffs
> > > 1174654
> > >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
> > 3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
> > 74d435052646.ffs
> > > 872594
> > > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
> > EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
> > 43E3298C2343.ffs
> > >
> > > With ecc change:
> > > 1058678
> > >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
> > 7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
> > 88E33EF71DFC.ffs
> > > 917214
> > > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
> > 7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
> > AC64-54F202CD0A21.ffs
> > > 1470718
> > >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
> > 3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
> > 74d435052646.ffs
> > > 1134738
> > >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
> > EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
> > 43E3298C2343.ffs
> >
> > Uh.  So each driver which needs openssl has its own copy of the library?
> >
> > I wasn't aware of that, but yes, given we don't have dynamic linking
> > this makes sense and also easily explains why we see such a big jump in
> > size.
> >
> > > I am wondering, removing existing ciphers might impact other platforms.
> > > Could you please suggest any less intrusive options without impacting
> > > other platforms.
> >
> > I was thinking more about reviewing the chipers added.  Pick the most
> > commonly used ones instead of just adding them all for example.
> >
> > > I am new to EDK and what compile time options are you referring to?
> Please
> > > let me know if any other information is needed from the build.
> >
> > Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.
> >
> > But I think Jiewen meant something else with "2 profiles":
> >
> > We could create two OpensslLib variants.  One full-featured build with
> > ecc enabled which TlsDxe could use (assuming better TLS support is your
> > use case).  And one less-featured variant for VariableSmm +
> > SecureBootConfigDxe + SecurityStubDxe.
> >
> > That way we have the ecc code only once not four times in the firmware
> > build.  Possibly the less-featured could be stripped down even more when
> > it doesn't need to support TLS any more.
> >
> > I'm also wondering why SecurityStubDxe needs OpensslLib ...
> >
> > take care & HTH,
> >   Gerd
>
>

[-- Attachment #2: Type: text/html, Size: 6264 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2021-11-18 18:40                     ` Vineel Kovvuri
@ 2022-02-23  2:32                       ` yi1 li
  2022-02-23  2:46                         ` Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: yi1 li @ 2022-02-23  2:32 UTC (permalink / raw)
  To: Vineel Kovvuri, devel

[-- Attachment #1: Type: text/plain, Size: 1407 bytes --]

Hi Vineel,

Are you still working on this issue? I'm glad to see that edk2 will enable EC and other crypto features and would like some advice.

I found from the previous discussion that there are only some issues with Ovmf binary size left,
Have you tried enlarging the size of DXEFV in OvmfPkgIa32X64.fdf, I think this is the most direct way to solve this problem.

Such like:
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 097fd428d5..1de0aad9f4 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -62,10 +62,10 @@ FV = SECFV

[FD.MEMFD]
BaseAddress   = $(MEMFD_BASE_ADDRESS)
-Size          = 0xD00000
+Size          = 0xE00000
ErasePolarity = 1
BlockSize     = 0x10000
-NumBlocks     = 0xD0
+NumBlocks     = 0xE0

0x000000|0x006000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
@@ -83,7 +83,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.P
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
FV = PEIFV

-0x100000|0xC00000
+0x100000|0xD00000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
FV = DXEFV
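Review bot: The new DXEFV size of `0xD00000` leaves only about 0x4D540 bytes (roughly 309 KiB) above the `0xcb2ac0` that GenFv reported as required earlier in this thread, so the next feature or OpenSSL update is likely to hit the limit again. The suggestion touches only OvmfPkgIa32X64.fdf; if the other OVMF `.fdf` files carry the same `0x100000|0xC00000` DXEFV region, they would need the same change to keep the builds consistent. The sizes should come from the measured NOOPT and RELEASE image sizes plus a stated margin, recorded in the commit message. The `[FD.MEMFD]` section continues outside the hunk, so any later regions that depend on these offsets are not visible here.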

Please cc me if there is any other progress, my team and I will provide support as far as possible.
Thanks!

[-- Attachment #2: Type: text/html, Size: 1894 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-23  2:32                       ` yi1 li
@ 2022-02-23  2:46                         ` Vineel Kovvuri
  2022-02-23  2:54                           ` yi1 li
  0 siblings, 1 reply; 36+ messages in thread
From: Vineel Kovvuri @ 2022-02-23  2:46 UTC (permalink / raw)
  To: devel@edk2.groups.io, yi1.li@intel.com, Vineel Kovvuri

[-- Attachment #1: Type: text/plain, Size: 1903 bytes --]

Hi,

Thanks for providing the inputs here. Really appreciated.
I will try to resume the work(had to put it aside due to other priorities). Please expect the patch by EOW.

Thanks,
Vineel
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of yi1 li via groups.io
Sent: Tuesday, February 22, 2022 6:33 PM
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Hi Vineel,

Are you still working on this issue? I'm glad to see that edk2 will enable EC and other crypto features and would like some advice.

I found from the previous discussion that there are only some issues with Ovmf binary size left,
Have you tried enlarging the size of DXEFV in OvmfPkgIa32X64.fdf, I think this is the most direct way to solve this problem.

Such like:
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 097fd428d5..1de0aad9f4 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -62,10 +62,10 @@ FV = SECFV

 [FD.MEMFD]
 BaseAddress   = $(MEMFD_BASE_ADDRESS)
-Size          = 0xD00000
+Size          = 0xE00000
 ErasePolarity = 1
 BlockSize     = 0x10000
-NumBlocks     = 0xD0
+NumBlocks     = 0xE0

 0x000000|0x006000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
@@ -83,7 +83,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.P
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
 FV = PEIFV

-0x100000|0xC00000
+0x100000|0xD00000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
 FV = DXEFV

Please cc me if there is any other progress, my team and I will provide support as far as possible.
Thanks!


[-- Attachment #2: Type: text/html, Size: 5666 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-23  2:46                         ` Vineel Kovvuri
@ 2022-02-23  2:54                           ` yi1 li
  2022-02-24  6:51                             ` Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: yi1 li @ 2022-02-23  2:54 UTC (permalink / raw)
  To: Kovvuri, Vineel, devel@edk2.groups.io, Vineel Kovvuri

[-- Attachment #1: Type: text/plain, Size: 2264 bytes --]

Good news, Thanks for your work.

Thanks!
Yi Li
From: Vineel Kovvuri <vineelko@microsoft.com>
Sent: Wednesday, February 23, 2022 10:46 AM
To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>; Vineel Kovvuri <vineel.kovvuri@gmail.com>
Subject: RE: [EXTERNAL] Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Hi,

Thanks for providing the inputs here. Really appreciated.
I will try to resume the work(had to put it aside due to other priorities). Please expect the patch by EOW.

Thanks,
Vineel
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of yi1 li via groups.io
Sent: Tuesday, February 22, 2022 6:33 PM
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Hi Vineel,

Are you still working on this issue? I'm glad to see that edk2 will enable EC and other crypto features and would like some advice.

I found from the previous discussion that there are only some issues with Ovmf binary size left,
Have you tried enlarging the size of DXEFV in OvmfPkgIa32X64.fdf, I think this is the most direct way to solve this problem.

Such like:
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 097fd428d5..1de0aad9f4 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -62,10 +62,10 @@ FV = SECFV

 [FD.MEMFD]
 BaseAddress   = $(MEMFD_BASE_ADDRESS)
-Size          = 0xD00000
+Size          = 0xE00000
 ErasePolarity = 1
 BlockSize     = 0x10000
-NumBlocks     = 0xD0
+NumBlocks     = 0xE0

 0x000000|0x006000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
@@ -83,7 +83,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.P
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
 FV = PEIFV

-0x100000|0xC00000
+0x100000|0xD00000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
 FV = DXEFV

Please cc me if there is any other progress, my team and I will provide support as far as possible.
Thanks!


[-- Attachment #2: Type: text/html, Size: 6758 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-23  2:54                           ` yi1 li
@ 2022-02-24  6:51                             ` Vineel Kovvuri
  2022-02-24  8:20                               ` yi1 li
  0 siblings, 1 reply; 36+ messages in thread
From: Vineel Kovvuri @ 2022-02-24  6:51 UTC (permalink / raw)
  To: yi1 li, devel

[-- Attachment #1: Type: text/plain, Size: 713 bytes --]

Hi Yi Li,

I have posted the recent patch set to enable ECC ciphers in OpenSSLLib to the bug https://bugzilla.tianocore.org/show_bug.cgi?id=3679

I have run the entire OVMF Azure pipeline locally and can confirm that the code builds without any issue. Thanks for the input: after enlarging DXEFV the build succeeded.

I am new to EDK build and to the overall process so please review the patch set and provide your comments. I am happy to address them. Once reviewed I can add it to the proposed feature to the release planning wiki

0001-Crypto-Enable-ECC-ciphers.patch
0002-Port-VsIntrinsicLib-from-Project-Mu.patch
0003-Reference-VsIntrinsicLib.patch
0004-Increase-FV-size.patch

Thanks,
Vineel

[-- Attachment #2: Type: text/html, Size: 901 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-24  6:51                             ` Vineel Kovvuri
@ 2022-02-24  8:20                               ` yi1 li
  2022-02-25 17:51                                 ` Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: yi1 li @ 2022-02-24  8:20 UTC (permalink / raw)
  To: Kovvuri, Vineel, devel@edk2.groups.io

[-- Attachment #1: Type: text/plain, Size: 2731 bytes --]

Hi Vineel,

Code is good to me, just some BKM for edk2 upstream:


  1.  It's a little strange that patch 0004 contains submodule changes; they look unintended, maybe you forgot to run git submodule update:

diff --git a/BaseTools/Source/C/BrotliCompress/brotli b/BaseTools/Source/C/BrotliCompress/brotli

index f4153a09f8..666c3280cc 160000

--- a/BaseTools/Source/C/BrotliCompress/brotli

+++ b/BaseTools/Source/C/BrotliCompress/brotli



  1.  Good commit titles and comments can get feedback from the community more quickly and more accurately, refer: https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format,

And CC Maintainers about changed pkg in commit will remind relevant people to review the code as soon as possible, you can find them at: https://github.com/tianocore/edk2/blob/master/Maintainers.txt,

A demo:



CryptoPkg: Enable ECC ciphers



REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3679



Reconfigure OpenSSLLib to add elliptic curve ciphers  # detail info



Cc: Vineel Kovvuri <vineelko@microsoft.com>

Cc: # Maintainers or other people you want to Cc

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>



  1.  According to 2, it is best to split the changes of different PKGs, such in patch 0003.


  1.  Extra spaces or tabs can cause formatting errors in CI, make sure there are no unnecessary changes in the patch. Such:

#ifndef OSSL_CRYPTO_DSO_CONF_H
-#define OSSL_CRYPTO_DSO_CONF_H
-#define DSO_NONE
-#define DSO_EXTENSION  ".so"
+# define OSSL_CRYPTO_DSO_CONF_H
+# define DSO_NONE
+# define DSO_EXTENSION ".so"
#endif

You can submit PR to edk2 mater branch directly to check for CI bugs(will not be reviewed or merged).


Thanks!
Yi Li
From: vineelko via groups.io <vineelko=microsoft.com@groups.io>
Sent: Thursday, February 24, 2022 2:51 PM
To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Hi Yi Li,

I have posted the recent patch set to enable ECC ciphers in OpenSSLLib to the bug https://bugzilla.tianocore.org/show_bug.cgi?id=3679

I have ran the entire OVMF Azure pipeline locally and confirm that the code gets build without any issue. Thanks for the inputs after enlarging DXEFV the build succeeded.

I am new to EDK build and to the overall process so please review the patch set and provide your comments. I am happy to address them. Once reviewed I can add it to the proposed feature to the release planning wiki
0001-Crypto-Enable-ECC-ciphers.patch
0002-Port-VsIntrinsicLib-from-Project-Mu.patch
0003-Reference-VsIntrinsicLib.patch
0004-Increase-FV-size.patch

Thanks,
Vineel

[-- Attachment #2: Type: text/html, Size: 10848 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-24  8:20                               ` yi1 li
@ 2022-02-25 17:51                                 ` Vineel Kovvuri
  2022-02-26 15:54                                   ` yi1 li
                                                     ` (2 more replies)
  0 siblings, 3 replies; 36+ messages in thread
From: Vineel Kovvuri @ 2022-02-25 17:51 UTC (permalink / raw)
  To: yi1 li, devel

[-- Attachment #1: Type: text/plain, Size: 463 bytes --]

Huge Thanks for "You can submit PR to edk2 mater branch directly to check for CI bugs(will not be reviewed or merged)."

I am fixing them. Regarding the style (extra spaces and tabs): it actually comes from openssl when we run CryptoPkg/Library/OpensslLib/process_files.pl
Not sure if there is a way to exclude some of the files from the style check?

Sample PR against EDK2 master: https://github.com/tianocore/edk2/pull/2546/files

Thanks,
Vineel

[-- Attachment #2: Type: text/html, Size: 503 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-25 17:51                                 ` Vineel Kovvuri
@ 2022-02-26 15:54                                   ` yi1 li
  2022-02-28  8:24                                   ` yi1 li
  2022-03-03  6:30                                   ` Vineel Kovvuri
  2 siblings, 0 replies; 36+ messages in thread
From: yi1 li @ 2022-02-26 15:54 UTC (permalink / raw)
  To: Kovvuri, Vineel, devel@edk2.groups.io

[-- Attachment #1: Type: text/plain, Size: 1091 bytes --]

Well done! Edk2 also ships its own code style tool; use these commands to fix the formatting:

pip install -r pip-requirements.txt

git ls-files CryptoPkg*.c CryptoPkg*.h | .\.pytool\Plugin\UncrustifyCheck\mu-uncrustify-release_extdep\Windows-x86\uncrustify.exe -c .\.pytool\Plugin\UncrustifyCheck\uncrustify.cfg -F - --replace --no-backup --if-changed

Thank you!
Yi Li

From: vineelko via groups.io <vineelko=microsoft.com@groups.io>
Sent: Saturday, February 26, 2022 1:52 AM
To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Huge Thanks for "You can submit PR to edk2 mater branch directly to check for CI bugs(will not be reviewed or merged)."

I am fixing them. Regarding the style(extra spaces and tabs), It is actually coming from openssl when we run CryptoPkg/Library/OpensslLib/process_files.pl
Not sure if there a way to exclude some of the files from checking the style?

Sample PR against EDK2 master: https://github.com/tianocore/edk2/pull/2546/files

Thanks,
Vineel

[-- Attachment #2: Type: text/html, Size: 3729 bytes --]


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-25 17:51                                 ` Vineel Kovvuri
  2022-02-26 15:54                                   ` yi1 li
@ 2022-02-28  8:24                                   ` yi1 li
  2022-03-01 14:04                                     ` Gerd Hoffmann
  2022-03-03  6:30                                   ` Vineel Kovvuri
  2 siblings, 1 reply; 36+ messages in thread
From: yi1 li @ 2022-02-28  8:24 UTC (permalink / raw)
  To: Kovvuri, Vineel, devel@edk2.groups.io


[-- Attachment #1.1: Type: text/plain, Size: 1708 bytes --]

Hi Vineel,

I noticed that there are some CI errors still in PR,


  1.  The VsIntrinscicLib is only used in OpenSSL related lib, putting it only in the CryptoPkg would make more sense and simplify the review process.



  1.  A BKM (best known method): a NULL LibraryClass means that the library's internal API will not be called by external modules; the correct way to use a library from other modules is to give it a class name and reference it from those modules,

And this link will be more clear: https://edk2.groups.io/g/devel/topic/what_is_a_null_library/80192232?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,20,80192232,

This is also the root cause of the remaining CI errors.



  1.  I drafted a demo patch and it passed the CI test,

Seems we only need three patch:

CryptoPkg: Reconfigure OpensslLib to add elliptic curve cipher algori…

CryptoPkg: Add instrinsics to support building ECC on IA32 windows

OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related changes

FYR.

Thanks!
Yi Li
From: vineelko via groups.io <vineelko=microsoft.com@groups.io>
Sent: Saturday, February 26, 2022 1:52 AM
To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Huge Thanks for "You can submit PR to edk2 mater branch directly to check for CI bugs(will not be reviewed or merged)."

I am fixing them. Regarding the style(extra spaces and tabs), It is actually coming from openssl when we run CryptoPkg/Library/OpensslLib/process_files.pl
Not sure if there a way to exclude some of the files from checking the style?

Sample PR against EDK2 master: https://github.com/tianocore/edk2/pull/2546/files

Thanks,
Vineel

[-- Attachment #1.2: Type: text/html, Size: 6791 bytes --]

[-- Attachment #2: 0001-CryptoPkg-Add-instrinsics-to-support-building-ECC-on.patch --]
[-- Type: application/octet-stream, Size: 6342 bytes --]

From d4622c67ae10557ac379f1e388175869c2e86f85 Mon Sep 17 00:00:00 2001
From: yi1 li <yi1.li@intel.com>
Date: Mon, 28 Feb 2022 14:54:05 +0800
Subject: [PATCH 1/1] CryptoPkg: Add instrinsics to support building ECC on
 IA32 windows

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3679

This dependency is needed to build the openssl lib with ECC ciphers
under IA32 Windows; it adds implementations of the _allmul and _allshr
intrinsics.

It is taken from Project Mu:
microsoft/mu_basecore@b55b341

Signed-off-by: yi1 li <yi1.li@intel.com>
---
 .../Library/IntrinsicLib/Ia32/MathLlmul.asm   | 98 +++++++++++++++++++
 .../Library/IntrinsicLib/Ia32/MathLlshr.asm   | 78 +++++++++++++++
 .../Library/IntrinsicLib/IntrinsicLib.inf     |  2 +
 3 files changed, 178 insertions(+)
 create mode 100644 CryptoPkg/Library/IntrinsicLib/Ia32/MathLlmul.asm
 create mode 100644 CryptoPkg/Library/IntrinsicLib/Ia32/MathLlshr.asm

diff --git a/CryptoPkg/Library/IntrinsicLib/Ia32/MathLlmul.asm b/CryptoPkg/Library/IntrinsicLib/Ia32/MathLlmul.asm
new file mode 100644
index 000000000000..341ea8a7bc0d
--- /dev/null
+++ b/CryptoPkg/Library/IntrinsicLib/Ia32/MathLlmul.asm
@@ -0,0 +1,98 @@
+;***
+;llmul.asm - long multiply routine
+;
+;       Copyright (c) Microsoft Corporation. All rights reserved.
+;       SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+;Purpose:
+;       Defines long multiply routine
+;       Both signed and unsigned routines are the same, since multiply's
+;       work out the same in 2's complement
+;       creates the following routine:
+;           __allmul
+;
+;Original Implemenation: MSVC 14.12.25827
+;
+;*******************************************************************************
+    .686
+    .model  flat,C
+    .code
+
+
+;***
+;llmul - long multiply routine
+;
+;Purpose:
+;       Does a long multiply (same for signed/unsigned)
+;       Parameters are not changed.
+;
+;Entry:
+;       Parameters are passed on the stack:
+;               1st pushed: multiplier (QWORD)
+;               2nd pushed: multiplicand (QWORD)
+;
+;Exit:
+;       EDX:EAX - product of multiplier and multiplicand
+;       NOTE: parameters are removed from the stack
+;
+;Uses:
+;       ECX
+;
+;Exceptions:
+;
+;*******************************************************************************
+_allmul PROC NEAR
+
+A       EQU     [esp + 4]       ; stack address of a
+B       EQU     [esp + 12]      ; stack address of b
+
+HIGH_PART  EQU     [4]             ;
+LOW_PART   EQU     [0]
+
+;
+;       AHI, BHI : upper 32 bits of A and B
+;       ALO, BLO : lower 32 bits of A and B
+;
+;             ALO * BLO
+;       ALO * BHI
+; +     BLO * AHI
+; ---------------------
+;
+
+        mov     eax,HIGH_PART(A)
+        mov     ecx,HIGH_PART(B)
+        or      ecx,eax         ;test for both high dwords zero.
+        mov     ecx,LOW_PART(B)
+        jnz     short hard      ;both are zero, just mult ALO and BLO
+
+        mov     eax,LOW_PART(A)
+        mul     ecx
+
+        ret     16              ; callee restores the stack
+
+hard:
+        push    ebx
+
+; must redefine A and B since esp has been altered
+
+A2      EQU     [esp + 8]       ; stack address of a
+B2      EQU     [esp + 16]      ; stack address of b
+
+        mul     ecx             ;eax has AHI, ecx has BLO, so AHI * BLO
+        mov     ebx,eax         ;save result
+
+        mov     eax,LOW_PART(A2)
+        mul     dword ptr HIGH_PART(B2) ;ALO * BHI
+        add     ebx,eax         ;ebx = ((ALO * BHI) + (AHI * BLO))
+
+        mov     eax,LOW_PART(A2);ecx = BLO
+        mul     ecx             ;so edx:eax = ALO*BLO
+        add     edx,ebx         ;now edx has all the LO*HI stuff
+
+        pop     ebx
+
+        ret     16              ; callee restores the stack
+
+_allmul ENDP
+
+        end
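Review bot: The `or ecx,eax` / `jnz short hard` early-out at the top of `_allmul` makes the routine's running time depend on whether both operands fit in 32 bits, which matters because this file is added so that OpenSSL's EC code can be built for IA32 with MSVC. Whether a secret-dependent 64-bit multiply actually reaches this helper cannot be told from the hunk, so it is worth confirming against the constant-time expectations of the EC code before merging. If it does, the simplest option is to drop the shortcut and always run the three-multiply path under `hard:`; at minimum add a comment such as `; NOTE: not constant-time - branches on the high dwords of A and B`. Separately, the comment on `jnz short hard` (`both are zero, just mult ALO and BLO`) describes the fall-through rather than the branch taken, and `Implemenation` in the header is misspelled.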
diff --git a/CryptoPkg/Library/IntrinsicLib/Ia32/MathLlshr.asm b/CryptoPkg/Library/IntrinsicLib/Ia32/MathLlshr.asm
new file mode 100644
index 000000000000..ab8294580f16
--- /dev/null
+++ b/CryptoPkg/Library/IntrinsicLib/Ia32/MathLlshr.asm
@@ -0,0 +1,78 @@
+;***
+;llshr.asm - long shift right
+;
+;       Copyright (c) Microsoft Corporation. All rights reserved.
+;       SPDX-License-Identifier: BSD-2-Clause-Patent
+;
+;Purpose:
+;       define signed long shift right routine
+;           __allshr
+;
+;Original Implemenation: MSVC 14.12.25827
+;
+;*******************************************************************************
+    .686
+    .model  flat,C
+    .code
+
+
+
+;***
+;llshr - long shift right
+;
+;Purpose:
+;       Does a signed Long Shift Right
+;       Shifts a long right any number of bits.
+;
+;Entry:
+;       EDX:EAX - long value to be shifted
+;       CL    - number of bits to shift by
+;
+;Exit:
+;       EDX:EAX - shifted value
+;
+;Uses:
+;       CL is destroyed.
+;
+;Exceptions:
+;
+;*******************************************************************************
+_allshr PROC NEAR
+
+;
+; Handle shifts of 64 bits or more (if shifting 64 bits or more, the result
+; depends only on the high order bit of edx).
+;
+        cmp     cl,64
+        jae     short RETSIGN
+
+;
+; Handle shifts of between 0 and 31 bits
+;
+        cmp     cl, 32
+        jae     short MORE32
+        shrd    eax,edx,cl
+        sar     edx,cl
+        ret
+
+;
+; Handle shifts of between 32 and 63 bits
+;
+MORE32:
+        mov     eax,edx
+        sar     edx,31
+        and     cl,31
+        sar     eax,cl
+        ret
+
+;
+; Return double precision 0 or -1, depending on the sign of edx
+;
+RETSIGN:
+        sar     edx,31
+        mov     eax,edx
+        ret
+
+_allshr ENDP
+
+        end
diff --git a/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf b/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
index fcbb93316cf7..86e74b57b109 100644
--- a/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+++ b/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
@@ -30,6 +30,8 @@
   Ia32/MathLShiftS64.c      | MSFT
   Ia32/MathRShiftU64.c      | MSFT
   Ia32/MathFtol.c           | MSFT
+  Ia32/MathLlmul.asm        | MSFT
+  Ia32/MathLlshr.asm        | MSFT
 
   Ia32/MathLShiftS64.c      | INTEL
   Ia32/MathRShiftU64.c      | INTEL
-- 
2.33.0.windows.2



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-28  8:24                                   ` yi1 li
@ 2022-03-01 14:04                                     ` Gerd Hoffmann
  2022-03-01 17:38                                       ` Sean
  2022-03-02  4:23                                       ` yi1 li
  0 siblings, 2 replies; 36+ messages in thread
From: Gerd Hoffmann @ 2022-03-01 14:04 UTC (permalink / raw)
  To: devel, yi1.li; +Cc: Kovvuri, Vineel, jiewen.yao

> CryptoPkg: Add instrinsics to support building ECC on IA32 windows

See also https://edk2.groups.io/g/devel/message/87130 & followups.
git branch here: https://github.com/kraxel/edk2/commits/intrinsics

> OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related changes

Changing flash size breaks backward compatibility, so this is a problem.
openssl3 porting runs into this too, not solved yet.

Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of
linking openssl as Library, so we have only one copy of the code.  Not
investigated yet.

Also: what do you need ecc support for?

take care,
  Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-01 14:04                                     ` Gerd Hoffmann
@ 2022-03-01 17:38                                       ` Sean
  2022-03-02  4:23                                       ` yi1 li
  1 sibling, 0 replies; 36+ messages in thread
From: Sean @ 2022-03-01 17:38 UTC (permalink / raw)
  To: devel, kraxel, yi1.li; +Cc: Kovvuri, Vineel, jiewen.yao


On 3/1/2022 6:04 AM, Gerd Hoffmann wrote:
>> CryptoPkg: Add instrinsics to support building ECC on IA32 windows
> 
> See also https://edk2.groups.io/g/devel/message/87130 & followups.
> git branch here: https://github.com/kraxel/edk2/commits/intrinsics
> 
>> OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related changes
> 
> Changing flash size breaks backward compatibility, so this is a problem.
> openssl3 porting runs into this too, not solved yet.
> 
> Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of
> linking openssl as Library, so we have only one copy of the code.  Not
> investigated yet.
> 
> Also: what do you need ecc support for?

TLS requirements for modern endpoints/services are "generally" moving to 
ECC.


> 
> take care,
>    Gerd
> 
> 
> 
> 
> 
> 


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-01 14:04                                     ` Gerd Hoffmann
  2022-03-01 17:38                                       ` Sean
@ 2022-03-02  4:23                                       ` yi1 li
  2022-03-02  6:59                                         ` Yao, Jiewen
  2022-03-02  7:58                                         ` Gerd Hoffmann
  1 sibling, 2 replies; 36+ messages in thread
From: yi1 li @ 2022-03-02  4:23 UTC (permalink / raw)
  To: Gerd Hoffmann, devel@edk2.groups.io
  Cc: Kovvuri, Vineel, Yao, Jiewen, Luo, Heng

Thanks for your information,

1.See also https://edk2.groups.io/g/devel/message/87130 & followups.
git branch here: https://github.com/kraxel/edk2/commits/intrinsics

It's good to me, make code more clear.

2. Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of linking openssl as Library, so we have only one copy of the code.  Not investigated yet.

Does it means OvmfPkg will use CryptDxe instead of BaseCryptoLib and OpensslLib directly? Sounds will be a big change.
Or a separate ECC Driver such CryptEcDxe and still use BaseCryptoLib and OpensslLib?
I would like to point out that once we stop defining the OPENSSL_NO_EC macro, the size of OpensslLib will inevitably increase, because the code guarded by it becomes enabled, and it will exceed the limit of Ovmf.
For example, in x509_vfy.c:
static int check_curve(X509 *cert)
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *pkey = X509_get0_pubkey(cert);

    /* Unsupported or malformed key */
    if (pkey == NULL)
        return -1;

    if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
        int ret;

        ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
        return ret < 0 ? ret : !ret;
    }
#endif

3. Also: what do you need ecc support for?

WPA3 needs ECC's support, and I think Vineel's work will be the foundation.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3828

Thanks!
Yi Li
-----Original Message-----
From: Gerd Hoffmann <kraxel@redhat.com> 
Sent: Tuesday, March 1, 2022 10:05 PM
To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>
Cc: Kovvuri, Vineel <vineelko@microsoft.com>; Yao, Jiewen <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

> CryptoPkg: Add instrinsics to support building ECC on IA32 windows

See also https://edk2.groups.io/g/devel/message/87130 & followups.
git branch here: https://github.com/kraxel/edk2/commits/intrinsics

> OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related 
> changes

Changing flash size breaks backward compatibility, so this is a problem.
openssl3 porting runs into this too, not solved yet.

Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of linking openssl as Library, so we have only one copy of the code.  Not investigated yet.

Also: what do you need ecc support for?

take care,
  Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-02  4:23                                       ` yi1 li
@ 2022-03-02  6:59                                         ` Yao, Jiewen
  2022-03-02  7:42                                           ` Gerd Hoffmann
  2022-03-02  7:58                                         ` Gerd Hoffmann
  1 sibling, 1 reply; 36+ messages in thread
From: Yao, Jiewen @ 2022-03-02  6:59 UTC (permalink / raw)
  To: Li, Yi1, Gerd Hoffmann, devel@edk2.groups.io; +Cc: Kovvuri, Vineel, Luo, Heng

I think another option to pursue is to control the openssl configuration at the module or platform level.

E.g. what if platform-A has enough size and wants to use ECC, while platform-B has size constrain and wants to disable ECC ?

We can let platform choose if ECC is needed or not? I hope so.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Wednesday, March 2, 2022 12:24 PM
> To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> Cc: Kovvuri, Vineel <vineelko@microsoft.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Luo, Heng <heng.luo@intel.com>
> Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
> 
> Thanks for your information,
> 
> 1.See also https://edk2.groups.io/g/devel/message/87130 & followups.
> git branch here: https://github.com/kraxel/edk2/commits/intrinsics
> 
> It's good to me, make code more clear.
> 
> 2. Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of
> linking openssl as Library, so we have only one copy of the code.  Not
> investigated yet.
> 
> Does it means OvmfPkg will use CryptDxe instead of BaseCryptoLib and
> OpensslLib directly? Sounds will be a big change.
> Or a separate ECC Driver such CryptEcDxe and still use BaseCryptoLib and
> OpensslLib?
> I would like to point out that once we close macro OPENSSL_NO_EC, The size of
> Openssllib will inevitably increase due to some enabled feature and exceed limit
> of Ovmf,
> Such in x509_vry.c:
> static int check_curve(X509 *cert)
> {
> #ifndef OPENSSL_NO_EC
>     EVP_PKEY *pkey = X509_get0_pubkey(cert);
> 
>     /* Unsupported or malformed key */
>     if (pkey == NULL)
>         return -1;
> 
>     if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
>         int ret;
> 
>         ret =
> EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
>         return ret < 0 ? ret : !ret;
>     }
> #endif
> 
> 3. Also: what do you need ecc support for?
> 
> WPA3 needs ECC's support, and I think Vineel's work will be the foundation.
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3828
> 
> Thanks!
> Yi Li
> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Tuesday, March 1, 2022 10:05 PM
> To: devel@edk2.groups.io; Li, Yi1 <yi1.li@intel.com>
> Cc: Kovvuri, Vineel <vineelko@microsoft.com>; Yao, Jiewen
> <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
> 
> > CryptoPkg: Add instrinsics to support building ECC on IA32 windows
> 
> See also https://edk2.groups.io/g/devel/message/87130 & followups.
> git branch here: https://github.com/kraxel/edk2/commits/intrinsics
> 
> > OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related
> > changes
> 
> Changing flash size breaks backward compatibility, so this is a problem.
> openssl3 porting runs into this too, not solved yet.
> 
> Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of linking
> openssl as Library, so we have only one copy of the code.  Not investigated yet.
> 
> Also: what do you need ecc support for?
> 
> take care,
>   Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-02  6:59                                         ` Yao, Jiewen
@ 2022-03-02  7:42                                           ` Gerd Hoffmann
  2022-03-02 11:56                                             ` Yao, Jiewen
  0 siblings, 1 reply; 36+ messages in thread
From: Gerd Hoffmann @ 2022-03-02  7:42 UTC (permalink / raw)
  To: Yao, Jiewen; +Cc: Li, Yi1, devel@edk2.groups.io, Kovvuri, Vineel, Luo, Heng

On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote:
> I think another option to pursue is to how to control the openssl configuration from module or platform level.
> 
> E.g. what if platform-A has enough size and wants to use ECC, while platform-B has size constrain and wants to disable ECC ?
> 
> We can let platform choose if ECC is needed or not? I hope so.

Not so easy.  Would require to put the way openssl is integrated upside
down.  Today openssl is configured and the results (header files etc)
are committed to the repo, so the openssl config is the same for
everybody.

Also I expect there is no way around ecc long-term.  WPA3 was mentioned
elsewhere in the thread.  For TLS it will most likely be a requirement
too at some point in the future.  With TLS 1.2 it is possible to choose
ciphers not requiring ECC, for TLS 1.3 ECC is mandatory though.

So I doubt making ECC optional is worth the trouble.

take care,
  Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-02  4:23                                       ` yi1 li
  2022-03-02  6:59                                         ` Yao, Jiewen
@ 2022-03-02  7:58                                         ` Gerd Hoffmann
  1 sibling, 0 replies; 36+ messages in thread
From: Gerd Hoffmann @ 2022-03-02  7:58 UTC (permalink / raw)
  To: devel, yi1.li; +Cc: Kovvuri, Vineel, Yao, Jiewen, Luo, Heng

  Hi,

> 2. Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of linking openssl as Library, so we have only one copy of the code.  Not investigated yet.
> 
> Does it means OvmfPkg will use CryptDxe instead of BaseCryptoLib and OpensslLib directly? Sounds will be a big change.

Havn't checked yet how much of a change that would be.

Looks like CryptoPkg/Library/BaseCryptLibOnProtocolPpi is a drop-in
replacement for CryptoPkg/Library/BaseCryptLib, which will call
EDKII_CRYPTO_PROTOCOL provided by CryptoPkg/Driver instead of linking in
the crypto bits from openssl.

Apparently there isn't something similar for OpensslLib though.

> Or a separate ECC Driver such CryptEcDxe and still use BaseCryptoLib and OpensslLib?

Would probably make sense to just add ecc support to the existing
CryptoPkg/Driver.

take care,
  Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-02  7:42                                           ` Gerd Hoffmann
@ 2022-03-02 11:56                                             ` Yao, Jiewen
  2022-03-03  8:43                                               ` yi1 li
  0 siblings, 1 reply; 36+ messages in thread
From: Yao, Jiewen @ 2022-03-02 11:56 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: Li, Yi1, devel@edk2.groups.io, Kovvuri, Vineel, Luo, Heng

From a requirements perspective, I am thinking more broadly than just ECC.

Looking at https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/Include/openssl/opensslconf.h today, we have disabled lots of things (ECDH, ECDSA, TLS1_3) which might be potentially useful, while the algorithms we use today, such as FFDHE, MD5 and SHA1, might not be useful.

Even for ECC, some platforms may need normal ECDH/ECDSA. However, some platforms may or may not need EdDSA or X-Curve DH. I am not sure if we really need to enable all of them in the previous patch set.

SM3 and SM2 are another category. They might be useful for one particular segment, but not useful for others. For example, an SMx-compliant-only platform may only require SM2/SM3 (no RSA/ECC), while a NIST-compliant-only platform might not require SMx.


If a platform does have flash size constrain, why it cannot do customization? Why we enforce every platform, from an embedded system to a server use the same default configuration ?

openssl exposes a config file, other crypto lib (mbedtls, wolfssl) also does same thing, such as
https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/mbedtls_config.h,
https://github.com/wolfSSL/wolfssl/tree/master/examples/configs
Why we cannot allow a platform override such configuration ?

I am not saying we must do it. But I believe it is worth to revisit, to see if any platform has such need, before draw the conclusion so quick.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Wednesday, March 2, 2022 3:42 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel
> <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
> 
> On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote:
> > I think another option to pursue is to how to control the openssl configuration
> from module or platform level.
> >
> > E.g. what if platform-A has enough size and wants to use ECC, while platform-
> B has size constrain and wants to disable ECC ?
> >
> > We can let platform choose if ECC is needed or not? I hope so.
> 
> Not so easy.  Would require to put the way openssl is integrated upside
> down.  Today openssl is configured and the results (header files etc)
> are committed to the repo, so the openssl config is the same for
> everybody.
> 
> Also I expect there is no way around ecc long-term.  WPA3 was mentioned
> elsewhere in the thread.  For TLS it will most likely be a requirement
> too at some point in the future.  With TLS 1.2 it is possible to choose
> ciphers not requiring ECC, for TLS 1.3 ECC is mandatory though.
> 
> So I doubt making ECC optional is worth the trouble.
> 
> take care,
>   Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-02-25 17:51                                 ` Vineel Kovvuri
  2022-02-26 15:54                                   ` yi1 li
  2022-02-28  8:24                                   ` yi1 li
@ 2022-03-03  6:30                                   ` Vineel Kovvuri
  2022-03-03  6:37                                     ` Vineel Kovvuri
  2 siblings, 1 reply; 36+ messages in thread
From: Vineel Kovvuri @ 2022-03-03  6:30 UTC (permalink / raw)
  To: Vineel Kovvuri, devel


Hi Yi Li,

I was able to incorporate all your feedback regarding commit hygiene. I was also able to validate the commits by opening a sample PR against EDK2 master: https://github.com/tianocore/edk2/pull/2550/checks
All of the checks passed except 3, which seem to be infrastructure related. I would need your team's help in taking a look at them to see whether they are caused by my commits.

Broken down the commits per area owner and CC'ed them.

0001-CryptoPkg-Reconfigure-OpensslLib-to-add-elliptic-cur.patch
0002-CryptoPkg-Reference-to-VsIntrincsicLib-to-build-Open.patch
0003-MdePkg-Add-VsIntrincsicLib-to-support-building-OpenS.patch
0004-EmulatorPkg-Reference-to-VsIntrincsicLib-to-build-Op.patch
0005-OvmfPkg-Reference-to-VsIntrincsicLib-to-build-OpenSS.patch
0006-OvmfPkg-Increase-DXEFV-size-to-accommodate-ECC-ciphe.patch

Updated the bug https://bugzilla.tianocore.org/show_bug.cgi?id=3679 with the patch set.

Thanks for your help,
Vineel


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-03  6:30                                   ` Vineel Kovvuri
@ 2022-03-03  6:37                                     ` Vineel Kovvuri
  0 siblings, 0 replies; 36+ messages in thread
From: Vineel Kovvuri @ 2022-03-03  6:37 UTC (permalink / raw)
  To: Vineel Kovvuri, devel


Sorry I missed the earlier feedback from You/Gerd/Jiewen and replied quickly with my updated patch set. I will try to look at them.

-Vineel


* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-02 11:56                                             ` Yao, Jiewen
@ 2022-03-03  8:43                                               ` yi1 li
  2022-03-03 10:05                                                 ` Yao, Jiewen
  0 siblings, 1 reply; 36+ messages in thread
From: yi1 li @ 2022-03-03  8:43 UTC (permalink / raw)
  To: Yao, Jiewen, Gerd Hoffmann
  Cc: devel@edk2.groups.io, Kovvuri, Vineel, Luo, Heng

I agree with that, and I think the first issue is that the OPENSSL_NO_* macros do not cover every file related to a given feature in openssl (like ec).
Once those macro defines cover everything, we can put all files in OpensslLib.inf [Source],
and control the macro defines in opensslconf.h through PCDs to do customization.
The openssl community is OK with this, and that is exactly what they already do for features like asn1; it just does not cover all features yet.
https://github.com/openssl/openssl/issues/17801

I am glad to push it forward, but it looks like it will take a long time, and platforms need to support WPA3 as soon as possible.
I'm wondering whether we can first use a new OpensslEclib.inf to enable ECC, to meet customer needs?

Thanks!
Yi Li
-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com> 
Sent: Wednesday, March 2, 2022 7:57 PM
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

>From requirement perspective, I am thinking more broadly than just ECC.

Looking at https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/Include/openssl/opensslconf.h today, we disabled lots of thing, ECDH, ECDSA, TLS1_3, which might be potential useful. While the algorithm we used today such as FFDHE, MD5, SHA1, might be not useful.

Even for ECC, some platform may need normal ECDH/ECDSA. However, some platform may or might not need EdDSA or X-Curve DH. I am not sure if we really need to enable all of them in previous patch set.

SM3 and SM2 are another category. It might be useful for one particular segment, but not useful for others. For example, a SMx-compliant only platform may only requires SM2/SM3 (no RSA/ECC), which a NIST-compliant only platform might not required SMx.


If a platform does have flash size constrain, why it cannot do customization? Why we enforce every platform, from an embedded system to a server use the same default configuration ?

openssl exposes a config file, other crypto lib (mbedtls, wolfssl) also does same thing, such as https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/mbedtls_config.h,
https://github.com/wolfSSL/wolfssl/tree/master/examples/configs
Why we cannot allow a platform override such configuration ?

I am not saying we must do it. But I believe it is worth to revisit, to see if any platform has such need, before draw the conclusion so quick.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Wednesday, March 2, 2022 3:42 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel 
> <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add 
> elliptic curve chipher algorithms
> 
> On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote:
> > I think another option to pursue is to how to control the openssl 
> > configuration
> from module or platform level.
> >
> > E.g. what if platform-A has enough size and wants to use ECC, while 
> > platform-
> B has size constrain and wants to disable ECC ?
> >
> > We can let platform choose if ECC is needed or not? I hope so.
> 
> Not so easy.  Would require to put the way openssl is integrated 
> upside down.  Today openssl is configured and the results (header 
> files etc) are committed to the repo, so the openssl config is the 
> same for everybody.
> 
> Also I expect there is no way around ecc long-term.  WPA3 was 
> mentioned elsewhere in the thread.  For TLS it will most likely be a 
> requirement too at some point in the future.  With TLS 1.2 it is 
> possible to choose ciphers not requiring ECC, for TLS 1.3 ECC is mandatory though.
> 
> So I doubt making ECC optional is worth the trouble.
> 
> take care,
>   Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-03  8:43                                               ` yi1 li
@ 2022-03-03 10:05                                                 ` Yao, Jiewen
  2022-03-04  2:15                                                   ` Vineel Kovvuri
  0 siblings, 1 reply; 36+ messages in thread
From: Yao, Jiewen @ 2022-03-03 10:05 UTC (permalink / raw)
  To: Li, Yi1, Gerd Hoffmann; +Cc: devel@edk2.groups.io, Kovvuri, Vineel, Luo, Heng

I don't like OpensslEclib; it seems like a workaround. We already have 5 INF files under BaseCryptLib, which is complicated enough.
And I am not sure how OpensslEclib can resolve the size issue...


> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Thursday, March 3, 2022 4:43 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Gerd Hoffmann <kraxel@redhat.com>
> Cc: devel@edk2.groups.io; Kovvuri, Vineel <vineelko@microsoft.com>; Luo,
> Heng <heng.luo@intel.com>
> Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
> 
> Agree with that and I think the first issue is OPENSSL_NO_* be not cover every
> file related to some feature in openssl (like ec).
> Once those macro defines can cover everything, we can put all files in
> OpensslLib.inf [Source],
> and control macro defines in opensslconf.h by PCDs to do customization.
> Openssl community feels ok to it and that's exactly what they do, like asn1, just
> not covering all features.
> https://github.com/openssl/openssl/issues/17801
> 
> I am glad to push it forward, but, it seems will be a long time and platform needs
> to support WPA3 as soon as possible.
> I'm thinking about whether we can use a new OpensslEclib.inf to enable ECC
> firstly to meet customer needs?
> 
> Thanks!
> Yi Li
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, March 2, 2022 7:57 PM
> To: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel
> <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
> Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
> 
> From requirement perspective, I am thinking more broadly than just ECC.
> 
> Looking at
> https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/Include/op
> enssl/opensslconf.h today, we disabled lots of thing, ECDH, ECDSA, TLS1_3,
> which might be potential useful. While the algorithm we used today such as
> FFDHE, MD5, SHA1, might be not useful.
> 
> Even for ECC, some platform may need normal ECDH/ECDSA. However, some
> platform may or might not need EdDSA or X-Curve DH. I am not sure if we really
> need to enable all of them in previous patch set.
> 
> SM3 and SM2 are another category. It might be useful for one particular
> segment, but not useful for others. For example, a SMx-compliant only platform
> may only requires SM2/SM3 (no RSA/ECC), which a NIST-compliant only
> platform might not required SMx.
> 
> 
> If a platform does have flash size constrain, why it cannot do customization?
> Why we enforce every platform, from an embedded system to a server use the
> same default configuration ?
> 
> openssl exposes a config file, other crypto lib (mbedtls, wolfssl) also does same
> thing, such as
> https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/mb
> edtls_config.h,
> https://github.com/wolfSSL/wolfssl/tree/master/examples/configs
> Why we cannot allow a platform override such configuration ?
> 
> I am not saying we must do it. But I believe it is worth to revisit, to see if any
> platform has such need, before draw the conclusion so quick.
> 
> Thank you
> Yao Jiewen
> 
> 
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
> > Sent: Wednesday, March 2, 2022 3:42 PM
> > To: Yao, Jiewen <jiewen.yao@intel.com>
> > Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel
> > <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
> > Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add
> > elliptic curve chipher algorithms
> >
> > On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote:
> > > I think another option to pursue is to how to control the openssl
> > > configuration
> > from module or platform level.
> > >
> > > E.g. what if platform-A has enough size and wants to use ECC, while
> > > platform-
> > B has size constrain and wants to disable ECC ?
> > >
> > > We can let platform choose if ECC is needed or not? I hope so.
> >
> > Not so easy.  Would require to put the way openssl is integrated
> > upside down.  Today openssl is configured and the results (header
> > files etc) are committed to the repo, so the openssl config is the
> > same for everybody.
> >
> > Also I expect there is no way around ecc long-term.  WPA3 was
> > mentioned elsewhere in the thread.  For TLS it will most likely be a
> > requirement too at some point in the future.  With TLS 1.2 it is
> > possible to choose ciphers not requiring ECC, for TLS 1.3 ECC is mandatory
> though.
> >
> > So I doubt making ECC optional is worth the trouble.
> >
> > take care,
> >   Gerd



* Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
  2022-03-03 10:05                                                 ` Yao, Jiewen
@ 2022-03-04  2:15                                                   ` Vineel Kovvuri
  0 siblings, 0 replies; 36+ messages in thread
From: Vineel Kovvuri @ 2022-03-04  2:15 UTC (permalink / raw)
  To: Yao, Jiewen, devel


Apologies, I am afraid I may not be able to incorporate/address all the concerns expressed in the thread, due to my lack of understanding in this space.

But I have created a new PR which addresses Yi Li's concerns about constraining the changes to CryptoPkg only.
EDK2: PR to enable ECC Ciphers in OpenSSL(Increase DXEFV) - Mar 3 - Iteration 1 by vineelko · Pull Request #2583 · tianocore/edk2 (github.com) ( https://github.com/tianocore/edk2/pull/2583 )

I appreciate your time and feedback.

Thanks,
Vineel

