From: Vineel Kovvuri
Date: Wed, 10 Nov 2021 08:18:11 -0800
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
To: Gerd Hoffmann
Cc: devel@edk2.groups.io, "Yao, Jiewen", "vineelko@microsoft.com"

Hi All,

Sorry, my bad for not providing the details. Below is the build configuration.

Passing: stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 TARGET=NOOPT -a IA32,X64

Failing: stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 TARGET=NOOPT -a IA32,X64 BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1

The failure is happening while generating DXEFV.FVINFO - Generating DXEFV FV
INFO - ##### ['GenFv', '-F', 'FALSE', '-a', '/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/DXEFV.inf', '-o', '/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv', '-i', '/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.inf']
INFO - Return Value = 2
INFO - GenFv: ERROR 3000: Invalid
INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

The difference I see without ecc change and with the change is the increase in file sizes for below ffs files (other .ffs files remained unchanged)

Without ecc change:
794742   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
653470   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1174654  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
872594   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

With ecc change:
1058678  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
917214   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1470718  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
1134738  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

Below is the size of DXEFV.Fv in successful build (without ecc change)

ubuntu@ubuntuubuntu:~/src/edk2$ ls -l /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv
-rw-rw-r-- 1 ubuntu ubuntu 12582912(0xC0000) Nov  9 19:18 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv

We haven't looked at porting to OpenSSL 3.0.

I am wondering, removing existing ciphers might impact other platforms. Could you please suggest any less intrusive options without impacting other platforms.

I am new to EDK and what compile time options are you referring to? Please let me know if any other information is needed from the build.

Thanks in advance,
Vineel

On Tue, Nov 9, 2021 at 12:58 AM Gerd Hoffmann <kraxel@redhat.com> wrote:

> >   2.  Remove unnecessary algo in openssl config
> >       *   Do you really want to enable all those algorithms? Such as SM2? Maybe revisit them again to see if they are really needed. I could see it might break other platform potentially.
>
> Enabling only those algorithms which are actually used by tianocore
> certainly makes sense ...
>
> >   3.  Provide 2 profiles – with ECC and without ECC.
>
> ... and if it gets down the size enough would be better than yet another
> compile time option.
>
> take care,
>   Gerd
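Added example, not part of the original message or of the edk2 tooling: a Python script that parses the GenFv size error and the before/after .ffs sizes quoted in the message, then reports per-module growth against the FV overshoot. Module names stand in for the full paths, and the pre-change headroom is an estimate that assumes, as the message states, that only these four files changed.

```python
import re

# Constructed from the figures quoted in the message; module names stand in
# for the full Build/.../Ffs/<GUID><Module>/<GUID>.ffs paths.
GENFV_ERROR = ("GenFv: ERROR 3000: Invalid the required fv image size "
               "0xcb2ac0 exceeds the set fv image size 0xc00000")
WITHOUT_ECC = """794742 SecurityStubDxe
653470 SecureBootConfigDxe
1174654 TlsDxe
872594 VariableSmm"""
WITH_ECC = """1058678 SecurityStubDxe
917214 SecureBootConfigDxe
1470718 TlsDxe
1134738 VariableSmm"""

def parse_sizes(listing):
    # Map module name -> size in bytes from "<size> <name>" lines.
    sizes = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            sizes[m.group(2)] = int(m.group(1))
    return sizes

def parse_fv_overflow(message):
    # Return (required, limit) in bytes from a GenFv size error.
    m = re.search(r"required fv image size (0x[0-9a-f]+) exceeds "
                  r"the set fv image size (0x[0-9a-f]+)", message, re.I)
    if m is None:
        raise ValueError("no GenFv size error in message")
    return int(m.group(1), 16), int(m.group(2), 16)

def fv_budget_report(before, after, message):
    # Per-module growth (largest first) against the FV overshoot.
    old, new = parse_sizes(before), parse_sizes(after)
    growth = {name: new[name] - old[name] for name in old if name in new}
    required, limit = parse_fv_overflow(message)
    total = sum(growth.values())
    return {
        "growth": sorted(growth.items(), key=lambda kv: kv[1], reverse=True),
        "total_growth": total,
        "overflow": required - limit,
        # Estimate: assumes no other FV content or padding changed.
        "headroom_before": total - (required - limit),
    }

if __name__ == "__main__":
    print(fv_budget_report(WITHOUT_ECC, WITH_ECC, GENFV_ERROR))
```

Each of the four modules grows by roughly 256 KiB, which is consistent with each one statically linking its own copy of the enlarged crypto library.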