From: "Pedro Falcato"
Date: Fri, 3 Feb 2023 19:45:26 +0000
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support
To: devel@edk2.groups.io, kraxel@redhat.com
Cc: Ard Biesheuvel, Min Xu, Ard Biesheuvel, Michael Roth, Jiewen Yao, Jian J Wang, Jordan Justen, Pawel Polawski, Oliver Steffen, Tom Lendacky, Xiaoyu Lu, Erdem Aktas, Guomin Jiang, James Bottomley

On Fri, Feb 3, 2023 at 4:28 PM Gerd Hoffmann wrote:
>
>   Hi,
>
> > > Unfortunately it is not a clear size win everywhere.
> > >
> > > PEI jumps up in size even though I'm using the min_pei config for
> > > CryptoPei, seems it *still* has way too much bits compiled in
> > > (didn't look into tweaking the config yet, hints are welcome).
> > >
> > > - 17530 TcgPei
> > > + 17146 TcgPei
> > > + 34362 Tcg2Pei
> > > - 51066 Tcg2Pei
> > > + 333950 CryptoPei
> >
> > Why would we use this for PEI if the size increases?
>
> When using the crypto driver I'd prefer to do it everywhere and
> don't mix+match things.
>
> Background is that I'm hoping the crypto driver abstraction can also
> help to have alternative drivers using other crypto libraries without
> creating a huge mess in CryptoPkg. Specifically add openssl-3 as an
> option. openssl-11 goes EOL later this year (Nov IIRC). Switch to
> openssl-3 unconditionally has been vetoed by Intel due to the size
> increase v3 brings. So I'm looking for options here ...

Seriously? Intel is blocking UP TO DATE NOT VULNERABLE OPENSSL because
it doesn't fit their flash due to all the cra- value add?

This is insane by many standards. Your freaking *CRYPTO LIBRARY* goes
EOL and people are still concerned about size. Stellar job, Intel.

Hopefully everyone gets their horrific custom network stack heartbled
to death. Or someone finds yet another Secure Boot exploit.

--
Pedro