public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* Pkcs7 crypto verification without openSSL
@ 2018-11-28 17:31 Tomas Pilar (tpilar)
  2018-11-28 19:40 ` Kevin D Davis
  2018-12-03 12:40 ` Ard Biesheuvel
  0 siblings, 2 replies; 5+ messages in thread
From: Tomas Pilar (tpilar) @ 2018-11-28 17:31 UTC (permalink / raw)
  To: edk2-devel@lists.01.org

Hi,

Are there any plans for a crypto library that does not pull in openSSL? When I try to add BaseCryptLib to be able to use FmpAuthenticationLib, my driver size baloons significantly (increase of ~0x30000) and it seems like a basic public SHA256 crypto check library should not be _that_ large?

Cheers,
Tom


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Pkcs7 crypto verification without openSSL
  2018-11-28 17:31 Pkcs7 crypto verification without openSSL Tomas Pilar (tpilar)
@ 2018-11-28 19:40 ` Kevin D Davis
  2018-12-03 12:40 ` Ard Biesheuvel
  1 sibling, 0 replies; 5+ messages in thread
From: Kevin D Davis @ 2018-11-28 19:40 UTC (permalink / raw)
  To: Tomas Pilar (tpilar), edk2-devel


  
  
    
    	
    	Tom,
Let me know if you get any useful offline answers.  From our experience, there are some licensed 3rd party solutions that are tiny but aren’t cheap.  
The problem is parts of any encryption runs the risk of triggering government laws about encryption.  So the owners of Tianocore made the decision to pull in OpenSSL as a whole to put the problem onto the user of TC.  
Making smaller versions of OpenSSL means you have a lot of work to incorporate newer versions. 
    	

    	Kevin
    
  From: edk2-devel <edk2-devel-bounces@lists.01.org> on behalf of Tomas Pilar (tpilar) <tpilar@solarflare.com>
Sent: Wednesday, November 28, 2018 11:40 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Pkcs7 crypto verification without openSSL Hi,

Are there any plans for a crypto library that does not pull in openSSL? When I try to add BaseCryptLib to be able to use FmpAuthenticationLib, my driver size baloons significantly (increase of ~0x30000) and it seems like a basic public SHA256 crypto check library should not be _that_ large?

Cheers,
Tom
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Pkcs7 crypto verification without openSSL
  2018-11-28 17:31 Pkcs7 crypto verification without openSSL Tomas Pilar (tpilar)
  2018-11-28 19:40 ` Kevin D Davis
@ 2018-12-03 12:40 ` Ard Biesheuvel
  2018-12-03 12:55   ` Tomas Pilar (tpilar)
  1 sibling, 1 reply; 5+ messages in thread
From: Ard Biesheuvel @ 2018-12-03 12:40 UTC (permalink / raw)
  To: Tomas Pilar (tpilar); +Cc: edk2-devel@lists.01.org

On Wed, 28 Nov 2018 at 18:40, Tomas Pilar (tpilar)
<tpilar@solarflare.com> wrote:
>
> Hi,
>
> Are there any plans for a crypto library that does not pull in openSSL? When I try to add BaseCryptLib to be able to use FmpAuthenticationLib, my driver size baloons significantly (increase of ~0x30000) and it seems like a basic public SHA256 crypto check library should not be _that_ large?

Well, I'd expect the code size to come from the asymmetric crypto, not
from the SHA256 hash code. Which FmpAuthenticationLib are you using?


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Pkcs7 crypto verification without openSSL
  2018-12-03 12:40 ` Ard Biesheuvel
@ 2018-12-03 12:55   ` Tomas Pilar (tpilar)
  2018-12-03 15:26     ` Ard Biesheuvel
  0 siblings, 1 reply; 5+ messages in thread
From: Tomas Pilar (tpilar) @ 2018-12-03 12:55 UTC (permalink / raw)
  To: Ard Biesheuvel; +Cc: edk2-devel@lists.01.org



On 03/12/2018 12:40, Ard Biesheuvel wrote:
> On Wed, 28 Nov 2018 at 18:40, Tomas Pilar (tpilar)
> <tpilar@solarflare.com> wrote:
>> Hi,
>>
>> Are there any plans for a crypto library that does not pull in openSSL? When I try to add BaseCryptLib to be able to use FmpAuthenticationLib, my driver size baloons significantly (increase of ~0x30000) and it seems like a basic public SHA256 crypto check library should not be _that_ large?
> Well, I'd expect the code size to come from the asymmetric crypto, not
> from the SHA256 hash code. Which FmpAuthenticationLib are you using?
Yes, that makes sense. I am using the FmpAuthenticationLibPkcs7 from SecurityPkg which pulls in BaseCryptLib. I would assume that the linker only links the functions which are referenced so it should not pull in the entire library but I expect some overgeneric helpers might be quite large.

Cheers,
Tom


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Pkcs7 crypto verification without openSSL
  2018-12-03 12:55   ` Tomas Pilar (tpilar)
@ 2018-12-03 15:26     ` Ard Biesheuvel
  0 siblings, 0 replies; 5+ messages in thread
From: Ard Biesheuvel @ 2018-12-03 15:26 UTC (permalink / raw)
  To: Tomas Pilar (tpilar); +Cc: edk2-devel@lists.01.org

On Mon, 3 Dec 2018 at 13:55, Tomas Pilar (tpilar) <tpilar@solarflare.com> wrote:
>
>
>
> On 03/12/2018 12:40, Ard Biesheuvel wrote:
> > On Wed, 28 Nov 2018 at 18:40, Tomas Pilar (tpilar)
> > <tpilar@solarflare.com> wrote:
> >> Hi,
> >>
> >> Are there any plans for a crypto library that does not pull in openSSL? When I try to add BaseCryptLib to be able to use FmpAuthenticationLib, my driver size baloons significantly (increase of ~0x30000) and it seems like a basic public SHA256 crypto check library should not be _that_ large?
> > Well, I'd expect the code size to come from the asymmetric crypto, not
> > from the SHA256 hash code. Which FmpAuthenticationLib are you using?
> Yes, that makes sense. I am using the FmpAuthenticationLibPkcs7 from SecurityPkg which pulls in BaseCryptLib. I would assume that the linker only links the functions which are referenced so it should not pull in the entire library but I expect some overgeneric helpers might be quite large.
>

Just the arbitrary precision integer library needed for the modular
exponentiation produces a fair chunk of code.

You can check the .map file in the Build/ directory of your driver
where all the memory is going, but all of the bn_xxx objects are
probably required.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-12-03 15:26 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-11-28 17:31 Pkcs7 crypto verification without openSSL Tomas Pilar (tpilar)
2018-11-28 19:40 ` Kevin D Davis
2018-12-03 12:40 ` Ard Biesheuvel
2018-12-03 12:55   ` Tomas Pilar (tpilar)
2018-12-03 15:26     ` Ard Biesheuvel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox