References: <20230203132806.2275708-1-kraxel@redhat.com> <20230203153654.pyutijc54a66pe6e@sirius.home.kraxel.org>
 <20230203162844.gailv3rz3ia3jdpe@sirius.home.kraxel.org>
In-Reply-To: <20230203162844.gailv3rz3ia3jdpe@sirius.home.kraxel.org>
From: "Ard Biesheuvel"
Date: Sat, 4 Feb 2023 09:10:14 +0100
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support
To: Gerd Hoffmann
Cc: devel@edk2.groups.io, Min Xu, Ard Biesheuvel, Michael Roth, Jiewen Yao, Jian J Wang, Jordan Justen, Pawel Polawski, Oliver Steffen, Tom Lendacky, Xiaoyu Lu, Erdem Aktas, Guomin Jiang, James Bottomley
Content-Type: text/plain; charset="UTF-8"

On Fri, 3 Feb 2023 at 17:28, Gerd Hoffmann wrote:
>
>   Hi,
>
> > > Unfortunately it is not a clear size win everywhere.
> > >
> > > PEI jumps up in size even though I'm using the min_pei config for
> > > CryptoPei, seems it *still* has way too much bits compiled in
> > > (didn't look into tweaking the config yet, hints are welcome).
> > >
> > > - 17530 TcgPei
> > > + 17146 TcgPei
> > > + 34362 Tcg2Pei
> > > - 51066 Tcg2Pei
> > > + 333950 CryptoPei
> >
> > Why would we use this for PEI if the size increases?
>
> When using the crypto driver I'd prefer to do it everywhere and
> don't mix+match things.
>
> Background is that I'm hoping the crypto driver abstraction can also
> help to have alternative drivers using other crypto libraries without
> creating a huge mess in CryptoPkg.  Specifically add openssl-3 as an
> option.  openssl-11 goes EOL later this year (Nov IIRC).  Switch to
> openssl-3 unconditionally has been vetoed by Intel due to the size
> increase v3 brings.  So I'm looking for options here ...
>

I agree that this is a good idea in principle. However, the TPM code
probably just uses a few flavors of SHA and nothing else, and this is
not the part of CryptoPkg that I'd be concerned about. Most of the
issues with OpenSSL are in the TLS part of the library, with the
insanely complex ASN.1 parsing and X.509 handling etc etc.

Could we build CryptoPei with fewer algorithms built into it?

> > > If there are no objections I happily drop the USE_CRYPTO_DRIVER option
> > > and switch over to the crypto driver unconditionally.
> >
> > Yeah, I'd prefer that.
>
> Noted for v2 next week.
>
> take care,
>   Gerd
>
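As an added example (not code from this thread or from edk2), the script below parses the `+`/`-` size listing Gerd quoted above and reports which PEI modules shrank, grew or are newly added, plus the net change; the listing is embedded as a constructed copy and the unit is assumed to be bytes.

```python
"""Summarise per-module and net size deltas from a +/- size listing.

Added example, not code from the edk2 thread: it reads lines in the
format quoted in the discussion ("- 17530 TcgPei" / "+ 34362 Tcg2Pei"),
where "-" is the old size and "+" the new size, and reports per-module
and net deltas. The unit is assumed to be bytes.
"""
import re
from collections import defaultdict

# Constructed sample: a copy of the size listing quoted in the thread.
SAMPLE_LISTING = """\
- 17530 TcgPei
+ 17146 TcgPei
+ 34362 Tcg2Pei
- 51066 Tcg2Pei
+ 333950 CryptoPei
"""

_LINE = re.compile(r"^\s*([+-])\s*(\d+)\s+(\S+)\s*$")


def parse_listing(text):
    """Return {module: {"old": size or None, "new": size or None}}."""
    sizes = defaultdict(lambda: {"old": None, "new": None})
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # ignore anything that is not a +/- size line
        sign, size, module = m.groups()
        sizes[module]["old" if sign == "-" else "new"] = int(size)
    return dict(sizes)


def size_report(text):
    """Per-module delta (new - old; a missing side counts as 0) and net total."""
    deltas = {}
    for module, s in parse_listing(text).items():
        old, new = s["old"] or 0, s["new"] or 0
        deltas[module] = {"old": old, "new": new, "delta": new - old,
                          "added": s["old"] is None, "removed": s["new"] is None}
    net = sum(d["delta"] for d in deltas.values())
    return deltas, net


if __name__ == "__main__":
    per_module, net = size_report(SAMPLE_LISTING)
    for name, d in sorted(per_module.items(), key=lambda kv: kv[1]["delta"]):
        tag = " (new module)" if d["added"] else ""
        print(f"{name:12} {d['old']:>7} -> {d['new']:>7}  {d['delta']:+8}{tag}")
    print(f"net change: {net:+} bytes (unit assumed)")
```

Run on the quoted listing it shows the two TCG modules shrinking slightly while the new CryptoPei module dominates the net increase, which is the "not a clear size win" point under discussion.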