From: "Ard Biesheuvel" <ardb@kernel.org>
Date: Sat, 4 Feb 2023 08:56:10 +0100
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support
To: Pedro Falcato
Cc: devel@edk2.groups.io, kraxel@redhat.com, Min Xu, Michael Roth, Jiewen Yao, Jian J Wang, Jordan Justen, Pawel Polawski, Oliver Steffen, Tom Lendacky, Xiaoyu Lu, Erdem Aktas, Guomin Jiang, James Bottomley
References: <20230203132806.2275708-1-kraxel@redhat.com> <20230203153654.pyutijc54a66pe6e@sirius.home.kraxel.org> <20230203162844.gailv3rz3ia3jdpe@sirius.home.kraxel.org>

On Sat, 4 Feb 2023 at 02:08, Pedro Falcato wrote:
>
> On Fri, Feb 3, 2023 at 11:25 PM Ard Biesheuvel wrote:
> >
> > On Fri, 3 Feb 2023 at 20:45, Pedro Falcato wrote:
> > >
> > > On Fri, Feb 3, 2023 at 4:28 PM Gerd Hoffmann wrote:
> > > >
> > > >   Hi,
> > > >
> > > > > > Unfortunately it is not a clear size win everywhere.
> > > > > >
> > > > > > PEI jumps up in size even though I'm using the min_pei config for
> > > > > > CryptoPei, seems it *still* has way too many bits compiled in
> > > > > > (didn't look into tweaking the config yet, hints are welcome).
> > > > > >
> > > > > > - 17530 TcgPei
> > > > > > + 17146 TcgPei
> > > > > > + 34362 Tcg2Pei
> > > > > > - 51066 Tcg2Pei
> > > > > > + 333950 CryptoPei
> > > > >
> > > > > Why would we use this for PEI if the size increases?
> > > >
> > > > When using the crypto driver I'd prefer to do it everywhere and
> > > > not mix+match things.
> > > >
> > > > Background is that I'm hoping the crypto driver abstraction can also
> > > > help to have alternative drivers using other crypto libraries without
> > > > creating a huge mess in CryptoPkg. Specifically add openssl-3 as an
> > > > option. openssl-11 goes EOL later this year (Nov IIRC). Switching to
> > > > openssl-3 unconditionally has been vetoed by Intel due to the size
> > > > increase v3 brings. So I'm looking for options here ...
> > >
> > > Seriously?
> > >
> > > Intel is blocking UP TO DATE NOT VULNERABLE OPENSSL because it doesn't
> > > fit their flash due to all the cra- value add?
> > > This is insane by many standards. Your freaking *CRYPTO LIBRARY* goes
> > > EOL and people are still concerned about size.
> > >
> > > Stellar job, Intel. Hopefully everyone gets their horrific custom
> > > network stack heartbled to death. Or someone finds yet another Secure
> > > Boot exploit.
> > >
> >
> > This is uncalled for. Please keep it civil and on topic. Neither you nor I
> > have any context about this, and if you want to start a shouting match
> > on a public mailing list, I suggest you first get informed about what
> > the actual reasoning is behind such a decision (which, according to
> > the above, is the decision to keep OpenSSL 1.1 and 3 available side by
> > side). And please start another thread for this - I have no interest
> > in being part of this type of discussion.
>
> Sorry everyone, that was a ...passionate speech.
> I recognize I'm in the wrong here.
>

Thanks, much appreciated.