From: "Ard Biesheuvel" <ardb@kernel.org>
Date: Sat, 4 Feb 2023 00:24:48 +0100
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support
To: Pedro Falcato
Cc: devel@edk2.groups.io, kraxel@redhat.com, Min Xu, Michael Roth, Jiewen Yao, Jian J Wang, Jordan Justen, Pawel Polawski, Oliver Steffen, Tom Lendacky, Xiaoyu Lu, Erdem Aktas, Guomin Jiang, James Bottomley

On Fri, 3 Feb 2023 at 20:45, Pedro Falcato wrote:
>
> On Fri, Feb 3, 2023 at 4:28 PM Gerd Hoffmann wrote:
> >
> >   Hi,
> >
> > > > Unfortunately it is not a clear size win everywhere.
> > > >
> > > > PEI jumps up in size even though I'm using the min_pei config for
> > > > CryptoPei, seems it *still* has way too much bits compiled in
> > > > (didn't look into tweaking the config yet, hints are welcome).
> > > >
> > > > - 17530 TcgPei
> > > > + 17146 TcgPei
> > > > + 34362 Tcg2Pei
> > > > - 51066 Tcg2Pei
> > > > + 333950 CryptoPei
> > >
> > > Why would we use this for PEI if the size increases?
> >
> > When using the crypto driver I'd prefer to do it everywhere and
> > don't mix+match things.
> >
> > Background is that I'm hoping the crypto driver abstraction can also
> > help to have alternative drivers using other crypto libraries without
> > creating a huge mess in CryptoPkg. Specifically add openssl-3 as an
> > option. openssl-11 goes EOL later this year (Nov IIRC). Switch to
> > openssl-3 unconditionally has been vetoed by Intel due to the size
> > increase v3 brings. So I'm looking for options here ...
>
> Seriously?
>
> Intel is blocking UP TO DATE NOT VULNERABLE OPENSSL because it doesn't
> fit their flash due to all the cra- value add?
> This is insane by many standards. Your freaking *CRYPTO LIBRARY* goes
> EOL and people are still concerned about size.
>
> Stellar job, Intel. Hopefully everyone gets their horrific custom
> network stack heartbled to death. Or someone finds yet another Secure
> Boot exploit.
>

This is uncalled for. Please keep it civil and on topic. Neither you nor I have any context about this, and if you want to start a shouting match on a public mailing list, I suggest you first get informed about what the actual reasoning is behind such a decision (which, according to the above, is the decision to keep OpenSSL 1.1 and 3 available side by side).

And please start another thread for this - I have no interest in being part of this type of discussion.