Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support

["Ard Biesheuvel" <ardb@kernel.org>]

On Sat, 4 Feb 2023 at 02:13, Marvin Häuser <mhaeuser@posteo.de> wrote:
>
> Hi Ard,
>
> While I agree the tone is a bit irritating, I am not sure what kind of context you expect there to be. The library is nearing EOL and usage beyond EOL is unacceptable. It will take significant time to solve the related issues, test them, have them merged, and for them to trickle down the IBV chains.
>
> OpenSSL is quite "big" in general and many consider it to not be a good choice for embedded usage. Do you know of any discussion regarding alternatives? I've heard folks use libsodium or mbedtls outside edk2, but don't have any experience with either. (Not necessarily looking to *start* a discussion, but mostly references / reading material, if you have any.)
>

Again, I don't have the full context here, so with that in mind:

Open source is about the freedom to use the code base in any way you
like. Surely, Intel (as a collaborator in Tianocore) is entitled to
express a desire to retain the OpenSSL 1.1 version of CryptoPkg as an
option while we move it to OpenSSL 3? It is not even important how
they actually intend to use it, that is really their business.

Of course, if you *buy* from Intel, you have all reason to be annoyed
if their products are based on outdated crypto software. But that
doesn't mean it is up to the community to take away their ability to
do so.

Most Intel based consumer products don't have firmware that is
supplied by Intel directly, and the IBVs have their own forks anyway,
so it is not even clear to me who would be affected by this.

As for the use of mbetls or other [better] TLS libraries: I'd be all
for that, but I'm not sure how much work those libraries need to be
usable in the context of EDK2. IIRC, some changes went upstream into
OpenSSL for the UEFI execution context, and we'd probably need to do
the same for mbedtls.