From: Ard Biesheuvel
Date: Sat, 4 Feb 2023 09:05:11 +0100
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support
To: Marvin Häuser
Cc: devel@edk2.groups.io
In-Reply-To: <31418.1675473207981561000@groups.io>

On Sat, 4 Feb 2023 at 02:13, Marvin Häuser wrote:
>
> Hi Ard,
>
> While I agree the tone is a bit irritating, I am not sure what kind of context you expect there to be. The library is nearing EOL and usage beyond EOL is unacceptable. It will take significant time to solve the related issues, test them, have them merged, and for them to trickle down the IBV chains.
>
> OpenSSL is quite "big" in general and many consider it to not be a good choice for embedded usage. Do you know of any discussion regarding alternatives? I've heard folks use libsodium or mbedtls outside edk2, but don't have any experience with either. (Not necessarily looking to *start* a discussion, but mostly references / reading material, if you have any.)
>

Again, I don't have the full context here, so with that in mind:

Open source is about the freedom to use the code base in any way you like. Surely, Intel (as a collaborator in Tianocore) is entitled to express a desire to retain the OpenSSL 1.1 version of CryptoPkg as an option while we move it to OpenSSL 3? It is not even important how they actually intend to use it, that is really their business.

Of course, if you *buy* from Intel, you have all reason to be annoyed if their products are based on outdated crypto software. But that doesn't mean it is up to the community to take away their ability to do so. Most Intel based consumer products don't have firmware that is supplied by Intel directly, and the IBVs have their own forks anyway, so it is not even clear to me who would be affected by this.
As for the use of mbedtls or other [better] TLS libraries: I'd be all for that, but I'm not sure how much work those libraries need to be usable in the context of EDK2. IIRC, some changes went upstream into OpenSSL for the UEFI execution context, and we'd probably need to do the same for mbedtls.