public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Marvin Häuser" <mhaeuser@posteo.de>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: devel@edk2.groups.io, Pedro Falcato <pedro.falcato@gmail.com>
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support
Date: Sat,  4 Feb 2023 09:58:26 +0000	[thread overview]
Message-ID: <EDF1409C-56A5-4B62-BE32-1C8259A06F2B@posteo.de> (raw)
In-Reply-To: <CAMj1kXGwHUYrVRWA+D8H1iZaWU91CS-3v-7jt-NCntg_S5OmJQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2826 bytes --]


> On 4. Feb 2023, at 09:05, Ard Biesheuvel <ardb@kernel.org> wrote:
> 
> On Sat, 4 Feb 2023 at 02:13, Marvin Häuser <mhaeuser@posteo.de> wrote:
>> 
>> Hi Ard,
>> 
>> While I agree the tone is a bit irritating, I am not sure what kind of context you expect there to be. The library is nearing EOL and usage beyond EOL is unacceptable. It will take significant time to solve the related issues, test them, have them merged, and for them to trickle down the IBV chains.
>> 
>> OpenSSL is quite "big" in general and many consider it to not be a good choice for embedded usage. Do you know of any discussion regarding alternatives? I've heard folks use libsodium or mbedtls outside edk2, but don't have any experience with either. (Not necessarily looking to *start* a discussion, but mostly references / reading material, if you have any.)
>> 
> 
> Again, I don't have the full context here, so with that in mind:
> 
> Open source is about the freedom to use the code base in any way you
> like.

This is a point that can trivially be driven ad absurdum, so I’ll not press further. I think everyone agrees to *an extent* and *nobody* will agree to the full extent.

> Surely, Intel (as a collaborator in Tianocore) is entitled to
> express a desire to retain the OpenSSL 1.1 version of CryptoPkg as an
> option while we move it to OpenSSL 3? It is not even important how
> they actually intend to use it, that is really their business.
> 
> Of course, if you *buy* from Intel, you have all reason to be annoyed
> if their products are based on outdated crypto software. But that
> doesn't mean it is up to the community to take away their ability to
> do so.

Not if they drive the deprecation at a reasonable schedule. Regarding which, just in: https://edk2.groups.io/g/devel/message/99638
*Thank you*, Jiewen!

> 
> Most Intel based consumer products don't have firmware that is
> supplied by Intel directly, and the IBVs have their own forks anyway,
> so it is not even clear to me who would be affected by this.

In my experience, things like security get little attention and thus, at least at first, forks will use whatever upstream uses. :(

> 
> As for the use of mbetls or other [better] TLS libraries: I'd be all
> for that, but I'm not sure how much work those libraries need to be
> usable in the context of EDK2. IIRC, some changes went upstream into
> OpenSSL for the UEFI execution context, and we'd probably need to do
> the same for mbedtls.

Not so sure, the big issue with OpenSSL is its embedded-unfriendly design. The biggest reason I could think of would be the ConvertPointer() theatre. I know for a fact that some folks use mbedtls even for UEFI purposes, but not whether that’s for RT code. It’s all closed source, so… :(

Best regards,
Marvin

[-- Attachment #2: Type: text/html, Size: 4142 bytes --]

  reply	other threads:[~2023-02-04  9:58 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-03 13:27 [PATCH 00/11] OvmfPkg: add Crypto Driver support Gerd Hoffmann
2023-02-03 13:27 ` [PATCH 01/11] CryptoPkg: move Driver PCD configs to include files Gerd Hoffmann
2023-02-03 13:27 ` [PATCH 02/11] OvmfPkg: add OvmfCryptoLibs.dsc.inc Gerd Hoffmann
2023-02-03 13:27 ` [PATCH 03/11] OvmfPkg: OvmfPkgX64: use Crypto Libs include Gerd Hoffmann
2023-02-03 13:27 ` [PATCH 04/11] OvmfPkg: Add Crypto driver support, add more OvmfCrypto*.inc files Gerd Hoffmann
2023-02-03 13:28 ` [PATCH 05/11] OvmfPkg: OvmfPkgX64: use new Crypto support includes Gerd Hoffmann
2023-02-03 13:28 ` [PATCH 06/11] OvmfPkg: add OVMF_X64_CRYPTO_DRIVER test case Gerd Hoffmann
2023-02-03 13:28 ` [PATCH 07/11] OvmfPkg: OvmfPkgIa32X64: use crypto includes Gerd Hoffmann
2023-02-03 13:28 ` [PATCH 08/11] OvmfPkg: OvmfPkgIa32: " Gerd Hoffmann
2023-02-03 13:28 ` [PATCH 09/11] OvmfPkg: Microvm: " Gerd Hoffmann
2023-02-03 13:28 ` [PATCH 10/11] OvmfPkg: IntelTdx: " Gerd Hoffmann
2023-02-03 13:28 ` [PATCH 11/11] OvmfPkg: AmdSev: " Gerd Hoffmann
2023-02-03 13:33 ` [PATCH 00/11] OvmfPkg: add Crypto Driver support Ard Biesheuvel
2023-02-03 15:36   ` [edk2-devel] " Gerd Hoffmann
2023-02-03 15:57     ` Ard Biesheuvel
2023-02-03 16:28       ` Gerd Hoffmann
2023-02-03 19:45         ` Pedro Falcato
2023-02-03 23:24           ` Ard Biesheuvel
2023-02-04  1:08             ` Pedro Falcato
2023-02-04  7:56               ` Ard Biesheuvel
2023-02-04  1:13             ` Marvin Häuser
2023-02-04  8:05               ` Ard Biesheuvel
2023-02-04  9:58                 ` Marvin Häuser [this message]
2023-02-04  8:10         ` Ard Biesheuvel
2023-02-06  8:21           ` Gerd Hoffmann
2023-02-07  3:15             ` Li, Yi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=EDF1409C-56A5-4B62-BE32-1C8259A06F2B@posteo.de \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox