On 4. Feb 2023, at 09:05, Ard Biesheuvel <ardb@kernel.org> wrote:

On Sat, 4 Feb 2023 at 02:13, Marvin Häuser <mhaeuser@posteo.de> wrote:

Hi Ard,

While I agree the tone is a bit irritating, I am not sure what kind of context you expect there to be. The library is nearing EOL and usage beyond EOL is unacceptable. It will take significant time to solve the related issues, test them, have them merged, and for them to trickle down the IBV chains.

OpenSSL is quite "big" in general and many consider it to not be a good choice for embedded usage. Do you know of any discussion regarding alternatives? I've heard folks use libsodium or mbedtls outside edk2, but don't have any experience with either. (Not necessarily looking to *start* a discussion, but mostly references / reading material, if you have any.)


Again, I don't have the full context here, so with that in mind:

Open source is about the freedom to use the code base in any way you
like.

This is a point that can trivially be driven ad absurdum, so I’ll not press further. I think everyone agrees to *an extent* and *nobody* will agree to the full extent.

Surely, Intel (as a collaborator in Tianocore) is entitled to
express a desire to retain the OpenSSL 1.1 version of CryptoPkg as an
option while we move it to OpenSSL 3? It is not even important how
they actually intend to use it, that is really their business.

Of course, if you *buy* from Intel, you have all reason to be annoyed
if their products are based on outdated crypto software. But that
doesn't mean it is up to the community to take away their ability to
do so.

Not if they drive the deprecation at a reasonable schedule. Regarding which, just in: https://edk2.groups.io/g/devel/message/99638
*Thank you*, Jiewen!


Most Intel based consumer products don't have firmware that is
supplied by Intel directly, and the IBVs have their own forks anyway,
so it is not even clear to me who would be affected by this.

In my experience, things like security get little attention and thus, at least at first, forks will use whatever upstream uses. :(


As for the use of mbetls or other [better] TLS libraries: I'd be all
for that, but I'm not sure how much work those libraries need to be
usable in the context of EDK2. IIRC, some changes went upstream into
OpenSSL for the UEFI execution context, and we'd probably need to do
the same for mbedtls.

Not so sure, the big issue with OpenSSL is its embedded-unfriendly design. The biggest reason I could think of would be the ConvertPointer() theatre. I know for a fact that some folks use mbedtls even for UEFI purposes, but not whether that’s for RT code. It’s all closed source, so… :(

Best regards,
Marvin