From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"kraxel@redhat.com" <kraxel@redhat.com>
Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
Date: Thu, 9 Feb 2023 03:21:28 +0000 [thread overview]
Message-ID: <MW4PR11MB587200D576D80CE12D40077D8CD99@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20230208114506.otktqepwuapbxgf6@sirius.home.kraxel.org>
If you are asking how to do that best *at this moment*, I suggest we create a branch in https://github.com/tianocore/edk2-staging and continue the research work. Before September 2023, we need community's help to resolve openssl-3 size issue, before check in.
If you are asking how to do that best after September 2023, we have no choice but put to edk2 main branch. We have to remove openssl-11.
If we have either openssl-30 and mbedtls work (size/feature), we can replace openssl-11 with either openssl-30 or mbedtls.
Worst case, if we have to support dual-crypto module, I think to:
1) replace openssl-11 with openssl-30 directly.
2) add mbedtls as another cryptolib instance.
Thank you
Yao, Jiewen
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd
> Hoffmann
> Sent: Wednesday, February 8, 2023 7:45 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement
> proposal
>
> Hi,
>
> > 3. If 1 or 2 can success, we can replace openssl 1.1 with one crypto lib.
> > If both 1 and 2 fail, we may use *dual-crypto module*. For example: mbedtls
> for PEI and openssl3.0 for DXE.
> > The source code size will become larger, more time to download the tree.
>
> Suggestions how to do that best, ideally without duplicating CryptoPkg
> for that?
>
> A while back I've tried to add openssl-3 in parallel to openssl-11,
> with the idea to allow projects picking the one or the other, and quicky
> ran into problems because apparently libraries can't add include
> directories. Only packages can do that (see Includes.Common.Private in
> CryptoPkg/CryptoPkg.dec which adds Library/OpensslLib/openssl/include).
>
> take care,
> Gerd
>
>
>
>
>
next prev parent reply other threads:[~2023-02-09 3:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <MW4PR11MB58723F4FCC357DCDADBFEE238CD49@MW4PR11MB5872.namprd11.prod.outlook.com>
2023-02-04 9:25 ` [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal Yao, Jiewen
2023-02-04 16:04 ` [edk2-devel] " Marvin Häuser
2023-02-08 11:45 ` Gerd Hoffmann
2023-02-09 3:21 ` Yao, Jiewen [this message]
[not found] ` <174209E894D5CF7F.15261@groups.io>
2023-02-11 2:20 ` Yao, Jiewen
[not found] ` <1742A3BAD41DE0F1.13814@groups.io>
2023-03-10 12:28 ` Yao, Jiewen
2023-03-10 15:50 ` Gerd Hoffmann
2023-03-10 16:06 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW4PR11MB587200D576D80CE12D40077D8CD99@MW4PR11MB5872.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox