From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "kraxel@redhat.com"
Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
Date: Thu, 9 Feb 2023 03:21:28 +0000
In-Reply-To: <20230208114506.otktqepwuapbxgf6@sirius.home.kraxel.org>

If you are asking how to do that best *at this moment*, I suggest we create a branch in https://github.com/tianocore/edk2-staging and continue the research work. Before September 2023, we need the community's help to resolve the openssl-3 size issue, before check-in.

If you are asking how to do that best after September 2023, we have no choice but to put it in the edk2 main branch. We have to remove openssl-11.
If we have either openssl-30 or mbedtls work (size/feature), we can replace openssl-11 with either openssl-30 or mbedtls.

Worst case, if we have to support a dual-crypto module, I think we should:
1) replace openssl-11 with openssl-30 directly.
2) add mbedtls as another cryptolib instance.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Gerd Hoffmann
> Sent: Wednesday, February 8, 2023 7:45 PM
> To: devel@edk2.groups.io; Yao, Jiewen
> Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
>
> Hi,
>
> > 3. If 1 or 2 can succeed, we can replace openssl 1.1 with one crypto lib.
> > If both 1 and 2 fail, we may use *dual-crypto module*. For example: mbedtls for PEI and openssl3.0 for DXE.
> > The source code size will become larger, more time to download the tree.
>
> Suggestions how to do that best, ideally without duplicating CryptoPkg
> for that?
>
> A while back I've tried to add openssl-3 in parallel to openssl-11,
> with the idea to allow projects picking the one or the other, and quickly
> ran into problems because apparently libraries can't add include
> directories. Only packages can do that (see Includes.Common.Private in
> CryptoPkg/CryptoPkg.dec which adds Library/OpensslLib/openssl/include).
>
> take care,
> Gerd