From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "Yao, Jiewen", "kraxel@redhat.com"
Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
Date: Sat, 11 Feb 2023 02:20:22 +0000

Hi All
I have created staging branch - https://github.com/tianocore/edk2-staging/tree/OpenSSL11_EOL based upon latest trunk today.

Let's use this branch to collaborate the work on openssl 1.1 deprecation and continue improving, before we can merge back to trunk.

The process is defined at https://github.com/tianocore/edk2-staging/.
Feature missing or size increasing won't be a blocking issue for this staging branch.

Any feedback is welcome.

Hi Gerd
If you don't mind, please submit your latest openssl-3.0 patch to the staging for broader evaluation and improvement.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
> Sent: Thursday, February 9, 2023 11:21 AM
> To: devel@edk2.groups.io; kraxel@redhat.com
> Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement
> proposal
>
> If you are asking how to do that best *at this moment*, I suggest we create a
> branch in https://github.com/tianocore/edk2-staging and continue the research
> work. Before September 2023, we need community's help to resolve openssl-3
> size issue, before check in.
>
> If you are asking how to do that best after September 2023, we have no choice
> but put to edk2 main branch. We have to remove openssl-11.
>
> If we have either openssl-30 and mbedtls work (size/feature), we can replace
> openssl-11 with either openssl-30 or mbedtls.
>
> Worst case, if we have to support dual-crypto module, I think to:
> 1) replace openssl-11 with openssl-30 directly.
> 2) add mbedtls as another cryptolib instance.
>
> Thank you
> Yao, Jiewen
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Gerd Hoffmann
> > Sent: Wednesday, February 8, 2023 7:45 PM
> > To: devel@edk2.groups.io; Yao, Jiewen
> > Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
> >
> > Hi,
> >
> > > 3. If 1 or 2 can succeed, we can replace openssl 1.1 with one crypto lib.
> > > If both 1 and 2 fail, we may use *dual-crypto module*. For example: mbedtls for PEI and openssl3.0 for DXE.
> > > The source code size will become larger, more time to download the tree.
> >
> > Suggestions how to do that best, ideally without duplicating CryptoPkg
> > for that?
> >
> > A while back I've tried to add openssl-3 in parallel to openssl-11,
> > with the idea to allow projects picking the one or the other, and quickly
> > ran into problems because apparently libraries can't add include
> > directories. Only packages can do that (see Includes.Common.Private in
> > CryptoPkg/CryptoPkg.dec which adds Library/OpensslLib/openssl/include).
> >
> > take care,
> > Gerd