From: "Yao, Jiewen"
To: "Li, Yi1", Gerd Hoffmann, devel@edk2.groups.io
CC: "Kovvuri, Vineel", "Luo, Heng"
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve cipher algorithms
Date: Wed, 2 Mar 2022 06:59:48 +0000
References: <26433.1645811519240546455@groups.io> <20220301140451.wtqcyt6vyus5klgw@sirius.home.kraxel.org>

I think another option to pursue is how to control the OpenSSL configuration from the module or platform level.
E.g. what if platform-A has enough size and wants to use ECC, while platform-B has a size constraint and wants to disable ECC?
We can let the platform choose if ECC is needed or not? I hope so.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Li, Yi1
> Sent: Wednesday, March 2, 2022 12:24 PM
> To: Gerd Hoffmann; devel@edk2.groups.io
> Cc: Kovvuri, Vineel; Yao, Jiewen; Luo, Heng
> Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve cipher algorithms
>
> Thanks for your information,
>
> 1. See also https://edk2.groups.io/g/devel/message/87130 & followups.
> git branch here: https://github.com/kraxel/edk2/commits/intrinsics
>
> It's good to me; it makes the code clearer.
>
> 2. Jiewen (Cc'ed) suggested looking into using CryptoPkg/Driver instead of linking openssl as Library, so we have only one copy of the code. Not investigated yet.
>
> Does it mean OvmfPkg will use CryptDxe instead of BaseCryptoLib and OpensslLib directly? Sounds like it will be a big change.
> Or a separate ECC driver such as CryptEcDxe that still uses BaseCryptoLib and OpensslLib?
> I would like to point out that once we close the macro OPENSSL_NO_EC, the size of OpensslLib will inevitably increase due to some enabled features and exceed the limit of Ovmf,
> such as in x509_vfy.c:
>
>     static int check_curve(X509 *cert)
>     {
>     #ifndef OPENSSL_NO_EC
>         EVP_PKEY *pkey = X509_get0_pubkey(cert);
>
>         /* Unsupported or malformed key */
>         if (pkey == NULL)
>             return -1;
>
>         if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
>             int ret;
>
>             /* Reject EC keys that carry explicit curve parameters */
>             ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
>             return ret < 0 ? ret : !ret;
>         }
>     #endif
>
>         return 1;
>     }
>
> 3. Also: what do you need ecc support for?
>
> WPA3 needs ECC support, and I think Vineel's work will be the foundation.
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3828
>
> Thanks!
> Yi Li
>
> -----Original Message-----
> From: Gerd Hoffmann
> Sent: Tuesday, March 1, 2022 10:05 PM
> To: devel@edk2.groups.io; Li, Yi1
> Cc: Kovvuri, Vineel; Yao, Jiewen
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve cipher algorithms
>
> > CryptoPkg: Add intrinsics to support building ECC on IA32 windows
>
> See also https://edk2.groups.io/g/devel/message/87130 & followups.
> git branch here: https://github.com/kraxel/edk2/commits/intrinsics
>
> > OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related
> > changes
>
> Changing flash size breaks backward compatibility, so this is a problem.
> openssl3 porting runs into this too, not solved yet.
>
> Jiewen (Cc'ed) suggested looking into using CryptoPkg/Driver instead of linking openssl as Library, so we have only one copy of the code. Not investigated yet.
>
> Also: what do you need ecc support for?
>
> take care,
> Gerd
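The check_curve() excerpt quoted in the thread accepts an EC key only when its curve is given by name and rejects keys carrying explicit domain parameters. As an added illustration (not edk2 or OpenSSL code), the following makes the same decision on a DER-encoded SubjectPublicKeyInfo without linking OpenSSL; the sample keys are constructed stubs, and the minimal DER walker and the ID_EC_PUBLIC_KEY constant are this example's own.

```python
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):
    """Decode OID content octets to dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_curve(spki_der):
    """Same contract as OpenSSL's check_curve(): 1 = OK (non-EC key or named
    curve), 0 = EC key with explicit domain parameters, -1 = malformed key."""
    try:
        tag, spki, _ = _tlv(spki_der, 0)            # SubjectPublicKeyInfo
        alg_tag, alg, _ = _tlv(spki, 0)             # AlgorithmIdentifier
        oid_tag, oid, p = _tlv(alg, 0)
        if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
            return -1
        if _oid(oid) != ID_EC_PUBLIC_KEY:
            return 1                                # RSA etc.: nothing to check
        param_tag, _, _ = _tlv(alg, p)              # ECParameters CHOICE
    except IndexError:
        return -1
    if param_tag == 0x06:                           # namedCurve OID
        return 1
    return 0 if param_tag == 0x30 else -1           # SEQUENCE = explicit params; NULL/other undecodable

# Constructed sample SPKIs (not real keys): only the tags matter here.
def _der(tag, content):
    return bytes([tag, len(content)]) + content     # short-form lengths suffice

_EC = bytes.fromhex("2a8648ce3d0201")               # 1.2.840.10045.2.1
_P256 = bytes.fromhex("2a8648ce3d030107")           # 1.2.840.10045.3.1.7
_RSA = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1
_POINT = _der(0x03, b"\x00\x04" + b"\x11" * 8)      # placeholder BIT STRING

def _spki(alg_oid, params):
    return _der(0x30, _der(0x30, _der(0x06, alg_oid) + params) + _POINT)

NAMED_CURVE_SPKI = _spki(_EC, _der(0x06, _P256))
EXPLICIT_SPKI = _spki(_EC, _der(0x30, _der(0x02, b"\x01")))  # explicit ECParameters stub
RSA_SPKI = _spki(_RSA, _der(0x05, b""))
```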