From: "Yao, Jiewen"
To: "kraxel@redhat.com", "devel@edk2.groups.io"
CC: "Kinney, Michael D", "Wang, Jian J", "Jiang, Guomin", "Pawel Polawski", "Lu, XiaoyuX"
Subject: Re: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl submodule to v3.0
Date: Tue, 18 Jan 2022 11:12:00 +0000
References: <20211203160748.866150-1-kraxel@redhat.com> <20220117114627.ji5cyqxkca6bmiaf@sirius.home.kraxel.org>
In-Reply-To: <20220117114627.ji5cyqxkca6bmiaf@sirius.home.kraxel.org>

Thank you! Good result.
Comment below:

> -----Original Message-----
> From: kraxel@redhat.com
> Sent: Monday, January 17, 2022 7:46 PM
> To: devel@edk2.groups.io; Yao, Jiewen
> Cc: Kinney, Michael D; Wang, Jian J; Jiang, Guomin; Pawel Polawski; Lu, XiaoyuX
> Subject: Re: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl
> submodule to v3.0
>
> Hi,
>
> I've continued working on this over the last weeks.
> Time for a status
> update. All applies to the latest tree, sneak preview is here:
> https://github.com/kraxel/edk2/commits/openssl3
>
> > Also, assuming you have done enough test, would you please provide:
> > 1) size difference, Including PEI, SMM, DXE.
>
> No changes in SEC and PEI.

[Jiewen] Do you mean the Crypto consumer in PEI has no size difference? Such as
https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Tcg2Pei ,
https://github.com/tianocore/edk2/tree/master/SecurityPkg/FvReportPei ,
https://github.com/tianocore/edk2/tree/master/SignedCapsulePkg/Universal/RecoveryModuleLoadPei
linking https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256.

DXE:
>
> openssl 1.1
> - 399582 SecureBootConfigDxe
> - 472182 SecurityStubDxe
> - 532626 VariableSmm
> - 656382 TlsDxe
>
> openssl 3.0
> + 809886 SecureBootConfigDxe
> + 912310 SecurityStubDxe
> + 970898 VariableSmm
> + 1125758 TlsDxe
>
> Most of that seems to come from some openssl core changes (the new
> 'provider' concept) and I don't see an easy way to cut that down.
>
> That is with the same feature set we have right now (i.e. no elliptic
> curves and thus no TLS 1.3 support).

[Jiewen] It almost doubles the size, which will become a big challenge for openssl3.0 adoption.

>
> > 2) performance difference, Including PEI, SMM, DXE.
>
> Suggestions how to measure that?

[Jiewen] Please just write an app to call the crypto API, multiple times.
https://github.com/tianocore/edk2/tree/master/CryptoPkg/Test/UnitTest/Library/BaseCryptLib
I think we can focus on SHA256/RSA2048 + AES, which is used in secure boot, and HTTPS boot.

>
> > 3) what unit test you have done (such as each crypto API)
>
> CryptoPkg/UnitTest passes.

[Jiewen] Good enough.

>
> > 4) what system test you have done (such as secure boot, trusted boot)
>
> Secure boot works.
> TlsDxe (boot from https server) works.
> TPM not tested yet.

[Jiewen] Good enough.
TPM only includes HASH. I am not too worried about that.

>
>
> I still have a bunch of failures in CI, for some of them I'm not sure
> how to handle them best:
>
> (1) 32-bit builds on windows fail:
>
> INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __allmul
> INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __aulldiv
> INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __aulldvrm
> INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __ftol2_sse
>
> Those symbols look like they reference helper functions to do 64bit math
> on 32bit architecture. Any hints how to fix that?

[Jiewen] Please add them to https://github.com/tianocore/edk2/tree/master/CryptoPkg/Library/IntrinsicLib

>
>
> (2) va_arg is not working with floats due to SSE being disabled:
>
> INFO - /home/vsts/work/1/s/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bio_print.c:265:28: error: SSE register argument with SSE disabled
> INFO - fvalue = va_arg(args, LDOUBLE);
>
> I can't see a way to fix that given that va_arg typically refers to a
> compiler builtin so I don't think there is a way to declare that a
> EFIAPI function to change the calling convention. Not all builds fail
> though, possibly because the compiler inlines with optimization turned
> on.
>
> Suggestions anyone?

[Jiewen] This seems to be an infrastructure issue. Any suggestion, Mike?

>
>
> (3) Some NOOPT builds are failing due to the size growing ...

[Jiewen] Size becomes a big challenge...
Have you tried to use https://github.com/tianocore/edk2/tree/master/CryptoPkg/Driver solution?

>
>
> take care,
> Gerd
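
Three of the unresolved symbols in item (1), `__allmul`, `__aulldiv` and `__aulldvrm`, are compiler helpers for 64-bit integer multiply and unsigned divide/remainder on 32-bit targets. The portable C below is an added illustration of that arithmetic done on 32-bit halves; it is not code from this thread, from edk2's IntrinsicLib or from any compiler runtime, the names `u64pair`, `mul64` and `divmod64` are hypothetical, and the real helpers use a compiler-specific calling convention that this sketch does not reproduce.

```c
#include <stdint.h>
#include <stdio.h>
/* A 64-bit unsigned value as the two 32-bit halves a 32-bit CPU works with. */
typedef struct { uint32_t lo, hi; } u64pair;

u64pair from_u64(uint64_t v) { u64pair p = { (uint32_t)v, (uint32_t)(v >> 32) }; return p; }
uint64_t to_u64(u64pair p) { return ((uint64_t)p.hi << 32) | p.lo; }

/* Full 32x32 -> 64 product built from 16-bit partial products. */
static u64pair mul32_wide(uint32_t a, uint32_t b) {
    uint32_t al = a & 0xFFFF, ah = a >> 16, bl = b & 0xFFFF, bh = b >> 16;
    uint32_t ll = al * bl, lh = al * bh, hl = ah * bl, hh = ah * bh;
    uint32_t mid = (ll >> 16) + (lh & 0xFFFF) + (hl & 0xFFFF);  /* at most 0x2FFFD */
    u64pair r = { (ll & 0xFFFF) | (mid << 16), hh + (lh >> 16) + (hl >> 16) + (mid >> 16) };
    return r;
}

/* 64x64 -> 64 multiply (the job of a helper such as __allmul). */
u64pair mul64(u64pair a, u64pair b) {
    u64pair r = mul32_wide(a.lo, b.lo);
    r.hi += a.lo * b.hi + a.hi * b.lo;   /* cross terms only reach the upper half, mod 2^32 */
    return r;
}

/* Unsigned 64/64 divide with remainder by shift-and-subtract (cf. __aulldiv, __aulldvrm).
   Division by zero returns quotient 0 and remainder 0: this example's choice only. */
u64pair divmod64(u64pair n, u64pair d, u64pair *rem) {
    u64pair q = { 0, 0 }, r = { 0, 0 };
    if ((d.lo | d.hi) == 0) { *rem = r; return q; }
    for (int i = 63; i >= 0; i--) {
        /* r holds fewer than 64 bits here, so the left shift cannot overflow. */
        uint32_t bit = (i >= 32) ? (n.hi >> (i - 32)) & 1u : (n.lo >> i) & 1u;
        r.hi = (r.hi << 1) | (r.lo >> 31);
        r.lo = (r.lo << 1) | bit;
        if (r.hi > d.hi || (r.hi == d.hi && r.lo >= d.lo)) {
            uint32_t borrow = r.lo < d.lo;
            r.lo -= d.lo;
            r.hi -= d.hi + borrow;
            if (i >= 32) q.hi |= 1u << (i - 32); else q.lo |= 1u << i;
        }
    }
    *rem = r;
    return q;
}

int main(void) {
    u64pair rem, q = divmod64(from_u64(1000000000000ULL), from_u64(7), &rem);
    printf("q=%llu r=%llu\n", (unsigned long long)to_u64(q), (unsigned long long)to_u64(rem));
    return 0;
}
```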