From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+108198+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 02B5F740037
	for <rebecca@openfw.io>; Thu, 31 Aug 2023 16:13:03 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=k417mKybt6Bho4yrCoqen74/Kp1JYEiLWKWhhZoltME=;
 c=relaxed/simple; d=groups.io;
 h=ARC-Seal:ARC-Message-Signature:ARC-Authentication-Results:From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding;
 s=20140610; t=1693498382; v=1;
 b=tulJ4p10sJ0IpBNDR3/Rd+ef3Vjq1/+D88cBRt7cbIRb2XWPZPJyjRnzdz4KaPw+WhnEJdut
 wJvAsCriK+xLjGXK5YOwIAWUvYgWIvy+/lNnbzFb4xic5/xiNMJCiYdtyT7F4X09jt93ib9JQta
 wV+pJvXOyRJVTiLXUiwfZUiA=
X-Received: by 127.0.0.2 with SMTP id ElQFYY7687511xw4tk3hFzDV; Thu, 31 Aug 2023 09:13:02 -0700
X-Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.151])
 by mx.groups.io with SMTP id smtpd.web10.1972.1693498381557316635
 for <devel@edk2.groups.io>;
 Thu, 31 Aug 2023 09:13:01 -0700
X-IronPort-AV: E=McAfee;i="6600,9927,10819"; a="356301717"
X-IronPort-AV: E=Sophos;i="6.02,217,1688454000"; 
   d="scan'208";a="356301717"
X-Received: from orsmga008.jf.intel.com ([10.7.209.65])
  by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Aug 2023 09:07:34 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10819"; a="768844790"
X-IronPort-AV: E=Sophos;i="6.02,217,1688454000"; 
   d="scan'208";a="768844790"
X-Received: from fmsmsx602.amr.corp.intel.com ([10.18.126.82])
  by orsmga008.jf.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 31 Aug 2023 09:07:31 -0700
X-Received: from fmsmsx602.amr.corp.intel.com (10.18.126.82) by
 fmsmsx602.amr.corp.intel.com (10.18.126.82) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.27; Thu, 31 Aug 2023 09:07:30 -0700
X-Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by
 fmsmsx602.amr.corp.intel.com (10.18.126.82) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.27 via Frontend Transport; Thu, 31 Aug 2023 09:07:30 -0700
X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.101)
 by edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2507.27; Thu, 31 Aug 2023 09:07:30 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=ehzhNs0PVCQ/bIeitfyPvpKZz8WDTSrTz6VhD7PeLtOj8ntJViIdRRMr+PW8Tv1vBSxO99J0he70hPykY6nv3dptFcydVDDqrAWMsvbJrLxCjzKJYdCv5YSNbRbrNHWG+SLTWG/UB7mrDCK8hOyZlEhxqVo6hCUrdjfa4KzDR6CsNPAn0YQ5RgX8PDBW5GiJhXM25v+cKDMETr109e3FjyKhE4XNkWrtjB+1fPxaleID9eyqHtXUObu4Hys3Z7UUzZ6qwEk6QeC2nUdo0YN7JEsRY5w4cZoxvdlwEAESCWovThDB7wAqFu2oZEf56XQzZ5+EmZKjkruq9b/crZHaLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=pc5Wc2FbFW/C8ER4a9ApjskLvDQ+lI0fzmmYB1Bmzm4=;
 b=dgC3hHRmIzUtGaXUpltxULQxg7sn5Uv50dfKAhDyXD6MDMiuUvpc2N9K8vfx4gpp6Dzs1NsvQxiiCZIBjnvSk4h3dXgLRbr78iFEXwKWppn+zjFyrq7if5T7FPHkEVzAb54mEL7/fI800wY9cLSAHVvLA9KlLo0BiW7zeM2GzSNXRjjdqnEpb7Na6gEFEbm1d++78k2PalFwMWFXC9g0+qU+F+QFwwmM3WSTcElMjulGXJP0Ujc6a6TjYUi8Uo6AS/opvOHN3blD/dGzP5zIr17WnLMT61ogygBzn1t9R3XAunVlTzRXqtBHHimnC/fC2+O8yeel9gR5u0ivXJGttA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
X-Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14)
 by SJ0PR11MB4798.namprd11.prod.outlook.com (2603:10b6:a03:2d5::12) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6699.34; Thu, 31 Aug
 2023 16:07:27 +0000
X-Received: from MW4PR11MB5872.namprd11.prod.outlook.com
 ([fe80::fdf8:dc0e:db69:f35b]) by MW4PR11MB5872.namprd11.prod.outlook.com
 ([fe80::fdf8:dc0e:db69:f35b%4]) with mapi id 15.20.6699.035; Thu, 31 Aug 2023
 16:07:27 +0000
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Kinney, Michael D" <michael.d.kinney@intel.com>, Leif Lindholm
	<quic_llindhol@quicinc.com>, "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"spbrogan@outlook.com" <spbrogan@outlook.com>, "Hou, Wenxing"
	<wenxing.hou@intel.com>
CC: "afish@apple.com" <afish@apple.com>
Subject: Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add HMAC/HKDF/RSA/HASH features based on Mbedtls ***
Thread-Topic: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add
 HMAC/HKDF/RSA/HASH features based on Mbedtls ***
Thread-Index: AQHZ20SWsc1e5v5aKUiHQYITCMkw5rADMN8AgABVBrCAACjFgIAAk38AgABLgwCAAAWmsA==
Date: Thu, 31 Aug 2023 16:07:27 +0000
Message-ID: <MW4PR11MB58723229DF0A4A094227433A8CE5A@MW4PR11MB5872.namprd11.prod.outlook.com>
References: <20230830075220.2070-1-wenxing.hou@intel.com>
 <BY3PR19MB4900AA417F61A5B67ADB4311C8E6A@BY3PR19MB4900.namprd19.prod.outlook.com>
 <MW4PR11MB5872F4BE24086F6D4D40E1728CE5A@MW4PR11MB5872.namprd11.prod.outlook.com>
 <MW4PR11MB5872730A76886016FC873E348CE5A@MW4PR11MB5872.namprd11.prod.outlook.com>
 <0cca40e7-d050-4e2b-bbdd-ebdc800124e5@quicinc.com>
 <CO1PR11MB4929A7E8134D18D11AFB77D6D2E5A@CO1PR11MB4929.namprd11.prod.outlook.com>
In-Reply-To: <CO1PR11MB4929A7E8134D18D11AFB77D6D2E5A@CO1PR11MB4929.namprd11.prod.outlook.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MW4PR11MB5872:EE_|SJ0PR11MB4798:EE_
x-ms-office365-filtering-correlation-id: b32ee6b4-c4a4-457f-99d1-08dbaa3c5f5f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam-message-info: FbtZJCh6w19p046s3ay7JD6sV4WDY5H6X35tvVK8Xf8hm1jO076dOQwa32N6eCKg7jq+hRVrgdwwDJfNFp+Lz0Sto0dxdxCaOYiJbnxeydrC+11Is4TqQ2i2P8iilVpfATBp4U2xjApe6zzAorrGYwjGiL8UOKftmZMnfjdYAItUFcnC9VQv9v51mIZKZapgrN9rs0LenedoA9MwjtNICkNaR/CqV4dzWFEKwH8h7eqXRF/PeXtxao7Slh6FCgXque7RRFEciWmZKikHyqdnpPhi4/Wh1oy7Shdrk11+xVfcuibMCilMICZaOqDeiG8rUwpDkUqoPZNuocMArED9F3DdM8JOrMCn/k7wgM2WZsw8ALOHsQ+eTj5qFj3LJyOeyg/TQcuPCpV9ssn7Db1LYAA/SttMZtAa5ofQADu535Isi3cEWzLGPcp9NkloHVx+ORIxa8F2dvvnAMl1MjjOWsX+/hv1b7vjeMJQkNIAIienQMw4QcU7ffk6eevvFQaN3GIDu7zmwhQeN/hya3cYhbRYIvJVSGTBObnOGnUapL488BI2kFQztKyXQXbJ/xPviI930FYqkSLb9U2zLWtz5SuG1t0z04sQGcDon4euxxrzvYrsyEunOB2OjP57Ig3zprriBrje+0XXThDb3rtviA==
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?oSmd6htixWktx5uuQHc10HvdXtOS1gAMfts6fgW2v40v1Xnc4rw7uEjHoB?=
 =?iso-8859-1?Q?IAvDqYIYp2xD2ZPqo4XpuNbd5VdtRcIBiyXPJhL1VNxrGr8qwcdfpIOo4g?=
 =?iso-8859-1?Q?7xhT04XN4J116DJEVKoh5m/do1IsR1eeQ5TQ/AQ3jcEtPvM/FSVZta0I/9?=
 =?iso-8859-1?Q?UNDki08LpeE4w3JyROWIxeJxQof9Afpi/NCZhoJeDZtPax4G6K0og8wUtG?=
 =?iso-8859-1?Q?RwVNS8h1Mq5D/DPU1Cg+Oay4RQ3K+uPayxkfXr6RE9GqWHdhyUz0mtySgh?=
 =?iso-8859-1?Q?JbA9K/DBYgxr1NnjoNJrMnB0K/eAgk3NT7UJLsHpVbkHpbdtOhlOC9wMav?=
 =?iso-8859-1?Q?CJatbLn3DUsx8w2shiqj52gehlkLeyZudKX+YjQ/XUd5QaThyMgwQIFZk0?=
 =?iso-8859-1?Q?qjkYxKLJG7mrE97QNpW1nIBnJMVduwkfSruIIotZkTewLzxrGjF8e02jeT?=
 =?iso-8859-1?Q?xVMQNA5u2JB64GA4Po6bl+PiVs1tpLh/nYWsQF3mbNWq/5q1daQu5DGp3F?=
 =?iso-8859-1?Q?Ay38WO8rQn2mvSGGHO3jSgM4XdKUwfN3NN0XL41bnDU74b6OCVQSoHnLr7?=
 =?iso-8859-1?Q?2kisMgytDRjQnFdAQlxdQmUD08sgKsM2KBUy5hFK1hrely4ulqr2nVK9Tw?=
 =?iso-8859-1?Q?ZnK379s9ysNXrPaPHx4B1jLT1GaYwtIqAR1pRDEO6E1LsdgHU7lMTWcy6h?=
 =?iso-8859-1?Q?cZjAHutDpxHBbQe5kwjg54UtOXK0+CLfM1V6H9qDhmgPgo/hQossDvGOWi?=
 =?iso-8859-1?Q?aLO546gRZZdDfYaUYq6wZJlCv8NVmX7X3bPbHn82AKsRfp72n37vuoKm7k?=
 =?iso-8859-1?Q?FUu8nQDVPNtwliGH5o97lzVXzqIqb3gYCJjsnn8aeVCOQ6ZrNVhRRAz1Am?=
 =?iso-8859-1?Q?xLQjxnH5a6yNJWQy2PXhwMSN3q21UxeQgWJx5haQ3evNoPlsB/k9Ph6t/H?=
 =?iso-8859-1?Q?kCf7djvAlt52PIHSlYJNcO/ZlyBN0EJAHlwFEzqj0e1X+fytp5wGp1CE91?=
 =?iso-8859-1?Q?DrUSCsitGLUDRr9ML4zqhJpph8TbezSnNhzDQPxoDSjfkk5hh42zTmIBFQ?=
 =?iso-8859-1?Q?aZprFTsslDQPQgRKrtRakGX37Ki7BeqTFiDCtdbhs1rq8oPaVl80sFrT65?=
 =?iso-8859-1?Q?FZw6jee+qn3VFdO+oR1SRyh7hjGqd9pPSW0XsTO06SZpg1eg4ZmSulzhXK?=
 =?iso-8859-1?Q?Qq4CSquQZFFOEgTQXMGEIrpVZZefJL3ouu0WlzK5xzxOJPl/6NPVxqfpNQ?=
 =?iso-8859-1?Q?DHYc1i53F6dTB8hBcIA9pEgCziwCjEeeErTTPnqc7pZ0rV8TOe1fmXZgZW?=
 =?iso-8859-1?Q?gei8L5HR0o/RDTvHC81PYl3CbwdKxEf++4aIyzObNhTL9vl2M1CjiSlVAE?=
 =?iso-8859-1?Q?oKT29sMXWhbn4gEGD+kd/7OUJBFAZPTjF89WaW042503n/QGnODavlCm4Z?=
 =?iso-8859-1?Q?Yy6uNID+8Hc+YFLiFECts6YeEo0Rzk2RpeoRL7ynw8XX+GMSKwt8M/xnBl?=
 =?iso-8859-1?Q?WJ/cxYCF1ZAqk0QDJpRlCtORlPOacwfPMuLbju4910+e9mop+pkNQcYriS?=
 =?iso-8859-1?Q?dgrqaD/F6jzct1lqs3MH8i/OQjDAhqRKnjK9i5w16Rg9ILR1dWhh3u98TY?=
 =?iso-8859-1?Q?SoVP6XIrui0zH1C/ys8OikabASHI48/xkF?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b32ee6b4-c4a4-457f-99d1-08dbaa3c5f5f
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Aug 2023 16:07:27.7850
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: JJ7ZcmiUcodqYUwdyaGiX4zg903mf30ByJamiIvfgD0g1k6N7OCoqrPoS63uaN2OOfzNbIJ9ezi1o+04emzb+g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR11MB4798
X-OriginatorOrg: intel.com
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: 0acjP4q6J3yJhGkwpnuWWYKhx7686176AA=
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=tulJ4p10;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io;
	arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}")

Hi Mike
We are using submodule for mbedtls in this patch. Copying source code is no=
t preferred.

I think we are discussing multiple ways to layout the *mbedtls crypto wrapp=
er*. See following 4 options.

Thank you
Yao, Jiewen


> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Thursday, August 31, 2023 11:45 PM
> To: Leif Lindholm <quic_llindhol@quicinc.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; devel@edk2.groups.io; spbrogan@outlook.com; Hou,
> Wenxing <wenxing.hou@intel.com>
> Cc: afish@apple.com; Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: RE: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add
> HMAC/HKDF/RSA/HASH features based on Mbedtls ***
>=20
> I have not looked at the Mbedtls patches in detail yet, but I
> am curious if it is possible to add the mbedtls based library
> instances of the edk2 crypto libraries to the existing
> CryptoPkg and pull the mbedtls sources into the CryptoPkg using
> a submodule just like openssl?  This way, platforms can choose
> either openssl or mbedtls library instances from CryptoPkg and
> all INFs would continue to only list CryptoPkg.dec.
>=20
> I think use of submodules makes the most sense for content that
> edk2 consumes as read-only and edk2 makes decisions to jump from
> one validated release to the next validated release of the submodule
> content.
>=20
> In general, we do not want to copy source from a different project
> into TianoCore repos because of the overhead to keep them in sync.
> An exception to this is something like cmocka where this was done
> for CI stability issues and the copy in TianoCore is an automated
> sync of the upstream repo.
>=20
> Thanks,
>=20
> Mike
>=20
>=20
> > -----Original Message-----
> > From: Leif Lindholm <quic_llindhol@quicinc.com>
> > Sent: Thursday, August 31, 2023 4:15 AM
> > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io;
> > spbrogan@outlook.com; Hou, Wenxing <wenxing.hou@intel.com>
> > Cc: afish@apple.com; Kinney, Michael D <michael.d.kinney@intel.com>
> > Subject: Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add
> > HMAC/HKDF/RSA/HASH features based on Mbedtls ***
> >
> > Like Sean, I'm very positive to the work - and I'm excited about the
> > opportunity to formalise the abstractions.
> >
> > But Sean is also asking to import the mbedTLS code outright instead of
> > using submodules, which adds an additional dimension to the matrix belo=
w.
> >
> > I'm not too concerned over the infrastructure change as such, but I
> > would prefer to not move the dial even further in the direction of
> > "upstream is a swarm of repositories". This adds complexity for new
> > developers. And submodules are way easier for upstream to track externa=
l
> > projects through. At the cost of complicating the maintenance process
> > for released products. Which isn't great.
> >
> > Am I kicking the can too far down the road if I suggest we do some
> > brainstorming around ways to achieve this with the least amount of
> > friction for everyone at the plugfest in October?
> >
> > Regards,
> >
> > Leif
> >
> > On 2023-08-31 03:34, Yao, Jiewen wrote:
> > > Hi Sean/Andrew/Leif/Mike
> > > Now, I think we actually have multiple options to handle this:
> > >
> > > 1) CryptoPkg in edk2 repo (add MbedTls to existing CryptoPkg)
> > >
> > > 2) CryptoPkg in edk2 repo + a new MbedTlsCryptoPkg in edk2 repo
> > >
> > > 3) CryptoPkg in edk2 repo + MbedTlsCryptoPkg in a new repo
> > >
> > > 4) Move CryptoPkg from edk2 repo to OpensslCryptoPkg in a new repo +
> > MbedTlsCryptoPkg in another new repo
> > >
> > >
> > >
> > > Current patch is for option 1).
> > > Sean's proposal is for option 4).
> > >
> > > I feel 4) is very aggressive. My worry is that it will involve many
> > infrastructure change such as CI, and all edk2 platforms.
> > >
> > > What about 2) or 3) ?
> > >
> > > Thank you
> > > Yao, Jiewen
> > >
> > >
> > >> -----Original Message-----
> > >> From: Yao, Jiewen
> > >> Sent: Thursday, August 31, 2023 8:10 AM
> > >> To: devel@edk2.groups.io; spbrogan@outlook.com; Hou, Wenxing
> > >> <wenxing.hou@intel.com>
> > >> Cc: afish@apple.com; quic_llindhol@quicinc.com; Kinney, Michael D
> > >> <michael.d.kinney@intel.com>
> > >> Subject: RE: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add
> > >> HMAC/HKDF/RSA/HASH features based on Mbedtls ***
> > >>
> > >> Hi Sean
> > >> Thanks for the feedback. Personally, I don't have strong opinion on =
this.
> > >>
> > >> Since this is a big change, I would like to have Steward member's op=
inion.
> > >>
> > >> Hi Andrew/Leif/Mike
> > >> What do you think?
> > >>
> > >> Thank you
> > >> Yao, Jiewen
> > >>
> > >>
> > >>> -----Original Message-----
> > >>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean
> > >>> Sent: Thursday, August 31, 2023 2:57 AM
> > >>> To: devel@edk2.groups.io; Hou, Wenxing <wenxing.hou@intel.com>
> > >>> Subject: Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add
> > >>> HMAC/HKDF/RSA/HASH features based on Mbedtls ***
> > >>>
> > >>> I appreciate and really like this work to enable mbedtls but I don'=
t
> > >>> like the idea of adding another submodule to edk2.
> > >>>
> > >>> For a long time there has been discussion about formalizing the
> > >>> abstraction of the edk2 crypto api so that it would be practical to
> > >>> implement edk2's crypto using various libraries.=A0=A0 I propose we=
 remove
> > >>> openssl from the edk2 CryptoPkg and into the OpenSslCryptoPkg in an=
other
> > >>> new tianocore repository dedicated to OpenSsl.=A0 MbedTls could the=
n be
> > >>> checked into the MbedTlsCryptoPkg and added to another new reposito=
ry.
> > >>> This would also have the benefit of breaking the tight coupling of =
edk2
> > >>> stable tags from the crypto used in the code base (crypto has more
> > >>> widely tracked vulnerabilities).
> > >>>
> > >>> Happy to discuss more if others have different ideas.
> > >>>
> > >>> Thanks
> > >>>
> > >>> Sean
> > >>>
> > >>>
> > >>>
> > >>> On 8/30/2023 12:52 AM, Wenxing Hou wrote:
> > >>>> *** Add BaseCryptLibMbedTls for CryptoPkg, which can be an alterna=
tive
> > to
> > >>> OpenSSL in some scenarios. There are four features in the patch:
> > >>> HMAC/HKDF/RSA/HASH.***
> > >>>>
> > >>>> Wenxing Hou (9):
> > >>>>     CryptoPkg: Add mbedtls submodule for EDKII
> > >>>>     CryptoPkg: Add mbedtls_config and MbedTlsLib.inf
> > >>>>     CryptoPkg: Add HMAC functions based on Mbedtls
> > >>>>     CryptoPkg: Add HKDF functions based on Mbedtls
> > >>>>     CryptoPkg: Add RSA functions based on Mbedtls
> > >>>>     CryptoPkg: Add all .inf files for BaseCryptLibMbedTls
> > >>>>     CryptoPkg: Add Null functions for building pass
> > >>>>     CryptoPkg: Add MD5/SHA1/SHA2 functions based on Mbedtls
> > >>>>     CryptoPkg: Add Mbedtls submodule in CI
> > >>>>
> > >>>>    .gitmodules                                   |    3 +
> > >>>>    .pytool/CISettings.py                         |    2 +
> > >>>>    CryptoPkg/CryptoPkg.ci.yaml                   |   66 +-
> > >>>>    CryptoPkg/CryptoPkg.dec                       |    4 +
> > >>>>    CryptoPkg/CryptoPkgMbedTls.dsc                |  280 ++
> > >>>>    .../BaseCryptLibMbedTls/BaseCryptLib.inf      |   81 +
> > >>>>    .../BaseCryptLibMbedTls/Bn/CryptBnNull.c      |  520 +++
> > >>>>    .../Cipher/CryptAeadAesGcmNull.c              |  100 +
> > >>>>    .../BaseCryptLibMbedTls/Cipher/CryptAesNull.c |  159 +
> > >>>>    .../BaseCryptLibMbedTls/Hash/CryptMd5.c       |  234 +
> > >>>>    .../BaseCryptLibMbedTls/Hash/CryptMd5Null.c   |  163 +
> > >>>>    .../Hash/CryptParallelHashNull.c              |   40 +
> > >>>>    .../BaseCryptLibMbedTls/Hash/CryptSha1.c      |  234 +
> > >>>>    .../BaseCryptLibMbedTls/Hash/CryptSha1Null.c  |  166 +
> > >>>>    .../BaseCryptLibMbedTls/Hash/CryptSha256.c    |  227 +
> > >>>>    .../Hash/CryptSha256Null.c                    |  162 +
> > >>>>    .../BaseCryptLibMbedTls/Hash/CryptSha512.c    |  447 ++
> > >>>>    .../Hash/CryptSha512Null.c                    |  275 ++
> > >>>>    .../BaseCryptLibMbedTls/Hash/CryptSm3Null.c   |  164 +
> > >>>>    .../BaseCryptLibMbedTls/Hmac/CryptHmac.c      |  620 +++
> > >>>>    .../BaseCryptLibMbedTls/Hmac/CryptHmacNull.c  |  359 ++
> > >>>>    .../BaseCryptLibMbedTls/InternalCryptLib.h    |   44 +
> > >>>>    .../BaseCryptLibMbedTls/Kdf/CryptHkdf.c       |  372 ++
> > >>>>    .../BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c   |  192 +
> > >>>>    .../BaseCryptLibMbedTls/PeiCryptLib.inf       |  101 +
> > >>>>    .../BaseCryptLibMbedTls/PeiCryptLib.uni       |   25 +
> > >>>>    .../BaseCryptLibMbedTls/Pem/CryptPemNull.c    |   69 +
> > >>>>    .../Pk/CryptAuthenticodeNull.c                |   45 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptDhNull.c      |  150 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptEcNull.c      |  578 +++
> > >>>>    .../Pk/CryptPkcs1OaepNull.c                   |   51 +
> > >>>>    .../Pk/CryptPkcs5Pbkdf2Null.c                 |   48 +
> > >>>>    .../Pk/CryptPkcs7Internal.h                   |   83 +
> > >>>>    .../Pk/CryptPkcs7SignNull.c                   |   53 +
> > >>>>    .../Pk/CryptPkcs7VerifyEkuNull.c              |  152 +
> > >>>>    .../Pk/CryptPkcs7VerifyEkuRuntime.c           |   56 +
> > >>>>    .../Pk/CryptPkcs7VerifyNull.c                 |  163 +
> > >>>>    .../Pk/CryptPkcs7VerifyRuntime.c              |   38 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptRsaBasic.c    |  268 ++
> > >>>>    .../Pk/CryptRsaBasicNull.c                    |  121 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c      |  337 ++
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c  |  117 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptRsaPss.c      |  164 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c  |   46 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c  |  231 +
> > >>>>    .../Pk/CryptRsaPssSignNull.c                  |   60 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptTsNull.c      |   42 +
> > >>>>    .../BaseCryptLibMbedTls/Pk/CryptX509Null.c    |  753 ++++
> > >>>>    .../BaseCryptLibMbedTls/Rand/CryptRandNull.c  |   56 +
> > >>>>    .../BaseCryptLibMbedTls/RuntimeCryptLib.inf   |   92 +
> > >>>>    .../BaseCryptLibMbedTls/RuntimeCryptLib.uni   |   22 +
> > >>>>    .../BaseCryptLibMbedTls/SecCryptLib.inf       |   84 +
> > >>>>    .../BaseCryptLibMbedTls/SecCryptLib.uni       |   17 +
> > >>>>    .../BaseCryptLibMbedTls/SmmCryptLib.inf       |   92 +
> > >>>>    .../BaseCryptLibMbedTls/SmmCryptLib.uni       |   22 +
> > >>>>    .../SysCall/ConstantTimeClock.c               |   75 +
> > >>>>    .../BaseCryptLibMbedTls/SysCall/CrtWrapper.c  |   58 +
> > >>>>    .../SysCall/RuntimeMemAllocation.c            |  462 ++
> > >>>>    .../SysCall/TimerWrapper.c                    |  198 +
> > >>>>    .../BaseCryptLibMbedTls/TestBaseCryptLib.inf  |   78 +
> > >>>>    CryptoPkg/Library/MbedTlsLib/CrtWrapper.c     |   96 +
> > >>>>    CryptoPkg/Library/MbedTlsLib/EcSm2Null.c      |  495 +++
> > >>>>    .../Include/mbedtls/mbedtls_config.h          | 3823
> > +++++++++++++++++
> > >>>>    CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf   |  173 +
> > >>>>    .../Library/MbedTlsLib/MbedTlsLibFull.inf     |  177 +
> > >>>>    CryptoPkg/Library/MbedTlsLib/mbedtls          |    1 +
> > >>>>    66 files changed, 14683 insertions(+), 3 deletions(-)
> > >>>>    create mode 100644 CryptoPkg/CryptoPkgMbedTls.dsc
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmac.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmacNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdf.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c
> > >>>>    create mode 100644
> > >> CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf
> > >>>>    create mode 100644
> > >> CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.uni
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c
> > >>>>    create mode 100644
> > >>>
> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasicNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSignNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.uni
> > >>>>    create mode 100644
> > >> CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf
> > >>>>    create mode 100644
> > >> CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.uni
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.uni
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/RuntimeMemAllocation.=
c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf
> > >>>>    create mode 100644 CryptoPkg/Library/MbedTlsLib/CrtWrapper.c
> > >>>>    create mode 100644 CryptoPkg/Library/MbedTlsLib/EcSm2Null.c
> > >>>>    create mode 100644
> > >>> CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
> > >>>>    create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf
> > >>>>    create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.=
inf
> > >>>>    create mode 160000 CryptoPkg/Library/MbedTlsLib/mbedtls
> > >>>>
> > >>>
> > >>>
> > >>>=20
> > >>>
> > >



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108198): https://edk2.groups.io/g/devel/message/108198
Mute This Topic: https://groups.io/mt/101048094/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-