From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web10.96086.1679644496786881169 for ; Fri, 24 Mar 2023 00:54:56 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=EUvn2Cv9; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: jiewen.yao@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1679644496; x=1711180496; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=pMPdlgBsz/d1BBFh/H+Js8tPD6RqPgtdIld3u8zqwx4=; b=EUvn2Cv9zq78ZfhacMS9ZETi5ZDo+7Ylvbiqf0UmRjnXJZsAawzqPLlK zA4ZIkNAHgMRZCEvOATH6uBG+O60X8+Jk//6P5H9RnUnNJG7LR2xFu0g0 1bpA8AJX34scDWBFvV30NoBn3j1zCMNmvYmz3cYkgyOr8fTQCQupU7dZL QopjK+vx6pokLPxGoEQs1wY53YvpmsE1mhrcFj+2S2Jak6bo5wemGicXZ YaYt2O7x33OpVpHl6L7v2nkOqx1iHsGO6bwarv2RvngYpylPAJaZ8VYqd 2QiSn5wPeowwrsgaTmYdFW5/3T+bVzJkbFRgnCzB7bsuIk+wbRGQHiM9P g==; X-IronPort-AV: E=McAfee;i="6600,9927,10658"; a="339747579" X-IronPort-AV: E=Sophos;i="5.98,287,1673942400"; d="scan'208";a="339747579" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Mar 2023 00:54:47 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10658"; a="659965977" X-IronPort-AV: E=Sophos;i="5.98,287,1673942400"; d="scan'208";a="659965977" Received: from orsmsx602.amr.corp.intel.com ([10.22.229.15]) by orsmga006.jf.intel.com with ESMTP; 24 Mar 2023 00:54:47 -0700 Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Fri, 24 Mar 2023 00:54:47 -0700 Received: from ORSEDG601.ED.cps.intel.com (10.7.248.6) by orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21 via Frontend Transport; Fri, 24 Mar 2023 00:54:47 -0700 Received: from NAM11-BN8-obe.outbound.protection.outlook.com (104.47.58.169) by edgegateway.intel.com (134.134.137.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.21; Fri, 24 Mar 2023 00:54:06 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YdNudJjmQMOQJBUG257LLPeh00goLD+nymLig6m+ypBM8g7Lj2WaoGF+dI0O+cc2Qx9xDRaaqPcDM+LEOBDE4cyaPd/7bcOIQdPaY/nRY+TOCxWuxJRw2V+7o3bUO+zWxlkg5hwmoHyZvBogazLYT7G5p88G1ldvDh+NLysehevgYEgYvo01rLO6/FPJep+gOR7OL33ElJkrl8b+QaCFUEsirp5R9XafqnQtujMQEjtAO61MHolqfSOXMOHmb3TxlOsV2wYcCbMf/4hZFmUQ0cF4JqB6EMfvcCN7GMnwRPNMiB6ENo+FKmhcWJbYLPX5ljHtkyFExD2qbJI2lfonoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=nCCkjwq7yUUZIiaPWvWM5tiIO+S/PeIvb5d3MTDnVkc=; b=hnVZm9dDACde4iuOmEsSqZtJUBPFCWTZ0KCz580KLoKhfy4Y9tc4WDJcTQOPblhaSoQgvysSH6GT+aHp8exg7pZpg2e3x2PWu9Q4oJMgf8Mzi2FebKgKqy4t0fIBaGe4lkR9npw00cCde72reS6LAed4WkiMXruTzqJYn1IvV+62pocQfdfcBwfZbpdZGyvC1L20sVhcbR2XoRAd1cEfiVimWb7kV3ERAFuhnSiek/zCD7wZIXcmWkzDqWo/cPbuvToXUMsx4JTaudO9eCjtzghEQ8EZLoqcUM66H7FVicEVMAzzhTi2uc1Br5AsvVwB4xDkqPKCBpiEYL6Ok8SBYA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by SA1PR11MB7013.namprd11.prod.outlook.com (2603:10b6:806:2be::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.38; Fri, 24 Mar 2023 07:54:04 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::c0c0:4b46:1dd4:80d6]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::c0c0:4b46:1dd4:80d6%5]) with mapi id 15.20.6178.037; Fri, 24 Mar 2023 07:54:04 +0000 From: "Yao, Jiewen" To: "Li, Yi1" , "devel@edk2.groups.io" , Gerd Hoffmann CC: "Yao, Jiewen" Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update Thread-Topic: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update Thread-Index: AQHZXTHCbRWXhrgOBEiySbW/gidfSK8IEE6AgAEaRwCAAEkmYIAAHJcAgAAAZhA= Date: Fri, 24 Mar 2023 07:54:04 +0000 Message-ID: References: <99a218c205bcc4ddc7ef48ef875dc9361e53926f.1679537389.git.yi1.li@intel.com> In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: MW4PR11MB5872:EE_|SA1PR11MB7013:EE_ x-ms-office365-filtering-correlation-id: 510a7876-12b5-49c0-9afb-08db2c3cf036 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 4ZG3plc539IeQy0AuMWJ0161AxhfIUZ6ZDqr2n3GqaftgwaiU0RXzqwnXS0+urhttfR2YyOpuR1EOsIR6VdTcwAvEtx5lgAtIIMTtGto35Q0ZcJp7iS9Hmx+mu9x6gwjA3/H0RNJ8OBFUGS/Ux094KC8stEyLjpK9xvNW72Rbelzi/su9pc+LJgom+95dCeR+sH0XSWjhmx081IZO/r4tWl0zFktOUZizYMYGEEmN/4duKSIxz/ZvfrrKTvS2iX5FCO6K5SyEXO8m8B22SroV057wcI/slZ+XKdkZr4ZLgx9Q5P+dfMZ3TQPir8h3zrFYCQ341+EdXQsR2vTa0Le00HrjV44Q1+XtrqkqgG9NSi5zoZAetw8gjq1ASx/b2LNRQ8/mvunP2H6jyNmpoZSobKhVIyXH2EU32/l4rnPqrMVLbAXw0YWv6ZF4fUvvZukTv8VJY8WYhdwOzRBjA8j0fhOvuCuRZhD8Oji9OFICjs953MmDhaLZY1OIAEEeNLtobVczuB12XARNH50gsLXUkRABNz3cZ7JeC0R65VOF6gukY9V9s0HLSvjW9zZckOZeQ2lFt5KbqKzWMuVtLyUQCIW5NzekuHBO/yF7sWjuciGistUisst4r6BQJ8VPzdKRkSTK1EWXNu43lDDDwu89wae9MqzoT/gerh4MGZe+9rKZkiImOU5jh863nA8Ed6riQR7vjz6pOLmKOS2U8EUvC1+X3NW4c2WtWlxrbyd3HI= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230025)(39860400002)(376002)(346002)(136003)(366004)(396003)(451199018)(64756008)(66946007)(66446008)(8676002)(76116006)(66556008)(66476007)(110136005)(6506007)(5660300002)(122000001)(82960400001)(15650500001)(41300700001)(52536014)(316002)(8936002)(53546011)(26005)(107886003)(4326008)(186003)(33656002)(9686003)(83380400001)(71200400001)(966005)(86362001)(7696005)(478600001)(55016003)(38070700005)(38100700002)(2906002)(66899018);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?CZaU/Tev9TcOKo0GBXV7Smy6GDynivnBdNbw+8v1m/sGbEqKDfsTThWwffBZ?= =?us-ascii?Q?BSALom/OsznMHVUkI5aUHcPQwRsOc2Z5ZdWEpJBvDfc3wcboPD2aV6pGo1lu?= =?us-ascii?Q?PQsdUkj7s+23XZ3ptRlSWDdm0wjcTmJN1vuJ8SUenb8V9leFEsut+zOs6DFI?= =?us-ascii?Q?tLS8yaVXrAFloPIvJ5HqPxrZkKQUz1QWLqjdsRLArC1BVtcGoQzctoWKU3rk?= =?us-ascii?Q?XnfKuIk2qCFAE97y5KlN58zz/BZ91Lrzd0csEjBwHk4gX29/rPBSlFwXoQAx?= =?us-ascii?Q?IowgyMjeC3M1J0uN554o0Q3+CoYjSoeyArqkcFqNbLQkeu0wcQjDIPpABp8f?= =?us-ascii?Q?/Seno/DQCmj/hJUcGJLx60YTLa1n2jhD9dpJksDXdXAsj5u+Nwf7N+co52Aq?= =?us-ascii?Q?f4j5pnyRlQE7OjDUE3e23viTAXDqaceRXwd3UB3+Av83J59dfjmQxm8FvMQS?= =?us-ascii?Q?M65RFxEINN6oPGhNGXMIobNN0g8LsTor3Mr5vHO1S0Hhm0KO85QrgWWr8F93?= =?us-ascii?Q?v7ilAAu8F0Yeot88/Vho3Oj9evQ7/Jx5SrV3kQmPCs6v9nF6UOvEmfkMFdfu?= =?us-ascii?Q?R1qsT8QpwdA06t5qk47SuBIcGN9LBd/B1MjbYy6pmvkjtYFb/AJI08giPe//?= =?us-ascii?Q?gc/5fnEs1h7wUambHPSv9dvnZvYUlCRjVBbZguiQKixh8SkL/c86UyfOFmxV?= =?us-ascii?Q?Od7MQFk8Hsb17V5v4IE2/aDQdvpWrF4H73Whe/75eC3iZVdKg88yePPjQIFI?= =?us-ascii?Q?q4xG75NwHgpil2yFJScqCWeIaEB0mCxGWutAlB/RavSvEgFt4EnyOEVSYTlO?= =?us-ascii?Q?eSzN6y/129ftDyq3IWnBXil3njb27jyKXxpWSqVEgd8nDrpbb+/DJqRH1Uys?= =?us-ascii?Q?eDs/dKNeeiI/hbBUAPwrBdILcE5KyAQfMXlcIrf7OmaUeSBpQkmEs0BwwilX?= =?us-ascii?Q?ep8d2XYAI39YbqSK2MC0u+T03EU+0DH0RALIqmxTb+5Z9dKVWpHQgM7EaVmL?= =?us-ascii?Q?op9iIFANpJlWzWSBCRLPUm7cqKb6949LexllCgJMM5VWRUIia1Ztn920/EEC?= =?us-ascii?Q?Qz5OaYO9Nx6I88GPjBULjaFL+W8AaFrvPis25vDBj6FgU1+/LuZGGlAZaFNf?= =?us-ascii?Q?9Cs4TJ2q62MrG1obQzgNwHbPXbHSBCAKEmnfnA78emZxtZuPb1K/+oXAvL7X?= =?us-ascii?Q?lVCCL8pdI22PMr7vux2r0zWVhLpcz3YGWUdOHGcoZfsUvzUVE+bi/evOw5qT?= =?us-ascii?Q?Sjk2nzmcTsghc+he5B7ysVU6tNaMduJp4OisoAKnxEYscnCkAuz2aEmzNfFE?= =?us-ascii?Q?+oc0qLd1kg3+YqcVWFh8lUXHiO2wy4rSKdPhd31trPL/dNoV3xkdSyiQkDgr?= =?us-ascii?Q?KTqPbV4MQMSg5sSjRJNA3Y/DiQ9KG2k2d2+zPJ2MVJG8zzy9AovFZDTJMGGY?= =?us-ascii?Q?ZWTgZWAo+T7kJ313orfSkh/MDshgLj0zXNL2GqBKJQfPe2Dx15mv3wLmhslI?= =?us-ascii?Q?7xR65rDbHWcPriYBV31PYYvOljHzBkVzpE/CbUsjQx2+5a1N5jeL6D79MvvD?= =?us-ascii?Q?/DnT4uUzEDCbo14+SS5EGncjCkwB2V/qrLe6bkgm?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 510a7876-12b5-49c0-9afb-08db2c3cf036 X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Mar 2023 07:54:04.2358 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 7+h7QRuBP9wg49Ra5n/aHWCAbTAWdlwXGrYIJpRaCWwMVo3YnWi6klTR+G0I5g6anIj7cCWsb4XqFKwPFUeqYw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR11MB7013 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Thanks. That means we need revisit the API in crypto library. The original idea of crypt API is suitable for all crypto implementation. But if they cannot be implemented with opensssl 3.0 mode, the crypto API d= esign is problematic... Sigh... > -----Original Message----- > From: Li, Yi1 > Sent: Friday, March 24, 2023 3:51 PM > To: Yao, Jiewen ; devel@edk2.groups.io; Gerd > Hoffmann > Subject: RE: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] > Readme: 0322 update >=20 > Not easy, I have tried to update, but blocked at the RSA and MAC part, th= ere > will be many strange problems such as: > the context generated by RsaNew and RsaSetKey cannot be used for > sign/verify, > the hmac_duplicate (*src,*dst) function needs to expose the openssl > structure details... > https://github.com/liyi77/libspdm/tree/openssl-3-rsa > https://github.com/liyi77/libspdm/tree/openssl-3-work-mac >=20 > I didn't have enough time to debug it. >=20 > Even if the API is updated, we still need to delete legacy code inside op= enssl > to reduce size. >=20 > Regards, > Yi >=20 > -----Original Message----- > From: Yao, Jiewen > Sent: Friday, March 24, 2023 2:11 PM > To: devel@edk2.groups.io; Li, Yi1 ; Gerd Hoffmann > > Subject: RE: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] > Readme: 0322 update >=20 > We have 2 level APIs. >=20 > 1) EDKII other code -> CryptoPkg. > 2) CryptoPkg -> Openssl. >=20 > Current strategy of openssl 3.0 update is to keep both 1) and 2). That is > minimal impact. >=20 > Do you think if we can keep 1) and only update 2) to use new API in opens= sl > 3.0? >=20 >=20 >=20 > > -----Original Message----- > > From: devel@edk2.groups.io On Behalf Of Li, Yi > > Sent: Friday, March 24, 2023 9:47 AM > > To: Gerd Hoffmann ; devel@edk2.groups.io > > Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] > > Readme: 0322 update > > > > Hi Gerd, > > > > Thanks for review, > > > > >> +### Level 2: A bit like workaround, with possibility of upstream > > >> +to openssl 1. Enable the legacy path for X509 pubkey decode and > > >> +pmeth initialization, The purpose is to avoid the use of EN/DECODE > > >> +and > > Signature provider, will reduce size about 90KB. > > >> +(commit: x509: enable legacy path in pub decode) > > >> > > > +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd > > 6 > > >> +ef7045646ef0 > > >> +(commit: evp: enable legacy pmeth) > > >> > > > +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1 > > bf > > >> +e1d0263f074b > > > > >I suspect that is not going to work well long-term, probably openssl > > >will > > remove the code paths they consider being "legacy" at some point in > > the future. Probably not 3.0.x but maybe in 3.1 branch. > > > > Yes, I think in long-term the better way is to remove all legacy code > > paths, this will also help reduce the size. > > The problem is that a large number of legacy APIs are currently used > > in the > > EDK2 code. > > In the future, it may be a big update to throw all the legacy code. > > > > >> +### Level 3: Totally workaround and hard to upstream to openssl, > > >> +may need scripts to apply them inside EDK2 1. Provider cut. > > >> +(commit: CryptoPkg: add own openssl provider) > > >> +https://github.com/liyi77/edk2- > > staging/commit/c3a5b69d8a3465259cfdca8 > > >> +f38b0dc7683b3690e > > > > >Allow people implement their own providers looks like an openssl > > >feature to > > me. So I don't think this will be a big problem to maintain, I expect > > they try to keep the interfaces stable to not break apps doing so. > > > > >The only little detail we do differently here is to remove the > > >default > > providers so LTO can actually remove the unused code. > > > > >> +(commit: x509: remove print function 7KB) > > >> > > > +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e > > >> +2955d7ff4306 > > > > >Did you double-check this doesn't break something? > > > > >It did for me, due to some code in openssl depending on a working > > bio_sprintf() implementation. > > > > I don't do any more test than unit test. > > I am sick of this part, but I currently have no other way to reduce > > the size. I would like to drop those changes first if i find another wa= y. > > > > Regards, > > Yi > > > > > > > >=20 > >