public inbox for devel@edk2.groups.io
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Gerd Hoffmann <kraxel@redhat.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Pawel Polawski <ppolawsk@redhat.com>,
	"Li, Yi1" <yi1.li@intel.com>,
	"Oliver Steffen" <osteffen@redhat.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Ard Biesheuvel" <ardb+tianocore@kernel.org>,
	"Jiang, Guomin" <guomin.jiang@intel.com>,
	"Lu, Xiaoyu1" <xiaoyu1.lu@intel.com>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>
Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
Date: Mon, 9 May 2022 01:38:35 +0000
Message-ID: <MW4PR11MB58729A85832816FA3FF737588CC69@MW4PR11MB5872.namprd11.prod.outlook.com>
In-Reply-To: <20220505091536.llguh4dzozqtiiob@sirius.home.kraxel.org>

Thank you Gerd.

I collected feedback from the Intel BIOS team, both client and server, both old platform and new platform.

In general, the new platform will leave enough space for crypto improvement. Size is not a big issue. The delta is acceptable.

However, the old launched platforms only have limited flash space. This patch will break the current build because of the size increase. Option (1) is not acceptable.

In conclusion:
For OvmfPkg update: Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
For SecurityPkg update: I recommend we consider option (2).

  (1) Drop the idea to make EC configurable and just enable it
      unconditionally.  I think long-term there is no way around
      this anyway as EC is a hard requirement for TLS 1.3.
  (2) Keep the EC config option, but update process_files.pl to
      automatically add the PcdEcEnabled config option handling
      to the files it generates.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Thursday, May 5, 2022 5:16 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Pawel Polawski
> <ppolawsk@redhat.com>; Li, Yi1 <yi1.li@intel.com>; Oliver Steffen
> <osteffen@redhat.com>; Wang, Jian J <jian.j.wang@intel.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Jiang, Guomin <guomin.jiang@intel.com>; Lu,
> Xiaoyu1 <xiaoyu1.lu@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>
> Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC
> unconditionally.
> 
>   Hi,
> 
> > > I am not convinced that "EC is hard requirement for EDKII" just because
> > > "EC is a hard requirement for TLS 1.3". My reason below:
> > > A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact
> > > PEI/DXE. (Unless size of PEI/SMM is unchanged).
> >
> > Well, the PcdEcEnabled switch we have in the tree right now enables or
> > disables EC for everybody, it doesn't support enabling EC for DXE only.
> >
> > If we want to change that we'll need two different *.inf files I guess,
> > one for openssl with ec and one for openssl without ec.
> >
> > I'll check the effect on image sizes.
> 
> Here we go:
> 
> --- master.stats	2022-05-05 10:05:03.791368600 +0200
> +++ openssl-ec.stats	2022-05-05 10:35:44.429412053 +0200
> @@ -137,8 +137,8 @@
>    124410 BdsDxe
>    145534 DxeCore
>    148078 UiApp
> -  400158 SecureBootConfigDxe
> -  472950 SecurityStubDxe
> -  532626 VariableSmm
> -  658174 TlsDxe
> +  575390 SecureBootConfigDxe
> +  643062 SecurityStubDxe
> +  700562 VariableSmm
> +  847422 TlsDxe
>    946646 Shell
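
Review bot: the four changed rows (SecureBootConfigDxe, SecurityStubDxe, VariableSmm, TlsDxe) carry no unit and no indication of whether the figures are raw image sizes or sizes after compression, so they cannot be compared directly against a platform's flash budget. Stating that, and listing the per-module growth (175232, 170112, 167936 and 189248 respectively), would make the impact on space-constrained platforms easier to judge. VariableSmm is the only row that backs the SMM remark that follows, so it is worth naming there.
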
> 
> So no effect on PEI size but SMM is affected.
> 
> take care,
>   Gerd



Thread overview: 21+ messages
2022-05-02 10:34 [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 1/5] Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming OpensslLib" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 2/5] Revert "CryptoPkg: Make EC source file config-able" Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 3/5] OvmfPkg: make DXEFV larger Gerd Hoffmann
2022-05-02 19:39   ` Ard Biesheuvel
2022-05-02 10:34 ` [PATCH 4/5] CryptoPkg/openssl: update generated files Gerd Hoffmann
2022-05-02 10:34 ` [PATCH 5/5] CryptoPkg/openssl: disable codestyle checks for " Gerd Hoffmann
2022-05-03 15:39 ` [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally Yao, Jiewen
2022-05-05  8:06   ` Gerd Hoffmann
2022-05-05  9:15     ` [edk2-devel] " Gerd Hoffmann
2022-05-09  1:38       ` Yao, Jiewen [this message]
2022-05-09  9:45         ` Gerd Hoffmann
2022-05-09 10:17           ` Yao, Jiewen
2022-05-09 11:27             ` Gerd Hoffmann
2022-05-09 11:47               ` James Bottomley
2022-05-09 12:03                 ` Yao, Jiewen
2022-05-09 13:41                   ` James Bottomley
2022-05-10 10:40                     ` Gerd Hoffmann
2022-05-10 11:20                       ` Yao, Jiewen
2022-05-10 14:31                       ` James Bottomley
     [not found]                 ` <16ED6E30C7B1AB9D.18911@groups.io>
2022-05-09 12:12                   ` Yao, Jiewen
