From: "Yao, Jiewen"
To: Gerd Hoffmann, "devel@edk2.groups.io"
CC: Pawel Polawski, "Li, Yi1", "Oliver Steffen", "Wang, Jian J", "Ard Biesheuvel", "Jiang, Guomin", "Lu, Xiaoyu1", "Justen, Jordan L"
Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
Date: Mon, 9 May 2022 01:38:35 +0000
References: <20220502103436.3274412-1-kraxel@redhat.com> <20220505080638.rmrw3f773rkw3ljl@sirius.home.kraxel.org> <20220505091536.llguh4dzozqtiiob@sirius.home.kraxel.org>
In-Reply-To: <20220505091536.llguh4dzozqtiiob@sirius.home.kraxel.org>

Thank you Gerd.

I collected feedback from Intel BIOS team, both client and server, both old platform and new platform.

In general, the new platform will leave enough space for crypto improvement. Size is not a big issue. The delta is acceptable.
However, the old launched platforms only have limited flash space. This patch will break the current build because of size increase. Option (1) is not acceptable.

In conclusion:
For OvmfPkg update: Acked-by: Jiewen Yao
For SecurityPkg update: I recommend we consider option (2).

(1) Drop the idea to make EC configurable and just enable it unconditionally. I think long-term there is no way around this anyway as EC is a hard requirement for TLS 1.3.
(2) Keep the EC config option, but update process_files.pl to automatically add the PcdEcEnabled config option handling to the files it generates.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Gerd Hoffmann
> Sent: Thursday, May 5, 2022 5:16 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Pawel Polawski; Li, Yi1; Oliver Steffen; Wang, Jian J; Ard Biesheuvel; Jiang, Guomin; Lu, Xiaoyu1; Justen, Jordan L
> Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
>
> Hi,
>
> > > I am not convinced that "EC is hard requirement for EDKII" just because "EC is a hard requirement for TLS 1.3". My reason below:
> > > A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE. (Unless size of PEI/SMM is unchanged).
> >
> > Well, the PcdEcEnabled switch we have in the tree right now enables or
> > disables EC for everybody, it doesn't support enabling EC for DXE only.
> >
> > If we want to change that we'll need two different *.inf files I guess,
> > one for openssl with ec and one for openssl without ec.
> >
> > I'll check the effect on image sizes.
>
> Here we go:
>
> --- master.stats 2022-05-05 10:05:03.791368600 +0200
> +++ openssl-ec.stats 2022-05-05 10:35:44.429412053 +0200
> @@ -137,8 +137,8 @@
> 124410 BdsDxe
> 145534 DxeCore
> 148078 UiApp
> - 400158 SecureBootConfigDxe
> - 472950 SecurityStubDxe
> - 532626 VariableSmm
> - 658174 TlsDxe
> + 575390 SecureBootConfigDxe
> + 643062 SecurityStubDxe
> + 700562 VariableSmm
> + 847422 TlsDxe
> 946646 Shell
>
> So no effect on PEI size but SMM is affected.
>
> take care,
> Gerd
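
Review bot: the sizes in the `@@ -137,8 +137,8 @@` hunk carry no unit and no build target or toolchain, and the visible lines include no PEI module, so the "no effect on PEI size" conclusion cannot be checked from this excerpt. Suggest stating the unit and build configuration and including the PEI module lines alongside the changed ones. From the visible lines, the four changed modules grow by similar amounts (SecureBootConfigDxe +175232, SecurityStubDxe +170112, VariableSmm +167936, TlsDxe +189248), while BdsDxe, DxeCore, UiApp and Shell are unchanged; VariableSmm is the only SMM module shown, so it is the one line backing "SMM is affected".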