From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"kraxel@redhat.com" <kraxel@redhat.com>
Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
Date: Fri, 10 Mar 2023 12:28:54 +0000
Message-ID: <MW4PR11MB5872A4FFCE1F3F0C8270B13E8CBA9@MW4PR11MB5872.namprd11.prod.outlook.com>
In-Reply-To: <1742A3BAD41DE0F1.13814@groups.io>

Hello
We have created an initial POC version of the CryptoPkg upgrade.
OpenSSL 3.0 POC: https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
The size is reduced a lot. But it still exceeds some platforms.
MbedTls 3.0 POC: https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/ReadmeMbedtls.md
The feature is not complete yet; especially SHA3 support is missing, which is required for ParallelHash.
You may try to use it to see if there is any gap.
Also, please let us know if anyone has a good idea.
Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
> Jiewen
> Sent: Saturday, February 11, 2023 10:20 AM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
> kraxel@redhat.com
> Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1
> replacement proposal
>
> Hi All
> I have created a staging branch - https://github.com/tianocore/edk2-staging/tree/OpenSSL11_EOL
> based upon latest trunk today.
>
> Let's use this branch to collaborate on the work on openssl 1.1 deprecation and
> continue improving, before we can merge back to trunk.
>
> The process is defined at https://github.com/tianocore/edk2-staging/.
>
> Feature missing or size increasing won't be a blocking issue for this staging
> branch.
>
> Any feedback is welcome.
>
> Hi Gerd
> If you don't mind, please submit your latest openssl-3.0 patch to the staging
> for broader evaluation and improvement.
>
> Thank you
> Yao, Jiewen
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> > Sent: Thursday, February 9, 2023 11:21 AM
> > To: devel@edk2.groups.io; kraxel@redhat.com
> > Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
> >
> > If you are asking how to do that best *at this moment*, I suggest we create a
> > branch in https://github.com/tianocore/edk2-staging and continue the research
> > work. Before September 2023, we need community's help to resolve openssl-3
> > size issue, before check in.
> >
> > If you are asking how to do that best after September 2023, we have no choice
> > but put to edk2 main branch. We have to remove openssl-11.
> >
> > If we have either openssl-30 and mbedtls work (size/feature), we can replace
> > openssl-11 with either openssl-30 or mbedtls.
> >
> > Worst case, if we have to support dual-crypto module, I think to:
> > 1) replace openssl-11 with openssl-30 directly.
> > 2) add mbedtls as another cryptolib instance.
> >
> > Thank you
> > Yao, Jiewen
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd
> > > Hoffmann
> > > Sent: Wednesday, February 8, 2023 7:45 PM
> > > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> > > Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
> > >
> > > Hi,
> > >
> > > > 3. If 1 or 2 can succeed, we can replace openssl 1.1 with one crypto lib.
> > > > If both 1 and 2 fail, we may use *dual-crypto module*. For example: mbedtls
> > > > for PEI and openssl3.0 for DXE.
> > > > The source code size will become larger, more time to download the tree.
> > >
> > > Suggestions how to do that best, ideally without duplicating CryptoPkg
> > > for that?
> > >
> > > A while back I've tried to add openssl-3 in parallel to openssl-11,
> > > with the idea to allow projects picking the one or the other, and quickly
> > > ran into problems because apparently libraries can't add include
> > > directories. Only packages can do that (see Includes.Common.Private in
> > > CryptoPkg/CryptoPkg.dec which adds Library/OpensslLib/openssl/include).
> > >
> > > take care,
> > > Gerd
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
>
>
>
>
>