From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: devel@edk2.groups.io, "Yao, Jiewen", kraxel@redhat.com
Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
Date: Fri, 10 Mar 2023 12:28:54 +0000
In-Reply-To: <1742A3BAD41DE0F1.13814@groups.io>
Hello

We have created an initial POC version of the CryptoPkg upgrade.

OpenSSL 3.0 POC: https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
The size is reduced a lot. But it still exceeds some platforms.

MbedTls 3.0 POC: https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/ReadmeMbedtls.md
The feature is not complete yet, especially SHA3 support is missing, which is required for ParallelHash.

You may try to use it to see if there is any gap.

Also, please let us know if anyone has a good idea.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
> Sent: Saturday, February 11, 2023 10:20 AM
> To: devel@edk2.groups.io; Yao, Jiewen; kraxel@redhat.com
> Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
>
> Hi All
> I have created staging branch - https://github.com/tianocore/edk2-staging/tree/OpenSSL11_EOL based upon latest trunk today.
>
> Let's use this branch to collaborate on the work on openssl 1.1 deprecation and continue improving, before we can merge back to trunk.
>
> The process is defined at https://github.com/tianocore/edk2-staging/.
>
> Missing features or increased size won't be a blocking issue for this staging branch.
>
> Any feedback is welcome.
>
> Hi Gerd
> If you don't mind, please submit your latest openssl-3.0 patch to the staging for broader evaluation and improvement.
>
> Thank you
> Yao, Jiewen
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
> > Sent: Thursday, February 9, 2023 11:21 AM
> > To: devel@edk2.groups.io; kraxel@redhat.com
> > Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
> >
> > If you are asking how to do that best *at this moment*, I suggest we create a branch in https://github.com/tianocore/edk2-staging and continue the research work. Before September 2023, we need the community's help to resolve the openssl-3 size issue, before check-in.
> >
> > If you are asking how to do that best after September 2023, we have no choice but to put it on the edk2 main branch. We have to remove openssl-11.
> >
> > If either openssl-30 or mbedtls works (size/feature), we can replace openssl-11 with either openssl-30 or mbedtls.
> >
> > Worst case, if we have to support a dual-crypto module, I think to:
> > 1) replace openssl-11 with openssl-30 directly.
> > 2) add mbedtls as another cryptolib instance.
> >
> > Thank you
> > Yao, Jiewen
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io On Behalf Of Gerd Hoffmann
> > > Sent: Wednesday, February 8, 2023 7:45 PM
> > > To: devel@edk2.groups.io; Yao, Jiewen
> > > Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
> > >
> > > Hi,
> > >
> > > > 3. If 1 or 2 can succeed, we can replace openssl 1.1 with one crypto lib.
> > > > If both 1 and 2 fail, we may use *dual-crypto module*. For example: mbedtls for PEI and openssl3.0 for DXE.
> > > > The source code size will become larger, more time to download the tree.
> > >
> > > Suggestions how to do that best, ideally without duplicating CryptoPkg for that?
> > >
> > > A while back I've tried to add openssl-3 in parallel to openssl-11, with the idea to allow projects picking the one or the other, and quickly ran into problems because apparently libraries can't add include directories. Only packages can do that (see Includes.Common.Private in CryptoPkg/CryptoPkg.dec which adds Library/OpensslLib/openssl/include).
> > >
> > > take care,
> > >   Gerd