From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mx.groups.io with SMTP id smtpd.web12.6480.1646222196331597011 for ; Wed, 02 Mar 2022 03:56:37 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=MGSkyMjN; spf=pass (domain: intel.com, ip: 192.55.52.88, mailfrom: jiewen.yao@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1646222196; x=1677758196; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=KqsyhU+XBdaJf9wuLtyx38v1itq04Hh/2psgeZGE1A8=; b=MGSkyMjNSvvCMdbB3MYqgNgoQSH/KvUSWRGD0dEBU4L+cQSUt1t8ZUeR 6fTR4tCtEVgRnW9BstGhaimo+RhlL+KkT8HQKRhm3v0hMfh9mXU2uiIaN Wi06UgXxLCzUbIHF8CrLrlukM5kXj3c17kiQi3ffhCkuCLnBsKjEgiSEM 7ElRIXGIkdynAldzQ+4yOzaoYWV9x5fb/e0Kj4PsPZ6MRqy4lqXs9UJpS FIGgVZuHK1Zwj3l5f5B9EPhAHzbxVcLfxx5koa2sfUmXwoi35FeSVpnxD 41KI/41b9TIykha/7ZSYtTt5+Z1c9GD0GbVXmTfSA28kxSvh6HZr0UNg/ w==; X-IronPort-AV: E=McAfee;i="6200,9189,10273"; a="278054215" X-IronPort-AV: E=Sophos;i="5.90,148,1643702400"; d="scan'208,223";a="278054215" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Mar 2022 03:56:35 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.90,148,1643702400"; d="scan'208,223";a="535360925" Received: from fmsmsx605.amr.corp.intel.com ([10.18.126.85]) by orsmga007.jf.intel.com with ESMTP; 02 Mar 2022 03:56:35 -0800 Received: from fmsmsx611.amr.corp.intel.com (10.18.126.91) by fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Wed, 2 Mar 2022 03:56:34 -0800 Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx611.amr.corp.intel.com (10.18.126.91) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21 via Frontend Transport; Wed, 2 Mar 2022 03:56:34 -0800 Received: from NAM12-MW2-obe.outbound.protection.outlook.com (104.47.66.46) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.21; Wed, 2 Mar 2022 03:56:34 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nwW/IX+pe8K/Fsw5ls7MOzZXNHTVLP3BaaviUK+a6XJZr6DcVBNZPowbY5t7eL2VVhxj5gG30GX0cSaih60oNwUWoxxIoo+OAn0tqqJSJGiIDdEza2pZ9CeINkBDOCh+CzQFzn/eCG+4Bsz3rvuh4kVXQWzCMo0uE9EuZ8GAR1mbz7onMps7UHbWhYuSrzFCe1zctYgVH+5s9A9KH/q3kAypkKceCBiMiXyg2WH0aIVbBjTwkBlzZbpPX6SK3a56bcZtmjb6C+dr5seG0acPEQsWH2KR33+D4IPBbROgwzl7G5WsJpqhmtSfFtk/M+XzDWmgug1x8UFzFvV0C4lIKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=a0ng43hmdUWxGdNHBgZHlvrbQk8N5untc5wDVJsHtHI=; b=gLDEOi/CvOWHKDSJQiqEKQ+Kl9D3OASSJKQLYhVcse+okt3eYL01TLLd45zjnJeCfiKOUiEY+K1yYaj5Siz+dkiCxF6+F3Y55tT3JJFLXZMaTkleCW5FGSw+0n6/UvMQn9YNdxGurSBjfP06V0PqHX0pg0pwU8qmDs2/8ymXRtH6UrJcfnpw50tzWveqpm9GIMrexPrsk7/M/wCIlQbXnxR0sDjZhlFORlgmtknc0xRY7Oyo6aFT6zHeF2pPo3wqKsu8uTpmlET/9/Yb1c75GVEQw66e+wDwHUAUqji1vm2Eh5FwkUGedmUZ5vn3ur4OSYU31vqywiLNttLQpeI3ig== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by DM6PR11MB4674.namprd11.prod.outlook.com (2603:10b6:5:2a0::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.13; Wed, 2 Mar 2022 11:56:31 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::21db:e2fd:b9a3:9292]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::21db:e2fd:b9a3:9292%6]) with mapi id 15.20.5038.014; Wed, 2 Mar 2022 11:56:31 +0000 From: "Yao, Jiewen" To: Gerd Hoffmann CC: "Li, Yi1" , "devel@edk2.groups.io" , "Kovvuri, Vineel" , "Luo, Heng" Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Thread-Topic: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Thread-Index: AQHXvytzNc37dLSAJ0CsBYnYdS6rHqvWhHbwgAK0coCAF96cwIAAhVgAgAjFBQCAAJ/dcIAAD8CAgAINR4CAAVyZAIAAA/uAgAtZ6QCAl2OpgIAAA7+AgAACd4CAAdRugIAAGOKAgAIx/YCABgnz+4AA79OAgAArLPCAAAxLAIAAPlNQ Date: Wed, 2 Mar 2022 11:56:31 +0000 Message-ID: References: <26433.1645811519240546455@groups.io> <20220301140451.wtqcyt6vyus5klgw@sirius.home.kraxel.org> <20220302074202.xtjfu4yqi3vxm7ec@sirius.home.kraxel.org> In-Reply-To: <20220302074202.xtjfu4yqi3vxm7ec@sirius.home.kraxel.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.6.401.20 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 588375d5-a8ae-4ca9-12e0-08d9fc43b156 x-ms-traffictypediagnostic: DM6PR11MB4674:EE_ x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-microsoft-antispam-prvs: x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: IG1Lr3AjCdVLYkCvvn0ZzmiFai7btA4MJItdsuBpzKASAcbnDBUanUWjYgFjx1WGJ1WQWAhlwlESja90AbZmWsO0tYvURQz+MLgN8QgHNk6AQ/tZtLS0y+LGyxtQx/5f8ohzA+6ATl2vrtQiCdd9hdFjgen6otYQfYe3BDSRCGgY91Bcdv5RrtBXIDZKuZgobWRapIvJMDQVDXGDbV6/K8jrirrTuoTIHnM+klMypfZK4xuCx6J82dSCyGsfF0Ch1L7+khJtyi8yOo+Mqau0CwU1Ti/lCawVblUByfKtFvFXwpJEtQvGljr4HjT27vn4Qb0d2ECB+wYe4/JbaEGrBSJ3M/71/Ws0/XAaRCU4SUOnpuQXvkhtO8iI+61Xwt7/OMqr3EvxLsb4RMvZA7p33cV6G+dYk3XqJhex1DUKjLSghcI2D4rhCLFZbYAAKHWEPUS5QQGwnyH7MmayuNBsFzXc66xiPUHtGndbA4W47c6BZeJxEoWxQLi8J84hSMkZL64+fUfC5rqWqOafA9vaf5aNVbh6xUqza8oSuFOHSPPPcPlX+yyQr4H26oroLUwm4PMUaNTbmpI/zCWuuATny18JCFJ2/QrdtMLxSdDicl6FBhU/4TQI7e8NlA5+wycs1a72slBE7Rd85NaFfGX6TsIi1UR95Za3yMYaONGdE1t/jTgGTnlLApDvOnAZw926sU4Y4QIhloilCjzxW6AXKoJYBdd+7t5MbSfrIZc2tE63XAhrzYGUmcOrxemBu469dWNIh+rX9JiX2nmDRhBpflwTKLIMHAuF1N2k928+i46/RZJR9YcAS2IsfWN/63eFc4Wngl4FI7SOut5/NtLwTQ== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(71200400001)(316002)(8936002)(966005)(64756008)(66556008)(66446008)(66476007)(52536014)(8676002)(4326008)(107886003)(5660300002)(26005)(6916009)(54906003)(38070700005)(86362001)(508600001)(76116006)(66946007)(2906002)(7696005)(9686003)(53546011)(82960400001)(122000001)(6506007)(38100700002)(33656002)(83380400001)(186003)(55016003);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?HNB6bo1svNhmiDgWcf6AUTDmfm57E1b9JIwFomV/HNZnc05guLp9tLKSlI+f?= =?us-ascii?Q?qbyHWUtdkSbcTfVNhms3k2PSeWpBK7m/KrBNxbpUOGp7WQBL4iFgapdF4SHa?= =?us-ascii?Q?wQPzBTiD+YFcqX2gQ4/LWbXZtZlcCSRxMdP8A2nLZiqlOCOQqO6+caemLy41?= =?us-ascii?Q?hZqOITkV0oRrGojzrMj5ucF6n/2ohzjv6C/AjxCHKPoMhyfgRmHs6GuLQCuF?= =?us-ascii?Q?Qg6JGNFvnMo+TNHWIa9bQp0iDST5BEFs1pDruUM/7PJuuSB5oKCmmB+QHv+y?= =?us-ascii?Q?6YpQfRMXY15iY4qNJYbpZE52D5PAyLN24ZTT4hgIan6QhRaORsFh4FomOGZL?= =?us-ascii?Q?dhcn5SD1oVdT4hrEUDqCKa8k61E8e9ZtEj17SUSVJmmUrT06kxyZWtcDBT6v?= =?us-ascii?Q?IF6HUaEvLcg1kCABOqan5vwNP1NCQkH78sZVkYQhUrgC4L+JsrlGy1pwzVlD?= =?us-ascii?Q?8V8Bbk5Oml1ZFAj2GLxsyVZkDBo4gBFh3SHjO/+1ARfJc3e1Szv5OqwSnw9S?= =?us-ascii?Q?qumUs+Muvaz9x+xTJeCi0tJuKAii9wZc8pbHX7cRddhp/FOhX+jzZL+PU/BJ?= =?us-ascii?Q?D47aMtXFnApOyAGDpyYud9EBSD3cvUWrqbQrt9ph+xnhCKaJ6P2FmRTW3PZi?= =?us-ascii?Q?SiPaTgGFBqakMuFkX6IvMG0GAOQcp2Un3aRIf19TZzgUH0CNNCqH9c4IsMKS?= =?us-ascii?Q?vT5Bqm79wtDSE+mccRnP1Uv5AE4jO6E7SfP2+0poQggHV1wLIl02Zx7MKjc5?= =?us-ascii?Q?PWfPpk7q+FxZI7oyA6CW9eJ2p733Bfuno0d650GSMMXXxdTjciAoXJfr6Vj4?= =?us-ascii?Q?tWmqFiD31T5A5GiVaiuMxlM8frjzxe8nbDtNGy2ao0ICE9InCF5vj5WvM1vu?= =?us-ascii?Q?18spEZFdb8BLbn6joT4l8Z4RUQSXuuHDU63elN5Kyt3rIW2rkXi4WdmQaPL2?= =?us-ascii?Q?RyOuz4JvODV07YtPO/lQH+ojM8M3LVvPePCMfHaFhs93nzkvjg4HfZQ2foE0?= =?us-ascii?Q?8einodK9IllqvuNAruA+3mvJC8pkD238Mcp3TS9Maub/ltmqomo9NcMiJHM8?= =?us-ascii?Q?IP+EFC4MxQqOpkz/5KekUUHNPf54Y4/ptS2D/DmWK7KlngRJJJ3kJXLmUZXg?= =?us-ascii?Q?Jn6jjAeagI8pdwJLOZZERzVrIIoNoHvJNw47pdZJH4eh+dW3y6+RLs+/lXDF?= =?us-ascii?Q?s9HxK82oRwCxBJodm/uuFRX9DHaqH7L9OJjZpzyvdNAjCHuxcKLNizTQAOnD?= =?us-ascii?Q?KnJG8fX9o12gMxTFbp8NdnByLzomt8N3WO24RiQ18srthkYOQSgTr93kUc5Z?= =?us-ascii?Q?bwSHeP3mqnAIdH44ywqBZUZUm7iIK8HnDFFCM693L2XhT1sdGoFH7cgT5V7C?= =?us-ascii?Q?UHeWzO1gFxE0fBxDll93HDrLP41VcgpkHgWa33cayRMdXIA1pcHUu56hLkiv?= =?us-ascii?Q?vzZHGaJ2cvcgtk+JtS5Vohm6EFfZEPU9xvsZf6KYRnDlRXoU06nYZnK/7HBx?= =?us-ascii?Q?Ik3qi/ah7dqyWxGLMAnzMq5PNVNRcD32plW/gTjZO/5oxghddfK/ultS/NvA?= =?us-ascii?Q?9q0MQdVDx/cxqyrHVZw+eX0agxyima3MzBvTqPfWwxQF9t4gnto42P4MVQql?= =?us-ascii?Q?B50H/CBrX5ek49kxD7OeXR8=3D?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 588375d5-a8ae-4ca9-12e0-08d9fc43b156 X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2022 11:56:31.7215 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: CGMRj2Bz2mRr8WwB+oVINJ+Xmkgn2O26AyoCFSyMA4+snn8p6gp7HBZWJcXL08IvcaXK9SAwbUFMSChYW0ZYcg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4674 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable >>From requirement perspective, I am thinking more broadly than just ECC. Looking at https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/= Include/openssl/opensslconf.h today, we disabled lots of thing, ECDH, ECDSA= , TLS1_3, which might be potential useful. While the algorithm we used toda= y such as FFDHE, MD5, SHA1, might be not useful. Even for ECC, some platform may need normal ECDH/ECDSA. However, some platf= orm may or might not need EdDSA or X-Curve DH. I am not sure if we really n= eed to enable all of them in previous patch set. SM3 and SM2 are another category. It might be useful for one particular seg= ment, but not useful for others. For example, a SMx-compliant only platform= may only requires SM2/SM3 (no RSA/ECC), which a NIST-compliant only platfo= rm might not required SMx. If a platform does have flash size constrain, why it cannot do customizatio= n? Why we enforce every platform, from an embedded system to a server use t= he same default configuration ? openssl exposes a config file, other crypto lib (mbedtls, wolfssl) also doe= s same thing, such as https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/mbedtls= _config.h, https://github.com/wolfSSL/wolfssl/tree/master/examples/configs Why we cannot allow a platform override such configuration ? I am not saying we must do it. But I believe it is worth to revisit, to see= if any platform has such need, before draw the conclusion so quick. Thank you Yao Jiewen > -----Original Message----- > From: Gerd Hoffmann > Sent: Wednesday, March 2, 2022 3:42 PM > To: Yao, Jiewen > Cc: Li, Yi1 ; devel@edk2.groups.io; Kovvuri, Vineel > ; Luo, Heng > Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add ellip= tic > curve chipher algorithms >=20 > On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote: > > I think another option to pursue is to how to control the openssl confi= guration > from module or platform level. > > > > E.g. what if platform-A has enough size and wants to use ECC, while pla= tform- > B has size constrain and wants to disable ECC ? > > > > We can let platform choose if ECC is needed or not? I hope so. >=20 > Not so easy. Would require to put the way openssl is integrated upside > down. Today openssl is configured and the results (header files etc) > are committed to the repo, so the openssl config is the same for > everybody. >=20 > Also I expect there is no way around ecc long-term. WPA3 was mentioned > elsewhere in the thread. For TLS it will most likely be a requirement > too at some point in the future. With TLS 1.2 it is possible to choose > ciphers not requiring ECC, for TLS 1.3 ECC is mandatory though. >=20 > So I doubt making ECC optional is worth the trouble. >=20 > take care, > Gerd