From: "Yao, Jiewen"
To: "kraxel@redhat.com", James Bottomley
CC: "devel@edk2.groups.io", Pawel Polawski, "Li, Yi1", Oliver Steffen, "Wang, Jian J", Ard Biesheuvel, "Jiang, Guomin", "Lu, Xiaoyu1", "Justen, Jordan L"
Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
Date: Tue, 10 May 2022 11:20:46 +0000
In-Reply-To: <20220510104001.rqddxn53euydk2ns@sirius.home.kraxel.org>

> I'm wondering where the crypto algorithm selection in
> CryptoPkg/CryptoPkg.dsc comes from though, specifically for
> MIN_DXE_MIN_SMM. Why is the crypto feature selection identical
> for DXE and SMM? Specifically why TLS is enabled for SMM?

[Jiewen] So far, I don't know if any SMM feature requires TLS.

I guess we may win on flash size by creating an identical binary for CryptoDxe and CryptoSmm *with compression*. But I don't have data and I am not sure. Just a guess.

You may try to remove TLS for SMM and check the final compressed FV size.

> -----Original Message-----
> From: kraxel@redhat.com
> Sent: Tuesday, May 10, 2022 6:40 PM
> To: James Bottomley
> Cc: devel@edk2.groups.io; Yao, Jiewen; Pawel Polawski; Li, Yi1; Oliver Steffen; Wang, Jian J; Ard Biesheuvel; Jiang, Guomin; Lu, Xiaoyu1; Justen, Jordan L
> Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
>
> On Mon, May 09, 2022 at 09:41:02AM -0400, James Bottomley wrote:
> > On Mon, 2022-05-09 at 12:03 +0000, Yao, Jiewen wrote:
> > > It is possible to switch to another crypto lib.
> > >
> > > For example, the *mbedtls* version POC can be found at
> > > https://github.com/jyao1/edk2/tree/DeviceSecurity/CryptoMbedTlsPkg
> > > The advantage is: the size is much smaller.
> > > The disadvantage is: some required functions are not available, such
> > > as PKCS7.
> >
> > Perhaps as a first step, we should look at our options. I would say
> > missing functionality is problematic, but not necessarily a killer:
> > we'd have to help the chosen project develop the capability and figure
> > out how to maintain the fork while it was going upstream.
>
> I don't feel like entering the business of maintaining a tls
> library ...
>
> > Other libraries could be:
> >
> > wolfssl
>
> Hmm? Apparently no git repository?
>
> > gnutls
>
> Might be an issue license-wise.
>
> > boringssl
>
> Looks like an option worth investigating.
>
> The "designed to meet Google's needs" and "not intended for general use"
> notes in the toplevel README don't look that great though. Might turn
> out to be difficult to get changes needed for edk2 merged (hasn't
> been a problem so far for me with openssl).
>
> > LibreSSL
>
> There was some hype around it after it was forked from openssl in the
> heartbleed aftermath. More recent news is less enthusiastic:
> https://lwn.net/Articles/841664/
>
> Another possible option would be to add openssl3 as an alternative
> OpensslLib implementation, so platforms can pick the one or the
> other depending on size constraints.
>
>
> I've also experimented a bit with CryptoPkg/Driver. It's not a
> clear win, at least for OVMF.
>
> PEI FV is larger in any case. Seems LTO works very well for the
> few hashes needed by TPM support code, and so the overhead added
> by using the crypto service protocol instead of direct linking is
> much larger than the savings by sharing code.
>
> DXE FV is smaller in the builds with secure boot and smm support,
> seems with the large tls codebase included we have enough wins by
> sharing the crypto code then, so the protocol overhead is worth
> the effort.
>
> I'm wondering where the crypto algorithm selection in
> CryptoPkg/CryptoPkg.dsc comes from though, specifically for
> MIN_DXE_MIN_SMM. Why is the crypto feature selection identical
> for DXE and SMM? Specifically why TLS is enabled for SMM?
>
> take care,
>   Gerd
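The question in the thread about why TLS ends up enabled for SMM comes down to which DSC section sets the crypto-service family PCDs and which module types that section is scoped to. The script below is an added example (not code from this mail, from edk2 or from CryptoPkg) that parses a constructed DSC fragment laid out in the style of CryptoPkg/CryptoPkg.dsc, lists the crypto families enabled for DXE_DRIVER versus DXE_SMM_DRIVER, and shows what changes once an SMM-specific section later in the file switches the TLS families off, which is the trial suggested in the reply. The PCD naming `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.<Family>.Family`, the `PCD_CRYPTO_SERVICE_ENABLE_FAMILY` macro, the section scoping rules and the family names in the sample are assumptions about the real file; the fragment itself is constructed and is not a copy of CryptoPkg.dsc.

```python
import re

# Constructed DSC fragment modelled on the layout of CryptoPkg/CryptoPkg.dsc.
# Assumptions, not text from the mail: the PCD naming
# gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.<Family>.Family,
# the PCD_CRYPTO_SERVICE_ENABLE_FAMILY macro and the section scoping. The
# family list is illustrative, not the full set.
SAMPLE_DSC = """\
[PcdsFixedAtBuild]
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY

# One section scoped to both module types: everything listed here lands in
# CryptoDxe and CryptoSmm alike, which is how TLS reaches SMM.
[PcdsFixedAtBuild.common.DXE_DRIVER, PcdsFixedAtBuild.common.DXE_SMM_DRIVER]
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY

[PcdsFixedAtBuild.common.PEIM]
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
"""

# The trial from the reply: an SMM-only section placed later in the file so
# that it overrides the shared one, turning the TLS families off for SMM.
SAMPLE_DSC_SMM_NO_TLS = SAMPLE_DSC + """
[PcdsFixedAtBuild.common.DXE_SMM_DRIVER]
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | FALSE
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | FALSE
  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | FALSE
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
PCD_RE = re.compile(
    r"gEfiCryptoPkgTokenSpaceGuid\.PcdCryptoServiceFamilyEnable\."
    r"(?P<family>\w+)\.(?P<field>[\w.]+)\s*\|\s*(?P<value>\S+)"
)


def _truthy(value):
    """Interpret the right-hand side of a PCD assignment (macro, TRUE/FALSE or number)."""
    v = value.strip().upper()
    if v in ("TRUE", "PCD_CRYPTO_SERVICE_ENABLE_FAMILY"):
        return True
    if v == "FALSE":
        return False
    try:
        return int(v, 0) != 0
    except ValueError:
        return False


def _scopes(header):
    """Module types a PcdsFixedAtBuild section header applies to ('common' = all)."""
    scopes = []
    for part in header.split(","):
        fields = part.strip().split(".")
        if fields[0] != "PcdsFixedAtBuild":
            continue
        scopes.append(fields[2] if len(fields) >= 3 else "common")
    return scopes


def parse_crypto_families(dsc_text):
    """Map module type -> {family: enabled}. Later assignments override earlier ones.
    Note: '!if' conditionals are not evaluated; every section is taken as active."""
    result, active = {}, []
    for raw in dsc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a DSC comment
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            active = _scopes(sec.group(1))
            continue
        m = PCD_RE.search(line)
        if not m or not active:
            continue
        enabled = _truthy(m.group("value"))
        for scope in active:
            fam = result.setdefault(scope, {})
            if m.group("field") == "Family":
                fam[m.group("family")] = enabled
            elif enabled:  # a single service switched on still pulls its family in
                fam[m.group("family")] = True
    return result


def enabled_families(dsc_text, module_type):
    """Families enabled for one module type, with scoped settings overriding 'common'."""
    table = parse_crypto_families(dsc_text)
    merged = dict(table.get("common", {}))
    merged.update(table.get(module_type, {}))
    return {f for f, on in merged.items() if on}


def compare_dxe_smm(dsc_text):
    """Return (families enabled only in SMM, families enabled only in DXE)."""
    dxe = enabled_families(dsc_text, "DXE_DRIVER")
    smm = enabled_families(dsc_text, "DXE_SMM_DRIVER")
    return smm - dxe, dxe - smm


def tls_families_in_smm(dsc_text):
    """Sorted TLS-related families that reach the SMM crypto driver."""
    return sorted(f for f in enabled_families(dsc_text, "DXE_SMM_DRIVER") if f.startswith("Tls"))


if __name__ == "__main__":
    print("SMM families:", sorted(enabled_families(SAMPLE_DSC, "DXE_SMM_DRIVER")))
    print("SMM-only / DXE-only:", compare_dxe_smm(SAMPLE_DSC))
    print("TLS in SMM, shared section:", tls_families_in_smm(SAMPLE_DSC))
    print("TLS in SMM, after SMM override:", tls_families_in_smm(SAMPLE_DSC_SMM_NO_TLS))
```

Run against a real CryptoPkg.dsc the script only gives a first approximation, because it does not evaluate `!if $(CRYPTO_SERVICES)` conditionals; its value is in making the per-module-type selection explicit, so that a reviewer can see which families (and how much OpenSSL code behind them) are being compiled into the SMM driver and compare compressed FV sizes before and after trimming.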