From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by mx.groups.io with SMTP id smtpd.web11.9133.1646301982646780757 for ; Thu, 03 Mar 2022 02:06:22 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=M1FpAvCO; spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: jiewen.yao@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1646301982; x=1677837982; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=VB0yS2A/Mm2AO5zKVBoAP+xkQh1aOoe1anNt4PAnpHY=; b=M1FpAvCOXGXCcGKQmfvIIoRZK4xMa8H/Idlyx/MI2FnCxVhtEmP7Q5D+ FqJZffOMIbQEiKxT7t9Yar3vMkCoJJ6ZrkctlE4U3KAoZXAlHcq3nxcrb vDc2SRjQKtV4GqTEHMI+yVyVuvbu8vviVd1cZExOmfjwkejx2hcfdObYx UH8Hhz53joe1+SSh9q2LgHdztYGG1HJSi/PM1epSaeafvR0VPc4zAuVu7 hVa7ce1drQnOXWs4RKr0Kx7gA+uPz5stMMonrouAwsmWwigofHMAZQBS7 t3TIozCbsmZBhFPVJzDZ94QdezHvfmta1zjv9mcEXm445cFkuk87fIpri Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10274"; a="252460575" X-IronPort-AV: E=Sophos;i="5.90,151,1643702400"; d="scan'208";a="252460575" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Mar 2022 02:06:21 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.90,151,1643702400"; d="scan'208";a="576438434" Received: from orsmsx604.amr.corp.intel.com ([10.22.229.17]) by orsmga001.jf.intel.com with ESMTP; 03 Mar 2022 02:06:21 -0800 Received: from orsmsx612.amr.corp.intel.com (10.22.229.25) by ORSMSX604.amr.corp.intel.com (10.22.229.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Thu, 3 Mar 2022 02:06:20 -0800 Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by orsmsx612.amr.corp.intel.com (10.22.229.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21 via Frontend Transport; Thu, 3 Mar 2022 02:06:20 -0800 Received: from NAM11-BN8-obe.outbound.protection.outlook.com (104.47.58.173) by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.21; Thu, 3 Mar 2022 02:06:19 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kQAF1XmTgKikcp4ItTitEqNn4zJvYmgBLqVNdsBebshdeK9r0e1yEOxC4LSZGOdsgYVxCQNl3Oe7Wnxz5qSgRLGWPDuzgVtgVelia+3rQIvteg0jgI+C5tUAbR3aE7KhmMhloK4/W98QBZMbGKJdF2uSVvX7Ea6K/AY6/xaqixI0m2tiCSkw7jHU2dLrS1DBRnC2/gm7t1rOJ5l3xeP9jRbciUbF0c8oCMdWAB/J6PpmmCEFnkasn+iEScxwGYEXvcws1qrP4O/pM3cnry5SDu+iEPaSDb4piuauSD58E0AC3qWSKZHP48yf+ZgxSTspWiJ850dIQGrkKdf1VopgnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=s7c6h4pvQ1jE4CkpXbRfJQl6srtdXSZRrP02/2Pj3EQ=; b=aTjx0hruDeQBJU4MSLl5gcb/AgBHN9Q2kgwWFdvw29tOrVwgM0qEirUBDRgn5i90ow7M47WygrsXylg6Op3UQxyV2m6Dg+TBWDY3yhMiRTDkqonRPgv5XfKPFGeUj1nJjQ/tAQ7h5svw8cueRLfFBigRXxq9KwLrQ7MSjudOH8tfJ9mIaB96WhIyUZnbb5xCQmRaY9wO+VZDTN1lPeHbyX3BwUhMpWIBQhkzptTjaYjwieEXqMVc6crprfyqJTPlxQh0Ia9IatM6ZEQ3I8PaZnEpEvneztYxOthhxJHq9PjtiAFwHYx2jKO+m/fUVZcQ9dBEWAhbCoT5W7/FRSpyBg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by DM6PR11MB4363.namprd11.prod.outlook.com (2603:10b6:5:14f::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.14; Thu, 3 Mar 2022 10:05:54 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::21db:e2fd:b9a3:9292]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::21db:e2fd:b9a3:9292%6]) with mapi id 15.20.5038.014; Thu, 3 Mar 2022 10:05:54 +0000 From: "Yao, Jiewen" To: "Li, Yi1" , Gerd Hoffmann CC: "devel@edk2.groups.io" , "Kovvuri, Vineel" , "Luo, Heng" Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Thread-Topic: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms Thread-Index: AQHXvytzNc37dLSAJ0CsBYnYdS6rHqvWhHbwgAK0coCAF96cwIAAhVgAgAjFBQCAAJ/dcIAAD8CAgAINR4CAAVyZAIAAA/uAgAtZ6QCAl2OpgIAAA7+AgAACd4CAAdRugIAAGOKAgAIx/YCABgnz+4AA79OAgAArLPCAAAxLAIAAPlNQgAFlFACAABYrwA== Date: Thu, 3 Mar 2022 10:05:54 +0000 Message-ID: References: <26433.1645811519240546455@groups.io> <20220301140451.wtqcyt6vyus5klgw@sirius.home.kraxel.org> <20220302074202.xtjfu4yqi3vxm7ec@sirius.home.kraxel.org> In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.6.401.20 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 4ea5ec40-a925-40da-76a0-08d9fcfd6774 x-ms-traffictypediagnostic: DM6PR11MB4363:EE_ x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-microsoft-antispam-prvs: x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: BOclj4lcrcxUAFPiFXZLIZPNo78rdx2EnN5PP6bYpsDfL50kuZ17h8LPI84255XLMfQk2uZgat7XlKqKrVZHiBylpVJh2nntq/s7yxHGnO8+vpOC6ZxD3f+78/KoWOtW/azNYGDPZZ93TzgRUbZyvlFmndDOz4djkQblGfWni373QjOUt/4cxijZxWzI0rumbTUNiS+OzqBGzIueCledXHV7r8zM1PSaSkRB6aCXeBpfHrrZQwZCtJ57HLi5euCjnyz228P7BzVTUyyfgWmuMPj7fi/FQGaz4/dMgWkTfKJB7Ii81e6PbEJ8aUuiS2uzjOKoabFzxZwIsn4BxssuxJ2swIZKsdtJmwnaKJqdCW9alW6GI0exVG0J82nY+isoIjlGDWdn6Cv6V2cmp14BBh5B8eVAAtQ7r83bkvBt9NvKWX2qT5ao0Pwr3tD6YRGuVUlOf2wNxxPj6b/jiTXKac87DrSm8/f3dwh5w22voJle7vV0YiYedr2ZNFLz1nTI7X5oTrkdvzKr/a+ZU01hESwYbHidR37xUgYW6e7WPPPXiNZKH0HcqASHzJsbX4sjowXOCSqOiWyf64YInD1Yk1vFrzMGXqlqgo43YXZ1jHbaBWGExy1gYjzH4wVyQa5gg54I2+0YO6k+lHDoou5e0F2GtGL5HwsLNRMVWecHsPm084G5oTGqIG9xgWljtag+Dwtktk1q0RiP+SyI4bVtvOHaJHzpEVFHUfkkBj8CN8hZuW4LwtxzU+wtlGV3nZiHUVT9fk97rjipSKSbJyV+1NYbDsNvX6GggT/6ZnKYqA92KcCPXd5H+n+d+cBbdYM+4A0MTocp/UOsfDujmsMezA== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(86362001)(66476007)(52536014)(64756008)(8936002)(4326008)(66556008)(66946007)(8676002)(66446008)(71200400001)(76116006)(6506007)(2906002)(508600001)(966005)(5660300002)(38070700005)(110136005)(316002)(38100700002)(7696005)(53546011)(82960400001)(122000001)(83380400001)(9686003)(54906003)(26005)(33656002)(55016003)(186003)(107886003);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?lhpq4w5ZXkqrJdxDhmFUGlaZL2PS9VsQw+BU+8oI3lZhsIJZq5ipylTwjght?= =?us-ascii?Q?X7YjGyN5p/6hnzDghkHAv8DTIu0gvA5eG/Cb6EPA+gqSIUxsPr4YIYOKJl56?= =?us-ascii?Q?5VQ33gjNRL3gFek1/QdV1QZLehEz0msmakP0IWeB28Q7899sPUjFVF8GGKHo?= =?us-ascii?Q?tRh66o8EnxnV6SMmph5EQBERGpXMUVKiV0+kZPBpU5Nl0p5XRIhATHutKSWh?= =?us-ascii?Q?mTAK18DQvL9iI5YSrLrCl0nNoVxUipiyEvYEjJRYwExOyUWcwF863TikmPvH?= =?us-ascii?Q?CFrR05XdIEDLrQ2CljixSekoYI62g7iMykHvCHlk1eDy621Anv6/r+wid6M5?= =?us-ascii?Q?JzPK8fbR5b2hIfNDUtndqYNvwjVKnYFBLrEFfgUI+n8LykEMRaJh4w7ykiHb?= =?us-ascii?Q?mVAFLh7Sd48Z0D9qk0M0DG3o+iigpRCv7vVPWB8WyeoKDUmaF6QKVo4RChmB?= =?us-ascii?Q?NTFlzHl/68oBXs8uHPhTj/jrZVgDJw52GdFuhzL5DejAzC3aVdP2mLFyArFN?= =?us-ascii?Q?FQl7qV7nELuv+xn4uNKAF9TEPFtFTipViR/18UNiJ3dJ02qymn4WZmCqsmbp?= =?us-ascii?Q?/SRcYJMFo5jfN6SxpVKeiDMnbBn7/x81iM16ah9LTRz80YJxvoO0xvjHGqvO?= =?us-ascii?Q?GW8he/3R+vN1lmqDFV34u6gIFM0lt0WAYvhL5h78TtxEToYT9YPcz3daqyZw?= =?us-ascii?Q?yRsZTIr6Oy5mGnCXhhfGufMVZaKPEJLNaIsmSN0tSbITthkazb6G6B2wLALu?= =?us-ascii?Q?Zk9fsPEWY/jTOuWJLkEFuzF/p8ODLmhTxb0xqrxtxqA3qe3Ncor4ch62JmAG?= =?us-ascii?Q?eHUTvgX1i3CcW1hrdaGziPKwzNuoBwuzceS///eA8r6sZ47He319TvJIDHE1?= =?us-ascii?Q?wzBsF74qvgkuzH59VQm+EaX8nKnt8ImN96+ydWpdo7DpPKWS8+AOkPwkHRGD?= =?us-ascii?Q?TukiyoclDK/5ZX9vEkRvuE9BiaGC3Daenw0KQd2c840IlsnDLJ83T2jBb9XE?= =?us-ascii?Q?2LFrBRFL4iOYO5znEuTHhuejAFHXMfFBfTdkQs3ryhr58oW6gyLLpqoVJI9f?= =?us-ascii?Q?QtGQqAo7/x3WFtpVZIO+21w5HqI1z7VLPBqtzDvdUhNmK6ybBjpaFHl9755N?= =?us-ascii?Q?vYbp7QrT905s6TbsW9T8BEI3yollwRQtMhfqiiW96C1ANRDd2J1eH2H403Dz?= =?us-ascii?Q?rRonbWghnmq4qgdfN0lu6W9L0f9y/EnCE2NRfTReWpBqdiW5RurYd0s40Tfn?= =?us-ascii?Q?9G/pfTygVphxZP0dpIUoYGywQNMK0npTEhumTaTs1jvuxmYggFlfM900MJv5?= =?us-ascii?Q?nV2Peuk8MvIqJZoxj5DF3rHANiOzmjPqtCkrUjyrKiAkGtNIxK2d5DAYX5bk?= =?us-ascii?Q?dKbb7x8TTLAJzt7TWV83Gtn06bEtRr0Icuxw5i1jxiiNcrik64RnGz+iyMcZ?= =?us-ascii?Q?tkvtsUpe8/055xYVMjZw3IWLWp4fqRentlkNahyu4ZGOAIQx8oK7T5b+CrzX?= =?us-ascii?Q?Gfx/2ZNxyY0BkxUAklfESikuZHH1+9hw3OA2ylkzewvm4cxo9AXGcIZZOqZB?= =?us-ascii?Q?Z82wSijXKMP2ReeIokm+QyUX+WrueJQTGSH8L0Szp94mu5Mlo6qSGkIQJIyi?= =?us-ascii?Q?1p9Ja7YV0C7913icY2kcBG8=3D?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4ea5ec40-a925-40da-76a0-08d9fcfd6774 X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2022 10:05:54.1309 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ABOovCr0DYpQpfUFs9rsBgBPL6aU1Q2QFgVSOViq7kvrvZISMdHRmraTrbFHQbO0j0nLYsdD0p/GJcNMLfZh6w== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4363 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I don't like OpensslEclib, it seems a workaround. We already have 5 INF und= er BaseCryptLib. It is complicated enough. And I am not sure how OpensslEclib can resolve size issue... > -----Original Message----- > From: Li, Yi1 > Sent: Thursday, March 3, 2022 4:43 PM > To: Yao, Jiewen ; Gerd Hoffmann > Cc: devel@edk2.groups.io; Kovvuri, Vineel ; Luo, > Heng > Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add ellip= tic > curve chipher algorithms >=20 > Agree with that and I think the first issue is OPENSSL_NO_* be not cover = every > file related to some feature in openssl (like ec). > Once those macro defines can cover everything, we can put all files in > OpensslLib.inf [Source], > and control macro defines in opensslconf.h by PCDs to do customization. > Openssl community feels ok to it and that's exactly what they do, like as= n1, just > not covering all features. > https://github.com/openssl/openssl/issues/17801 >=20 > I am glad to push it forward, but, it seems will be a long time and platf= orm needs > to support WPA3 as soon as possible. > I'm thinking about whether we can use a new OpensslEclib.inf to enable EC= C > firstly to meet customer needs? >=20 > Thanks! > Yi Li > -----Original Message----- > From: Yao, Jiewen > Sent: Wednesday, March 2, 2022 7:57 PM > To: Gerd Hoffmann > Cc: Li, Yi1 ; devel@edk2.groups.io; Kovvuri, Vineel > ; Luo, Heng > Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add ellip= tic > curve chipher algorithms >=20 > From requirement perspective, I am thinking more broadly than just ECC. >=20 > Looking at > https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/Include/o= p > enssl/opensslconf.h today, we disabled lots of thing, ECDH, ECDSA, TLS1_3= , > which might be potential useful. While the algorithm we used today such a= s > FFDHE, MD5, SHA1, might be not useful. >=20 > Even for ECC, some platform may need normal ECDH/ECDSA. However, some > platform may or might not need EdDSA or X-Curve DH. I am not sure if we r= eally > need to enable all of them in previous patch set. >=20 > SM3 and SM2 are another category. It might be useful for one particular > segment, but not useful for others. For example, a SMx-compliant only pla= tform > may only requires SM2/SM3 (no RSA/ECC), which a NIST-compliant only > platform might not required SMx. >=20 >=20 > If a platform does have flash size constrain, why it cannot do customizat= ion? > Why we enforce every platform, from an embedded system to a server use th= e > same default configuration ? >=20 > openssl exposes a config file, other crypto lib (mbedtls, wolfssl) also d= oes same > thing, such as > https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/mb > edtls_config.h, > https://github.com/wolfSSL/wolfssl/tree/master/examples/configs > Why we cannot allow a platform override such configuration ? >=20 > I am not saying we must do it. But I believe it is worth to revisit, to s= ee if any > platform has such need, before draw the conclusion so quick. >=20 > Thank you > Yao Jiewen >=20 >=20 > > -----Original Message----- > > From: Gerd Hoffmann > > Sent: Wednesday, March 2, 2022 3:42 PM > > To: Yao, Jiewen > > Cc: Li, Yi1 ; devel@edk2.groups.io; Kovvuri, Vineel > > ; Luo, Heng > > Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add > > elliptic curve chipher algorithms > > > > On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote: > > > I think another option to pursue is to how to control the openssl > > > configuration > > from module or platform level. > > > > > > E.g. what if platform-A has enough size and wants to use ECC, while > > > platform- > > B has size constrain and wants to disable ECC ? > > > > > > We can let platform choose if ECC is needed or not? I hope so. > > > > Not so easy. Would require to put the way openssl is integrated > > upside down. Today openssl is configured and the results (header > > files etc) are committed to the repo, so the openssl config is the > > same for everybody. > > > > Also I expect there is no way around ecc long-term. WPA3 was > > mentioned elsewhere in the thread. For TLS it will most likely be a > > requirement too at some point in the future. With TLS 1.2 it is > > possible to choose ciphers not requiring ECC, for TLS 1.3 ECC is mandat= ory > though. > > > > So I doubt making ECC optional is worth the trouble. > > > > take care, > > Gerd