From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120])
 by mx.groups.io with SMTP id smtpd.web11.9133.1646301982646780757
 for <devel@edk2.groups.io>;
 Thu, 03 Mar 2022 02:06:22 -0800
Authentication-Results: mx.groups.io;
 dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=M1FpAvCO;
 spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: jiewen.yao@intel.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1646301982; x=1677837982;
  h=from:to:cc:subject:date:message-id:references:
   in-reply-to:content-transfer-encoding:mime-version;
  bh=VB0yS2A/Mm2AO5zKVBoAP+xkQh1aOoe1anNt4PAnpHY=;
  b=M1FpAvCOXGXCcGKQmfvIIoRZK4xMa8H/Idlyx/MI2FnCxVhtEmP7Q5D+
   FqJZffOMIbQEiKxT7t9Yar3vMkCoJJ6ZrkctlE4U3KAoZXAlHcq3nxcrb
   vDc2SRjQKtV4GqTEHMI+yVyVuvbu8vviVd1cZExOmfjwkejx2hcfdObYx
   UH8Hhz53joe1+SSh9q2LgHdztYGG1HJSi/PM1epSaeafvR0VPc4zAuVu7
   hVa7ce1drQnOXWs4RKr0Kx7gA+uPz5stMMonrouAwsmWwigofHMAZQBS7
   t3TIozCbsmZBhFPVJzDZ94QdezHvfmta1zjv9mcEXm445cFkuk87fIpri
   Q==;
X-IronPort-AV: E=McAfee;i="6200,9189,10274"; a="252460575"
X-IronPort-AV: E=Sophos;i="5.90,151,1643702400"; 
   d="scan'208";a="252460575"
Received: from orsmga001.jf.intel.com ([10.7.209.18])
  by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Mar 2022 02:06:21 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.90,151,1643702400"; 
   d="scan'208";a="576438434"
Received: from orsmsx604.amr.corp.intel.com ([10.22.229.17])
  by orsmga001.jf.intel.com with ESMTP; 03 Mar 2022 02:06:21 -0800
Received: from orsmsx612.amr.corp.intel.com (10.22.229.25) by
 ORSMSX604.amr.corp.intel.com (10.22.229.17) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.21; Thu, 3 Mar 2022 02:06:20 -0800
Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by
 orsmsx612.amr.corp.intel.com (10.22.229.25) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.21 via Frontend Transport; Thu, 3 Mar 2022 02:06:20 -0800
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (104.47.58.173)
 by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2308.21; Thu, 3 Mar 2022 02:06:19 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=kQAF1XmTgKikcp4ItTitEqNn4zJvYmgBLqVNdsBebshdeK9r0e1yEOxC4LSZGOdsgYVxCQNl3Oe7Wnxz5qSgRLGWPDuzgVtgVelia+3rQIvteg0jgI+C5tUAbR3aE7KhmMhloK4/W98QBZMbGKJdF2uSVvX7Ea6K/AY6/xaqixI0m2tiCSkw7jHU2dLrS1DBRnC2/gm7t1rOJ5l3xeP9jRbciUbF0c8oCMdWAB/J6PpmmCEFnkasn+iEScxwGYEXvcws1qrP4O/pM3cnry5SDu+iEPaSDb4piuauSD58E0AC3qWSKZHP48yf+ZgxSTspWiJ850dIQGrkKdf1VopgnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=s7c6h4pvQ1jE4CkpXbRfJQl6srtdXSZRrP02/2Pj3EQ=;
 b=aTjx0hruDeQBJU4MSLl5gcb/AgBHN9Q2kgwWFdvw29tOrVwgM0qEirUBDRgn5i90ow7M47WygrsXylg6Op3UQxyV2m6Dg+TBWDY3yhMiRTDkqonRPgv5XfKPFGeUj1nJjQ/tAQ7h5svw8cueRLfFBigRXxq9KwLrQ7MSjudOH8tfJ9mIaB96WhIyUZnbb5xCQmRaY9wO+VZDTN1lPeHbyX3BwUhMpWIBQhkzptTjaYjwieEXqMVc6crprfyqJTPlxQh0Ia9IatM6ZEQ3I8PaZnEpEvneztYxOthhxJHq9PjtiAFwHYx2jKO+m/fUVZcQ9dBEWAhbCoT5W7/FRSpyBg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14)
 by DM6PR11MB4363.namprd11.prod.outlook.com (2603:10b6:5:14f::24) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.14; Thu, 3 Mar
 2022 10:05:54 +0000
Received: from MW4PR11MB5872.namprd11.prod.outlook.com
 ([fe80::21db:e2fd:b9a3:9292]) by MW4PR11MB5872.namprd11.prod.outlook.com
 ([fe80::21db:e2fd:b9a3:9292%6]) with mapi id 15.20.5038.014; Thu, 3 Mar 2022
 10:05:54 +0000
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Li, Yi1" <yi1.li@intel.com>, Gerd Hoffmann <kraxel@redhat.com>
CC: "devel@edk2.groups.io" <devel@edk2.groups.io>, "Kovvuri, Vineel"
	<vineelko@microsoft.com>, "Luo, Heng" <heng.luo@intel.com>
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
Thread-Topic: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
 curve chipher algorithms
Thread-Index: AQHXvytzNc37dLSAJ0CsBYnYdS6rHqvWhHbwgAK0coCAF96cwIAAhVgAgAjFBQCAAJ/dcIAAD8CAgAINR4CAAVyZAIAAA/uAgAtZ6QCAl2OpgIAAA7+AgAACd4CAAdRugIAAGOKAgAIx/YCABgnz+4AA79OAgAArLPCAAAxLAIAAPlNQgAFlFACAABYrwA==
Date: Thu, 3 Mar 2022 10:05:54 +0000
Message-ID: <MW4PR11MB5872C72D24E4585FEF0117C68C049@MW4PR11MB5872.namprd11.prod.outlook.com>
References: <MWHPR11MB1597A4F02A5D0E215EE00069C53D9@MWHPR11MB1597.namprd11.prod.outlook.com>
 <26433.1645811519240546455@groups.io>
 <DM5PR11MB15953EDFD7C5C291BF98951BC5019@DM5PR11MB1595.namprd11.prod.outlook.com>
 <20220301140451.wtqcyt6vyus5klgw@sirius.home.kraxel.org>
 <DM5PR11MB1595F12CDBFB281D7F2D5B2CC5039@DM5PR11MB1595.namprd11.prod.outlook.com>
 <MW4PR11MB5872069BA15060123FB6AA368C039@MW4PR11MB5872.namprd11.prod.outlook.com>
 <20220302074202.xtjfu4yqi3vxm7ec@sirius.home.kraxel.org>
 <MW4PR11MB5872AD7A6BE0302F384DD79D8C039@MW4PR11MB5872.namprd11.prod.outlook.com>
 <MWHPR11MB15972F28EA37362A3D3011CFC5049@MWHPR11MB1597.namprd11.prod.outlook.com>
In-Reply-To: <MWHPR11MB15972F28EA37362A3D3011CFC5049@MWHPR11MB1597.namprd11.prod.outlook.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-version: 11.6.401.20
dlp-product: dlpe-windows
dlp-reaction: no-action
authentication-results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4ea5ec40-a925-40da-76a0-08d9fcfd6774
x-ms-traffictypediagnostic: DM6PR11MB4363:EE_
x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr
x-microsoft-antispam-prvs: <DM6PR11MB4363CE2E89F17E4CFEF9DC4F8C049@DM6PR11MB4363.namprd11.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BOclj4lcrcxUAFPiFXZLIZPNo78rdx2EnN5PP6bYpsDfL50kuZ17h8LPI84255XLMfQk2uZgat7XlKqKrVZHiBylpVJh2nntq/s7yxHGnO8+vpOC6ZxD3f+78/KoWOtW/azNYGDPZZ93TzgRUbZyvlFmndDOz4djkQblGfWni373QjOUt/4cxijZxWzI0rumbTUNiS+OzqBGzIueCledXHV7r8zM1PSaSkRB6aCXeBpfHrrZQwZCtJ57HLi5euCjnyz228P7BzVTUyyfgWmuMPj7fi/FQGaz4/dMgWkTfKJB7Ii81e6PbEJ8aUuiS2uzjOKoabFzxZwIsn4BxssuxJ2swIZKsdtJmwnaKJqdCW9alW6GI0exVG0J82nY+isoIjlGDWdn6Cv6V2cmp14BBh5B8eVAAtQ7r83bkvBt9NvKWX2qT5ao0Pwr3tD6YRGuVUlOf2wNxxPj6b/jiTXKac87DrSm8/f3dwh5w22voJle7vV0YiYedr2ZNFLz1nTI7X5oTrkdvzKr/a+ZU01hESwYbHidR37xUgYW6e7WPPPXiNZKH0HcqASHzJsbX4sjowXOCSqOiWyf64YInD1Yk1vFrzMGXqlqgo43YXZ1jHbaBWGExy1gYjzH4wVyQa5gg54I2+0YO6k+lHDoou5e0F2GtGL5HwsLNRMVWecHsPm084G5oTGqIG9xgWljtag+Dwtktk1q0RiP+SyI4bVtvOHaJHzpEVFHUfkkBj8CN8hZuW4LwtxzU+wtlGV3nZiHUVT9fk97rjipSKSbJyV+1NYbDsNvX6GggT/6ZnKYqA92KcCPXd5H+n+d+cBbdYM+4A0MTocp/UOsfDujmsMezA==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(86362001)(66476007)(52536014)(64756008)(8936002)(4326008)(66556008)(66946007)(8676002)(66446008)(71200400001)(76116006)(6506007)(2906002)(508600001)(966005)(5660300002)(38070700005)(110136005)(316002)(38100700002)(7696005)(53546011)(82960400001)(122000001)(83380400001)(9686003)(54906003)(26005)(33656002)(55016003)(186003)(107886003);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?lhpq4w5ZXkqrJdxDhmFUGlaZL2PS9VsQw+BU+8oI3lZhsIJZq5ipylTwjght?=
 =?us-ascii?Q?X7YjGyN5p/6hnzDghkHAv8DTIu0gvA5eG/Cb6EPA+gqSIUxsPr4YIYOKJl56?=
 =?us-ascii?Q?5VQ33gjNRL3gFek1/QdV1QZLehEz0msmakP0IWeB28Q7899sPUjFVF8GGKHo?=
 =?us-ascii?Q?tRh66o8EnxnV6SMmph5EQBERGpXMUVKiV0+kZPBpU5Nl0p5XRIhATHutKSWh?=
 =?us-ascii?Q?mTAK18DQvL9iI5YSrLrCl0nNoVxUipiyEvYEjJRYwExOyUWcwF863TikmPvH?=
 =?us-ascii?Q?CFrR05XdIEDLrQ2CljixSekoYI62g7iMykHvCHlk1eDy621Anv6/r+wid6M5?=
 =?us-ascii?Q?JzPK8fbR5b2hIfNDUtndqYNvwjVKnYFBLrEFfgUI+n8LykEMRaJh4w7ykiHb?=
 =?us-ascii?Q?mVAFLh7Sd48Z0D9qk0M0DG3o+iigpRCv7vVPWB8WyeoKDUmaF6QKVo4RChmB?=
 =?us-ascii?Q?NTFlzHl/68oBXs8uHPhTj/jrZVgDJw52GdFuhzL5DejAzC3aVdP2mLFyArFN?=
 =?us-ascii?Q?FQl7qV7nELuv+xn4uNKAF9TEPFtFTipViR/18UNiJ3dJ02qymn4WZmCqsmbp?=
 =?us-ascii?Q?/SRcYJMFo5jfN6SxpVKeiDMnbBn7/x81iM16ah9LTRz80YJxvoO0xvjHGqvO?=
 =?us-ascii?Q?GW8he/3R+vN1lmqDFV34u6gIFM0lt0WAYvhL5h78TtxEToYT9YPcz3daqyZw?=
 =?us-ascii?Q?yRsZTIr6Oy5mGnCXhhfGufMVZaKPEJLNaIsmSN0tSbITthkazb6G6B2wLALu?=
 =?us-ascii?Q?Zk9fsPEWY/jTOuWJLkEFuzF/p8ODLmhTxb0xqrxtxqA3qe3Ncor4ch62JmAG?=
 =?us-ascii?Q?eHUTvgX1i3CcW1hrdaGziPKwzNuoBwuzceS///eA8r6sZ47He319TvJIDHE1?=
 =?us-ascii?Q?wzBsF74qvgkuzH59VQm+EaX8nKnt8ImN96+ydWpdo7DpPKWS8+AOkPwkHRGD?=
 =?us-ascii?Q?TukiyoclDK/5ZX9vEkRvuE9BiaGC3Daenw0KQd2c840IlsnDLJ83T2jBb9XE?=
 =?us-ascii?Q?2LFrBRFL4iOYO5znEuTHhuejAFHXMfFBfTdkQs3ryhr58oW6gyLLpqoVJI9f?=
 =?us-ascii?Q?QtGQqAo7/x3WFtpVZIO+21w5HqI1z7VLPBqtzDvdUhNmK6ybBjpaFHl9755N?=
 =?us-ascii?Q?vYbp7QrT905s6TbsW9T8BEI3yollwRQtMhfqiiW96C1ANRDd2J1eH2H403Dz?=
 =?us-ascii?Q?rRonbWghnmq4qgdfN0lu6W9L0f9y/EnCE2NRfTReWpBqdiW5RurYd0s40Tfn?=
 =?us-ascii?Q?9G/pfTygVphxZP0dpIUoYGywQNMK0npTEhumTaTs1jvuxmYggFlfM900MJv5?=
 =?us-ascii?Q?nV2Peuk8MvIqJZoxj5DF3rHANiOzmjPqtCkrUjyrKiAkGtNIxK2d5DAYX5bk?=
 =?us-ascii?Q?dKbb7x8TTLAJzt7TWV83Gtn06bEtRr0Icuxw5i1jxiiNcrik64RnGz+iyMcZ?=
 =?us-ascii?Q?tkvtsUpe8/055xYVMjZw3IWLWp4fqRentlkNahyu4ZGOAIQx8oK7T5b+CrzX?=
 =?us-ascii?Q?Gfx/2ZNxyY0BkxUAklfESikuZHH1+9hw3OA2ylkzewvm4cxo9AXGcIZZOqZB?=
 =?us-ascii?Q?Z82wSijXKMP2ReeIokm+QyUX+WrueJQTGSH8L0Szp94mu5Mlo6qSGkIQJIyi?=
 =?us-ascii?Q?1p9Ja7YV0C7913icY2kcBG8=3D?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4ea5ec40-a925-40da-76a0-08d9fcfd6774
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2022 10:05:54.1309
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ABOovCr0DYpQpfUFs9rsBgBPL6aU1Q2QFgVSOViq7kvrvZISMdHRmraTrbFHQbO0j0nLYsdD0p/GJcNMLfZh6w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4363
Return-Path: jiewen.yao@intel.com
X-OriginatorOrg: intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I don't like OpensslEclib, it seems a workaround. We already have 5 INF und=
er BaseCryptLib. It is complicated enough.
And I am not sure how OpensslEclib can resolve size issue...


> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Thursday, March 3, 2022 4:43 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Gerd Hoffmann <kraxel@redhat.com>
> Cc: devel@edk2.groups.io; Kovvuri, Vineel <vineelko@microsoft.com>; Luo,
> Heng <heng.luo@intel.com>
> Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add ellip=
tic
> curve chipher algorithms
>=20
> Agree with that and I think the first issue is OPENSSL_NO_* be not cover =
every
> file related to some feature in openssl (like ec).
> Once those macro defines can cover everything, we can put all files in
> OpensslLib.inf [Source],
> and control macro defines in opensslconf.h by PCDs to do customization.
> Openssl community feels ok to it and that's exactly what they do, like as=
n1, just
> not covering all features.
> https://github.com/openssl/openssl/issues/17801
>=20
> I am glad to push it forward, but, it seems will be a long time and platf=
orm needs
> to support WPA3 as soon as possible.
> I'm thinking about whether we can use a new OpensslEclib.inf to enable EC=
C
> firstly to meet customer needs?
>=20
> Thanks!
> Yi Li
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, March 2, 2022 7:57 PM
> To: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel
> <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
> Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add ellip=
tic
> curve chipher algorithms
>=20
> From requirement perspective, I am thinking more broadly than just ECC.
>=20
> Looking at
> https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/Include/o=
p
> enssl/opensslconf.h today, we disabled lots of thing, ECDH, ECDSA, TLS1_3=
,
> which might be potential useful. While the algorithm we used today such a=
s
> FFDHE, MD5, SHA1, might be not useful.
>=20
> Even for ECC, some platform may need normal ECDH/ECDSA. However, some
> platform may or might not need EdDSA or X-Curve DH. I am not sure if we r=
eally
> need to enable all of them in previous patch set.
>=20
> SM3 and SM2 are another category. It might be useful for one particular
> segment, but not useful for others. For example, a SMx-compliant only pla=
tform
> may only requires SM2/SM3 (no RSA/ECC), which a NIST-compliant only
> platform might not required SMx.
>=20
>=20
> If a platform does have flash size constrain, why it cannot do customizat=
ion?
> Why we enforce every platform, from an embedded system to a server use th=
e
> same default configuration ?
>=20
> openssl exposes a config file, other crypto lib (mbedtls, wolfssl) also d=
oes same
> thing, such as
> https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/mb
> edtls_config.h,
> https://github.com/wolfSSL/wolfssl/tree/master/examples/configs
> Why we cannot allow a platform override such configuration ?
>=20
> I am not saying we must do it. But I believe it is worth to revisit, to s=
ee if any
> platform has such need, before draw the conclusion so quick.
>=20
> Thank you
> Yao Jiewen
>=20
>=20
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
> > Sent: Wednesday, March 2, 2022 3:42 PM
> > To: Yao, Jiewen <jiewen.yao@intel.com>
> > Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel
> > <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
> > Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add
> > elliptic curve chipher algorithms
> >
> > On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote:
> > > I think another option to pursue is to how to control the openssl
> > > configuration
> > from module or platform level.
> > >
> > > E.g. what if platform-A has enough size and wants to use ECC, while
> > > platform-
> > B has size constrain and wants to disable ECC ?
> > >
> > > We can let platform choose if ECC is needed or not? I hope so.
> >
> > Not so easy.  Would require to put the way openssl is integrated
> > upside down.  Today openssl is configured and the results (header
> > files etc) are committed to the repo, so the openssl config is the
> > same for everybody.
> >
> > Also I expect there is no way around ecc long-term.  WPA3 was
> > mentioned elsewhere in the thread.  For TLS it will most likely be a
> > requirement too at some point in the future.  With TLS 1.2 it is
> > possible to choose ciphers not requiring ECC, for TLS 1.3 ECC is mandat=
ory
> though.
> >
> > So I doubt making ECC optional is worth the trouble.
> >
> > take care,
> >   Gerd