From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120])
 by mx.groups.io with SMTP id smtpd.web12.5087.1600138445090058390
 for <devel@edk2.groups.io>;
 Mon, 14 Sep 2020 19:54:05 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=sqIVfnir;
 spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: christopher.j.zurcher@intel.com)
IronPort-SDR: U+s3BzXSQGYAQbn/7oNnzySEk7A9hiilln/vLPJSSKYOIJJ8+/+KJr9wLBSA+x4/UasB04RY+T
 BnEQyP52QI1w==
X-IronPort-AV: E=McAfee;i="6000,8403,9744"; a="156583961"
X-IronPort-AV: E=Sophos;i="5.76,428,1592895600"; 
   d="scan'208";a="156583961"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
  by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2020 19:54:03 -0700
IronPort-SDR: vFXbfBQe40J9yAJmn+sep9KnvRtuKxNLyxKnRAiL3rKgXPYdPTHMMMrf9oNZzimP06s4OJuWZ3
 HQzKvLq3Smxg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.76,428,1592895600"; 
   d="scan'208";a="338489781"
Received: from fmsmsx605.amr.corp.intel.com ([10.18.126.85])
  by fmsmga002.fm.intel.com with ESMTP; 14 Sep 2020 19:54:03 -0700
Received: from fmsmsx604.amr.corp.intel.com (10.18.126.84) by
 fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.1713.5; Mon, 14 Sep 2020 19:54:03 -0700
Received: from fmsmsx105.amr.corp.intel.com (10.18.124.203) by
 fmsmsx604.amr.corp.intel.com (10.18.126.84) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5
 via Frontend Transport; Mon, 14 Sep 2020 19:54:03 -0700
Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by
 FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS)
 id 14.3.439.0; Mon, 14 Sep 2020 19:54:03 -0700
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (104.47.59.174)
 by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.1713.5; Mon, 14 Sep 2020 19:54:02 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=M2L9VnnFEn7auWn+z1S3kFMwoYH/6AEVUGg1vRm8xKJHJEELRbjep58Myn4qmwJl/uHSHe0qLogztfJISLm7Wjd6OGZppvS/PFRsU5xPnN1nQmxssDIhcwUXpU7s8Yprb3RBC5CEbVZCSATbzWHUY5msBuC7QcmaRcTNHIBomgxnAmU/geEQM3qI1L/8bqqc81oeREBotMeJLI/LNhJh8WbnSQmqVrBzWeJMuPl+7Zd+M1/wo6brz2SvoR5IvdeF+fkasdQa0y3k99lUT1rcYIzaW0XWi3/MpQ6wVorIUEWmvYm5+/IJCzvXEVdq02aQLpt4+7Q+BH21KNUROOICsw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=mVFaHvHBfvX7XeMXq28KROie1SwAgmPTQvTDyp7CSds=;
 b=PgR+UtudFNGpFch4CavKSBJdY0JtdrjX/7Aebe9eIzXbrr1WLh+jvEJ+0D/OMFkU70fW67XZhGTVyNu4d2pfEaZLBwFAT6Dzhg0Izv6SMBEOu+Jy59OXKzY50oyyKJTrUTPPFpHRZ8XuDdPp5a/nUXEncgp9BJwmdFPgBTHfXtI5QTAjU/b3BaTFqZ1X6gkC0FH5BlsnOEJs6CAGmSECJDa5m64pJ7Y91M0VEDGnc8V/ZIzBSbjr7CdTK+k8AlLX2Ht7jcke/TKFb9K68DbPH1MyUI57Uaz9rVa/OpEk+1K8ZO/q9L99Lp1lBi3HmZuAIYz8CNq5X/gvSdB8tj15XA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com;
 s=selector2-intel-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=mVFaHvHBfvX7XeMXq28KROie1SwAgmPTQvTDyp7CSds=;
 b=sqIVfnirYz18jz8yGXFgYdAYZYyytGAFJQ7lyp8K4ksmkXJ5mqIVdlOoqTLnygufYckhNbdsfkGl8ahd5DhrO7WrxM8FLWJ8VFEkzv9i2mF3GXsJrlUZjVhA59HUOWemoZQldMhksCsqRKCe5967uv3gmZ6bki4V0oQCB+SPVHw=
Received: from MWHPR1101MB2125.namprd11.prod.outlook.com
 (2603:10b6:301:4d::10) by MWHPR11MB1712.namprd11.prod.outlook.com
 (2603:10b6:300:29::23) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.18; Tue, 15 Sep
 2020 02:54:01 +0000
Received: from MWHPR1101MB2125.namprd11.prod.outlook.com
 ([fe80::6cbb:9c13:41f0:ce20]) by MWHPR1101MB2125.namprd11.prod.outlook.com
 ([fe80::6cbb:9c13:41f0:ce20%3]) with mapi id 15.20.3370.019; Tue, 15 Sep 2020
 02:54:01 +0000
From: "Zurcher, Christopher J" <christopher.j.zurcher@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>, "devel@edk2.groups.io"
	<devel@edk2.groups.io>
CC: Laszlo Ersek <lersek@redhat.com>, "Wang, Jian J" <jian.j.wang@intel.com>,
	"Lu, XiaoyuX" <xiaoyux.lu@intel.com>
Subject: Re: [PATCH v2 0/3] CryptoPkg/BaseCryptLib: Add EVP (Envelope) Digest interface
Thread-Topic: [PATCH v2 0/3] CryptoPkg/BaseCryptLib: Add EVP (Envelope) Digest
 interface
Thread-Index: AQHWivtIUEOHQlkeLUqCBsPLoNwCvqlo5MuAgAADHEA=
Date: Tue, 15 Sep 2020 02:54:01 +0000
Message-ID: <MWHPR1101MB21259225EFA6D4FDD3B275FAB3200@MWHPR1101MB2125.namprd11.prod.outlook.com>
References: <20200915005749.5331-1-christopher.j.zurcher@intel.com>
 <CY4PR11MB1288AC4183AE900A3F65A6A78C200@CY4PR11MB1288.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR11MB1288AC4183AE900A3F65A6A78C200@CY4PR11MB1288.namprd11.prod.outlook.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-version: 11.5.1.3
dlp-reaction: no-action
dlp-product: dlpe-windows
authentication-results: intel.com; dkim=none (message not signed)
 header.d=none;intel.com; dmarc=none action=none header.from=intel.com;
x-originating-ip: [50.53.185.44]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4d3547f0-bb05-4b34-2a7f-08d859229997
x-ms-traffictypediagnostic: MWHPR11MB1712:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MWHPR11MB171290622AE399EB34DE0860B3200@MWHPR11MB1712.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: WqtYpGpQvLOWRjFH9nROKQ1RorbWqlwWIMqiLEdjrQ0K+BS4xwPKSf4bJK2z9arbJUVl5kShpkxoZg2XJVEtVkfjhG+TKMJ82J/QcogAug/sRjMJskhoD1jnh7ahUwMz4Z0G1SVRxrs3LmMaqotADm2/I4XcvsXRrv1uJxPeQOhZk9TmzPYeAO9Ep2ML0zUXL3on3IpL1+3eW4oRqWUoppagABCiV1xEdboKbuNW/dnrs8L0QJUxVB4HnSUuNekrwN7n1pFVuBrj+tf81AV5M6ug6C7EQrV1K0iWQvbBpSyhEjPW+d9GX1ogAtJcTsGLydblqI9uReEJomjx5/PYn/siqnjbUE0aLyrQYnsjMyHWj4SDMqW6TnMUR0fB3ThGhp5b+OQhpWJ1O0vXCW4GoA==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MWHPR1101MB2125.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(39860400002)(376002)(396003)(136003)(346002)(366004)(5660300002)(316002)(71200400001)(52536014)(8676002)(83380400001)(107886003)(19627235002)(86362001)(76116006)(66946007)(66556008)(66446008)(64756008)(66476007)(8936002)(7696005)(2906002)(478600001)(6506007)(53546011)(110136005)(9686003)(55016002)(4326008)(966005)(54906003)(26005)(33656002)(186003);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata: 12j+Ch6Ek3vVvnIMfsJvDj2k0mMUONeHfTaGR/9eopbaixSMtAZzUKrnrcyTcH16R4zAuCr4vH2E1jo3fg0sKwg7sx1c1zHpUdDhcYQeqsgBx1SNAEs4Dg+7lbYUI2Hpy753sSS57LtAFUmq60twrvVpfR0qIiIpnzgo2DZQOF2O8XGmvCQuBLy/1ApXPdfSbNf0L99siXJtCPhkvLN6iiRkviCx2pBCZShrds3vA3dZa4jxIJAwZr7BIx/UJyqLuw3/OUTWDSYusCbVALI0Od6Z8OZP2utS38zXjIRvhwUXIKjfS+c8KOWsutOtmkBHe/CiQFzHItsNX0f62JygDaZfs1miEFUYWXMcTB7qYyWScuERlp6Bgpsjg2LIM4RxY5L2iI2bxT9kdJ3Ipoy+7eNIwixji5JFymWwuwUWKB8k1/lzr3YrW5pbvE3HPtY/FueaGB0b5UvQHmaOGY6zBE+8jYQOicJemjKMTkTlJgdBZUB4TV28NW1ZklbI2vM2VJdvZMHQi2rIAH4r+kd81XPdCVkQOVoFpgS6w51o3pOLh4njjOqqIoKQpZAnmCPoYVMGtBCaRqrrwNkvdw3EEcUH+/axt2uEOFa2CRhxVNj4/6PTRdSxGjf/fxajVzfW9Jm57xzeoxhFAW+uu1Lm2A==
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR1101MB2125.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4d3547f0-bb05-4b34-2a7f-08d859229997
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Sep 2020 02:54:01.0867
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8c+08/EVfNT8gNCogbjvz4HcoTxGr50ky13/wox6AO/PiFHwTBYslPGzHdSjd2yfOLlMgO8zzeOFN6Vt5tcNdlOQg7dzlSGRV4OcQygAB0k=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1712
Return-Path: christopher.j.zurcher@intel.com
X-OriginatorOrg: intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Replies inline

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, September 14, 2020 18:22
> To: Zurcher, Christopher J <christopher.j.zurcher@intel.com>;
> devel@edk2.groups.io
> Cc: Laszlo Ersek <lersek@redhat.com>; Wang, Jian J <jian.j.wang@intel.com=
>;
> Lu, XiaoyuX <xiaoyux.lu@intel.com>
> Subject: RE: [PATCH v2 0/3] CryptoPkg/BaseCryptLib: Add EVP (Envelope) Di=
gest
> interface
>=20
> Hi Zurcher:
> Thanks for your work.
> 1) Please share with us what unit test you have done for all new APIs.

I unit tested both the native and Crypto Service implementations through th=
e modified Hash2DxeCrypto protocol.
I tested the Init/Update/Final flow as well as the HashAll function.

>=20
> 2) Please add comment on what is the valid DigestName in EvpMdInit().
> Otherwise, people will have no idea on that.

I will add valid options in a comment.
I have to send another patch anyway to add a file in my commit (missed the =
second copy of CryptEvpMdNull.c in the NullLib folder).

>=20
> 3) I assume the size will be unchanged if a module does not use the new E=
VPMD
> API, such as UEFI secure boot, TCG trusted boot. Please double confirm if
> that is right understanding.

Yes, if a module does not call the EVPMD API, it should not grow in size.
The Crypto Service build output CryptoDxe.efi grew less than 1% after enabl=
ing the EvpMd function family through PcdCryptoServiceFamilyEnable.
I suspect this is because the HmacSha256 Family was already enabled, and in=
side OpenSSL the HMAC functions are wrappers for EVP functions.
So even with library-mode BaseCryptLib, any module that already calls the H=
MAC functions should not see any size change by adding EVP.

>=20
> Hi all:
> I would like collect feedback on below:
> -- "I replaced the MD5 and SHAx functions with EVP functions in
> Hash2DxeCrypto, and it grew from ~26k to ~253k."
>=20
> If there is negative size impact for the platform BIOS that is using
> Hash2DxeCrypto, please share with the community.

The size change in Hash2DxeCrypto was seen while using the library-mode Bas=
eCryptLib implementation, not the Crypto Services driver.
We cannot move to OpenSSL 3 without replacing all low-level algorithm funct=
ions with EVP calls, so platforms using Hash2DxeCrypto will have to eat the=
 size increase eventually.
For platforms using Hash2DxeCrypto, moving to the Crypto Services model sho=
uld help offset this increase.

Thanks,
Christopher Zurcher

>=20
> Thank you
> Yao Jiewen
>=20
> > -----Original Message-----
> > From: Christopher J Zurcher <christopher.j.zurcher@intel.com>
> > Sent: Tuesday, September 15, 2020 8:58 AM
> > To: devel@edk2.groups.io
> > Cc: Laszlo Ersek <lersek@redhat.com>; Yao, Jiewen <jiewen.yao@intel.com=
>;
> > Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com=
>
> > Subject: [PATCH v2 0/3] CryptoPkg/BaseCryptLib: Add EVP (Envelope) Dige=
st
> > interface
> >
> > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2545
> >
> > V2 changes:
> > Added NullLib implementation
> > Added Crypto Service implementation
> > Rebased Hash2DxeCrypto to use EVP interface instead of low-level functi=
ons
> > Removed unnecessary casts
> > Added "HashAll" utility function
> > Merged "New" and "Init" functions as well as "Final" and "Free" functio=
ns
> >   Retained "Init/Update/Final" naming instead of "New/Update/Free" as t=
his
> >   conforms with common usage
> >
> > Low-level interfaces to message digest (hash) functions have been
> deprecated
> > in OpenSSL 3. In order to upgrade to OpenSSL 3, all direct calls to
> > low-level functions (such as SHA256_Init() in CryptSha256.c) will need =
to
> > be replaced by EVP inteface calls.
> >
> > References:
> >   https://www.openssl.org/docs/manmaster/man7/evp.html
> >   https://www.openssl.org/docs/manmaster/man3/SHA256_Init.html
> >
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> >
> > Christopher J Zurcher (3):
> >   CryptoPkg/BaseCryptLib: Add EVP (Envelope) Digest interface
> >   CryptoPkg: Add EVP to Crypto Service driver interface
> >   SecurityPkg/Hash2DxeCrypto: Rebase Hash2DxeCrypto onto the EVP
> >     interface
> >
> >  CryptoPkg/CryptoPkg.dsc                                 |   3 +
> >  CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf         |   1 +
> >  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf          |   1 +
> >  CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf      |   1 +
> >  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf          |   1 +
> >  CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf |   1 +
> >  CryptoPkg/Include/Library/BaseCryptLib.h                | 125 +++++++
> >  CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h    |  10 +
> >  CryptoPkg/Private/Protocol/Crypto.h                     | 127 +++++++
> >  SecurityPkg/Hash2DxeCrypto/Driver.h                     |   1 -
> >  CryptoPkg/Driver/Crypto.c                               | 148 ++++++++=
-
> >  CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c         | 253
> ++++++++++++++
> >  CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c     | 124 +++++++
> >  CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c  | 140 ++++++++
> >  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c             | 345 ++------=
----
> --------
> >  15 files changed, 965 insertions(+), 316 deletions(-)
> >  create mode 100644 CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMd.c
> >  create mode 100644 CryptoPkg/Library/BaseCryptLib/Evp/CryptEvpMdNull.c
> >
> > --
> > 2.28.0.windows.1