From: "Zurcher, Christopher J" <christopher.j.zurcher@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"ard.biesheuvel@linaro.org" <ard.biesheuvel@linaro.org>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
"Lu, XiaoyuX" <xiaoyux.lu@intel.com>,
"david.harris4@hp.com" <david.harris4@hp.com>
Subject: Re: [edk2-devel] [PATCH 0/1] CryptoPkg/OpensslLib: Add native instruction support for IA32 and X64
Date: Thu, 26 Mar 2020 01:04:22 +0000 [thread overview]
Message-ID: <MWHPR1101MB2125EFFB95259C6A91080964B3CF0@MWHPR1101MB2125.namprd11.prod.outlook.com> (raw)
In-Reply-To: <CAKv+Gu_bnr01gX-AsOdHdVJo1_Xs76Q21jtxKDMKr3iHyjmbSQ@mail.gmail.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Ard Biesheuvel
> Sent: Wednesday, March 25, 2020 11:40
> To: Zurcher, Christopher J <christopher.j.zurcher@intel.com>
> Cc: edk2-devel-groups-io <devel@edk2.groups.io>; Wang, Jian J
> <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Eugene Cohen
> <eugene@hp.com>
> Subject: Re: [edk2-devel] [PATCH 0/1] CryptoPkg/OpensslLib: Add native
> instruction support for IA32 and X64
>
> On Tue, 17 Mar 2020 at 11:26, Christopher J Zurcher
> <christopher.j.zurcher@intel.com> wrote:
> >
> > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2507
> >
> > This patch adds support for building the native instruction algorithms for
> > IA32 and X64 versions of OpensslLib. The process_files.pl script was
> modified
> > to parse the .asm file targets from the OpenSSL build config data struct,
> and
> > generate the necessary assembly files for the EDK2 build environment.
> >
> > For the X64 variant, OpenSSL includes calls to a Windows error handling
> API,
> > and that function has been stubbed out in ApiHooks.c.
> >
> > For all variants, a constructor was added to call the required CPUID
> function
> > within OpenSSL to facilitate processor capability checks in the native
> > algorithms.
> >
> > Additional native architecture variants should be simple to add by
> following
> > the changes made for these two architectures.
> >
> > The OpenSSL assembly files are traditionally generated at build time using
> a
> > perl script. To avoid that burden on EDK2 users, these end-result assembly
> > files are generated during the configuration steps performed by the package
> > maintainer (through process_files.pl). The perl generator scripts inside
> > OpenSSL do not parse file comments as they are only meant to create
> > intermediate build files, so process_files.pl contains additional hooks to
> > preserve the copyright headers as well as clean up tabs and line endings to
> > comply with EDK2 coding standards. The resulting file headers align with
> > the generated .h files which are already included in the EDK2 repository.
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Eugene Cohen <eugene@hp.com>
> > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> >
> > Christopher J Zurcher (1):
> > CryptoPkg/OpensslLib: Add native instruction support for IA32 and X64
> >
>
> Hello Christopher,
>
> It would be helpful to understand the purpose of all this. Also, I
> think we could be more picky about which algorithms we enable - DES
> and MD5 don't seem highly useful, and even if they were, what do we
> gain by using a faster (or smaller?) implementation?
>
The selection of algorithms comes from the default OpenSSL assembly targets; this combination is validated and widely used, and I don't know all the consequences of picking and choosing which ones to include. If necessary I could look into reducing the list.
The primary driver for this change is enabling the Full Flash Update (FFU) OS provisioning flow for Windows as described here:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats
This item under "Reliability" is what we are speeding up: "Includes a catalog and hash table to validate a signature upfront before flashing onto a device. The hash table is generated during capture, and validated when applying the image."
This provisioning flow can be performed within the UEFI environment, and the native algorithms allow significant time savings in a factory setting (minutes per device).
We also had a BZ which requested these changes and the specific need was not provided. Maybe David @HP can provide further insight?
https://bugzilla.tianocore.org/show_bug.cgi?id=2507
There have been additional platform-specific benefits identified, for example speeding up HMAC authentication of communication with other HW/FW components.
Thanks,
Christopher Zurcher
>
>
>
> > CryptoPkg/Library/OpensslLib/OpensslLib.inf |
> 2 +-
> > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf |
> 2 +-
> > CryptoPkg/Library/OpensslLib/OpensslLibIa32.inf |
> 680 ++
> > CryptoPkg/Library/OpensslLib/OpensslLibX64.inf |
> 691 ++
> > CryptoPkg/Library/Include/openssl/opensslconf.h |
> 3 -
> > CryptoPkg/Library/OpensslLib/ApiHooks.c |
> 18 +
> > CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c |
> 34 +
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/aes/aesni-x86.nasm |
> 3209 ++++++++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/aes/vpaes-x86.nasm |
> 648 ++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/bn-586.nasm |
> 1522 ++++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/co-586.nasm |
> 1259 +++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/x86-gf2m.nasm |
> 352 +
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/x86-mont.nasm |
> 486 ++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/des/crypt586.nasm |
> 887 +++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/des/des-586.nasm |
> 1835 +++++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/md5/md5-586.nasm |
> 690 ++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/modes/ghash-x86.nasm |
> 1264 +++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/rc4/rc4-586.nasm |
> 381 +
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/sha/sha1-586.nasm |
> 3977 ++++++++++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/sha/sha256-586.nasm |
> 6796 ++++++++++++++++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/sha/sha512-586.nasm |
> 2842 +++++++
> > CryptoPkg/Library/OpensslLib/Ia32/crypto/x86cpuid.nasm |
> 513 ++
> > CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-mb-x86_64.nasm |
> 1772 +++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-sha1-x86_64.nasm |
> 3271 ++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-sha256-x86_64.nasm |
> 4709 +++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-x86_64.nasm |
> 5084 ++++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/aes/vpaes-x86_64.nasm |
> 1170 +++
> > CryptoPkg/Library/OpensslLib/X64/crypto/bn/rsaz-avx2.nasm |
> 1989 +++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/bn/rsaz-x86_64.nasm |
> 2242 ++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/bn/x86_64-gf2m.nasm |
> 432 +
> > CryptoPkg/Library/OpensslLib/X64/crypto/bn/x86_64-mont.nasm |
> 1479 ++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/bn/x86_64-mont5.nasm |
> 4033 ++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/md5/md5-x86_64.nasm |
> 794 ++
> > CryptoPkg/Library/OpensslLib/X64/crypto/modes/aesni-gcm-x86_64.nasm |
> 984 +++
> > CryptoPkg/Library/OpensslLib/X64/crypto/modes/ghash-x86_64.nasm |
> 2077 +++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/rc4/rc4-md5-x86_64.nasm |
> 1395 ++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/rc4/rc4-x86_64.nasm |
> 784 ++
> > CryptoPkg/Library/OpensslLib/X64/crypto/sha/keccak1600-x86_64.nasm |
> 532 ++
> > CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha1-mb-x86_64.nasm |
> 7581 ++++++++++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha1-x86_64.nasm |
> 5773 ++++++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha256-mb-x86_64.nasm |
> 8262 ++++++++++++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha256-x86_64.nasm |
> 5712 ++++++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha512-x86_64.nasm |
> 5668 ++++++++++++++
> > CryptoPkg/Library/OpensslLib/X64/crypto/x86_64cpuid.nasm |
> 472 ++
> > CryptoPkg/Library/OpensslLib/process_files.pl |
> 208 +-
> > CryptoPkg/Library/OpensslLib/uefi-asm.conf |
> 14 +
> > 46 files changed, 94478 insertions(+), 50 deletions(-)
> > create mode 100644 CryptoPkg/Library/OpensslLib/OpensslLibIa32.inf
> > create mode 100644 CryptoPkg/Library/OpensslLib/OpensslLibX64.inf
> > create mode 100644 CryptoPkg/Library/OpensslLib/ApiHooks.c
> > create mode 100644 CryptoPkg/Library/OpensslLib/OpensslLibConstructor.c
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/aes/aesni-
> x86.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/aes/vpaes-
> x86.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/bn-586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/co-586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/x86-
> gf2m.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/bn/x86-
> mont.nasm
> > create mode 100644
> CryptoPkg/Library/OpensslLib/Ia32/crypto/des/crypt586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/des/des-
> 586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/md5/md5-
> 586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/modes/ghash-
> x86.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/rc4/rc4-
> 586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/sha/sha1-
> 586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/sha/sha256-
> 586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/sha/sha512-
> 586.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/Ia32/crypto/x86cpuid.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-mb-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-sha1-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-
> sha256-x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/aes/aesni-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/aes/vpaes-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/bn/rsaz-
> avx2.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/bn/rsaz-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/bn/x86_64-
> gf2m.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/bn/x86_64-
> mont.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/bn/x86_64-
> mont5.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/md5/md5-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/modes/aesni-
> gcm-x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/modes/ghash-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/rc4/rc4-md5-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/rc4/rc4-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/sha/keccak1600-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha1-mb-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha1-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha256-mb-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha256-
> x86_64.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/X64/crypto/sha/sha512-
> x86_64.nasm
> > create mode 100644
> CryptoPkg/Library/OpensslLib/X64/crypto/x86_64cpuid.nasm
> > create mode 100644 CryptoPkg/Library/OpensslLib/uefi-asm.conf
> >
> > --
> > 2.16.2.windows.1
> >
>
>
next prev parent reply other threads:[~2020-03-26 1:04 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-17 10:26 [PATCH 0/1] CryptoPkg/OpensslLib: Add native instruction support for IA32 and X64 Zurcher, Christopher J
2020-03-17 10:26 ` [PATCH 1/1] " Zurcher, Christopher J
2020-03-26 1:15 ` [edk2-devel] " Yao, Jiewen
[not found] ` <15FFB5A5A94CCE31.23217@groups.io>
2020-03-26 1:23 ` Yao, Jiewen
2020-03-26 2:44 ` Zurcher, Christopher J
2020-03-26 3:05 ` Yao, Jiewen
2020-03-26 3:29 ` Zurcher, Christopher J
2020-03-26 3:58 ` Yao, Jiewen
2020-03-26 18:23 ` Michael D Kinney
2020-03-27 0:52 ` Zurcher, Christopher J
2020-03-23 12:59 ` [edk2-devel] [PATCH 0/1] " Laszlo Ersek
2020-03-25 18:40 ` Ard Biesheuvel
2020-03-26 1:04 ` Zurcher, Christopher J [this message]
2020-03-26 7:49 ` [edk2-devel] " Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MWHPR1101MB2125EFFB95259C6A91080964B3CF0@MWHPR1101MB2125.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox