From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 by mx.groups.io with SMTP id smtpd.web08.8783.1646296993788752766
 for <devel@edk2.groups.io>;
 Thu, 03 Mar 2022 00:43:14 -0800
Authentication-Results: mx.groups.io;
 dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=LLkno9v/;
 spf=pass (domain: intel.com, ip: 134.134.136.65, mailfrom: yi1.li@intel.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1646296993; x=1677832993;
  h=from:to:cc:subject:date:message-id:references:
   in-reply-to:content-transfer-encoding:mime-version;
  bh=PLd3/4TO7znzmL2E9H+mkuefNcgvyU8LWMFpXnkKq2M=;
  b=LLkno9v/t067rSsY2g57nhtZi+jjLDA/1F/CLeSClbN6dztYZLP0s3kd
   leLAKJs9p/2C01rJl2DA2/lrHaiJ3zjE07zvs7n0cOfYI6a+3j/OBKTAy
   ze0AV/XEq13gI6h+YDeExnerVV+g0z3Pywu7XN2BQ84fQ0ZuqX6icoNVx
   EHCBDCzTlb1rpzwNN1h1gTdaJ1PiyGVwrZjS68CL5bxEwfS9iSJ3CNXnj
   oYvMSJSbdXKqNPlrZdwnkJXL8DAnr1DV29IaXRzFPXkR8o+bDcE32lLrT
   9Hmz7qK/s8VW0yKB1Iozh6QZVRjdNyk0CPiv+wtlqL5NABJ5aVJy6fubw
   A==;
X-IronPort-AV: E=McAfee;i="6200,9189,10274"; a="253547283"
X-IronPort-AV: E=Sophos;i="5.90,151,1643702400"; 
   d="scan'208,223";a="253547283"
Received: from fmsmga004.fm.intel.com ([10.253.24.48])
  by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Mar 2022 00:43:12 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.90,151,1643702400"; 
   d="scan'208,223";a="609500892"
Received: from orsmsx603.amr.corp.intel.com ([10.22.229.16])
  by fmsmga004.fm.intel.com with ESMTP; 03 Mar 2022 00:43:12 -0800
Received: from orsmsx611.amr.corp.intel.com (10.22.229.24) by
 ORSMSX603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.21; Thu, 3 Mar 2022 00:43:11 -0800
Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by
 orsmsx611.amr.corp.intel.com (10.22.229.24) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.21 via Frontend Transport; Thu, 3 Mar 2022 00:43:11 -0800
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (104.47.57.177)
 by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2308.21; Thu, 3 Mar 2022 00:43:11 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=TWJwkFXkc9rbK2Zb27fs96Gwl7icZhj+46NcSOX95Wao1JGzKc8d4TXjoykEwfhJqxM0bCDQ1gBRMZUG0qBvsIQUsghlmtaW1kbuqaFWBv95et2vamAp7XRq87xswjJeDAHIf8Eav0KoZUfRH38UsgTtomAU07q5VBopqMvAZ3remAnm3Z08lAF4Ul011U5wYZFJSSRZp2IffzKZBFlj9bbHaK0BULnHAJoZRBvP2uOzgGh+j/dXQgBbQzTNCugvXhgDexipVfWCCga6P9fJfY4wMr93smbIchB4lVXQUWNU3FowGOQRivrxn9AvSlrthsIPQwcQgihc57aKp8jj5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=vz3ID3Xip9JLNZ6bSiaZXBKZOaehIh7tpVHqX1LLWqI=;
 b=JB8hVs3ryWyaHJqQgsqJd6M40nANkf+ViXC0UBy5/eNQ/SGJXaZlbQmcAljSp7cN/ATWEiA3/J1XnirDmVVZlCjlnJUn+twhnAmNdRYpZU3s5jir0+ppW24py/hAK+xCrQO3qgFTtqtlCF9Ar3/mMqF4x4iSrdCkBqhnX4im+WYID0bIN5pmeUD3CwNxk6DZ4GbtN4nwaHzWOhPGLMy9csetuDLxKA5GdoPHhJ6A9PMop5k0v9kMhLn4mcrOlhM6BexCjBkLFQRKC33WipyvnousUJ/bTDDTyr18Esx0bgcMZJpr4KJwcVq4HFdX61y/ZkXVpD2+jMahejUf6plT6w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
Received: from MWHPR11MB1597.namprd11.prod.outlook.com (2603:10b6:301:d::13)
 by CO1PR11MB5092.namprd11.prod.outlook.com (2603:10b6:303:6e::13) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.13; Thu, 3 Mar
 2022 08:43:09 +0000
Received: from MWHPR11MB1597.namprd11.prod.outlook.com
 ([fe80::551c:c7d3:9cc6:b10f]) by MWHPR11MB1597.namprd11.prod.outlook.com
 ([fe80::551c:c7d3:9cc6:b10f%10]) with mapi id 15.20.5038.014; Thu, 3 Mar 2022
 08:43:09 +0000
From: "yi1 li" <yi1.li@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>, Gerd Hoffmann <kraxel@redhat.com>
CC: "devel@edk2.groups.io" <devel@edk2.groups.io>, "Kovvuri, Vineel"
	<vineelko@microsoft.com>, "Luo, Heng" <heng.luo@intel.com>
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
Thread-Topic: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
 curve chipher algorithms
Thread-Index: AQHYKUr7vUGmNd7pj0+IVIzbTxqxk6yiT6WggAI+ioCABBhfoIAB8X+AgADcLaCAAD9mAIAAC8wAgABHGoCAAVaVcA==
Date: Thu, 3 Mar 2022 08:43:08 +0000
Message-ID: <MWHPR11MB15972F28EA37362A3D3011CFC5049@MWHPR11MB1597.namprd11.prod.outlook.com>
References: <MWHPR11MB1597A4F02A5D0E215EE00069C53D9@MWHPR11MB1597.namprd11.prod.outlook.com>
 <26433.1645811519240546455@groups.io>
 <DM5PR11MB15953EDFD7C5C291BF98951BC5019@DM5PR11MB1595.namprd11.prod.outlook.com>
 <20220301140451.wtqcyt6vyus5klgw@sirius.home.kraxel.org>
 <DM5PR11MB1595F12CDBFB281D7F2D5B2CC5039@DM5PR11MB1595.namprd11.prod.outlook.com>
 <MW4PR11MB5872069BA15060123FB6AA368C039@MW4PR11MB5872.namprd11.prod.outlook.com>
 <20220302074202.xtjfu4yqi3vxm7ec@sirius.home.kraxel.org>
 <MW4PR11MB5872AD7A6BE0302F384DD79D8C039@MW4PR11MB5872.namprd11.prod.outlook.com>
In-Reply-To: <MW4PR11MB5872AD7A6BE0302F384DD79D8C039@MW4PR11MB5872.namprd11.prod.outlook.com>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 11698dc6-4fd2-4f27-1702-08d9fcf1d7ff
x-ms-traffictypediagnostic: CO1PR11MB5092:EE_
x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr
x-microsoft-antispam-prvs: <CO1PR11MB50928FF9568556AF3C8A4D77C5049@CO1PR11MB5092.namprd11.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: P/Uul0EfjbXcH8ZQIEij/P1wOMd+xhyjgcZ5kG+oeQUHikIrLO8q90Bb6eeR2JxjNGoNRx+3tKCWJm7qbc1/9IADv4Qf9FgB47aYhNyCvfynAkAO//yIcz44IMgWre/xRxuKyoNka+3dFzfw97waGjpH4HhuXZRBliwIu5Qbj1FCbv0j1OSRyRj03wSJsyreEr9C3zjzRzU2n7rnkn2oZbxPrppIRt6dpvN1ZPswL4ZUXq/tu0c0EWQKJi9Jyz9NSPb/uA5yvxgLefsTGnjESZbhLDMnSEK/cZXGRVI9Ajz8Xsb7vQhha6QfdumlvmHjohGBV0g6EFmVKfMt3Bzbj24Oy2jgwFn4uxX4e7SLm3rJfyz1Q3tMRUXNyAVA988BoOJQpAvXl5SZcwU0pgYt8vazbsgRiK9WkexB9jA2Oij4IxuUFhXygUucwWUOhtwbAYTsAHIbaN23wwksy794Jfwr6z/uKj42wbxBnusir5+WP6/2cWQoe2zWIaFCT+huYsLbkSb3kgq/UiRdR4TvA40/WeEurQzER3nG94fPhTXryraC8dx23MjH2iQHPCG5d5s+1E3yClEthCT8IwqCPCZAnMqOv5EHJ2Xks/FRK3mAKnRz1p/K2luyC9BHsibPzRnQAUB5+Y7Yj3TN0pFR3X8t66H3X0j2ykDuwsdgAupdsF06luxCq6GsQWD4lmfHCDx/XqdQW75d9q9mDSGhYvsBaZSnNIb4AHlRpPLK6p4qKq2Ate1bGdYJc/mEWh+pZUG8DrLL+5kyyzEaypNVjrQwYibl/YH4D274nCADuHzPM8yYNkWb2qoLfag0eKKxSWcFmKyCCx2w6NkHt8hYvw==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MWHPR11MB1597.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(64756008)(66446008)(66476007)(66556008)(8676002)(66946007)(4326008)(76116006)(38070700005)(107886003)(55016003)(8936002)(52536014)(966005)(71200400001)(5660300002)(316002)(54906003)(110136005)(508600001)(86362001)(82960400001)(38100700002)(6506007)(7696005)(83380400001)(2906002)(33656002)(122000001)(9686003)(26005)(186003)(53546011);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?i3Hc41It9lbDCyQteqAvfWGj8FkHyg1Y59C2+exCWHDFFX6o05Ma3QwmcQEv?=
 =?us-ascii?Q?EMQaB7AtBKA6RJ9TaIwGVSCDfeYoonV7RxEpH9cPk3E7ziCLLW0NYKLuL5xo?=
 =?us-ascii?Q?GNDvDOkZvu8hU2+4h9kyvuaQ7mGef5u56IUANDqgPpvYI51b1pJJPRoDf1lw?=
 =?us-ascii?Q?zZKRAJNwfxp2iM5jYGwlw7ei1FwzM+kGrilEHCFvJAEMmS88UoxxDcb70uTk?=
 =?us-ascii?Q?dR+aBpj7jDVP1eMRrTD2zh87dNppPEeuy+uXD+afRUwVg5S5biQFMOViAXCd?=
 =?us-ascii?Q?vBHX69R89hX3G6mwl90KZuowgSeEuLh60S+jDS9kCABNIeyF+PNQyCPveA9N?=
 =?us-ascii?Q?QNxQ0NYphyS5N6YSMj58gUxDAtpKfuiy9Vurxi9GLxQzUbFWWUQSXoF2wvMi?=
 =?us-ascii?Q?JwnzxkSUA8aRPz+GTsewbTSVJIJKdXdHEcygQ+s0d6MLnpOOTwei0Tu+THfo?=
 =?us-ascii?Q?UejLcTggeRMwAD2LuhVLxNhUNeN10VheX612oKsKQ4UbNwwcykeXGnN+k8un?=
 =?us-ascii?Q?qMU0LSVgMKgCW5Akw2XRVSG3YT0vEieTaJrZS1gkXm0Qkz5+8+jwmN3YfeK7?=
 =?us-ascii?Q?O6X1m3rzxY70aep5je1XCJt3rLLd7skKMgqAGyKF46ppB3J8FPjdgF1L26Mv?=
 =?us-ascii?Q?HSEsAedW0J292KFK4Of5TGZ2ApWDuieIbSyRXOMLOdjeWfVPtGbs7ZqjyJoz?=
 =?us-ascii?Q?eYWIwNUphzUBlQ0kp8DtVI4uUxItrvsqaY3icinQ6EmB1SwoXk/EhFH/xfWs?=
 =?us-ascii?Q?GYU2xmnb2dqyttuQnDdQoSE0ItoPIvP2NZY5iUhoPmX31hKG/cv+xa9OjceR?=
 =?us-ascii?Q?vhfSiNvOKzzRXjYqLapFHvFmnuSc1ztAx8yy/luD80DLRi9pxPAXpTtcGzh9?=
 =?us-ascii?Q?aixIHLl2dcUU6DDMMagelC04LtMdywLlwU7kd8BRtK4mlVcgcokLYiVKD2BQ?=
 =?us-ascii?Q?OrN896qJI7bKmJjIPiPag1kmfOT4fcK9us1YG3ZuhiQc0bIxYtIVwfeVNSnP?=
 =?us-ascii?Q?0hUu214zN0RMPTGUXg8DaLWa0vDjm2uq38FxoX3eAwoUauW0PhcOL63bRXtB?=
 =?us-ascii?Q?Qvbj24L/Mj/ic3eej0PA/8Glo5947j7uhngU/QbzbkEGlyNnIXnb1k1i9BV6?=
 =?us-ascii?Q?C6gw0zFcm6B8OL/E3oW7FvaAYpTzRtdr/0iSO6/l7KfCQNY1KlsbGVeQxNWw?=
 =?us-ascii?Q?8DvehIeI/k2pNxQtAdyzzf50CVXJs7oBQ74ZdcQn9KOOB3MSdZGqke46EDav?=
 =?us-ascii?Q?hG36zjpgN1KwagaDGTir4zPcTxs1EG1HwHdL3/yxOuAqCIRKIuveBtf6kxjx?=
 =?us-ascii?Q?LAX1en+yBthj9B7hD6FOLwPej/cDrxlOLiwmLV3TO0mspt1FESJIrDIOD5o+?=
 =?us-ascii?Q?aV0ZTOtMsJLs6R3VK5plGnA+XnfDa+fP0aW/bYI+mAfPFlIeW70r3h7u3or3?=
 =?us-ascii?Q?fzlY2Q0/G3Y+dnA2G53CCdftACyw+X/udDgSq7RMuTqDE4eG2qNFkhN7+PS8?=
 =?us-ascii?Q?YYDZndhahtaRkTxzye0ucHvvRwB6Ne/CA6GwYLQ2Qa8YOdSed2kZ0jzfhDq1?=
 =?us-ascii?Q?SSBDSiWhz/1/qYUanwL9nKyeVGNVBGapQeebj72YKzkgkUAx7xI4zbV5BZ8W?=
 =?us-ascii?Q?iYZcFC8Q+5qMler1StvXZR8=3D?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR11MB1597.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 11698dc6-4fd2-4f27-1702-08d9fcf1d7ff
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2022 08:43:08.9522
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: i672fm1KmHvNutJvJJn6GxwrAvDPT9+I+y6YMYiy7FZM7E8eyuj3SzHEruE6XLx3jI0T6bJwVa+ajvlP2iGrtw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB5092
Return-Path: yi1.li@intel.com
X-OriginatorOrg: intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Agree with that and I think the first issue is OPENSSL_NO_* be not cover ev=
ery file related to some feature in openssl (like ec).
Once those macro defines can cover everything, we can put all files in Open=
sslLib.inf [Source],
and control macro defines in opensslconf.h by PCDs to do customization.
Openssl community feels ok to it and that's exactly what they do, like asn1=
, just not covering all features.
https://github.com/openssl/openssl/issues/17801

I am glad to push it forward, but, it seems will be a long time and platfor=
m needs to support WPA3 as soon as possible.
I'm thinking about whether we can use a new OpensslEclib.inf to enable ECC =
firstly to meet customer needs?

Thanks!
Yi Li
-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>=20
Sent: Wednesday, March 2, 2022 7:57 PM
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel <vine=
elko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add ellipti=
c curve chipher algorithms

>>From requirement perspective, I am thinking more broadly than just ECC.

Looking at https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/=
Include/openssl/opensslconf.h today, we disabled lots of thing, ECDH, ECDSA=
, TLS1_3, which might be potential useful. While the algorithm we used toda=
y such as FFDHE, MD5, SHA1, might be not useful.

Even for ECC, some platform may need normal ECDH/ECDSA. However, some platf=
orm may or might not need EdDSA or X-Curve DH. I am not sure if we really n=
eed to enable all of them in previous patch set.

SM3 and SM2 are another category. It might be useful for one particular seg=
ment, but not useful for others. For example, a SMx-compliant only platform=
 may only requires SM2/SM3 (no RSA/ECC), which a NIST-compliant only platfo=
rm might not required SMx.


If a platform does have flash size constrain, why it cannot do customizatio=
n? Why we enforce every platform, from an embedded system to a server use t=
he same default configuration ?

openssl exposes a config file, other crypto lib (mbedtls, wolfssl) also doe=
s same thing, such as https://github.com/ARMmbed/mbedtls/blob/development/i=
nclude/mbedtls/mbedtls_config.h,
https://github.com/wolfSSL/wolfssl/tree/master/examples/configs
Why we cannot allow a platform override such configuration ?

I am not saying we must do it. But I believe it is worth to revisit, to see=
 if any platform has such need, before draw the conclusion so quick.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Wednesday, March 2, 2022 3:42 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Kovvuri, Vineel=20
> <vineelko@microsoft.com>; Luo, Heng <heng.luo@intel.com>
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add=20
> elliptic curve chipher algorithms
>=20
> On Wed, Mar 02, 2022 at 06:59:48AM +0000, Yao, Jiewen wrote:
> > I think another option to pursue is to how to control the openssl=20
> > configuration
> from module or platform level.
> >
> > E.g. what if platform-A has enough size and wants to use ECC, while=20
> > platform-
> B has size constrain and wants to disable ECC ?
> >
> > We can let platform choose if ECC is needed or not? I hope so.
>=20
> Not so easy.  Would require to put the way openssl is integrated=20
> upside down.  Today openssl is configured and the results (header=20
> files etc) are committed to the repo, so the openssl config is the=20
> same for everybody.
>=20
> Also I expect there is no way around ecc long-term.  WPA3 was=20
> mentioned elsewhere in the thread.  For TLS it will most likely be a=20
> requirement too at some point in the future.  With TLS 1.2 it is=20
> possible to choose ciphers not requiring ECC, for TLS 1.3 ECC is mandator=
y though.
>=20
> So I doubt making ECC optional is worth the trouble.
>=20
> take care,
>   Gerd