From: "Yao, Jiewen"
To: Gerd Hoffmann, Vineel Kovvuri
CC: "devel@edk2.groups.io", "vineelko@microsoft.com"
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
Date: Thu, 11 Nov 2021 13:26:49 +0000
References: <23891.1636410576311055186@groups.io> <20211109085809.22kqmzd6zxu465ua@sirius.home.kraxel.org> <20211111130552.qo5a33ki7ikipqpf@sirius.home.kraxel.org>
In-Reply-To: <20211111130552.qo5a33ki7ikipqpf@sirius.home.kraxel.org>
Sorry, I don't mean one platform uses 2 different configurations. That might be worse, because we lose the benefit of compression.

Ideally, no matter how many *same* copies you have, the compression algo will handle it and make only *one* copy. If you have two *different* copies, then compression also may finally make *two* different copies.

I don't have data. I just feel it might be worse.

I mean two platforms can choose 2 different configurations. But eventually, one platform should select one of them consistently, such as using only one CryptoDxe.inf.

In this case, you need to carefully remove all unneeded algos. For example, do you really need SM2? Do you really need EdDSA? Do you really need ECX?
Thank you
Yao Jiewen

> -----Original Message-----
> From: Gerd Hoffmann
> Sent: Thursday, November 11, 2021 9:06 PM
> To: Vineel Kovvuri
> Cc: devel@edk2.groups.io; Yao, Jiewen; vineelko@microsoft.com
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
>
>   Hi,
>
> > The difference I see without ecc change and with the change is the increase
> > in file sizes for below ffs files (other .ffs files remained unchanged).
> >
> > Without ecc change:
> > 794742
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> > 653470
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> > 1174654
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> > 872594
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
> >
> > With ecc change:
> > 1058678
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> > 917214
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> > 1470718
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> > 1134738
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
>
> Uh. So each driver which needs openssl has its own copy of the library?
>
> I wasn't aware of that, but yes, given we don't have dynamic linking
> this makes sense and also easily explains why we see such a big jump in
> size.
>
> > I am wondering, removing existing ciphers might impact other platforms.
> > Could you please suggest any less intrusive options without impacting
> > other platforms.
>
> I was thinking more about reviewing the ciphers added. Pick the most
> commonly used ones instead of just adding them all, for example.
>
> > I am new to EDK and what compile time options are you referring to? Please
> > let me know if any other information is needed from the build.
>
> Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.
>
> But I think Jiewen meant something else with "2 profiles":
>
> We could create two OpensslLib variants. One full-featured build with
> ecc enabled which TlsDxe could use (assuming better TLS support is your
> use case). And one less-featured variant for VariableSmm +
> SecureBootConfigDxe + SecurityStubDxe.
>
> That way we have the ecc code only once, not four times, in the firmware
> build. Possibly the less-featured one could be stripped down even more when
> it doesn't need to support TLS any more.
>
> I'm also wondering why SecurityStubDxe needs OpensslLib ...
>
> take care & HTH,
> Gerd
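The .ffs sizes Vineel quoted make the "four copies" point measurable. The following Python is an added example for this thread, not code from the thread or from edk2's build tools. It takes the quoted figures as a constructed listing of `<size> <path>` lines, derives each module name from its Ffs directory name (which, as the quoted paths show, is the FILE_GUID followed by the module name), and reports how much each driver grew and how much of that growth the two-variant layout Gerd describes (ECC-enabled OpensslLib only in TlsDxe) would avoid. The `growth_if_ecc_only_in` helper and the assumption that a module's growth is entirely its private OpensslLib copy are this example's own simplifications.

```python
import re

# Constructed input: the figures quoted in the thread (OVMF NOOPT_GCC5 build),
# each size joined onto one line with its path.
WITHOUT_ECC = """
794742 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
653470 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1174654 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
872594 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
"""

WITH_ECC = """
1058678 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
917214 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1470718 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
1134738 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
"""

# Ffs directory name = 36-character FILE_GUID immediately followed by the module name.
# The GUID is fixed-width, so the split is unambiguous even when the module name
# starts with a hex-looking character.
GUID_DIR_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
    r"(?P<module>\w+)$"
)


def parse_listing(text):
    """Map module name -> .ffs size in bytes from '<size> <path>' lines."""
    sizes = {}
    for line in text.strip().splitlines():
        size, path = line.split(None, 1)
        ffs_dir = path.rstrip("/").split("/")[-2]   # directory holding the .ffs
        match = GUID_DIR_RE.match(ffs_dir)
        if not match:
            raise ValueError(f"unexpected Ffs directory name: {ffs_dir}")
        sizes[match.group("module")] = int(size)
    return sizes


def compare(before, after):
    """Per-module growth in bytes, for modules present in both listings."""
    return {name: after[name] - before[name] for name in before if name in after}


def total_growth(deltas):
    """Growth when every consumer links the ECC-enabled OpensslLib."""
    return sum(deltas.values())


def growth_if_ecc_only_in(deltas, keep):
    """Growth if only the modules in `keep` link the ECC-enabled variant and the
    others stay on the reduced one (assumption: a module's growth is wholly its
    own OpensslLib copy, so the others' growth disappears)."""
    return sum(delta for name, delta in deltas.items() if name in keep)


if __name__ == "__main__":
    deltas = compare(parse_listing(WITHOUT_ECC), parse_listing(WITH_ECC))
    for name, delta in sorted(deltas.items(), key=lambda kv: -kv[1]):
        print(f"{name:22s} +{delta:>8d} bytes")
    print(f"ECC in all {len(deltas)} copies: +{total_growth(deltas)} bytes")
    print(f"ECC only in TlsDxe:        +{growth_if_ecc_only_in(deltas, {'TlsDxe'})} bytes")
```

Running it shows each of the four drivers growing by roughly 256 KiB and the whole build by about 1 MiB, of which only TlsDxe's share would remain under the two-variant layout. The same parser works on a `find ... -printf '%s %p\n'` listing of a real Build tree, which is the cheapest check that a library configuration change has not quietly landed in drivers that never needed it.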