From: "Li, Yi" <yi1.li@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"spbrogan@outlook.com" <spbrogan@outlook.com>,
"Hou, Wenxing" <wenxing.hou@intel.com>
Subject: Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add HMAC/HKDF/RSA/HASH features based on Mbedtls ***
Date: Thu, 31 Aug 2023 08:25:28 +0000 [thread overview]
Message-ID: <SJ1PR11MB62273A98E1FC4F1436E8483DC5E5A@SJ1PR11MB6227.namprd11.prod.outlook.com> (raw)
In-Reply-To: <BY3PR19MB4900AA417F61A5B67ADB4311C8E6A@BY3PR19MB4900.namprd19.prod.outlook.com>
Hi Sean,
> I propose we remove openssl from the edk2 CryptoPkg and into the OpenSslCryptoPkg in another new tianocore repository dedicated to OpenSsl. MbedTls could then be checked into the MbedTlsCryptoPkg and added to another new repository.
It may be a better choice to put openssl and mbedtls in the one CryptoPkg, and the users can more easily choose the lib they wants to use in different scenarios. openssl and mbedtls have their own disadvantages: mbedtls lacks the implementation of SM3 and SHA3, and most of the algorithms of openssl3.0 cannot be used in the PREMEM stage due to known issue.
New tianocore repository is a good proposal, actually we did encounter similar problems: EDK2 of the old platform was frozen on a Stable tag, but we had to continue to apply new patches under EDK2 because of the openssl vulnerability.
Can we use another bugzilla to track this proposal? It will be a complicated thing, I can imagine that CI and customer's EDK2 sync-test process needs lots changes.
I hope to merge this patch series first, because some EDK2 users have requested to use HKDF, HMAC or RSA algorithms in the PREMEM stage.
Thanks,
Yi
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean
Sent: Thursday, August 31, 2023 2:57 AM
To: devel@edk2.groups.io; Hou, Wenxing <wenxing.hou@intel.com>
Subject: Re: [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add HMAC/HKDF/RSA/HASH features based on Mbedtls ***
I appreciate and really like this work to enable mbedtls but I don't like the idea of adding another submodule to edk2.
For a long time there has been discussion about formalizing the abstraction of the edk2 crypto api so that it would be practical to implement edk2's crypto using various libraries. I propose we remove openssl from the edk2 CryptoPkg and into the OpenSslCryptoPkg in another new tianocore repository dedicated to OpenSsl. MbedTls could then be checked into the MbedTlsCryptoPkg and added to another new repository. This would also have the benefit of breaking the tight coupling of edk2 stable tags from the crypto used in the code base (crypto has more widely tracked vulnerabilities).
Happy to discuss more if others have different ideas.
Thanks
Sean
On 8/30/2023 12:52 AM, Wenxing Hou wrote:
> *** Add BaseCryptLibMbedTls for CryptoPkg, which can be an alternative
> to OpenSSL in some scenarios. There are four features in the patch:
> HMAC/HKDF/RSA/HASH.***
>
> Wenxing Hou (9):
> CryptoPkg: Add mbedtls submodule for EDKII
> CryptoPkg: Add mbedtls_config and MbedTlsLib.inf
> CryptoPkg: Add HMAC functions based on Mbedtls
> CryptoPkg: Add HKDF functions based on Mbedtls
> CryptoPkg: Add RSA functions based on Mbedtls
> CryptoPkg: Add all .inf files for BaseCryptLibMbedTls
> CryptoPkg: Add Null functions for building pass
> CryptoPkg: Add MD5/SHA1/SHA2 functions based on Mbedtls
> CryptoPkg: Add Mbedtls submodule in CI
>
> .gitmodules | 3 +
> .pytool/CISettings.py | 2 +
> CryptoPkg/CryptoPkg.ci.yaml | 66 +-
> CryptoPkg/CryptoPkg.dec | 4 +
> CryptoPkg/CryptoPkgMbedTls.dsc | 280 ++
> .../BaseCryptLibMbedTls/BaseCryptLib.inf | 81 +
> .../BaseCryptLibMbedTls/Bn/CryptBnNull.c | 520 +++
> .../Cipher/CryptAeadAesGcmNull.c | 100 +
> .../BaseCryptLibMbedTls/Cipher/CryptAesNull.c | 159 +
> .../BaseCryptLibMbedTls/Hash/CryptMd5.c | 234 +
> .../BaseCryptLibMbedTls/Hash/CryptMd5Null.c | 163 +
> .../Hash/CryptParallelHashNull.c | 40 +
> .../BaseCryptLibMbedTls/Hash/CryptSha1.c | 234 +
> .../BaseCryptLibMbedTls/Hash/CryptSha1Null.c | 166 +
> .../BaseCryptLibMbedTls/Hash/CryptSha256.c | 227 +
> .../Hash/CryptSha256Null.c | 162 +
> .../BaseCryptLibMbedTls/Hash/CryptSha512.c | 447 ++
> .../Hash/CryptSha512Null.c | 275 ++
> .../BaseCryptLibMbedTls/Hash/CryptSm3Null.c | 164 +
> .../BaseCryptLibMbedTls/Hmac/CryptHmac.c | 620 +++
> .../BaseCryptLibMbedTls/Hmac/CryptHmacNull.c | 359 ++
> .../BaseCryptLibMbedTls/InternalCryptLib.h | 44 +
> .../BaseCryptLibMbedTls/Kdf/CryptHkdf.c | 372 ++
> .../BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c | 192 +
> .../BaseCryptLibMbedTls/PeiCryptLib.inf | 101 +
> .../BaseCryptLibMbedTls/PeiCryptLib.uni | 25 +
> .../BaseCryptLibMbedTls/Pem/CryptPemNull.c | 69 +
> .../Pk/CryptAuthenticodeNull.c | 45 +
> .../BaseCryptLibMbedTls/Pk/CryptDhNull.c | 150 +
> .../BaseCryptLibMbedTls/Pk/CryptEcNull.c | 578 +++
> .../Pk/CryptPkcs1OaepNull.c | 51 +
> .../Pk/CryptPkcs5Pbkdf2Null.c | 48 +
> .../Pk/CryptPkcs7Internal.h | 83 +
> .../Pk/CryptPkcs7SignNull.c | 53 +
> .../Pk/CryptPkcs7VerifyEkuNull.c | 152 +
> .../Pk/CryptPkcs7VerifyEkuRuntime.c | 56 +
> .../Pk/CryptPkcs7VerifyNull.c | 163 +
> .../Pk/CryptPkcs7VerifyRuntime.c | 38 +
> .../BaseCryptLibMbedTls/Pk/CryptRsaBasic.c | 268 ++
> .../Pk/CryptRsaBasicNull.c | 121 +
> .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c | 337 ++
> .../BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c | 117 +
> .../BaseCryptLibMbedTls/Pk/CryptRsaPss.c | 164 +
> .../BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c | 46 +
> .../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c | 231 +
> .../Pk/CryptRsaPssSignNull.c | 60 +
> .../BaseCryptLibMbedTls/Pk/CryptTsNull.c | 42 +
> .../BaseCryptLibMbedTls/Pk/CryptX509Null.c | 753 ++++
> .../BaseCryptLibMbedTls/Rand/CryptRandNull.c | 56 +
> .../BaseCryptLibMbedTls/RuntimeCryptLib.inf | 92 +
> .../BaseCryptLibMbedTls/RuntimeCryptLib.uni | 22 +
> .../BaseCryptLibMbedTls/SecCryptLib.inf | 84 +
> .../BaseCryptLibMbedTls/SecCryptLib.uni | 17 +
> .../BaseCryptLibMbedTls/SmmCryptLib.inf | 92 +
> .../BaseCryptLibMbedTls/SmmCryptLib.uni | 22 +
> .../SysCall/ConstantTimeClock.c | 75 +
> .../BaseCryptLibMbedTls/SysCall/CrtWrapper.c | 58 +
> .../SysCall/RuntimeMemAllocation.c | 462 ++
> .../SysCall/TimerWrapper.c | 198 +
> .../BaseCryptLibMbedTls/TestBaseCryptLib.inf | 78 +
> CryptoPkg/Library/MbedTlsLib/CrtWrapper.c | 96 +
> CryptoPkg/Library/MbedTlsLib/EcSm2Null.c | 495 +++
> .../Include/mbedtls/mbedtls_config.h | 3823 +++++++++++++++++
> CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf | 173 +
> .../Library/MbedTlsLib/MbedTlsLibFull.inf | 177 +
> CryptoPkg/Library/MbedTlsLib/mbedtls | 1 +
> 66 files changed, 14683 insertions(+), 3 deletions(-)
> create mode 100644 CryptoPkg/CryptoPkgMbedTls.dsc
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmac.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmacNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdf.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.uni
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasicNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSignNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.uni
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.uni
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.uni
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/RuntimeMemAllocation.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c
> create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf
> create mode 100644 CryptoPkg/Library/MbedTlsLib/CrtWrapper.c
> create mode 100644 CryptoPkg/Library/MbedTlsLib/EcSm2Null.c
> create mode 100644 CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
> create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf
> create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf
> create mode 160000 CryptoPkg/Library/MbedTlsLib/mbedtls
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108186): https://edk2.groups.io/g/devel/message/108186
Mute This Topic: https://groups.io/mt/101048094/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
prev parent reply other threads:[~2023-08-31 8:25 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 7:52 [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add HMAC/HKDF/RSA/HASH features based on Mbedtls *** Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 1/9] CryptoPkg: Add mbedtls submodule for EDKII Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 2/9] CryptoPkg: Add mbedtls_config and MbedTlsLib.inf Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 3/9] CryptoPkg: Add HMAC functions based on Mbedtls Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 4/9] CryptoPkg: Add HKDF " Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 5/9] CryptoPkg: Add RSA " Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 6/9] CryptoPkg: Add all .inf files for BaseCryptLibMbedTls Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 7/9] CryptoPkg: Add Null functions for building pass Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 8/9] CryptoPkg: Add MD5/SHA1/SHA2 functions based on Mbedtls Wenxing Hou
2023-08-30 7:52 ` [edk2-devel] [edk2/add_mbedtls PATCH 9/9] CryptoPkg: Add Mbedtls submodule in CI Wenxing Hou
2023-08-30 17:49 ` [edk2-devel] [edk2/add_mbedtls PATCH 0/9] *** Add HMAC/HKDF/RSA/HASH features based on Mbedtls *** Michael Kubacki
2023-08-30 18:56 ` Sean
2023-08-31 0:09 ` Yao, Jiewen
2023-08-31 2:34 ` Yao, Jiewen
2023-08-31 11:14 ` Leif Lindholm
2023-08-31 15:45 ` Michael D Kinney
2023-08-31 16:07 ` Yao, Jiewen
2023-08-31 17:24 ` Michael D Kinney
2023-08-31 17:52 ` Sean
2023-08-31 18:45 ` Michael D Kinney
2023-08-31 18:49 ` Sean
2023-09-04 6:04 ` Li, Yi
2023-08-31 8:25 ` Li, Yi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SJ1PR11MB62273A98E1FC4F1436E8483DC5E5A@SJ1PR11MB6227.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox