From: "Li, Yi"
To: "Yao, Jiewen", "devel@edk2.groups.io", Gerd Hoffmann
Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update
Date: Fri, 24 Mar 2023 07:50:52 +0000

Not easy, I have tried to update, but blocked at the RSA and MAC part, there will be many strange problems such as:
the context generated by RsaNew and RsaSetKey cannot be used for sign/verify,
the hmac_duplicate (*src,*dst) function needs to expose the openssl structure details...
https://github.com/liyi77/libspdm/tree/openssl-3-rsa
https://github.com/liyi77/libspdm/tree/openssl-3-work-mac

I didn't have enough time to debug it.
Even if the API is updated, we still need to delete legacy code inside openssl to reduce size.

Regards,
Yi

-----Original Message-----
From: Yao, Jiewen
Sent: Friday, March 24, 2023 2:11 PM
To: devel@edk2.groups.io; Li, Yi1; Gerd Hoffmann
Subject: RE: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update

We have 2 level APIs.
1) EDKII other code -> CryptoPkg.
2) CryptoPkg -> Openssl.

Current strategy of openssl 3.0 update is to keep both 1) and 2). That is minimal impact.

Do you think if we can keep 1) and only update 2) to use new API in openssl 3.0?

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Li, Yi
> Sent: Friday, March 24, 2023 9:47 AM
> To: Gerd Hoffmann; devel@edk2.groups.io
> Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4]
> Readme: 0322 update
>
> Hi Gerd,
>
> Thanks for review,
>
> >> +### Level 2: A bit like workaround, with possibility of upstream
> >> +to openssl 1. Enable the legacy path for X509 pubkey decode and
> >> +pmeth initialization, The purpose is to avoid the use of EN/DECODE
> >> +and
> Signature provider, will reduce size about 90KB.
> >> +(commit: x509: enable legacy path in pub decode)
> >>
> +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd
> 6
> >> +ef7045646ef0
> >> +(commit: evp: enable legacy pmeth)
> >>
> +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1
> bf
> >> +e1d0263f074b
>
> >I suspect that is not going to work well long-term, probably openssl
> >will
> remove the code paths they consider being "legacy" at some point in
> the future. Probably not 3.0.x but maybe in 3.1 branch.
>
> Yes, I think in long-term the better way is to remove all legacy code
> paths, this will also help reduce the size.
> The problem is that a large number of legacy APIs are currently used
> in the
> EDK2 code.
> In the future, it may be a big update to throw all the legacy code.
>
> >> +### Level 3: Totally workaround and hard to upstream to openssl,
> >> +may need scripts to apply them inside EDK2 1. Provider cut.
> >> +(commit: CryptoPkg: add own openssl provider)
> >> +https://github.com/liyi77/edk2-
> staging/commit/c3a5b69d8a3465259cfdca8
> >> +f38b0dc7683b3690e
>
> >Allow people implement their own providers looks like an openssl
> >feature to
> me. So I don't think this will be a big problem to maintain, I expect
> they try to keep the interfaces stable to not break apps doing so.
>
> >The only little detail we do differently here is to remove the
> >default
> providers so LTO can actually remove the unused code.
>
> >> +(commit: x509: remove print function 7KB)
> >>
> +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e
> >> +2955d7ff4306
>
> >Did you double-check this doesn't break something?
>
> >It did for me, due to some code in openssl depending on a working
> bio_sprintf() implementation.
>
> I don't do any more test than unit test.
> I am sick of this part, but I currently have no other way to reduce
> the size. I would like to drop those changes first if I find another way.
>
> Regards,
> Yi
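
Review bot: In the Level 2 entry, the "will reduce size about 90KB" figure is given without the architecture, toolchain or build target it was measured on, so a reader cannot reproduce or compare it. Suggest stating the measurement setup next to the number, and noting which OpenSSL release the two linked liyi77/openssl commits are based on, since the entry relies on the legacy path for X509 pubkey decode and pmeth initialization being present there.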
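
Review bot: In the Level 3 entry, "(commit: x509: remove print function 7KB)" records only the size saving and not what stops working once the print function is removed. Suggest listing what was checked after the removal, and saying where the "scripts to apply them inside EDK2" are kept, so the workaround can be re-applied and re-verified when the OpenSSL submodule is updated.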