From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id E7210D80A38 for ; Mon, 18 Sep 2023 07:11:07 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=PbwkXhh1qdW2rkBDh9bmnSrCYsYl0q9ZVeen1zt1cms=; c=relaxed/simple; d=groups.io; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Disposition; s=20140610; t=1695021066; v=1; b=M62G8bFRrRDT6k9HlW1DWu2X4/fYa7aelodgTZcRMVlFwMYEpRT937vuODbQnLjz8uMNliZd ZYKt7N1TCp9Lf+dq9sNEPAXank2cp7z+xrLjl4pNtvbVTe1TPjjVrDMsHtdeMbUk0f3YfmJvhZa yMb+ULguspDxlwQkC9MCvF24= X-Received: by 127.0.0.2 with SMTP id AL6oYY7687511xKfvZlDe56l; Mon, 18 Sep 2023 00:11:06 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web10.46109.1695021065920844392 for ; Mon, 18 Sep 2023 00:11:06 -0700 X-Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-114-CgUWwTUoM_mnAbmWdMSUwA-1; Mon, 18 Sep 2023 03:11:01 -0400 X-MC-Unique: CgUWwTUoM_mnAbmWdMSUwA-1 X-Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C23EC101A53B; Mon, 18 Sep 2023 07:11:00 +0000 (UTC) X-Received: from sirius.home.kraxel.org (unknown [10.39.193.95]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8CD9A4026F8; Mon, 18 Sep 2023 07:11:00 +0000 (UTC) X-Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 33FFB18007A1; Mon, 18 Sep 2023 09:10:59 +0200 (CEST) Date: Mon, 18 Sep 2023 09:10:59 +0200 From: "Gerd Hoffmann" To: Laszlo Ersek Cc: "Yao, Jiewen" , Ard Biesheuvel , "devel@edk2.groups.io" , Ard Biesheuvel , "Justen, Jordan L" Subject: Re: [edk2-devel] [PATCH] OvmfPkg: raise DXEFV size to 14.5 MB in the traditional platform FDFs Message-ID: References: <20230912141849.75147-1-lersek@redhat.com> <696c06dc-f360-7d8b-b4df-b1f705c64351@redhat.com> MIME-Version: 1.0 In-Reply-To: <696c06dc-f360-7d8b-b4df-b1f705c64351@redhat.com> X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,kraxel@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: Icuq2cR62yEYeejGBGZyRwVYx7686176AA= Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=M62G8bFR; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none) Hi, > In particular I suspect (but have no proof) that the OpenSSL 3.0 update > led to a size explosion. This latest increase both comes sooner and is > larger than the previous ones. Yes, it's openssl 3. > It could likely be mitigated by including the crypto driver in OVMF (as > opposed to linking openssl into every driver statically). But that just > re-raises the age-old question: how do you find the minimal openssl > service *set*, for the crypto driver, such that at OVMF runtime, all > service requests can be satisfied? > > (And, including the full crypto service set in the crypto DXE driver is > much worse than the current state (= static linking) -- I think I once > tested that, and the crypto DXE driver ended up so big that it > outweighed the static linking savings on all the other DXE drivers > combined. So trimming the feature set in the crypto DXE driver is > essential, but I don't know how it can be made *guaranteed* safe.) Played with the crypto driver a while back, guess I should undust those patches and resend them. IIRC the crypto driver is not useful for PEI (size increase), but can be useful for DXE: The driver is large but it is a net win nevertheless in case there is more than one user, i.e. builds with both TLS and secure boot support enabled. take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#108768): https://edk2.groups.io/g/devel/message/108768 Mute This Topic: https://groups.io/mt/101315785/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-