Date: Thu, 23 Mar 2023 09:56:25 +0100
From: "Gerd Hoffmann"
To: devel@edk2.groups.io, yi1.li@intel.com
Subject: Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL][PATCH 4/4] Readme: 0322 update
In-Reply-To: <99a218c205bcc4ddc7ef48ef875dc9361e53926f.1679537389.git.yi1.li@intel.com>

  Hi,

> +### Level 2: A bit like workaround, with possibility of upstream to openssl
> +1. Enable the legacy path for X509 pubkey decode and pmeth initialization,
> +The purpose is to avoid the use of EN/DECODE and Signature provider, will reduce size about 90KB.
> +(commit: x509: enable legacy path in pub decode)
> +https://github.com/liyi77/openssl/commit/8780956da77c949ca42f6c4c3fd6ef7045646ef0
> +(commit: evp: enable legacy pmeth)
> +https://github.com/liyi77/openssl/commit/a2232b35aa308198b61c5734c1bfe1d0263f074b

I suspect that is not going to work well long-term, probably openssl
will remove the code paths they consider being "legacy" at some point in
the future.  Probably not 3.0.x but maybe in 3.1 branch.

> +### Level 3: Totally workaround and hard to upstream to openssl, may need scripts to apply them inside EDK2
> +1. Provider cut.
> +(commit: CryptoPkg: add own openssl provider)
> +https://github.com/liyi77/edk2-staging/commit/c3a5b69d8a3465259cfdca8f38b0dc7683b3690e

Allowing people to implement their own providers looks like an openssl
feature to me.  So I don't think this will be a big problem to maintain,
I expect they try to keep the interfaces stable to not break apps doing so.

The only little detail we do differently here is to remove the default
providers so LTO can actually remove the unused code.

> +(commit: x509: remove print function 7KB)
> +https://github.com/liyi77/openssl/commit/faa5d6781c3af601bcbc11ff199e2955d7ff4306

Did you double-check this doesn't break something?
It did for me, due to some code in openssl depending on a working
bio_sprintf() implementation.

take care,
  Gerd
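
Review bot: the README entries quoted above record only the size gain ("will reduce size about 90KB" under Level 2, "remove print function 7KB" under Level 3), and "1. Provider cut." gives no figure at all; none of them says what functionality is dropped or how the result was validated. For each commit reference, add one line naming the code path or provider that is removed and the test that was run with it applied, so a reader deciding whether to take a Level 2 or Level 3 change can weigh the saving against what stops working. In the Level 2 item, the first line also ends in a comma and runs into "The purpose is ..." on the next line; ending it with a period and indenting the continuation and link lines under the "1." would keep them inside the list item when the README is rendered.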