[edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
Yao, Jiewen
jiewen.yao at intel.com
Tue May 3 15:39:03 UTC 2022
Hi Gerd
Thanks for the patch. Some initial thought:
I have no concern about the OVMF package update. We can update it if we want.
However, I do have a concern about enabling ECC *unconditionally* in the crypto package.
I am not convinced that "EC is a hard requirement for EDKII" just because "EC is a hard requirement for TLS 1.3". My reasons are below:
A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE. (Unless size of PEI/SMM is unchanged).
B) TLS1.3 is only for special features such as HTTPS boot and WIFI TLS-EAP. But not all platforms require HTTPS boot or WIFI TLS-EAP.
C) TLS1.3 is not a mandatory requirement. TLS1.2 can still be used.
It would be great if you can consider the option 2) below.
I am on holiday now, and I am starting to collect feedback from the Intel platform BIOS team.
I will give official feedback after 1 week.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Gerd Hoffmann <kraxel at redhat.com>
> Sent: Monday, May 2, 2022 6:35 PM
> To: devel at edk2.groups.io
> Cc: Pawel Polawski <ppolawsk at redhat.com>; Li, Yi1 <yi1.li at intel.com>; Yao,
> Jiewen <jiewen.yao at intel.com>; Oliver Steffen <osteffen at redhat.com>; Wang,
> Jian J <jian.j.wang at intel.com>; Ard Biesheuvel <ardb+tianocore at kernel.org>;
> Jiang, Guomin <guomin.jiang at intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu at intel.com>;
> Justen, Jordan L <jordan.l.justen at intel.com>; Gerd Hoffmann
> <kraxel at redhat.com>
> Subject: [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
>
> Re-opening the elliptic curves debate after running into the recent
> openssl changes. The current implementation is IMHO rather messy.
> It adds manual changes to auto-generated files, which will make
> any updates a rather hard and error-prone process.
>
> I see two possible options for how we can move forward:
>
> (1) Drop the idea to make EC configurable and just enable it
> unconditionally. I think long-term there is no way around
> this anyway as EC is a hard requirement for TLS 1.3.
> (2) Keep the EC config option, but update process_files.pl to
> automatically add the PcdEcEnabled config option handling
> to the files it generates.
>
> This patch set does (1). It also tweaks ovmf firmware volumes
> to make CI tests pass and it also excludes generated files from
> codestyle checks.
>
> take care,
> Gerd
>
> Gerd Hoffmann (5):
> Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming
> OpensslLib"
> Revert "CryptoPkg: Make EC source file config-able"
> OvmfPkg: make DXEFV larger
> CryptoPkg/openssl: update generated files
> CryptoPkg/openssl: disable codestyle checks for generated files
>
> CryptoPkg/CryptoPkg.dec | 4 -
> OvmfPkg/OvmfPkgIa32.fdf | 6 +-
> OvmfPkg/OvmfPkgIa32X64.fdf | 6 +-
> OvmfPkg/OvmfPkgX64.fdf | 6 +-
> .../Library/BaseCryptLib/BaseCryptLib.inf | 3 -
> .../Library/BaseCryptLib/PeiCryptLib.inf | 3 -
> .../Library/BaseCryptLib/RuntimeCryptLib.inf | 3 -
> .../Library/BaseCryptLib/SmmCryptLib.inf | 3 -
> .../BaseCryptLib/UnitTestHostBaseCryptLib.inf | 3 -
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 99 ++++----
> .../Library/OpensslLib/OpensslLibCrypto.inf | 99 ++++----
> CryptoPkg/Library/TlsLib/TlsLib.inf | 3 -
> CryptoPkg/Library/Include/crypto/dso_conf.h | 7 +-
> .../Library/Include/openssl/opensslconf.h | 240 ++++++++----------
> CryptoPkg/CryptoPkg.ci.yaml | 10 +
> 15 files changed, 234 insertions(+), 261 deletions(-)
>
> --
> 2.35.1