[edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.

Gerd Hoffmann kraxel at redhat.com
Thu May 5 08:06:38 UTC 2022


  Hi,

> However, I do have concern for crypto package to enable ECC *unconditionally*.
> I am not convinced that "EC is hard requirement for EDKII" just because "EC is a hard requirement for TLS 1.3". My reason below:
> A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE. (Unless size of PEI/SMM is unchanged).

Well, the PcdEcEnabled switch we have in the tree right now enables or
disables EC for everybody, it doesn't support enabling EC for DXE only.

If we want to change that we'll need two different *.inf files I guess,
one for openssl with ec and one for openssl without ec.

I'll check the effect on image sizes.

> C) TLS1.3 is not a mandatory requirement. TLS1.2 can still be used.

Yes, today this isn't much of a problem.  But I expect that will change
in the future as browsers fade out support for older TLS versions to
improve security.  Recent Firefox versions have TLS 1.0 and 1.1 disabled
by default.  So while this isn't urgent it is still something we should
consider and keep on our radar.

take care,
  Gerd


