[edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support

Sat Feb 4 09:58:26 UTC 2023

> On 4. Feb 2023, at 09:05, Ard Biesheuvel <ardb at kernel.org> wrote:
> 
> On Sat, 4 Feb 2023 at 02:13, Marvin Häuser <mhaeuser at posteo.de> wrote:
>> 
>> Hi Ard,
>> 
>> While I agree the tone is a bit irritating, I am not sure what kind of context you expect there to be. The library is nearing EOL and usage beyond EOL is unacceptable. It will take significant time to solve the related issues, test them, have them merged, and for them to trickle down the IBV chains.
>> 
>> OpenSSL is quite "big" in general and many consider it to not be a good choice for embedded usage. Do you know of any discussion regarding alternatives? I've heard folks use libsodium or mbedtls outside edk2, but don't have any experience with either. (Not necessarily looking to *start* a discussion, but mostly references / reading material, if you have any.)
>> 
> 
> Again, I don't have the full context here, so with that in mind:
> 
> Open source is about the freedom to use the code base in any way you
> like.

This is a point that can trivially be driven ad absurdum, so I’ll not press further. I think everyone agrees to *an extent* and *nobody* will agree to the full extent.

> Surely, Intel (as a collaborator in Tianocore) is entitled to
> express a desire to retain the OpenSSL 1.1 version of CryptoPkg as an
> option while we move it to OpenSSL 3? It is not even important how
> they actually intend to use it, that is really their business.
> 
> Of course, if you *buy* from Intel, you have all reason to be annoyed
> if their products are based on outdated crypto software. But that
> doesn't mean it is up to the community to take away their ability to
> do so.

Not if they drive the deprecation at a reasonable schedule. Regarding which, just in: https://edk2.groups.io/g/devel/message/99638
*Thank you*, Jiewen!

> 
> Most Intel based consumer products don't have firmware that is
> supplied by Intel directly, and the IBVs have their own forks anyway,
> so it is not even clear to me who would be affected by this.

In my experience, things like security get little attention and thus, at least at first, forks will use whatever upstream uses. :(

> 
> As for the use of mbetls or other [better] TLS libraries: I'd be all
> for that, but I'm not sure how much work those libraries need to be
> usable in the context of EDK2. IIRC, some changes went upstream into
> OpenSSL for the UEFI execution context, and we'd probably need to do
> the same for mbedtls.

Not so sure, the big issue with OpenSSL is its embedded-unfriendly design. The biggest reason I could think of would be the ConvertPointer() theatre. I know for a fact that some folks use mbedtls even for UEFI purposes, but not whether that’s for RT code. It’s all closed source, so… :(

Best regards,
Marvin

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99639): https://edk2.groups.io/g/devel/message/99639
Mute This Topic: https://groups.io/mt/96722233/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20230204/dd7fd2c5/attachment-0001.htm>