[edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal

Yao, Jiewen jiewen.yao at intel.com
Sat Feb 11 02:20:22 UTC 2023


Hi All
I have created staging branch - https://github.com/tianocore/edk2-staging/tree/OpenSSL11_EOL based upon latest trunk today.

Let's use this branch to collaborate on the openssl 1.1 deprecation work and continue improving, before we can merge back to trunk.

The process is defined at https://github.com/tianocore/edk2-staging/.

Missing features or increased size won't be a blocking issue for this staging branch.

Any feedback is welcome.

Hi Gerd
If you don't mind, please submit your latest openssl-3.0 patch to the staging for broader evaluation and improvement.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Thursday, February 9, 2023 11:21 AM
> To: devel at edk2.groups.io; kraxel at redhat.com
> Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement
> proposal
> 
> If you are asking how to do that best *at this moment*, I suggest we create a
> branch in https://github.com/tianocore/edk2-staging and continue the research
> work. Before September 2023, we need the community's help to resolve the
> openssl-3 size issue before check-in.
> 
> If you are asking how to do that best after September 2023, we have no choice
> but to put it in the edk2 main branch. We have to remove openssl-11.
> 
> If we have either openssl-30 and mbedtls work (size/feature), we can replace
> openssl-11 with either openssl-30 or mbedtls.
> 
> Worst case, if we have to support dual-crypto module, I think to:
> 1) replace openssl-11 with openssl-30 directly.
> 2) add mbedtls as another cryptolib instance.
> 
> Thank you
> Yao, Jiewen
> 
> > -----Original Message-----
> > From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Gerd Hoffmann
> > Sent: Wednesday, February 8, 2023 7:45 PM
> > To: devel at edk2.groups.io; Yao, Jiewen <jiewen.yao at intel.com>
> > Subject: Re: [edk2-devel] [RFC] [staging/CryptoLibrary] Openssl1.1 replacement proposal
> >
> >   Hi,
> >
> > > 3. If 1 or 2 can succeed, we can replace openssl 1.1 with one crypto lib.
> > > If both 1 and 2 fail, we may use *dual-crypto module*. For example: mbedtls
> > > for PEI and openssl3.0 for DXE.
> > > The source code size will become larger, more time to download the tree.
> >
> > Suggestions how to do that best, ideally without duplicating CryptoPkg
> > for that?
> >
> > A while back I've tried to add openssl-3 in parallel to openssl-11,
> > with the idea to allow projects picking the one or the other, and quickly
> > ran into problems because apparently libraries can't add include
> > directories.  Only packages can do that (see Includes.Common.Private in
> > CryptoPkg/CryptoPkg.dec which adds Library/OpensslLib/openssl/include).
> >
> > take care,
> >   Gerd