[edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

Li, Yi posted 7 patches 5 days, 18 hours ago
Failed in applying to current master (apply log)
CryptoPkg/Library/OpensslLib/OpensslLib.inf   |    4 +-
.../Library/OpensslLib/OpensslLibFull.inf     |  171 +-
.../OpensslStub/crypto/objects/obj_dat.h      | 6474 ++++++++---------
.../OpensslStub/crypto/objects/obj_xref.h     |   72 +-
.../OpensslLib/OpensslStub/openssl/obj_mac.h  | 1397 ++--
.../Library/OpensslLib/OpensslStub/uefiprov.c |    8 +-
CryptoPkg/Readme-OpenSSL3.0.md                |   22 +-
.../Library/BaseCryptLib/RsaPkcs7Tests.c      |  145 +-
8 files changed, 4197 insertions(+), 4096 deletions(-)
[edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Li, Yi 5 days, 18 hours ago
Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/359

Latest size data:
Binaries:
    CryptoDxeFull            ->   1.7%     17KB (New)
    CryptoDxe        14%     ->   10.10%   82KB
    CryptoSmm        14%     ->   8.20%    46KB
After LZMA:
    CryptoDxe        15%     ->   12.20%   39KB
    CryptoSmm        17%     ->   12.80%   27KB
    FV (Dxe+Smm)     18%     ->   15.40%   55KB

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Wenxing Hou <wenxing.hou@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Yi Li <yi1.li@intel.com>

Yi Li (7):
  OpensslLib: remove bio prov
  CryptoPkg/Test: Remove Pem and Pkcs7Sign func in test
  CryptoPkg/OpensslLib: enable no autoalginit
  Readme: 0315 update
  bugfix: The order of NIDs should remain the same as before
  CryptoPkg/OpensslLibFull: apply all work to full inf
  Readme: 0317 update

-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101291): https://edk2.groups.io/g/devel/message/101291
Mute This Topic: https://groups.io/mt/97666986/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Gerd Hoffmann 5 days, 13 hours ago
On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/359

So it seems you are doing a number of larger changes to the openssl
code base.  What is the plan for those?

I'd prefer to not be in a situation where every openssl update needs
a lot of work in our edk2-specific adaptions, especially as openssl
updates can be timing-sensitive when it comes to fixing security issues.

For changes where we only need dummy stub functions which don't do
anything it isn't a big problem.  But when changing the provider logic
to suit our needs it is probably much better to work with upstream
openssl to get the changes we need merged.

I did that in the past, worked fine.  See for example openssl commit
a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not support
floating point for --target=UEFI).

take care,
  Gerd



Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Li, Yi 5 days, 13 hours ago
The current purpose of this POC is to find all ways to reduce the size increase as much as possible to meet our goal of +10% size increase.

I understand that the current code changes seem unacceptable, and the next step of the POC is to find a suitable way to apply these changes (some breaking changes may be discarded): such as upstreaming to openssl or integrating into the configure script.

If all goes well, the next step will start at the end of March.

Regards,
Yi 

Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Yao, Jiewen 5 days, 13 hours ago
Hi Gerd
Currently, the *blocking issue* for openssl 3.0 adoption in EDKII is *size*. The big size increase will break existing platforms easily. As such, we are not able to switch to openssl 3.0 directly.

I have written the proposal at https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/ReadMe.md
"It is possible that we may need add MACRO to OpenSSL 3.0 to reduce the size. We can do POC and submit to OpenSSL community."


My suggested plan is:
1) We do our best to reduce size, as much as possible.
2) We revisit openssl 3.0 change, to see if that is reasonable.
3) If we can figure out a better way to avoid the change, we redesign and avoid the change.
4) If we cannot figure out a better way, we submit the change to openssl 3.0 community.

You are welcome to review the change and send feedback.

Thank you
Yao, Jiewen
