[edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

Li, Yi posted 7 patches 1 year ago
[edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Li, Yi 1 year ago
Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/359

Latest size data:
Binaries:
  CryptoDxeFull            ->  1.7%    17KB (New)
  CryptoDxe        14%     ->  10.10%  82KB
  CryptoSmm        14%     ->  8.20%   46KB
After LZMA:
  CryptoDxe        15%     ->  12.20%  39KB
  CryptoSmm        17%     ->  12.80%  27KB
  FV (Dxe+Smm)     18%     ->  15.40%  55KB

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Wenxing Hou <wenxing.hou@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Yi Li <yi1.li@intel.com>

Yi Li (7):
  OpensslLib: remove bio prov
  CryptoPkg/Test: Remove Pem and Pkcs7Sign func in test
  CryptoPkg/OpensslLib: enable no autoalginit
  Readme: 0315 update
  bugfix: The order of NIDs should remain the same as before
  CryptoPkg/OpensslLibFull: apply all work to full inf
  Readme: 0317 update

 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |    4 +-
 .../Library/OpensslLib/OpensslLibFull.inf     |  171 +-
 .../OpensslStub/crypto/objects/obj_dat.h      | 6474 ++++++++---------
 .../OpensslStub/crypto/objects/obj_xref.h     |   72 +-
 .../OpensslLib/OpensslStub/openssl/obj_mac.h  | 1397 ++--
 .../Library/OpensslLib/OpensslStub/uefiprov.c |    8 +-
 CryptoPkg/Readme-OpenSSL3.0.md                |   22 +-
 .../Library/BaseCryptLib/RsaPkcs7Tests.c      |  145 +-
 8 files changed, 4197 insertions(+), 4096 deletions(-)

-- 
2.31.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101291): https://edk2.groups.io/g/devel/message/101291
Mute This Topic: https://groups.io/mt/97666986/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Gerd Hoffmann 1 year ago
On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/359

So it seems you are doing a number of larger changes to the openssl
code base.  What is the plan for those?

I'd prefer to not be in a situation where every openssl update needs
a lot of work in our edk2-specific adaptations, especially as openssl
updates can be timing-sensitive when it comes to fixing security issues.

For changes where we only need dummy stub functions which don't do
anything it isn't a big problem.  But when changing the provider logic
to suit our needs it is probably much better to work with upstream
openssl to get the changes we need merged.

I did that in the past, worked fine.  See for example openssl commit
a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not support
floating point for --target=UEFI).

take care,
  Gerd



Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Li, Yi 1 year ago
The current purpose of this POC is to find all ways to reduce the size increase as much as possible to meet our goal of +10% size increase.

I understand that the current code changes seem unacceptable, and the next step of the POC is to find a suitable way to apply these changes (some breaking changes may be discarded): such as upstream to openssl or integrate into the configure script.

If all goes well, the next step will start at the end of March.

Regards,
Yi 

-----Original Message-----
From: Gerd Hoffmann <kraxel@redhat.com> 
Sent: Friday, March 17, 2023 6:03 PM
To: Li, Yi1 <yi1.li@intel.com>
Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Hou, Wenxing <wenxing.hou@intel.com>
Subject: Re: [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/359

So it seems you are doing a number of larger changes to the openssl code base.  What is the plan for those?

I'd prefer to not be in a situation where every openssl update needs a lot of work in our edk2-specific adaptations, especially as openssl updates can be timing-sensitive when it comes to fixing security issues.

For changes where we only need dummy stub functions which don't do anything it isn't a big problem.  But when changing the provider logic to suit our needs it is probably much better to work with upstream openssl to get the changes we need merged.

I did that in the past, worked fine.  See for example openssl commit a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not support floating point for --target=UEFI).

take care,
  Gerd



Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Yao, Jiewen 1 year ago
Hi Gerd
Currently, the *blocking issue* for openssl 3.0 adoption in EDKII is *size*. The big size increase will break existing platforms easily. As such, we are not able to switch to openssl 3.0 directly.

I have written the proposal at https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/ReadMe.md
"It is possible that we may need add MACRO to OpenSSL 3.0 to reduce the size. We can do POC and submit to OpenSSL community."


My suggested plan is:
1) We do our best to reduce size, as much as possible.
2) We revisit openssl 3.0 change, to see if that is reasonable.
3) If we can figure out a better way to avoid the change, we redesign and avoid the change.
4) If we cannot figure out a better way, we submit the change to openssl 3.0 community.

You are welcome to review the change and send feedback.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Friday, March 17, 2023 6:03 PM
> To: Li, Yi1 <yi1.li@intel.com>
> Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Hou,
> Wenxing <wenxing.hou@intel.com>
> Subject: Re: [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar
> 17
> 
> On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> > Please check the patch series if interested.
> > PR: https://github.com/tianocore/edk2-staging/pull/359
> 
> So it seems you are doing a number of larger changes to the openssl
> code base.  What is the plan for those?
> 
> I'd prefer to not be in a situation where every openssl update needs
> a lot of work in our edk2-specific adaptations, especially as openssl
> updates can be timing-sensitive when it comes to fixing security issues.
> 
> For changes where we only need dummy stub functions which don't do
> anything it isn't a big problem.  But when changing the provider logic
> to suit our needs it is probably much better to work with upstream
> openssl to get the changes we need merged.
> 
> I did that in the past, worked fine.  See for example openssl commit
> a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not
> support
> floating point for --target=UEFI).
> 
> take care,
>   Gerd



Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17
Posted by Rebecca Cran 12 months ago
This is going to be needed in the next 6 months because OpenSSL 1.1.1 is 
going EOL.

From https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ :


"We are now less than 6 months away from the End Of Life (EOL) date for 
the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their 
options and plan any actions they might need to take.

OpenSSL 1.1.1 is a Long Term Support (LTS) release. Our policy is to 
support LTS releases for a period of 5 years. During the last year of 
that we typically only backport security fixes to a release.

OpenSSL 1.1.1 was released on 11th September 2018, and so it will be 
considered EOL on 11th September 2023. It will no longer be receiving 
publicly available security fixes after that date."


-- 
Rebecca Cran


On 3/16/23 10:28 PM, Li, Yi wrote:
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/359
>
> Latest size data:
> Binaries:
>   CryptoDxeFull            ->  1.7%    17KB (New)
>   CryptoDxe        14%     ->  10.10%  82KB
>   CryptoSmm        14%     ->  8.20%   46KB
> After LZMA:
>   CryptoDxe        15%     ->  12.20%  39KB
>   CryptoSmm        17%     ->  12.80%  27KB
>   FV (Dxe+Smm)     18%     ->  15.40%  55KB
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Wenxing Hou <wenxing.hou@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Yi Li <yi1.li@intel.com>
>
> Yi Li (7):
>    OpensslLib: remove bio prov
>    CryptoPkg/Test: Remove Pem and Pkcs7Sign func in test
>    CryptoPkg/OpensslLib: enable no autoalginit
>    Readme: 0315 update
>    bugfix: The order of NIDs should remain the same as before
>    CryptoPkg/OpensslLibFull: apply all work to full inf
>    Readme: 0317 update
>
>   CryptoPkg/Library/OpensslLib/OpensslLib.inf   |    4 +-
>   .../Library/OpensslLib/OpensslLibFull.inf     |  171 +-
>   .../OpensslStub/crypto/objects/obj_dat.h      | 6474 ++++++++---------
>   .../OpensslStub/crypto/objects/obj_xref.h     |   72 +-
>   .../OpensslLib/OpensslStub/openssl/obj_mac.h  | 1397 ++--
>   .../Library/OpensslLib/OpensslStub/uefiprov.c |    8 +-
>   CryptoPkg/Readme-OpenSSL3.0.md                |   22 +-
>   .../Library/BaseCryptLib/RsaPkcs7Tests.c      |  145 +-
>   8 files changed, 4197 insertions(+), 4096 deletions(-)
>

