Hi Folks,

Sorry for the delay in my response. Thanks for the inputs. My bad for not
understanding what Jiewen was referring to. I think he is suggesting removing
the unused algorithms within the ECC cipher, not removing already available
ciphers.

Totally makes sense but it would involve more testing against each private
bios with the narrowed list of algorithms.

+Harshit from Intel for context

Thanks,
Vineel


On Thu, Nov 11, 2021 at 5:26 AM Yao, Jiewen <jiewen....@intel.com> wrote:

> Sorry, I don't mean: one platform uses 2 different configurations.
>
> That might be worse, because we lose the benefit of compression.
> Ideally, no matter how many *same* copies you have, the compression algo
> will handle it and make only *one* copy. If you have two *different*
> copies, then compression also may finally make *two* different copies.
> I don't have data. I just feel it might be worse.
>
> I mean two platforms can choose 2 different configurations. But eventually,
> one platform should select one of them consistently, such as using only one
> CryptoDxe.inf.
>
> In this case, you need to carefully remove all unneeded algos.
> For example, do you really need SM2?
> Do you really need EdDSA?
> Do you really need ECX?
>
> Thank you
> Yao Jiewen
>
>
> > -----Original Message-----
> > From: Gerd Hoffmann <kra...@redhat.com>
> > Sent: Thursday, November 11, 2021 9:06 PM
> > To: Vineel Kovvuri <vineel.kovv...@gmail.com>
> > Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen....@intel.com>;
> > vinee...@microsoft.com
> > Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
> >
> >   Hi,
> >
> > > The difference I see without ecc change and with the change is the increase
> > > in file sizes for the below ffs files (other .ffs files remained unchanged):
> > >
> > > Without ecc change:
> > > 794742 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> > > 653470 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> > > 1174654 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> > > 872594 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
> > >
> > > With ecc change:
> > > 1058678 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> > > 917214 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> > > 1470718 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> > > 1134738 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
> >
> > Uh.  So each driver which needs openssl has its own copy of the library?
> >
> > I wasn't aware of that, but yes, given we don't have dynamic linking
> > this makes sense and also easily explains why we see such a big jump in
> > size.
> >
> > > I am wondering, removing existing ciphers might impact other platforms.
> > > Could you please suggest any less intrusive options without impacting
> > > other platforms.
> >
> > I was thinking more about reviewing the ciphers added.  Pick the most
> > commonly used ones instead of just adding them all, for example.
> >
> > > I am new to EDK and what compile time options are you referring to? Please
> > > let me know if any other information is needed from the build.
> >
> > Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.
> >
> > But I think Jiewen meant something else with "2 profiles":
> >
> > We could create two OpensslLib variants.  One full-featured build with
> > ecc enabled which TlsDxe could use (assuming better TLS support is your
> > use case).  And one less-featured variant for VariableSmm +
> > SecureBootConfigDxe + SecurityStubDxe.
> >
> > That way we have the ecc code only once not four times in the firmware
> > build.  Possibly the less-featured could be stripped down even more when
> > it doesn't need to support TLS any more.
> >
> > I'm also wondering why SecurityStubDxe needs OpensslLib ...
> >
> > take care & HTH,
> >   Gerd
>
>
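As an added illustration (not code from the thread or from the edk2 project), the quoted .ffs sizes parsed into per-driver growth. The module name is recovered by stripping the 36-character GUID from the Ffs directory name; the near-identical delta per driver is what Gerd's observation predicts when each driver statically links its own OpenSSL copy. The listings are embedded verbatim from the thread; the 20% tolerance is an assumption.

```python
import re

# Constructed from the sizes quoted in the thread: bytes before/after the ECC change.
SIZES_WITHOUT_ECC = """\
794742 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
653470 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1174654 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
872594 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
"""
SIZES_WITH_ECC = """\
1058678 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
917214 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1470718 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
1134738 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
"""

# Each entry is "<size> <path>"; the Ffs directory is "<GUID><ModuleName>", and a
# GUID is exactly 36 characters, so the module name is whatever follows it.
_ENTRY = re.compile(r"^\s*(\d+)\s+\S*/Ffs/[0-9A-Fa-f-]{36}([A-Za-z0-9_]+)/", re.M)


def parse_ffs_sizes(listing: str) -> dict[str, int]:
    """Map module name -> .ffs size in bytes from a 'size path' listing."""
    return {name: int(size) for size, name in _ENTRY.findall(listing)}


def size_deltas(before: str, after: str) -> dict[str, int]:
    """Per-module growth in bytes; modules missing from either listing are skipped."""
    b, a = parse_ffs_sizes(before), parse_ffs_sizes(after)
    return {m: a[m] - b[m] for m in b if m in a}


def modules_with_shared_growth(deltas: dict[str, int], tolerance: float = 0.2) -> list[str]:
    """Modules whose growth is within `tolerance` of the smallest growth.

    When every driver grows by roughly the same amount, the added code was linked
    into each of them separately rather than shared once (assumed heuristic)."""
    if not deltas:
        return []
    floor = min(deltas.values())
    return sorted(m for m, d in deltas.items() if d <= floor * (1 + tolerance))


if __name__ == "__main__":
    deltas = size_deltas(SIZES_WITHOUT_ECC, SIZES_WITH_ECC)
    for module, grown in deltas.items():
        print(f"{module:22s} +{grown:8d} bytes")
    print(f"total growth: {sum(deltas.values())} bytes across "
          f"{len(modules_with_shared_growth(deltas))} drivers carrying their own copy")
```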


View/Reply Online (#83892): https://edk2.groups.io/g/devel/message/83892