Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

2023-04-01 Thread Rebecca Cran
This is going to be needed in the next 6 months because OpenSSL 1.1.1 is 
going EOL.

From https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ :

"We are now less than 6 months away from the End Of Life (EOL) date for 
the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their 
options and plan any actions they might need to take.

OpenSSL 1.1.1 is a Long Term Support (LTS) release. Our policy is to 
support LTS releases for a period of 5 years. During the last year of 
that we typically only backport security fixes to a release.

OpenSSL 1.1.1 was released on 11th September 2018, and so it will be 
considered EOL on 11th September 2023. It will no longer be receiving 
publicly available security fixes after that date."



--
Rebecca Cran


On 3/16/23 10:28 PM, Li, Yi wrote:

Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/359

Latest size data:
Binaries:
  CryptoDxeFull          ->  1.7%    17KB (New)
  CryptoDxe       14%    ->  10.10%  82KB
  CryptoSmm       14%    ->  8.20%   46KB
After LZMA:
  CryptoDxe       15%    ->  12.20%  39KB
  CryptoSmm       17%    ->  12.80%  27KB
  FV (Dxe+Smm)    18%    ->  15.40%  55KB

Cc: Jiewen Yao 
Cc: Wenxing Hou 
Cc: Gerd Hoffmann 
Signed-off-by: Yi Li 

Yi Li (7):
   OpensslLib: remove bio prov
   CryptoPkg/Test: Remove Pem and Pkcs7Sign func in test
   CryptoPkg/OpensslLib: enable no autoalginit
   Readme: 0315 update
   bugfix: The order of NIDs should remain the same as before
   CryptoPkg/OpensslLibFull: apply all work to full inf
   Readme: 0317 update

  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |    4 +-
  .../Library/OpensslLib/OpensslLibFull.inf     |  171 +-
  .../OpensslStub/crypto/objects/obj_dat.h      | 6474 -
  .../OpensslStub/crypto/objects/obj_xref.h     |   72 +-
  .../OpensslLib/OpensslStub/openssl/obj_mac.h  | 1397 ++--
  .../Library/OpensslLib/OpensslStub/uefiprov.c |    8 +-
  CryptoPkg/Readme-OpenSSL3.0.md                |   22 +-
  .../Library/BaseCryptLib/RsaPkcs7Tests.c      |  145 +-
  8 files changed, 4197 insertions(+), 4096 deletions(-)




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#102347): https://edk2.groups.io/g/devel/message/102347
Mute This Topic: https://groups.io/mt/97666986/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-




Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

2023-03-17 Thread Li, Yi
The current purpose of this POC is to find all ways to reduce the size increase 
as much as possible to meet our goal of +10% size increase.

I understand that the current code changes seem unacceptable, and the next step 
of the POC is to find a suitable way to apply these changes (some breaking 
changes may be discarded): such as upstream to openssl or integrate into the 
configure script.

If all goes well, the next step will start at the end of March.

Regards,
Yi 

-Original Message-
From: Gerd Hoffmann  
Sent: Friday, March 17, 2023 6:03 PM
To: Li, Yi1 
Cc: devel@edk2.groups.io; Yao, Jiewen ; Hou, Wenxing 

Subject: Re: [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/359

So it seems you are doing a number of larger changes to the openssl code base.  
What is the plan for those?

I'd prefer to not be in a situation where every openssl update needs a lot of 
work in our edk2-specific adaptations, especially as openssl updates can be 
timing-sensitive when it comes to fixing security issues.

For changes where we only need dummy stub functions which don't do anything, it 
isn't a big problem.  But when changing the provider logic to suit our needs it 
is probably much better to work with upstream openssl to get the changes we 
need merged.

I did that in the past, worked fine.  See for example openssl commit 
a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not support floating 
point for --target=UEFI).

take care,
  Gerd







Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

2023-03-17 Thread Yao, Jiewen
Hi Gerd
Currently, the *blocking issue* for openssl 3.0 adoption in EDKII is *size*. 
The big size increase will break existing platforms easily. As such, we are not 
able to switch to openssl 3.0 directly.

I have written the proposal at 
https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/ReadMe.md
"It is possible that we may need to add MACRO to OpenSSL 3.0 to reduce the size. 
We can do POC and submit to OpenSSL community."


My suggested plan is:
1) We do our best to reduce size, as much as possible.
2) We revisit openssl 3.0 change, to see if that is reasonable.
3) If we can figure out a better way to avoid the change, we redesign and avoid 
the change.
4) If we cannot figure out a better way, we submit the change to openssl 3.0 
community.

You are welcome to review the change and send feedback.

Thank you
Yao, Jiewen

> -Original Message-
> From: Gerd Hoffmann 
> Sent: Friday, March 17, 2023 6:03 PM
> To: Li, Yi1 
> Cc: devel@edk2.groups.io; Yao, Jiewen ; Hou,
> Wenxing 
> Subject: Re: [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar
> 17
> 
> On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> > Please check the patch series if interested.
> > PR: https://github.com/tianocore/edk2-staging/pull/359
> 
> So it seems you are doing a number of larger changes to the openssl
> code base.  What is the plan for those?
> 
> I'd prefer to not be in a situation where every openssl update needs
> a lot of work in our edk2-specific adaptations, especially as openssl
> updates can be timing-sensitive when it comes to fixing security issues.
> 
> For changes where we only need dummy stub functions which don't do
> anything, it isn't a big problem.  But when changing the provider logic
> to suit our needs it is probably much better to work with upstream
> openssl to get the changes we need merged.
> 
> I did that in the past, worked fine.  See for example openssl commit
> a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not
> support
> floating point for --target=UEFI).
> 
> take care,
>   Gerd







Re: [edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

2023-03-17 Thread Gerd Hoffmann
On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/359

So it seems you are doing a number of larger changes to the openssl
code base.  What is the plan for those?

I'd prefer to not be in a situation where every openssl update needs
a lot of work in our edk2-specific adaptations, especially as openssl
updates can be timing-sensitive when it comes to fixing security issues.

For changes where we only need dummy stub functions which don't do
anything, it isn't a big problem.  But when changing the provider logic
to suit our needs it is probably much better to work with upstream
openssl to get the changes we need merged.

I did that in the past, worked fine.  See for example openssl commit
a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not support
floating point for --target=UEFI).

take care,
  Gerd







[edk2-devel] [edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17

2023-03-16 Thread Li, Yi
Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/359

Latest size data:
Binaries:
  CryptoDxeFull          ->  1.7%    17KB (New)
  CryptoDxe       14%    ->  10.10%  82KB
  CryptoSmm       14%    ->  8.20%   46KB
After LZMA:
  CryptoDxe       15%    ->  12.20%  39KB
  CryptoSmm       17%    ->  12.80%  27KB
  FV (Dxe+Smm)    18%    ->  15.40%  55KB

Cc: Jiewen Yao 
Cc: Wenxing Hou 
Cc: Gerd Hoffmann 
Signed-off-by: Yi Li 

Yi Li (7):
  OpensslLib: remove bio prov
  CryptoPkg/Test: Remove Pem and Pkcs7Sign func in test
  CryptoPkg/OpensslLib: enable no autoalginit
  Readme: 0315 update
  bugfix: The order of NIDs should remain the same as before
  CryptoPkg/OpensslLibFull: apply all work to full inf
  Readme: 0317 update

 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |    4 +-
 .../Library/OpensslLib/OpensslLibFull.inf     |  171 +-
 .../OpensslStub/crypto/objects/obj_dat.h      | 6474 -
 .../OpensslStub/crypto/objects/obj_xref.h     |   72 +-
 .../OpensslLib/OpensslStub/openssl/obj_mac.h  | 1397 ++--
 .../Library/OpensslLib/OpensslStub/uefiprov.c |    8 +-
 CryptoPkg/Readme-OpenSSL3.0.md                |   22 +-
 .../Library/BaseCryptLib/RsaPkcs7Tests.c      |  145 +-
 8 files changed, 4197 insertions(+), 4096 deletions(-)

-- 
2.31.1.windows.1


