Hi Gerd
Thanks for the patch. Some initial thoughts:
I have no concern about the OVMF package update. We can update it if we want.

However, I do have a concern about the crypto package enabling ECC *unconditionally*.
I am not convinced that "EC is a hard requirement for EDKII" just because "EC is
a hard requirement for TLS 1.3". My reasons are below:
A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact PEI/DXE.
(Unless the size of PEI/SMM is unchanged.)
B) TLS1.3 is only for special features such as HTTPS boot and WIFI TLS-EAP. But not
all platforms require HTTPS boot or WIFI TLS-EAP.
C) TLS1.3 is not a mandatory requirement. TLS1.2 can still be used.

It would be great if you could consider option 2) below.

I am on holiday now, and I am starting to collect feedback from the Intel platform
BIOS team.
I will give official feedback after 1 week.

Thank you
Yao Jiewen
> -----Original Message-----
> From: Gerd Hoffmann <[email protected]>
> Sent: Monday, May 2, 2022 6:35 PM
> To: [email protected]
> Cc: Pawel Polawski <[email protected]>; Li, Yi1 <[email protected]>; Yao,
> Jiewen <[email protected]>; Oliver Steffen <[email protected]>; Wang,
> Jian J <[email protected]>; Ard Biesheuvel <[email protected]>;
> Jiang, Guomin <[email protected]>; Lu, Xiaoyu1 <[email protected]>;
> Justen, Jordan L <[email protected]>; Gerd Hoffmann
> <[email protected]>
> Subject: [PATCH 0/5] CryptoPkg/openssl: enable EC unconditionally.
> 
> Re-opening the elliptic curves debate after running into the recent
> openssl changes.  The current implementation is IMHO rather messy.
> It adds manual changes to auto-generated files, which will make
> any updates a rather hard and error-prone process.
> 
> I see two possible options for how we can move forward:
> 
>   (1) Drop the idea to make EC configurable and just enable it
>       unconditionally.  I think long-term there is no way around
>       this anyway as EC is a hard requirement for TLS 1.3.
>   (2) Keep the EC config option, but update process_files.pl to
>       automatically add the PcdEcEnabled config option handling
>       to the files it generates.
> 
> This patch set does (1).  It also tweaks ovmf firmware volumes
> to make CI tests pass and it also excludes generated files from
> codestyle checks.
> 
> take care,
>   Gerd
> 
> Gerd Hoffmann (5):
>   Revert "CryptoPkg: Declare PcdEcEnabled in Library consuming
>     OpensslLib"
>   Revert "CryptoPkg: Make EC source file config-able"
>   OvmfPkg: make DXEFV larger
>   CryptoPkg/openssl: update generated files
>   CryptoPkg/openssl: disable codestyle checks for generated files
> 
>  CryptoPkg/CryptoPkg.dec                       |   4 -
>  OvmfPkg/OvmfPkgIa32.fdf                       |   6 +-
>  OvmfPkg/OvmfPkgIa32X64.fdf                    |   6 +-
>  OvmfPkg/OvmfPkgX64.fdf                        |   6 +-
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 -
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 -
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 -
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 -
>  .../BaseCryptLib/UnitTestHostBaseCryptLib.inf |   3 -
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  99 ++++----
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |  99 ++++----
>  CryptoPkg/Library/TlsLib/TlsLib.inf           |   3 -
>  CryptoPkg/Library/Include/crypto/dso_conf.h   |   7 +-
>  .../Library/Include/openssl/opensslconf.h     | 240 ++++++++----------
>  CryptoPkg/CryptoPkg.ci.yaml                   |  10 +
>  15 files changed, 234 insertions(+), 261 deletions(-)
> 
> --
> 2.35.1
View/Reply Online (#89483): https://edk2.groups.io/g/devel/message/89483