Hi,

> The difference I see without ecc change and with the change is the increase
> in file sizes for below ffs files, (other .ffs files remained unchanged)
>
> Without ecc change:
> 794742
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 653470
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1174654
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 872594
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
>
> With ecc change:
> 1058678
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 917214
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1470718
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 1134738
> /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

Uh. So each driver which needs openssl has its own copy of the library? I wasn't aware of that, but yes, given we don't have dynamic linking this makes sense and also easily explains why we see such a big jump in size.

> I am wondering, removing existing ciphers might impact other platforms.
> Could you please suggest any less intrusive options without impacting
> other platforms.

I was thinking more about reviewing the ciphers added. Pick the most commonly used ones instead of just adding them all for example.

> I am new to EDK and what compile time options are you referring to? Please
> let me know if any other information is needed from the build.

Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.

But I think Jiewen meant something else with "2 profiles": We could create two OpensslLib variants. One full-featured build with ecc enabled which TlsDxe could use (assuming better TLS support is your use case). And one less-featured variant for VariableSmm + SecureBootConfigDxe + SecurityStubDxe. That way we have the ecc code only once not four times in the firmware build. Possibly the less-featured could be stripped down even more when it doesn't need to support TLS any more.

I'm also wondering why SecurityStubDxe needs OpensslLib ...

take care & HTH,
  Gerd
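
Added example (not part of the original message and not edk2 code): a Python check that parses the quoted size listings, computes per-module .ffs growth, and shows how much of that growth lands on the three modules that would use the less-featured OpensslLib variant. The listings are rebuilt from the figures quoted above with paths shortened to the part under FV/Ffs/; the function names are made up for this example.

```python
import re

# Matches ".../<GUID><ModuleName>/<file>.ffs"; group 1 is the module name.
FFS_PATH = re.compile(
    r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}(\w+)/[^/]+\.ffs$")

# Constructed from the figures in the quoted message (paths shortened).
WITHOUT_ECC = """
794742 F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
653470 F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1174654
3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
872594 23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
"""
WITH_ECC = """
1058678 F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
917214 F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1470718
3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
1134738 23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
"""

def parse_listing(text):
    """Map module name -> size; tolerates size and path wrapped onto separate lines."""
    sizes, pending = {}, None
    for tok in text.split():
        if tok.isdigit():
            pending = int(tok)
            continue
        m = FFS_PATH.search(tok)
        if m and pending is not None:
            sizes[m.group(1)] = pending
            pending = None
    return sizes

def growth(before, after):
    """Per-module size increase for modules present in both listings."""
    return {n: after[n] - before[n] for n in before if n in after and after[n] != before[n]}

def split_growth(deltas, full_variant_users=("TlsDxe",)):
    """Return (total growth, growth on modules that would not link the full variant)."""
    total = sum(deltas.values())
    kept = sum(d for n, d in deltas.items() if n in full_variant_users)
    return total, total - kept

if __name__ == "__main__":
    deltas = growth(parse_listing(WITHOUT_ECC), parse_listing(WITH_ECC))
    for name, d in sorted(deltas.items(), key=lambda kv: -kv[1]):
        print(f"{name:22} +{d} bytes")
    print("total, outside TlsDxe:", split_growth(deltas))
```
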