Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

[yi1 li]

Thanks for your information,

1.See also https://edk2.groups.io/g/devel/message/87130 & followups.
git branch here: https://github.com/kraxel/edk2/commits/intrinsics

It's good to me, make code more clear.

2. Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of 
linking openssl as Library, so we have only one copy of the code.  Not 
investigated yet.

Does it means OvmfPkg will use CryptDxe instead of BaseCryptoLib and OpensslLib 
directly? Sounds will be a big change.
Or a separate ECC Driver such CryptEcDxe and still use BaseCryptoLib and 
OpensslLib?
I would like to point out that once we close macro OPENSSL_NO_EC, The size of 
Openssllib will inevitably increase due to some enabled feature and exceed 
limit of Ovmf, 
Such in x509_vry.c:
static int check_curve(X509 *cert)
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *pkey = X509_get0_pubkey(cert);

    /* Unsupported or malformed key */
    if (pkey == NULL)
        return -1;

    if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
        int ret;

        ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
        return ret < 0 ? ret : !ret;
    }
#endif

3. Also: what do you need ecc support for?

WPA3 needs ECC's support, and I think Vineel's work will be the foundation.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3828

Thanks!
Yi Li
-----Original Message-----
From: Gerd Hoffmann <kra...@redhat.com> 
Sent: Tuesday, March 1, 2022 10:05 PM
To: devel@edk2.groups.io; Li, Yi1 <yi1...@intel.com>
Cc: Kovvuri, Vineel <vinee...@microsoft.com>; Yao, Jiewen <jiewen....@intel.com>
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic 
curve chipher algorithms

> CryptoPkg: Add instrinsics to support building ECC on IA32 windows

See also https://edk2.groups.io/g/devel/message/87130 & followups.
git branch here: https://github.com/kraxel/edk2/commits/intrinsics

> OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related 
> changes

Changing flash size breaks backward compatibility, so this is a problem.
openssl3 porting runs into this too, not solved yet.

Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of linking 
openssl as Library, so we have only one copy of the code.  Not investigated yet.

Also: what do you need ecc support for?

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#87188): https://edk2.groups.io/g/devel/message/87188
Mute This Topic: https://groups.io/mt/86257810/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-