I think another option to pursue is how to control the openssl configuration from module or platform level.
E.g. what if platform-A has enough size and wants to use ECC, while platform-B has a size constraint and wants to disable ECC? We can let the platform choose if ECC is needed or not? I hope so.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Li, Yi1 <yi1...@intel.com>
> Sent: Wednesday, March 2, 2022 12:24 PM
> To: Gerd Hoffmann <kra...@redhat.com>; devel@edk2.groups.io
> Cc: Kovvuri, Vineel <vinee...@microsoft.com>; Yao, Jiewen <jiewen....@intel.com>; Luo, Heng <heng....@intel.com>
> Subject: RE: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
>
> Thanks for your information,
>
> 1. See also https://edk2.groups.io/g/devel/message/87130 & followups.
> git branch here: https://github.com/kraxel/edk2/commits/intrinsics
>
> It's good to me, it makes the code more clear.
>
> 2. Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of
> linking openssl as Library, so we have only one copy of the code. Not
> investigated yet.
>
> Does it mean OvmfPkg will use CryptDxe instead of BaseCryptoLib and
> OpensslLib directly? Sounds like it will be a big change.
> Or a separate ECC Driver such as CryptEcDxe and still use BaseCryptoLib and
> OpensslLib?
> I would like to point out that once we close the macro OPENSSL_NO_EC, the size of
> OpensslLib will inevitably increase due to some enabled features and exceed the
> limit of Ovmf,
> such as in x509_vfy.c:
> static int check_curve(X509 *cert)
> {
> #ifndef OPENSSL_NO_EC
>     EVP_PKEY *pkey = X509_get0_pubkey(cert);
>
>     /* Unsupported or malformed key */
>     if (pkey == NULL)
>         return -1;
>
>     if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
>         int ret;
>
>         ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
>         return ret < 0 ? ret : !ret;
>     }
> #endif
>
> 3. Also: what do you need ecc support for?
>
> WPA3 needs ECC's support, and I think Vineel's work will be the foundation.
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3828
>
> Thanks!
> Yi Li
> -----Original Message-----
> From: Gerd Hoffmann <kra...@redhat.com>
> Sent: Tuesday, March 1, 2022 10:05 PM
> To: devel@edk2.groups.io; Li, Yi1 <yi1...@intel.com>
> Cc: Kovvuri, Vineel <vinee...@microsoft.com>; Yao, Jiewen <jiewen....@intel.com>
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms
>
> > CryptoPkg: Add instrinsics to support building ECC on IA32 windows
>
> See also https://edk2.groups.io/g/devel/message/87130 & followups.
> git branch here: https://github.com/kraxel/edk2/commits/intrinsics
>
> > OvmfPkg: Increase DXEFV size to accommodate ECC ciphers related
> > changes
>
> Changing flash size breaks backward compatibility, so this is a problem.
> openssl3 porting runs into this too, not solved yet.
>
> Jiewen (Cc'ed) suggested to look into using CryptoPkg/Driver instead of linking
> openssl as Library, so we have only one copy of the code. Not investigated yet.
>
> Also: what do you need ecc support for?
>
> take care,
> Gerd