Thank you Gerd.

I collected feedback from Intel BIOS team, both client and server, both old 
platform and new platform.

In general, the new platform will leave enough space for crypto improvement. 
Size is not a big issue. The delta is acceptable.

However, the old launched platforms only have limited flash space. This patch 
will break the current build because of the size increase. Option (1) is not 
acceptable.

In conclusion:
For OvmfPkg update: Acked-by: Jiewen Yao <jiewen....@intel.com>
For SecurityPkg update: I recommend we consider option (2).

  (1) Drop the idea to make EC configurable and just enable it
      unconditionally.  I think long-term there is no way around
      this anyway as EC is a hard requirement for TLS 1.3.
  (2) Keep the EC config option, but update process_files.pl to
      automatically add the PcdEcEnabled config option handling
      to the files it generates.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kra...@redhat.com>
> Sent: Thursday, May 5, 2022 5:16 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen....@intel.com>; Pawel Polawski
> <ppola...@redhat.com>; Li, Yi1 <yi1...@intel.com>; Oliver Steffen
> <ostef...@redhat.com>; Wang, Jian J <jian.j.w...@intel.com>; Ard Biesheuvel
> <ardb+tianoc...@kernel.org>; Jiang, Guomin <guomin.ji...@intel.com>; Lu,
> Xiaoyu1 <xiaoyu1...@intel.com>; Justen, Jordan L <jordan.l.jus...@intel.com>
> Subject: Re: [edk2-devel] [PATCH 0/5] CryptoPkg/openssl: enable EC
> unconditionally.
> 
>   Hi,
> 
> > > I am not convinced that "EC is hard requirement for EDKII" just because
> > > "EC is a hard requirement for TLS 1.3". My reason below:
> > > A) TLS1.3 is only for DXE, but enabling ECC unconditionally may impact
> > > PEI/DXE. (Unless size of PEI/SMM is unchanged).
> >
> > Well, the PcdEcEnabled switch we have in the tree right now enables or
> > disables EC for everybody, it doesn't support enabling EC for DXE only.
> >
> > If we want to change that we'll need two different *.inf files I guess,
> > one for openssl with ec and one for openssl without ec.
> >
> > I'll check the effect on image sizes.
> 
> Here we go:
> 
> --- master.stats      2022-05-05 10:05:03.791368600 +0200
> +++ openssl-ec.stats  2022-05-05 10:35:44.429412053 +0200
> @@ -137,8 +137,8 @@
>    124410 BdsDxe
>    145534 DxeCore
>    148078 UiApp
> -  400158 SecureBootConfigDxe
> -  472950 SecurityStubDxe
> -  532626 VariableSmm
> -  658174 TlsDxe
> +  575390 SecureBootConfigDxe
> +  643062 SecurityStubDxe
> +  700562 VariableSmm
> +  847422 TlsDxe
>    946646 Shell
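Review bot: the four changed rows (SecureBootConfigDxe, SecurityStubDxe, VariableSmm, TlsDxe) are bare numbers with no unit and no indication of build target, toolchain, or whether they are sizes before or after compression, and that is what decides whether the growth fits a given flash budget. Each of the four grows by roughly 168,000 to 189,000 (VariableSmm 532626 to 700562, TlsDxe 658174 to 847422); a delta column and the build configuration alongside the listing would make the comparison self-contained. The hunk covers only lines 137 to 144 of the stats file, so the effect on PEI modules cannot be read from the visible rows.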
> 
> So no effect on PEI size but SMM is affected.
> 
> take care,
>   Gerd


