Adding the -DOPENSSL_NO_AUTOALGINIT flag will reduce PEI size by ~60KB, based on the patch 
you attached.

This flag will break PKCS7, Authenticode and Ts, but will be fine if only used 
in PEI builds.

Regards,
Yi

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd Hoffmann
Sent: Monday, February 6, 2023 4:21 PM
To: Ard Biesheuvel <a...@kernel.org>
Cc: devel@edk2.groups.io; Xu, Min M <min.m...@intel.com>; Ard Biesheuvel 
<ardb+tianoc...@kernel.org>; Michael Roth <michael.r...@amd.com>; Yao, Jiewen 
<jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com>; Justen, Jordan L 
<jordan.l.jus...@intel.com>; Pawel Polawski <ppola...@redhat.com>; Oliver 
Steffen <ostef...@redhat.com>; Tom Lendacky <thomas.lenda...@amd.com>; Lu, 
Xiaoyu1 <xiaoyu1...@intel.com>; Aktas, Erdem <erdemak...@google.com>; Jiang, 
Guomin <guomin.ji...@intel.com>; James Bottomley <j...@linux.ibm.com>
Subject: Re: [edk2-devel] [PATCH 00/11] OvmfPkg: add Crypto Driver support

> > > > PEI jumps up in size even though I'm using the min_pei config 
> > > > for CryptoPei, seems it *still* has way too many bits compiled 
> > > > in (didn't look into tweaking the config yet, hints are welcome).
> > > >
> > > > +  333950 CryptoPei
> > >
> > > Why would we use this for PEI if the size increases?

> Could we build CryptoPei with fewer algorithms built into it?

Patch attached below brings it down to

  211582 CryptoPei

Which still is quite big for some reason ...

take care,
  Gerd

commit a0ecb20af423d4b97fd008ac05807c46dcad3a53
Author: Gerd Hoffmann <kra...@redhat.com>
Date:   Mon Feb 6 08:52:41 2023 +0100

    pei needs hashes only

diff --git a/CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc 
b/CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
new file mode 100644
index 000000000000..1ead17340b6c
--- /dev/null
+++ b/CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
@@ -0,0 +1,10 @@
+##
+#  SPDX-License-Identifier: BSD-2-Clause-Patent ##
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family   
            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family   
            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family         
            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family       
            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family       
            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family       
            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family          
            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
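
Review bot: the new file's header (the `##` and SPDX lines) says nothing about what this profile is for, and the name `hash_only` does not match its contents, since the `HmacSha256` and `HmacSha384` families are enabled alongside the plain digests. Please add a short description naming the intended PEI consumers, and either rename the file or state that HMAC is deliberately included. It would also help to note which consumer needs `Sha1` and `Sm3`, so those families can be dropped later if they turn out to be unused.
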
diff --git a/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc 
b/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc
index e34444dde470..3ab90d7718f5 100644
--- a/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfCryptoComponents.dsc.inc
@@ -12,7 +12,8 @@
       TlsLib|CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
       OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
     <PcdsFixedAtBuild>
-!include CryptoPkg/Include/Dsc/CryptoServicePcd.min_pei.dsc.inc
+#!include CryptoPkg/Include/Dsc/CryptoServicePcd.min_pei.dsc.inc
+!include CryptoPkg/Include/Dsc/CryptoServicePcd.hash_only.dsc.inc
   }
 
   CryptoPkg/Driver/CryptoSmm.inf {
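
Review bot: the old include is left behind as a comment (`#!include CryptoPkg/Include/Dsc/CryptoServicePcd.min_pei.dsc.inc`); delete the line instead, since git history already records it. Because this swaps the profile for the whole component block, the commit message should also list which OVMF PEI modules were checked to need only the families in `hash_only`; "pei needs hashes only" gives a reviewer no way to verify that nothing in PEI relied on a service that `min_pei` enabled.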