Re: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve cipher algorithms


Gerd Hoffmann

Hi,

> The difference I see without ecc change and with the change is the increase
> in file sizes for below ffs files (other .ffs files remained unchanged)
>
> Without ecc change:
> 794742  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 653470  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1174654 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 872594  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
>
> With ecc change:
> 1058678 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
> 917214  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
> 1470718 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
> 1134738 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

Uh. So each driver which needs openssl has its own copy of the library?

I wasn't aware of that, but yes, given we don't have dynamic linking
this makes sense and also easily explains why we see such a big jump in
size.

> I am wondering, removing existing ciphers might impact other platforms.
> Could you please suggest any less intrusive options without impacting
> other platforms.

I was thinking more about reviewing the ciphers added. Pick the most
commonly used ones instead of just adding them all, for example.

> I am new to EDK and what compile time options are you referring to? Please
> let me know if any other information is needed from the build.

Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.

But I think Jiewen meant something else with "2 profiles":

We could create two OpensslLib variants. One full-featured build with
ecc enabled which TlsDxe could use (assuming better TLS support is your
use case). And one less-featured variant for VariableSmm +
SecureBootConfigDxe + SecurityStubDxe.

That way we have the ecc code only once not four times in the firmware
build. Possibly the less-featured could be stripped down even more when
it doesn't need to support TLS any more.

I'm also wondering why SecurityStubDxe needs OpensslLib ...

take care & HTH,
Gerd
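The "two OpensslLib variants" idea above maps onto EDK II's module-scoped library overrides in the platform DSC: because there is no dynamic linking, each driver statically links whichever OpensslLib instance the DSC resolves for it, so the platform default can stay the lean build while a single module is pointed at the ECC-enabled one. The fragment below is an added illustration, not part of this thread or of any edk2 DSC; the instance name OpensslLibFull.inf is assumed for the full-featured variant, and the module .inf paths are given as they appear in the edk2 tree but are not taken from this message.

```ini
# Added example (not from this thread): platform DSC fragment expressing the
# "two profiles" approach with EDK II module-scoped <LibraryClasses> overrides.
# OpensslLibFull.inf is an assumed name for the ECC-enabled instance.

[LibraryClasses]
  # Platform-wide default for every module that links OpensslLib:
  # the smaller build without the elliptic curve code.
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf

[Components]
  # Only TlsDxe is resolved against the full-featured instance, so the EC
  # code is linked into one driver instead of into every OpensslLib consumer.
  NetworkPkg/TlsDxe/TlsDxe.inf {
    <LibraryClasses>
      OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibFull.inf
  }

  # The remaining consumers need no override; they inherit the platform
  # default and keep their current (smaller) footprint.
  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
```

After rebuilding, the per-driver .ffs sizes under Build/.../FV/Ffs/ (as listed in the quoted message) show whether the growth is now confined to the TlsDxe module; if SecureBootConfigDxe, VariableSmm or SecurityStubDxe still grow, some other DSC scope is resolving OpensslLib to the full instance.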
