[edk2-staging/OpenSSL11_EOL 0/7] Openssl 3.0 POC update Mar 17


Li, Yi
 

Please check the patch series if interested.
PR: https://github.com/tianocore/edk2-staging/pull/359

Latest size data:
Binaries:
CryptoDxeFull -> 1.7% 17KB (New)
CryptoDxe 14% -> 10.10% 82KB
CryptoSmm 14% -> 8.20% 46KB
After LZMA:
CryptoDxe 15% -> 12.20% 39KB
CryptoSmm 17% -> 12.80% 27KB
FV (Dxe+Smm) 18% -> 15.40% 55KB

Cc: Jiewen Yao <jiewen.yao@...>
Cc: Wenxing Hou <wenxing.hou@...>
Cc: Gerd Hoffmann <kraxel@...>
Signed-off-by: Yi Li <yi1.li@...>

Yi Li (7):
OpensslLib: remove bio prov
CryptoPkg/Test: Remove Pem and Pkcs7Sign func in test
CryptoPkg/OpensslLib: enable no autoalginit
Readme: 0315 update
bugfix: The order of NIDs should remain the same as before
CryptoPkg/OpensslLibFull: apply all work to full inf
Readme: 0317 update

CryptoPkg/Library/OpensslLib/OpensslLib.inf | 4 +-
.../Library/OpensslLib/OpensslLibFull.inf | 171 +-
.../OpensslStub/crypto/objects/obj_dat.h | 6474 ++++++++---------
.../OpensslStub/crypto/objects/obj_xref.h | 72 +-
.../OpensslLib/OpensslStub/openssl/obj_mac.h | 1397 ++--
.../Library/OpensslLib/OpensslStub/uefiprov.c | 8 +-
CryptoPkg/Readme-OpenSSL3.0.md | 22 +-
.../Library/BaseCryptLib/RsaPkcs7Tests.c | 145 +-
8 files changed, 4197 insertions(+), 4096 deletions(-)

--
2.31.1.windows.1


Gerd Hoffmann
 

On Fri, Mar 17, 2023 at 12:28:12PM +0800, Yi Li wrote:
> Please check the patch series if interested.
> PR: https://github.com/tianocore/edk2-staging/pull/359
So it seems you are doing a number of larger changes to the openssl
code base. What is the plan for those?

I'd prefer to not be in a situation where every openssl update needs
a lot of work in our edk2-specific adaptions, especially as openssl
updates can be timing-sensitive when it comes to fixing security issues.

For changes where we only need dummy stub functions which don't do
anything it isn't a big problem. But when changing the provider logic
to suit our needs it is probably much better to work with upstream
openssl to get the changes we need merged.

I did that in the past, worked fine. See for example openssl commit
a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (change printf to not support
floating point for --target=UEFI).

take care,
Gerd


Yao, Jiewen
 

Hi Gerd
Currently, the *blocking issue* for openssl 3.0 adoption in EDKII is *size*. The big size increase will break existing platforms easily. As such, we are not able to switch to openssl 3.0 directly.

I have written the proposal at https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/ReadMe.md
"It is possible that we may need add MACRO to OpenSSL 3.0 to reduce the size. We can do POC and submit to OpenSSL community."


My suggested plan is:
1) We do our best to reduce size, as much as possible.
2) We revisit openssl 3.0 change, to see if that is reasonable.
3) if we can figure out a better way to avoid the change, we redesign and avoid the change.
4) if we cannot figure out a better way, we submit the change to openssl 3.0 community.

You are welcome to review the change and send feedback.

Thank you
Yao, Jiewen



Li, Yi
 

The current purpose of this POC is to find all ways to reduce the size increase as much as possible to meet our goal of a +10% size increase.

I understand that the current code changes seem unacceptable, and the next step of the POC is to find a suitable way to apply these changes (some breaking changes may be discarded): such as upstream to openssl or integrate into the configure script.

If all goes well, the next step will start at the end of March.

Regards,
Yi



Rebecca Cran
 

This is going to be needed in the next 6 months because OpenSSL 1.1.1 is going EOL.

From https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ :


"We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take.

OpenSSL 1.1.1 is a Long Term Support (LTS) release. Our policy is to support LTS releases for a period of 5 years. During the last year of that we typically only backport security fixes to a release.

OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date."


--
Rebecca Cran
