[PATCH 00/24] CryptoPkg/openssl: update openssl submodule to v3.0


Gerd Hoffmann
 

Very first take on updating openssl to 3.0.

Some hacks are in there still, only limited testing
(no CI runs), so clearly not complete yet. Review
comments and other hints are welcome nevertheless.

take care,
Gerd

Gerd Hoffmann (24):
CryptoPkg/openssl: update submodule to 3.0
CryptoPkg/openssl: process_files.pl: drop UefiAsm.conf
CryptoPkg/openssl: process_files.pl: expand *.a
CryptoPkg/openssl: process_files.pl: set api to 1.1.1
CryptoPkg/openssl: process_files.pl: change config header handling
CryptoPkg/openssl: process_files.pl: provider headers
CryptoPkg/openssl: process_files.pl: skip unused files
CryptoPkg/openssl: process_files.pl: clean up when done
CryptoPkg/openssl: process_files.pl: filter out crypto/buildinf.h
CryptoPkg/openssl: update generated files
CryptoPkg/BaseCryptLib: no openssl deprecation warnings please
CryptoPkg/BaseCryptLib; adapt CryptSm3.c to openssl 3.0 changes.
CryptoPkg/BaseCryptLib: add more bio print dummies
CryptoPkg/openssl: adapt rand_pool.c to openssl 3.0 changes
CryptoPkg/openssl: add dummy file store
CryptoPkg/openssl: move compiler_flags to buildinf.c
CryptoPkg/CrtLibSupport: add fcntl.h
CryptoPkg/CrtLibSupport: add strstr()
CryptoPkg/CrtLibSupport: add INT_MIN
CryptoPkg/CrtLibSupport: add UINT_MAX
CryptoPkg/CrtLibSupport: add MODULESDIR
CryptoPkg/openssl: process_files.pl: copy generated der/*.c source
files.
CryptoPkg/openssl: add generated files der source files
[hack] turn off -Werror

CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1305 +++++----
.../Library/OpensslLib/OpensslLibCrypto.inf | 1220 +++++---
.../Library/OpensslLib/OpensslLibX64.inf | 1 +
.../Library/OpensslLib/OpensslLibX64Gcc.inf | 1 +
.../Library/BaseCryptLib/InternalCryptLib.h | 2 +
CryptoPkg/Library/Include/CrtLibSupport.h | 4 +
CryptoPkg/Library/Include/crypto/bn_conf.h | 29 +
CryptoPkg/Library/Include/crypto/dso_conf.h | 8 +-
CryptoPkg/Library/Include/fcntl.h | 9 +
CryptoPkg/Library/Include/openssl/asn1.h | 1128 +++++++
CryptoPkg/Library/Include/openssl/asn1t.h | 946 ++++++
CryptoPkg/Library/Include/openssl/bio.h | 884 ++++++
CryptoPkg/Library/Include/openssl/cmp.h | 592 ++++
CryptoPkg/Library/Include/openssl/cms.h | 493 ++++
CryptoPkg/Library/Include/openssl/conf.h | 211 ++
.../Library/Include/openssl/configuration.h | 286 ++
CryptoPkg/Library/Include/openssl/crmf.h | 227 ++
CryptoPkg/Library/Include/openssl/crypto.h | 556 ++++
CryptoPkg/Library/Include/openssl/ct.h | 573 ++++
CryptoPkg/Library/Include/openssl/err.h | 492 ++++
CryptoPkg/Library/Include/openssl/ess.h | 128 +
CryptoPkg/Library/Include/openssl/fipskey.h | 36 +
CryptoPkg/Library/Include/openssl/lhash.h | 288 ++
CryptoPkg/Library/Include/openssl/ocsp.h | 483 +++
.../Library/Include/openssl/opensslconf.h | 348 ---
CryptoPkg/Library/Include/openssl/opensslv.h | 114 +
CryptoPkg/Library/Include/openssl/pkcs12.h | 350 +++
CryptoPkg/Library/Include/openssl/pkcs7.h | 427 +++
CryptoPkg/Library/Include/openssl/safestack.h | 297 ++
CryptoPkg/Library/Include/openssl/srp.h | 285 ++
CryptoPkg/Library/Include/openssl/ssl.h | 2585 +++++++++++++++++
CryptoPkg/Library/Include/openssl/ui.h | 407 +++
CryptoPkg/Library/Include/openssl/x509.h | 1276 ++++++++
CryptoPkg/Library/Include/openssl/x509_vfy.h | 894 ++++++
CryptoPkg/Library/Include/openssl/x509v3.h | 1450 +++++++++
CryptoPkg/Library/Include/prov/bio.h | 32 +
CryptoPkg/Library/Include/prov/blake2.h | 120 +
CryptoPkg/Library/Include/prov/ciphercommon.h | 361 +++
.../Library/Include/prov/ciphercommon_aead.h | 47 +
.../Library/Include/prov/ciphercommon_ccm.h | 100 +
.../Library/Include/prov/ciphercommon_gcm.h | 129 +
CryptoPkg/Library/Include/prov/der_digests.h | 160 +
CryptoPkg/Library/Include/prov/der_dsa.h | 94 +
CryptoPkg/Library/Include/prov/der_ec.h | 286 ++
CryptoPkg/Library/Include/prov/der_ecx.h | 50 +
CryptoPkg/Library/Include/prov/der_rsa.h | 187 ++
CryptoPkg/Library/Include/prov/der_sm2.h | 37 +
CryptoPkg/Library/Include/prov/der_wrap.h | 46 +
CryptoPkg/Library/Include/prov/digestcommon.h | 123 +
.../Library/Include/prov/implementations.h | 516 ++++
CryptoPkg/Library/Include/prov/kdfexchange.h | 24 +
CryptoPkg/Library/Include/prov/macsignature.h | 30 +
CryptoPkg/Library/Include/prov/md5_sha1.h | 36 +
CryptoPkg/Library/Include/prov/names.h | 327 +++
CryptoPkg/Library/Include/prov/proverr.h | 27 +
CryptoPkg/Library/Include/prov/provider_ctx.h | 40 +
.../Library/Include/prov/provider_util.h | 138 +
.../Library/Include/prov/providercommon.h | 24 +
.../Library/Include/prov/securitycheck.h | 30 +
CryptoPkg/Library/Include/prov/seeding.h | 41 +
CryptoPkg/Library/OpensslLib/buildinf.h | 2 +-
.../Library/BaseCryptLib/Hash/CryptSm3.c | 14 +-
.../Library/BaseCryptLib/SysCall/CrtWrapper.c | 10 +
.../OpensslLib/{buildinf.h => buildinf.c} | 3 +-
.../Library/OpensslLib/der_digests_gen.c | 160 +
CryptoPkg/Library/OpensslLib/der_rsa_gen.c | 174 ++
CryptoPkg/Library/OpensslLib/der_wrap_gen.c | 46 +
CryptoPkg/Library/OpensslLib/ossl_store.c | 11 +
CryptoPkg/Library/OpensslLib/rand_pool.c | 20 +-
CryptoPkg/Library/OpensslLib/openssl | 2 +-
CryptoPkg/Library/OpensslLib/process_files.pl | 79 +-
71 files changed, 20510 insertions(+), 1351 deletions(-)
create mode 100644 CryptoPkg/Library/Include/crypto/bn_conf.h
create mode 100644 CryptoPkg/Library/Include/fcntl.h
create mode 100644 CryptoPkg/Library/Include/openssl/asn1.h
create mode 100644 CryptoPkg/Library/Include/openssl/asn1t.h
create mode 100644 CryptoPkg/Library/Include/openssl/bio.h
create mode 100644 CryptoPkg/Library/Include/openssl/cmp.h
create mode 100644 CryptoPkg/Library/Include/openssl/cms.h
create mode 100644 CryptoPkg/Library/Include/openssl/conf.h
create mode 100644 CryptoPkg/Library/Include/openssl/configuration.h
create mode 100644 CryptoPkg/Library/Include/openssl/crmf.h
create mode 100644 CryptoPkg/Library/Include/openssl/crypto.h
create mode 100644 CryptoPkg/Library/Include/openssl/ct.h
create mode 100644 CryptoPkg/Library/Include/openssl/err.h
create mode 100644 CryptoPkg/Library/Include/openssl/ess.h
create mode 100644 CryptoPkg/Library/Include/openssl/fipskey.h
create mode 100644 CryptoPkg/Library/Include/openssl/lhash.h
create mode 100644 CryptoPkg/Library/Include/openssl/ocsp.h
delete mode 100644 CryptoPkg/Library/Include/openssl/opensslconf.h
create mode 100644 CryptoPkg/Library/Include/openssl/opensslv.h
create mode 100644 CryptoPkg/Library/Include/openssl/pkcs12.h
create mode 100644 CryptoPkg/Library/Include/openssl/pkcs7.h
create mode 100644 CryptoPkg/Library/Include/openssl/safestack.h
create mode 100644 CryptoPkg/Library/Include/openssl/srp.h
create mode 100644 CryptoPkg/Library/Include/openssl/ssl.h
create mode 100644 CryptoPkg/Library/Include/openssl/ui.h
create mode 100644 CryptoPkg/Library/Include/openssl/x509.h
create mode 100644 CryptoPkg/Library/Include/openssl/x509_vfy.h
create mode 100644 CryptoPkg/Library/Include/openssl/x509v3.h
create mode 100644 CryptoPkg/Library/Include/prov/bio.h
create mode 100644 CryptoPkg/Library/Include/prov/blake2.h
create mode 100644 CryptoPkg/Library/Include/prov/ciphercommon.h
create mode 100644 CryptoPkg/Library/Include/prov/ciphercommon_aead.h
create mode 100644 CryptoPkg/Library/Include/prov/ciphercommon_ccm.h
create mode 100644 CryptoPkg/Library/Include/prov/ciphercommon_gcm.h
create mode 100644 CryptoPkg/Library/Include/prov/der_digests.h
create mode 100644 CryptoPkg/Library/Include/prov/der_dsa.h
create mode 100644 CryptoPkg/Library/Include/prov/der_ec.h
create mode 100644 CryptoPkg/Library/Include/prov/der_ecx.h
create mode 100644 CryptoPkg/Library/Include/prov/der_rsa.h
create mode 100644 CryptoPkg/Library/Include/prov/der_sm2.h
create mode 100644 CryptoPkg/Library/Include/prov/der_wrap.h
create mode 100644 CryptoPkg/Library/Include/prov/digestcommon.h
create mode 100644 CryptoPkg/Library/Include/prov/implementations.h
create mode 100644 CryptoPkg/Library/Include/prov/kdfexchange.h
create mode 100644 CryptoPkg/Library/Include/prov/macsignature.h
create mode 100644 CryptoPkg/Library/Include/prov/md5_sha1.h
create mode 100644 CryptoPkg/Library/Include/prov/names.h
create mode 100644 CryptoPkg/Library/Include/prov/proverr.h
create mode 100644 CryptoPkg/Library/Include/prov/provider_ctx.h
create mode 100644 CryptoPkg/Library/Include/prov/provider_util.h
create mode 100644 CryptoPkg/Library/Include/prov/providercommon.h
create mode 100644 CryptoPkg/Library/Include/prov/securitycheck.h
create mode 100644 CryptoPkg/Library/Include/prov/seeding.h
copy CryptoPkg/Library/OpensslLib/{buildinf.h => buildinf.c} (50%)
create mode 100644 CryptoPkg/Library/OpensslLib/der_digests_gen.c
create mode 100644 CryptoPkg/Library/OpensslLib/der_rsa_gen.c
create mode 100644 CryptoPkg/Library/OpensslLib/der_wrap_gen.c

--
2.33.1


Michael D Kinney
 

Hi Gerd,

Thank you for starting this work!

Can you point the community to a summary of the changes/improvements in v3.0 and your
take on why it is important to upgrade TianoCore?

Thanks,

Mike

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd Hoffmann
Sent: Friday, December 3, 2021 8:07 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
Pawel Polawski <ppolawsk@redhat.com>; Philippe Mathieu-Daudé <philmd@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Gerd
Hoffmann <kraxel@redhat.com>
Subject: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl submodule to v3.0






Yao, Jiewen
 

Also, assuming you have done enough test, would you please provide:
1) size difference, Including PEI, SMM, DXE.
2) performance difference, Including PEI, SMM, DXE.
3) what unit test you have done (such as each crypto API)
4) what system test you have done (such as secure boot, trusted boot)

Thank you
Yao Jiewen

-----Original Message-----
From: Kinney, Michael D <michael.d.kinney@intel.com>
Sent: Saturday, December 4, 2021 12:33 AM
To: devel@edk2.groups.io; kraxel@redhat.com; Kinney, Michael D
<michael.d.kinney@intel.com>
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
Jiang, Guomin <guomin.jiang@intel.com>; Pawel Polawski
<ppolawsk@redhat.com>; Philippe Mathieu-Daudé <philmd@redhat.com>; Lu,
XiaoyuX <xiaoyux.lu@intel.com>
Subject: RE: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl
submodule to v3.0






Gerd Hoffmann
 

On Fri, Dec 03, 2021 at 04:32:48PM +0000, Michael D Kinney wrote:
> Hi Gerd,
>
> Thank you for starting this work!
>
> Can you point the community to a summary of the changes/improvements in v3.0 and your
> take on why it is important to upgrade TianoCore?

From the openssl website:

<quote>
The latest stable version is the 3.0 series. Also available is the
1.1.1 series which is our Long Term Support (LTS) version, supported
until 11th September 2023. All older versions (including 1.1.0, 1.0.2,
1.0.0 and 0.9.8) are now out of support and should not be used.
</quote>

So, long-term there is simply no way around upgrading. Version 1.1.1
will go out of support in less than two years, after that date we
wouldn't get security fixes any more.

I think it makes sense to start the porting effort early and not wait
until the last minute with the switch to 3.x

take care,
Gerd


Gerd Hoffmann
 

Hi,

I've continued working on this over the last weeks. Time for a status
update. All applies to the latest tree, sneak preview is here:
https://github.com/kraxel/edk2/commits/openssl3

> Also, assuming you have done enough test, would you please provide:
> 1) size difference, Including PEI, SMM, DXE.

No changes in SEC and PEI. DXE:

openssl 1.1
- 399582 SecureBootConfigDxe
- 472182 SecurityStubDxe
- 532626 VariableSmm
- 656382 TlsDxe

openssl 3.0
+ 809886 SecureBootConfigDxe
+ 912310 SecurityStubDxe
+ 970898 VariableSmm
+ 1125758 TlsDxe

Most of that seems to come from some openssl core changes (the new
'provider' concept) and I don't see an easy way to cut that down.

That is with the same feature set we have right now (i.e. no elliptic
curves and thus no TLS 1.3 support).

> 2) performance difference, Including PEI, SMM, DXE.

Suggestions how to measure that?

> 3) what unit test you have done (such as each crypto API)

CryptoPkg/UnitTest passes.

> 4) what system test you have done (such as secure boot, trusted boot)

Secure boot works.
TlsDxe (boot from https server) works.
TPM not tested yet.
TPM not tested yet.


I still have a bunch of failures in CI, for some of them I'm not sure
how to handle them best:

(1) 32-bit builds on windows fail:

INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __allmul
INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __aulldiv
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __aulldvrm
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __ftol2_sse

Those symbols look like they reference helper functions to do 64bit math
on 32bit architecture. Any hints how to fix that?


(2) va_arg is not working with floats due to SSE being disabled:

INFO - /home/vsts/work/1/s/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bio_print.c:265:28: error: SSE register argument with SSE disabled
INFO - fvalue = va_arg(args, LDOUBLE);

I can't see a way to fix that given that va_arg typically refers to a
compiler builtin so I don't think there is a way to declare that an
EFIAPI function to change the calling convention. Not all builds fail
though, possibly because the compiler inlines with optimization turned
on.

Suggestions anyone?


(3) Some NOOPT builds are failing due to the size growing ...


take care,
Gerd


Yao, Jiewen
 

Thank you!
Good result. Comment below:

-----Original Message-----
From: kraxel@redhat.com <kraxel@redhat.com>
Sent: Monday, January 17, 2022 7:46 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Wang, Jian J
<jian.j.wang@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Pawel
Polawski <ppolawsk@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
Subject: Re: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl
submodule to v3.0

Hi,

I've continued working on this over the last weeks. Time for a status
update. All applies to the latest tree, sneak preview is here:
https://github.com/kraxel/edk2/commits/openssl3

Also, assuming you have done enough test, would you please provide:
1) size difference, Including PEI, SMM, DXE.
No changes in SEC and PEI.
[Jiewen] Do you mean the Crypto consumer in PEI has no size difference? Such as
https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Tcg2Pei ,
https://github.com/tianocore/edk2/tree/master/SecurityPkg/FvReportPei ,
https://github.com/tianocore/edk2/tree/master/SignedCapsulePkg/Universal/RecoveryModuleLoadPei linking https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256.

DXE:

openssl 1.1
- 399582 SecureBootConfigDxe
- 472182 SecurityStubDxe
- 532626 VariableSmm
- 656382 TlsDxe

openssl 3.0
+ 809886 SecureBootConfigDxe
+ 912310 SecurityStubDxe
+ 970898 VariableSmm
+ 1125758 TlsDxe

Most of that seems to come from some openssl core changes (the new
'provider' concept) and I don't see an easy way to cut that down.

That is with the same feature set we have right now (i.e. no elliptic
curves and thus no TLS 1.3 support).
[Jiewen] It almost doubles the size, which will become a big challenge for openssl3.0 adoption.



2) performance difference, Including PEI, SMM, DXE.
Suggestions how to measure that?
[Jiewen] Please just write an app to call the crypto API, multiple times.
https://github.com/tianocore/edk2/tree/master/CryptoPkg/Test/UnitTest/Library/BaseCryptLib
I think we can focus on SHA256/RSA2048 + AES, which is used in secure boot, and HTTPS boot.


3) what unit test you have done (such as each crypto API)
CryptoPkg/UnitTest passes.
[Jiewen] Good enough.


4) what system test you have done (such as secure boot, trusted boot)
Secure boot works.
TlsDxe (boot from https server) works.
TPM not tested yet.
[Jiewen] Good enough. TPM only includes HASH. I am not too worried about that.




I still have a bunch of failures in CI, for some of them I'm not sure
how to handle them best:

(1) 32-bit builds on windows fail:

INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __allmul
INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __aulldiv
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __aulldvrm
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __ftol2_sse

Those symbols look like they reference helper functions to do 64bit math
on 32bit architecture. Any hints how to fix that?
[Jiewen] Please add them to https://github.com/tianocore/edk2/tree/master/CryptoPkg/Library/IntrinsicLib



(2) va_arg is not working with floats due to SSE being disabled:

INFO - /home/vsts/work/1/s/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bio_print.c:265:28: error: SSE register argument with SSE disabled
INFO - fvalue = va_arg(args, LDOUBLE);

I can't see a way to fix that given that va_arg typically refers to a
compiler builtin so I don't think there is a way to declare that an
EFIAPI function to change the calling convention. Not all builds fail
though, possibly because the compiler inlines with optimization turned
on.

Suggestions anyone?
[Jiewen] This seems to be an infrastructure issue.
Any suggestion, Mike ?




(3) Some NOOPT builds are failing due to the size growing ...
[Jiewen] Size becomes a big challenge...
Have you tried to use https://github.com/tianocore/edk2/tree/master/CryptoPkg/Driver solution?




take care,
Gerd


Michael D Kinney
 

Gerd,

Thank you for the continued work on v3.0 support. Comments below.

Mike

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Tuesday, January 18, 2022 3:12 AM
To: kraxel@redhat.com; devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
Pawel Polawski <ppolawsk@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
Subject: RE: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl submodule to v3.0

Thank you!
Good result. Comment below:

-----Original Message-----
From: kraxel@redhat.com <kraxel@redhat.com>
Sent: Monday, January 17, 2022 7:46 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Wang, Jian J
<jian.j.wang@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Pawel
Polawski <ppolawsk@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
Subject: Re: [edk2-devel] [PATCH 00/24] CryptoPkg/openssl: update openssl
submodule to v3.0

Hi,

I've continued working on this over the last weeks. Time for a status
update. All applies to the latest tree, sneak preview is here:
https://github.com/kraxel/edk2/commits/openssl3

Also, assuming you have done enough test, would you please provide:
1) size difference, Including PEI, SMM, DXE.
No changes in SEC and PEI.
[Jiewen] Do you mean the Crypto consumer in PEI has no size difference? Such as
https://github.com/tianocore/edk2/tree/master/SecurityPkg/Tcg/Tcg2Pei ,
https://github.com/tianocore/edk2/tree/master/SecurityPkg/FvReportPei ,
https://github.com/tianocore/edk2/tree/master/SignedCapsulePkg/Universal/RecoveryModuleLoadPei linking
https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256.

DXE:

openssl 1.1
- 399582 SecureBootConfigDxe
- 472182 SecurityStubDxe
- 532626 VariableSmm
- 656382 TlsDxe

openssl 3.0
+ 809886 SecureBootConfigDxe
+ 912310 SecurityStubDxe
+ 970898 VariableSmm
+ 1125758 TlsDxe

Most of that seems to come from some openssl core changes (the new
'provider' concept) and I don't see an easy way to cut that down.

That is with the same feature set we have right now (i.e. no elliptic
curves and thus no TLS 1.3 support).
[Jiewen] It almost doubles the size, which will become a big challenge for openssl3.0 adoption.



2) performance difference, Including PEI, SMM, DXE.
Suggestions how to measure that?
[Jiewen] Please just write an app to call the crypto API, multiple times.
https://github.com/tianocore/edk2/tree/master/CryptoPkg/Test/UnitTest/Library/BaseCryptLib
I think we can focus on SHA256/RSA2048 + AES, which is used in secure boot, and HTTPS boot.


3) what unit test you have done (such as each crypto API)
CryptoPkg/UnitTest passes.
[Jiewen] Good enough.


4) what system test you have done (such as secure boot, trusted boot)
Secure boot works.
TlsDxe (boot from https server) works.
TPM not tested yet.
[Jiewen] Good enough. TPM only includes HASH. I am not too worried about that.




I still have a bunch of failures in CI, for some of them I'm not sure
how to handle them best:

(1) 32-bit builds on windows fail:

INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __allmul
INFO - OpensslLibCrypto.lib(rsa_lib.obj) : error LNK2001: unresolved external symbol __aulldiv
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __aulldvrm
INFO - OpensslLibCrypto.lib(bio_print.obj) : error LNK2001: unresolved external symbol __ftol2_sse
We need to see if there are any OpenSSL config settings to completely remove use of
float/double types. UEFI envs do not support float/double. It is possible to
use them in a UEFI App or other UEFI FW components, but the use of those need
to do extra work to disable interrupts and save/restore state.


Those symbols look like they reference helper functions to do 64bit math
on 32bit architecture. Any hints how to fix that?
[Jiewen] Please add them to https://github.com/tianocore/edk2/tree/master/CryptoPkg/Library/IntrinsicLib



(2) va_arg is not working with floats due to SSE being disabled:

INFO - /home/vsts/work/1/s/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bio_print.c:265:28: error: SSE register argument with SSE disabled
INFO - fvalue = va_arg(args, LDOUBLE);

I can't see a way to fix that given that va_arg typically refers to a
compiler builtin so I don't think there is a way to declare that an
EFIAPI function to change the calling convention. Not all builds fail
though, possibly because the compiler inlines with optimization turned
on.

Suggestions anyone?
[Jiewen] This seems to be an infrastructure issue.
Any suggestion, Mike ?
As mentioned above, it would be better if OpenSSL had a config setting to
not use any float/double types.





(3) Some NOOPT builds are failing due to the size growing ...
[Jiewen] Size becomes a big challenge...
Have you tried to use https://github.com/tianocore/edk2/tree/master/CryptoPkg/Driver solution?




take care,
Gerd