[PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms


Vineel Kovvuri <vineel.kovvuri@...>
 

This commit is a cherry pick of project mu's commit
https://github.com/microsoft/mu_tiano_plus/commit/1f3b135ddc821718a78c352316197889c5d3e0c2

Reconfigure OpensslLib to add elliptic curve cipher algorithms.
The only file manually changed is process_files.pl.
Running the script changes the other three files.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
.../Library/Include/openssl/opensslconf.h | 25 ++--------
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 50 +++++++++++++++++++
.../Library/OpensslLib/OpensslLibCrypto.inf | 50 +++++++++++++++++++
CryptoPkg/Library/OpensslLib/process_files.pl | 1 -
4 files changed, 105 insertions(+), 21 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index b8d59aebe8..09a6641ffc 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -55,9 +55,6 @@ extern "C" {
#ifndef OPENSSL_NO_DSA
# define OPENSSL_NO_DSA
#endif
-#ifndef OPENSSL_NO_EC
-# define OPENSSL_NO_EC
-#endif
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
@@ -88,9 +85,6 @@ extern "C" {
#ifndef OPENSSL_NO_SEED
# define OPENSSL_NO_SEED
#endif
-#ifndef OPENSSL_NO_SM2
-# define OPENSSL_NO_SM2
-#endif
#ifndef OPENSSL_NO_SRP
# define OPENSSL_NO_SRP
#endif
@@ -154,12 +148,6 @@ extern "C" {
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
-#ifndef OPENSSL_NO_ECDH
-# define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-# define OPENSSL_NO_ECDSA
-#endif
#ifndef OPENSSL_NO_EGD
# define OPENSSL_NO_EGD
#endif
@@ -226,9 +214,6 @@ extern "C" {
#ifndef OPENSSL_NO_TESTS
# define OPENSSL_NO_TESTS
#endif
-#ifndef OPENSSL_NO_TLS1_3
-# define OPENSSL_NO_TLS1_3
-#endif
#ifndef OPENSSL_NO_UBSAN
# define OPENSSL_NO_UBSAN
#endif
@@ -265,11 +250,11 @@ extern "C" {
# undef DECLARE_DEPRECATED
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
# endif
-#elif defined(__SUNPRO_C)
-#if (__SUNPRO_C >= 0x5130)
-#undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
-#endif
+# elif defined(__SUNPRO_C)
+# if (__SUNPRO_C >= 0x5130)
+# undef DECLARE_DEPRECATED
+# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
+# endif
# endif
#endif

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d84bde056a..bd3d9cc90f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index cdeed0d073..38ccf1a5b6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 42bff05fa6..2ebfbbbca0 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -169,7 +169,6 @@ BEGIN {
"no-dgram",
"no-dsa",
"no-dynamic-engine",
- "no-ec",
"no-ec2m",
"no-engine",
"no-err",
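Review bot: Dropping `"no-ec",` from this option list enables more than the elliptic-curve primitives named in the commit message. The regenerated opensslconf.h in the same patch also stops defining `OPENSSL_NO_SM2`, `OPENSSL_NO_ECDH`, `OPENSSL_NO_ECDSA` and `OPENSSL_NO_TLS1_3`, so SM2 and TLS 1.3 join the firmware's crypto surface as an unstated side effect. If only EC, ECDH and ECDSA are intended, keep the others off explicitly by adding `"no-sm2",` and `"no-tls1_3",` to the list, or say in the commit message that they are enabled deliberately. `"no-ec2m",` stays in place and `OPENSSL_NO_EC_NISTP_64_GCC_128` is still defined, yet the regenerated .inf files add `ec2_oct.c`, `ec2_smpl.c` and the `ecp_nistp*.c` sources, so it is worth confirming these compile to empty objects on every supported toolchain. The option list itself starts and ends outside this hunk.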
--
2.17.1


Yao, Jiewen
 

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

-----Original Message-----
From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
Sent: Tuesday, October 12, 2021 1:38 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
Michael.Turner@microsoft.com
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher
algorithms

This commit is a cherry pick of project mu's commit
https://github.com/microsoft/mu_tiano_plus/commit/1f3b135ddc821718a78c3
52316197889c5d3e0c2

Reconfigure OpensslLib to add elliptic curve chipher algorithms.
The only file manually changed is process_files.pl.
Running the script changes the other three files.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
.../Library/Include/openssl/opensslconf.h | 25 ++--------
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 50 +++++++++++++++++++
.../Library/OpensslLib/OpensslLibCrypto.inf | 50 +++++++++++++++++++
CryptoPkg/Library/OpensslLib/process_files.pl | 1 -
4 files changed, 105 insertions(+), 21 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
b/CryptoPkg/Library/Include/openssl/opensslconf.h
index b8d59aebe8..09a6641ffc 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -55,9 +55,6 @@ extern "C" {
#ifndef OPENSSL_NO_DSA
# define OPENSSL_NO_DSA
#endif
-#ifndef OPENSSL_NO_EC
-# define OPENSSL_NO_EC
-#endif
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
@@ -88,9 +85,6 @@ extern "C" {
#ifndef OPENSSL_NO_SEED
# define OPENSSL_NO_SEED
#endif
-#ifndef OPENSSL_NO_SM2
-# define OPENSSL_NO_SM2
-#endif
#ifndef OPENSSL_NO_SRP
# define OPENSSL_NO_SRP
#endif
@@ -154,12 +148,6 @@ extern "C" {
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
-#ifndef OPENSSL_NO_ECDH
-# define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-# define OPENSSL_NO_ECDSA
-#endif
#ifndef OPENSSL_NO_EGD
# define OPENSSL_NO_EGD
#endif
@@ -226,9 +214,6 @@ extern "C" {
#ifndef OPENSSL_NO_TESTS
# define OPENSSL_NO_TESTS
#endif
-#ifndef OPENSSL_NO_TLS1_3
-# define OPENSSL_NO_TLS1_3
-#endif
#ifndef OPENSSL_NO_UBSAN
# define OPENSSL_NO_UBSAN
#endif
@@ -265,11 +250,11 @@ extern "C" {
# undef DECLARE_DEPRECATED
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
# endif
-#elif defined(__SUNPRO_C)
-#if (__SUNPRO_C >= 0x5130)
-#undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
-#endif
+# elif defined(__SUNPRO_C)
+# if (__SUNPRO_C >= 0x5130)
+# undef DECLARE_DEPRECATED
+# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
+# endif
# endif
#endif

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d84bde056a..bd3d9cc90f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index cdeed0d073..38ccf1a5b6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
b/CryptoPkg/Library/OpensslLib/process_files.pl
index 42bff05fa6..2ebfbbbca0 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -169,7 +169,6 @@ BEGIN {
"no-dgram",
"no-dsa",
"no-dynamic-engine",
- "no-ec",
"no-ec2m",
"no-engine",
"no-err",
--
2.17.1


Yao, Jiewen
 

Hi
This patch fails in the P-R - https://github.com/tianocore/edk2/pull/2073. Please double check.

You are encouraged to try the P-R yourself before submitting the patch.

Thank you
Yao Jiewen

-----Original Message-----
From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
Sent: Tuesday, October 12, 2021 1:38 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
Michael.Turner@microsoft.com
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher
algorithms

This commit is a cherry pick of project mu's commit
https://github.com/microsoft/mu_tiano_plus/commit/1f3b135ddc821718a78c3
52316197889c5d3e0c2

Reconfigure OpensslLib to add elliptic curve chipher algorithms.
The only file manually changed is process_files.pl.
Running the script changes the other three files.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3679

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
.../Library/Include/openssl/opensslconf.h | 25 ++--------
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 50 +++++++++++++++++++
.../Library/OpensslLib/OpensslLibCrypto.inf | 50 +++++++++++++++++++
CryptoPkg/Library/OpensslLib/process_files.pl | 1 -
4 files changed, 105 insertions(+), 21 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
b/CryptoPkg/Library/Include/openssl/opensslconf.h
index b8d59aebe8..09a6641ffc 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -55,9 +55,6 @@ extern "C" {
#ifndef OPENSSL_NO_DSA
# define OPENSSL_NO_DSA
#endif
-#ifndef OPENSSL_NO_EC
-# define OPENSSL_NO_EC
-#endif
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
@@ -88,9 +85,6 @@ extern "C" {
#ifndef OPENSSL_NO_SEED
# define OPENSSL_NO_SEED
#endif
-#ifndef OPENSSL_NO_SM2
-# define OPENSSL_NO_SM2
-#endif
#ifndef OPENSSL_NO_SRP
# define OPENSSL_NO_SRP
#endif
@@ -154,12 +148,6 @@ extern "C" {
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
-#ifndef OPENSSL_NO_ECDH
-# define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-# define OPENSSL_NO_ECDSA
-#endif
#ifndef OPENSSL_NO_EGD
# define OPENSSL_NO_EGD
#endif
@@ -226,9 +214,6 @@ extern "C" {
#ifndef OPENSSL_NO_TESTS
# define OPENSSL_NO_TESTS
#endif
-#ifndef OPENSSL_NO_TLS1_3
-# define OPENSSL_NO_TLS1_3
-#endif
#ifndef OPENSSL_NO_UBSAN
# define OPENSSL_NO_UBSAN
#endif
@@ -265,11 +250,11 @@ extern "C" {
# undef DECLARE_DEPRECATED
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
# endif
-#elif defined(__SUNPRO_C)
-#if (__SUNPRO_C >= 0x5130)
-#undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
-#endif
+# elif defined(__SUNPRO_C)
+# if (__SUNPRO_C >= 0x5130)
+# undef DECLARE_DEPRECATED
+# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
+# endif
# endif
#endif

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d84bde056a..bd3d9cc90f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index cdeed0d073..38ccf1a5b6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
b/CryptoPkg/Library/OpensslLib/process_files.pl
index 42bff05fa6..2ebfbbbca0 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -169,7 +169,6 @@ BEGIN {
"no-dgram",
"no-dsa",
"no-dynamic-engine",
- "no-ec",
"no-ec2m",
"no-engine",
"no-err",
--
2.17.1


Vineel Kovvuri
 

Hi Jiewen,

Sorry for the build break. I will fix this locally and send you the patch.

Thanks,
Vineel

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Saturday, October 16, 2021 7:49 PM
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [EXTERNAL] RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

Hi
This patch fails in the P-R - https://github.com/tianocore/edk2/pull/2073. Please double check.

You are encourage to try P-R by yourself before submit the patch.

Thank you
Yao Jiewen

-----Original Message-----
From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
Sent: Tuesday, October 12, 2021 1:38 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
Michael.Turner@microsoft.com
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve
chipher algorithms

This commit is a cherry pick of project mu's commit
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
ub.com%2Fmicrosoft%2Fmu_tiano_plus%2Fcommit%2F1f3b135ddc821718a78c3&am
p;data=04%7C01%7Cvineelko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d991
18b6e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637700357621360496
%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6I
k1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OFSVeefYJN%2Bq1BgGMKAJ0H%2B2wfX
%2Bbn%2B4rmppat62i1o%3D&amp;reserved=0
52316197889c5d3e0c2

Reconfigure OpensslLib to add elliptic curve chipher algorithms.
The only file manually changed is process_files.pl.
Running the script changes the other three files.

BugZilla:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3679&amp;data=04%7C01%7Cvinee
lko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf86f14
1af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CTWFpbGZsb
3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
7C1000&amp;sdata=hUoZ%2F%2BTHW4aIvzk2N%2BCgtSqQ9igntGGt2vtlOgPTEKY%3D&
amp;reserved=0

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
.../Library/Include/openssl/opensslconf.h | 25 ++--------
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 50 +++++++++++++++++++
.../Library/OpensslLib/OpensslLibCrypto.inf | 50 +++++++++++++++++++
CryptoPkg/Library/OpensslLib/process_files.pl | 1 -
4 files changed, 105 insertions(+), 21 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
b/CryptoPkg/Library/Include/openssl/opensslconf.h
index b8d59aebe8..09a6641ffc 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -55,9 +55,6 @@ extern "C" {
#ifndef OPENSSL_NO_DSA
# define OPENSSL_NO_DSA
#endif
-#ifndef OPENSSL_NO_EC
-# define OPENSSL_NO_EC
-#endif
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
@@ -88,9 +85,6 @@ extern "C" {
#ifndef OPENSSL_NO_SEED
# define OPENSSL_NO_SEED
#endif
-#ifndef OPENSSL_NO_SM2
-# define OPENSSL_NO_SM2
-#endif
#ifndef OPENSSL_NO_SRP
# define OPENSSL_NO_SRP
#endif
@@ -154,12 +148,6 @@ extern "C" {
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
-#ifndef OPENSSL_NO_ECDH
-# define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-# define OPENSSL_NO_ECDSA
-#endif
#ifndef OPENSSL_NO_EGD
# define OPENSSL_NO_EGD
#endif
@@ -226,9 +214,6 @@ extern "C" {
#ifndef OPENSSL_NO_TESTS
# define OPENSSL_NO_TESTS
#endif
-#ifndef OPENSSL_NO_TLS1_3
-# define OPENSSL_NO_TLS1_3
-#endif
#ifndef OPENSSL_NO_UBSAN
# define OPENSSL_NO_UBSAN
#endif
@@ -265,11 +250,11 @@ extern "C" {
# undef DECLARE_DEPRECATED
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
# endif
-#elif defined(__SUNPRO_C)
-#if (__SUNPRO_C >= 0x5130)
-#undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
-#endif
+# elif defined(__SUNPRO_C)
+# if (__SUNPRO_C >= 0x5130)
+# undef DECLARE_DEPRECATED
+# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
+# endif
# endif
#endif

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d84bde056a..bd3d9cc90f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index cdeed0d073..38ccf1a5b6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
b/CryptoPkg/Library/OpensslLib/process_files.pl
index 42bff05fa6..2ebfbbbca0 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -169,7 +169,6 @@ BEGIN {
"no-dgram",
"no-dsa",
"no-dynamic-engine",
- "no-ec",
"no-ec2m",
"no-engine",
"no-err",
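Review bot: Removing only `"no-ec",` from this option list enables more than the elliptic-curve algorithms the description names: the regenerated opensslconf.h in this patch also stops defining `OPENSSL_NO_SM2` and `OPENSSL_NO_TLS1_3` (alongside `OPENSSL_NO_ECDH` and `OPENSSL_NO_ECDSA`), and both INF files gain the sm2 and curve448 sources. This looks like a cascade of the `no-ec` option rather than a stated decision, and every newly compiled algorithm or protocol version adds parsing code, attack surface and image size to the firmware. If SM2 and TLS 1.3 are not meant to be switched on by this change, keep them off explicitly by adding `"no-sm2",` and `"no-tls1_3",` to the list and re-running the script; if they are intended, the commit message should say so. The option list and its `BEGIN` block continue outside the hunk, and the same hunk is quoted again in the later copies of the patch in this thread.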
--
2.17.1


Yao, Jiewen
 

Hello Vineel
May I know if you have sent out v2?

-----Original Message-----
From: Vineel Kovvuri <vineelko@microsoft.com>
Sent: Tuesday, October 19, 2021 4:06 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; Vineel Kovvuri
<vineel.kovvuri@gmail.com>; devel@edk2.groups.io; Sean Brogan
<sean.brogan@microsoft.com>; Bret Barkelew
<Bret.Barkelew@microsoft.com>; Mike Turner
<Michael.Turner@microsoft.com>
Cc: Jancarlo Perez <jpere@microsoft.com>
Subject: RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher
algorithms

Hi Jiewen,

Sorry for the build break. I will fix this locally and send you the patch.

Thanks,
Vineel

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Saturday, October 16, 2021 7:49 PM
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>; devel@edk2.groups.io; Sean
Brogan <sean.brogan@microsoft.com>; Bret Barkelew
<Bret.Barkelew@microsoft.com>; Mike Turner
<Michael.Turner@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [EXTERNAL] RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic
curve chipher algorithms

Hi
This patch fails in the P-R -
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c
om%2Ftianocore%2Fedk2%2Fpull%2F2073&amp;data=04%7C01%7Cvineelko%4
0microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf86f141
af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXV
CI6Mn0%3D%7C1000&amp;sdata=NbiiW6sHXAfHEkkL7aBbnGlZoYXbAzmkgzeqb
biuJ6Q%3D&amp;reserved=0. Please double check.

You are encouraged to try the P-R yourself before submitting the patch.

Thank you
Yao Jiewen

-----Original Message-----
From: Vineel Kovvuri <vineel.kovvuri@gmail.com>
Sent: Tuesday, October 12, 2021 1:38 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
sean.brogan@microsoft.com; bret.barkelew@microsoft.com;
Michael.Turner@microsoft.com
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve
chipher algorithms

This commit is a cherry pick of project mu's commit
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
ub.com%2Fmicrosoft%2Fmu_tiano_plus%2Fcommit%2F1f3b135ddc821718a78c
3&am
p;data=04%7C01%7Cvineelko%40microsoft.com%7C5d3643d0f0ec4bb48ba608
d991
18b6e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637700357621
360496
%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLC
JBTiI6I
k1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OFSVeefYJN%2Bq1BgGMKAJ0
H%2B2wfX
%2Bbn%2B4rmppat62i1o%3D&amp;reserved=0
52316197889c5d3e0c2

Reconfigure OpensslLib to add elliptic curve cipher algorithms.
The only file manually changed is process_files.pl.
Running the script changes the other three files.

BugZilla:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3679&amp;data=04%7C01%7Cvin
ee
lko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf8
6f14
1af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
WFpbGZsb
3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%
3D%
7C1000&amp;sdata=hUoZ%2F%2BTHW4aIvzk2N%2BCgtSqQ9igntGGt2vtlOgPTE
KY%3D&
amp;reserved=0

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
---
.../Library/Include/openssl/opensslconf.h | 25 ++--------
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 50 +++++++++++++++++++
.../Library/OpensslLib/OpensslLibCrypto.inf | 50 +++++++++++++++++++
CryptoPkg/Library/OpensslLib/process_files.pl | 1 -
4 files changed, 105 insertions(+), 21 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
b/CryptoPkg/Library/Include/openssl/opensslconf.h
index b8d59aebe8..09a6641ffc 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -55,9 +55,6 @@ extern "C" {
#ifndef OPENSSL_NO_DSA
# define OPENSSL_NO_DSA
#endif
-#ifndef OPENSSL_NO_EC
-# define OPENSSL_NO_EC
-#endif
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
@@ -88,9 +85,6 @@ extern "C" {
#ifndef OPENSSL_NO_SEED
# define OPENSSL_NO_SEED
#endif
-#ifndef OPENSSL_NO_SM2
-# define OPENSSL_NO_SM2
-#endif
#ifndef OPENSSL_NO_SRP
# define OPENSSL_NO_SRP
#endif
@@ -154,12 +148,6 @@ extern "C" {
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
-#ifndef OPENSSL_NO_ECDH
-# define OPENSSL_NO_ECDH
-#endif
-#ifndef OPENSSL_NO_ECDSA
-# define OPENSSL_NO_ECDSA
-#endif
#ifndef OPENSSL_NO_EGD
# define OPENSSL_NO_EGD
#endif
@@ -226,9 +214,6 @@ extern "C" {
#ifndef OPENSSL_NO_TESTS
# define OPENSSL_NO_TESTS
#endif
-#ifndef OPENSSL_NO_TLS1_3
-# define OPENSSL_NO_TLS1_3
-#endif
#ifndef OPENSSL_NO_UBSAN
# define OPENSSL_NO_UBSAN
#endif
@@ -265,11 +250,11 @@ extern "C" {
# undef DECLARE_DEPRECATED
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
# endif
-#elif defined(__SUNPRO_C)
-#if (__SUNPRO_C >= 0x5130)
-#undef DECLARE_DEPRECATED
-#define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
-#endif
+# elif defined(__SUNPRO_C)
+# if (__SUNPRO_C >= 0x5130)
+# undef DECLARE_DEPRECATED
+# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
+# endif
# endif
#endif

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d84bde056a..bd3d9cc90f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index cdeed0d073..38ccf1a5b6 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -199,6 +199,43 @@
$(OPENSSL_PATH)/crypto/dso/dso_vms.c
$(OPENSSL_PATH)/crypto/dso/dso_win32.c
$(OPENSSL_PATH)/crypto/ebcdic.c
+ $(OPENSSL_PATH)/crypto/ec/curve25519.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
+ $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
+ $(OPENSSL_PATH)/crypto/ec/ec_check.c
+ $(OPENSSL_PATH)/crypto/ec/ec_curve.c
+ $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
+ $(OPENSSL_PATH)/crypto/ec/ec_err.c
+ $(OPENSSL_PATH)/crypto/ec/ec_key.c
+ $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_lib.c
+ $(OPENSSL_PATH)/crypto/ec/ec_mult.c
+ $(OPENSSL_PATH)/crypto/ec/ec_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
+ $(OPENSSL_PATH)/crypto/ec/ec_print.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
+ $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
+ $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
+ $(OPENSSL_PATH)/crypto/ec/eck_prn.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
+ $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
+ $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
$(OPENSSL_PATH)/crypto/err/err.c
$(OPENSSL_PATH)/crypto/err/err_prn.c
$(OPENSSL_PATH)/crypto/evp/bio_b64.c
@@ -384,6 +421,10 @@
$(OPENSSL_PATH)/crypto/siphash/siphash.c
$(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
$(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
+ $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
$(OPENSSL_PATH)/crypto/sm3/m_sm3.c
$(OPENSSL_PATH)/crypto/sm3/sm3.c
$(OPENSSL_PATH)/crypto/sm4/sm4.c
@@ -496,6 +537,15 @@
$(OPENSSL_PATH)/crypto/conf/conf_local.h
$(OPENSSL_PATH)/crypto/dh/dh_local.h
$(OPENSSL_PATH)/crypto/dso/dso_local.h
+ $(OPENSSL_PATH)/crypto/ec/ec_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/field.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/word.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
+ $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
$(OPENSSL_PATH)/crypto/evp/evp_local.h
$(OPENSSL_PATH)/crypto/hmac/hmac_local.h
$(OPENSSL_PATH)/crypto/lhash/lhash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
b/CryptoPkg/Library/OpensslLib/process_files.pl
index 42bff05fa6..2ebfbbbca0 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -169,7 +169,6 @@ BEGIN {
"no-dgram",
"no-dsa",
"no-dynamic-engine",
- "no-ec",
"no-ec2m",
"no-engine",
"no-err",
--
2.17.1


Vineel Kovvuri <vineel.kovvuri@...>
 

Hi Jiewen, 

Thanks for checking. One of the issues is that the ECC change requires the additional VS intrinsics library to be included; otherwise the IA32 build fails with __allmul undefined. So I have to include the lines below in OVMFPKGIA32.dsc from Project Mu:

[LibraryClasses.IA32]
  NULL|MdePkg/Library/VsIntrinsicLib/VsIntrinsicLib.inf

but then I am hitting a new failure when building "stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=VS2019 TARGET=DEBUG -a IA32"

ERROR - Linker #2001 from LINK :   unresolved external symbol __ModuleEntryPoint
ERROR - Linker #1120 from d:\repos\edk2\Build\OvmfIa32\DEBUG_VS2019\IA32\OvmfPkg\ResetVector\ResetVector\DEBUG\ResetVector.dll : fatal   1 unresolved externals
ERROR - Compiler #1077 from NMAKE : fatal   '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.28.29910\bin\Hostx86\x86\link.exe"' : return code '0x460'
ERROR - Compiler #7000 from :   Failed to execute command
ERROR - EDK2 #002 from :   Failed to build module

Probably I am missing something.

The other issue is the increased size of the OVMF firmware after enabling ec ciphers. We need some guidance in handling this as OVMF is being used by other open source projects like QEMU etc.

Thanks,
Vineel


On Tue, Nov 2, 2021 at 5:37 PM Yao, Jiewen <jiewen.yao@...> wrote:
Hello Vineel
May I know if you have send out v2?

> -----Original Message-----
> From: Vineel Kovvuri <vineelko@...>
> Sent: Tuesday, October 19, 2021 4:06 AM
> To: Yao, Jiewen <jiewen.yao@...>; Vineel Kovvuri
> <vineel.kovvuri@...>; devel@edk2.groups.io; Sean Brogan
> <sean.brogan@...>; Bret Barkelew
> <Bret.Barkelew@...>; Mike Turner
> <Michael.Turner@...>
> Cc: Jancarlo Perez <jpere@...>
> Subject: RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher
> algorithms
>
> Hi Jiewen,
>
> Sorry for the build break. I will fix this locally and send you the patch.
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@...>
> Sent: Saturday, October 16, 2021 7:49 PM
> To: Vineel Kovvuri <vineel.kovvuri@...>; devel@edk2.groups.io; Sean
> Brogan <sean.brogan@...>; Bret Barkelew
> <Bret.Barkelew@...>; Mike Turner
> <Michael.Turner@...>
> Cc: Vineel Kovvuri <vineelko@...>
> Subject: [EXTERNAL] RE: [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
>
> Hi
> This patch fails in the P-R -
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c
> om%2Ftianocore%2Fedk2%2Fpull%2F2073&amp;data=04%7C01%7Cvineelko%4
> 0microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf86f141
> af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
> WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXV
> CI6Mn0%3D%7C1000&amp;sdata=NbiiW6sHXAfHEkkL7aBbnGlZoYXbAzmkgzeqb
> biuJ6Q%3D&amp;reserved=0. Please double check.
>
> You are encourage to try P-R by yourself before submit the patch.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Vineel Kovvuri <vineel.kovvuri@...>
> > Sent: Tuesday, October 12, 2021 1:38 PM
> > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@...>;
> > sean.brogan@...; bret.barkelew@...;
> > Michael.Turner@...
> > Cc: Vineel Kovvuri <vineelko@...>
> > Subject: [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve
> > chipher algorithms
> >
> > This commit is a cherry pick of project mu's commit
> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> >
> ub.com%2Fmicrosoft%2Fmu_tiano_plus%2Fcommit%2F1f3b135ddc821718a78c
> 3&am
> >
> p;data=04%7C01%7Cvineelko%40microsoft.com%7C5d3643d0f0ec4bb48ba608
> d991
> >
> 18b6e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637700357621
> 360496
> > %7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLC
> JBTiI6I
> >
> k1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=OFSVeefYJN%2Bq1BgGMKAJ0
> H%2B2wfX
> > %2Bbn%2B4rmppat62i1o%3D&amp;reserved=0
> > 52316197889c5d3e0c2
> >
> > Reconfigure OpensslLib to add elliptic curve chipher algorithms.
> > The only file manually changed is process_files.pl.
> > Running the script changes the other three files.
> >
> > BugZilla:
> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> >
> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3679&amp;data=04%7C01%7Cvin
> ee
> >
> lko%40microsoft.com%7C5d3643d0f0ec4bb48ba608d99118b6e7%7C72f988bf8
> 6f14
> >
> 1af91ab2d7cd011db47%7C1%7C0%7C637700357621360496%7CUnknown%7CT
> WFpbGZsb
> >
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%
> 3D%
> >
> 7C1000&amp;sdata=hUoZ%2F%2BTHW4aIvzk2N%2BCgtSqQ9igntGGt2vtlOgPTE
> KY%3D&
> > amp;reserved=0
> >
> > Signed-off-by: Vineel Kovvuri <vineelko@...>
> > ---
> >  .../Library/Include/openssl/opensslconf.h     | 25 ++--------
> >  CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 50 +++++++++++++++++++
> >  .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 +++++++++++++++++++
> >  CryptoPkg/Library/OpensslLib/process_files.pl |  1 -
> >  4 files changed, 105 insertions(+), 21 deletions(-)
> >
> > diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> > b/CryptoPkg/Library/Include/openssl/opensslconf.h
> > index b8d59aebe8..09a6641ffc 100644
> > --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> > +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> > @@ -55,9 +55,6 @@ extern "C" {
> >  #ifndef OPENSSL_NO_DSA
> >  # define OPENSSL_NO_DSA
> >  #endif
> > -#ifndef OPENSSL_NO_EC
> > -# define OPENSSL_NO_EC
> > -#endif
> >  #ifndef OPENSSL_NO_IDEA
> >  # define OPENSSL_NO_IDEA
> >  #endif
> > @@ -88,9 +85,6 @@ extern "C" {
> >  #ifndef OPENSSL_NO_SEED
> >  # define OPENSSL_NO_SEED
> >  #endif
> > -#ifndef OPENSSL_NO_SM2
> > -# define OPENSSL_NO_SM2
> > -#endif
> >  #ifndef OPENSSL_NO_SRP
> >  # define OPENSSL_NO_SRP
> >  #endif
> > @@ -154,12 +148,6 @@ extern "C" {
> >  #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128  # define
> > OPENSSL_NO_EC_NISTP_64_GCC_128  #endif -#ifndef OPENSSL_NO_ECDH -#
> > define OPENSSL_NO_ECDH -#endif -#ifndef OPENSSL_NO_ECDSA -# define
> > OPENSSL_NO_ECDSA -#endif  #ifndef OPENSSL_NO_EGD  # define
> > OPENSSL_NO_EGD  #endif @@ -226,9 +214,6 @@ extern "C" {  #ifndef
> > OPENSSL_NO_TESTS  # define OPENSSL_NO_TESTS  #endif -#ifndef
> > OPENSSL_NO_TLS1_3 -# define OPENSSL_NO_TLS1_3 -#endif  #ifndef
> > OPENSSL_NO_UBSAN  # define OPENSSL_NO_UBSAN  #endif @@ -265,11
> +250,11
> > @@ extern "C" {
> >  #   undef DECLARE_DEPRECATED
> >  #   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> >  #  endif
> > -#elif defined(__SUNPRO_C)
> > -#if (__SUNPRO_C >= 0x5130)
> > -#undef DECLARE_DEPRECATED
> > -#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> > -#endif
> > +# elif defined(__SUNPRO_C)
> > +#  if (__SUNPRO_C >= 0x5130)
> > +#   undef DECLARE_DEPRECATED
> > +#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
> > +#  endif
> >  # endif
> >  #endif
> >
> > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > index d84bde056a..bd3d9cc90f 100644
> > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > @@ -199,6 +199,43 @@
> >    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
> >    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
> >    $(OPENSSL_PATH)/crypto/ebcdic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> > +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
> >    $(OPENSSL_PATH)/crypto/err/err.c
> >    $(OPENSSL_PATH)/crypto/err/err_prn.c
> >    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> > @@ -384,6 +421,10 @@
> >    $(OPENSSL_PATH)/crypto/siphash/siphash.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
> >    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> >    $(OPENSSL_PATH)/crypto/sm3/sm3.c
> >    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> > @@ -496,6 +537,15 @@
> >    $(OPENSSL_PATH)/crypto/conf/conf_local.h
> >    $(OPENSSL_PATH)/crypto/dh/dh_local.h
> >    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
> >    $(OPENSSL_PATH)/crypto/evp/evp_local.h
> >    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
> >    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > index cdeed0d073..38ccf1a5b6 100644
> > --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > @@ -199,6 +199,43 @@
> >    $(OPENSSL_PATH)/crypto/dso/dso_vms.c
> >    $(OPENSSL_PATH)/crypto/dso/dso_win32.c
> >    $(OPENSSL_PATH)/crypto/ebcdic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve25519.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_tables.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/eddsa.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/f_generic.c
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/scalar.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec2_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_ameth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_asn1.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_check.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_curve.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_cvt.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_err.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_key.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_kmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_lib.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_mult.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/ec/ec_print.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_kdf.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdh_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_ossl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_sign.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecdsa_vrf.c
> > +  $(OPENSSL_PATH)/crypto/ec/eck_prn.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_mont.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nist.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp224.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp256.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistp521.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_nistputil.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_oct.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecp_smpl.c
> > +  $(OPENSSL_PATH)/crypto/ec/ecx_meth.c
> >    $(OPENSSL_PATH)/crypto/err/err.c
> >    $(OPENSSL_PATH)/crypto/err/err_prn.c
> >    $(OPENSSL_PATH)/crypto/evp/bio_b64.c
> > @@ -384,6 +421,10 @@
> >    $(OPENSSL_PATH)/crypto/siphash/siphash.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_ameth.c
> >    $(OPENSSL_PATH)/crypto/siphash/siphash_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_crypt.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_err.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_pmeth.c
> > +  $(OPENSSL_PATH)/crypto/sm2/sm2_sign.c
> >    $(OPENSSL_PATH)/crypto/sm3/m_sm3.c
> >    $(OPENSSL_PATH)/crypto/sm3/sm3.c
> >    $(OPENSSL_PATH)/crypto/sm4/sm4.c
> > @@ -496,6 +537,15 @@
> >    $(OPENSSL_PATH)/crypto/conf/conf_local.h
> >    $(OPENSSL_PATH)/crypto/dh/dh_local.h
> >    $(OPENSSL_PATH)/crypto/dso/dso_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/ec_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448_local.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/curve448utils.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/ed448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/field.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/point_448.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/word.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/arch_intrinsics.h
> > +  $(OPENSSL_PATH)/crypto/ec/curve448/arch_32/f_impl.h
> >    $(OPENSSL_PATH)/crypto/evp/evp_local.h
> >    $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
> >    $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
> > diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> > b/CryptoPkg/Library/OpensslLib/process_files.pl
> > index 42bff05fa6..2ebfbbbca0 100755
> > --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> > +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> > @@ -169,7 +169,6 @@ BEGIN {
> >                  "no-dgram",
> >                  "no-dsa",
> >                  "no-dynamic-engine",
> > -                "no-ec",
> >                  "no-ec2m",
> >                  "no-engine",
> >                  "no-err",
> > --
> > 2.17.1


Vineel Kovvuri
 

Hi Folks,

 

We are able to resolve the __ModuleEntryPoint error and was able to run below build configurations locally.

  • Windows_VS2019 - Passed
    • EmulatorPkg_Win_VS2019 - Passed
    • OvmfPkg_Win_VS2019 - Passed
  • Ubuntu_GCC5 - Passed
    • ArmVirtPkg_Ubuntu_GCC5 - Passed
    • EmulatorPkg_Ubuntu_GCC5 - Passed
    • OvmfPkg_Ubuntu_GCC5 – Failed
      • INFO - GenFv: ERROR 3000: Invalid
      • INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

Is it okay to increase the fv image size? If so, I need some guidance on that, as it may affect other projects like QEMU etc. Any inputs here are much appreciated.

 

For Reference: https://github.com/vineelkovvuri/edk2/pull/2

 


Yao, Jiewen
 

Some options for your consideration.

  1. Enlarge OVMF size
    1. I have seen discussion to 8M to 16M, but it seems not concluded.
  2. Remove unnecessary algo in openssl config
    1. Do you really want to enable all those algorithms? Such as SM2? Maybe revisit them again to see if they are really needed. I could see it might break other platform potentially.
    2. Do you have any evaluation of the binary size difference before and after your patch? Please provide the data to help other people make a decision.
  3. Provide 2 profiles – with ECC and without ECC.
    1. As such, we can let platform decide which one it wants to take, if there is significant size difference.
    2. This would be the best way to keep the compatibility.

Thank you

Yao Jiewen

 

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel Kovvuri via groups.io
Sent: Tuesday, November 9, 2021 6:30 AM
To: Vineel Kovvuri <vineel.kovvuri@...>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic curve chipher algorithms

 

Hi Folks,

 

We are able to resolve the __ModuleEntryPoint error and was able to run below build configurations locally.

  • Windows_VS2019 - Passed
    • EmulatorPkg_Win_VS2019 - Passed
    • OvmfPkg_Win_VS2019 - Passed
  • Ubuntu_GCC5 - Passed
    • ArmVirtPkg_Ubuntu_GCC5 - Passed
    • EmulatorPkg_Ubuntu_GCC5 - Passed
    • OvmfPkg_Ubuntu_GCC5 – Failed
      • INFO - GenFv: ERROR 3000: Invalid
      • INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

Is it okay to increase the fv image size if so need some guidance with respected to that as it may effect other projects like QEMU etc. Any inputs here are much appreciated

 

For Reference: https://github.com/vineelkovvuri/edk2/pull/2

 


Gerd Hoffmann
 

Hi,

> * OvmfPkg_Win_VS2019 - Passed
> * OvmfPkg_Ubuntu_GCC5 – Failed
> * INFO - GenFv: ERROR 3000: Invalid
> * INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

Wow. That is a quite significant increase.
Is this the OVMF_IA32X64_FULL_NOOPT build?

That one is disabled on windows already, probably because turning off
compiler optimizations increases the build size too much. We could do
the same for ubuntu as short-term solution. Long-term we probably need
options to build 8M and 16M OVMF binaries.

While being at it: have you by chance also looked at switching tianocore
over to openssl 3.0?

take care,
Gerd


Gerd Hoffmann
 

> 2. Remove unnecessary algo in openssl config
> * Do you really want to enable all those algorithms? Such as SM2? Maybe revisit them again to see if they are really needed. I could see it might break other platform potentially.

Enabling only those algorithms which are actually used by tianocore
certainly makes sense ...

> 3. Provide 2 profiles – with ECC and without ECC.

... and if it gets down the size enough would be better than yet another
compile time option.

take care,
Gerd


Vineel Kovvuri <vineel.kovvuri@...>
 

Hi All,

Sorry, my bad for not providing the details. Below is the build configuration.

Passing: stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 TARGET=NOOPT   -a IA32,X64

Failing: stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 TARGET=NOOPT -a IA32,X64 BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1

The failure is happening while generating DXEFV.FVINFO 
- Generating DXEFV FV
INFO - ##### ['GenFv', '-F', 'FALSE', '-a', '/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/DXEFV.inf', '-o', '/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv', '-i', '/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.inf']
INFO - Return Value = 2
INFO - GenFv: ERROR 3000: Invalid
INFO -   the required fv image size 0xcb2ac0 exceeds the set fv image size 0xc00000

The difference I see without ecc change and with the change is the increase in file sizes for below ffs files,(other .ffs files remained unchanged)

Without ecc change:
794742   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
653470   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1174654  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
872594   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

With ecc change:
1058678  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
917214   /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1470718  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
1134738  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

Below is the size of DXEFV.Fv in successful build(without ecc change)

ubuntu@ubuntuubuntu:~/src/edk2$ ls -l /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv
-rw-rw-r-- 1 ubuntu ubuntu 12582912(0xC00000) Nov  9 19:18 /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/DXEFV.Fv

We haven't looked at porting to OpenSSL 3.0. 

I am wondering, removing existing ciphers might impact other platforms. Could you please suggest any less intrusive options without impacting other platforms.

I am new to EDK and what compile time options are you referring to? Please let me know if any other information is needed from the build.

Thanks in advance,
Vineel


On Tue, Nov 9, 2021 at 12:58 AM Gerd Hoffmann <kraxel@...> wrote:
>   2.  Remove unnecessary algo in openssl config
>      *   Do you really want to enable all those algorithms? Such as SM2? Maybe revisit them again to see if they are really needed. I could see it might break other platform potentially.

Enabling only those algorithms which are actually used by tianocore
certainly makes sense ...

>   3.  Provide 2 profiles – with ECC and without ECC.

... and if it gets down the size enough would be better than yet another
compile time option.

take care,
  Gerd


Gerd Hoffmann
 

Hi,

The difference I see without ecc change and with the change is the increase
in file sizes for below ffs files,(other .ffs files remained unchanged)

Without ecc change:
794742
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
653470
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1174654
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
872594
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs

With ecc change:
1058678
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-88E33EF71DFC.ffs
917214
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-AC64-54F202CD0A21.ffs
1470718
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-74d435052646.ffs
1134738
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-43E3298C2343.ffs
Uh. So each driver which needs openssl has its own copy of the library?

I wasn't aware of that, but yes, given we don't have dynamic linking
this makes sense and also easily explains why we see such a big jump in
size.

> I am wondering, removing existing ciphers might impact other platforms.
> Could you please suggest any less intrusive options without impacting
> other platforms.

I was thinking more about reviewing the ciphers added. Pick the most
commonly used ones instead of just adding them all for example.

I am new to EDK and what compile time options are you referring to? Please
let me know if any other information is needed from the build.
Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.

But I think Jiewen meant something else with "2 profiles":

We could create two OpensslLib variants. One full-featured build with
ecc enabled which TlsDxe could use (assuming better TLS support is your
use case). And one less-featured variant for VariableSmm +
SecureBootConfigDxe + SecurityStubDxe.

That way we have the ecc code only once not four times in the firmware
build. Possibly the less-featured could be stripped down even more when
it doesn't need to support TLS any more.

I'm also wondering why SecurityStubDxe needs OpensslLib ...

take care & HTH,
Gerd


Yao, Jiewen
 

Sorry, I don't mean: one platform uses 2 different configuration.

That might be worse, because we lose the benefit on compression.
Ideally, no matter how many *same* copies you have, the compression algo will handle it and keep only *one* copy. If you have two *different* copies, then the compression may still end up with *two* different copies.
I don't have data. I just feel it might be worse.

I mean two platform can choose 2 different configuration. But eventually, one platform should select one of them consistently, such as using only one CryptoDxe.inf.

In this case, you need carefully remove all unneeded algo.
For example, do you really need SM2 ?
Do you really need EdDSA ?
Do you really need ECX ?

Thank you
Yao Jiewen

-----Original Message-----
From: Gerd Hoffmann <kraxel@redhat.com>
Sent: Thursday, November 11, 2021 9:06 PM
To: Vineel Kovvuri <vineel.kovvuri@gmail.com>
Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>;
vineelko@microsoft.com
Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
curve chipher algorithms

Hi,

The difference I see without ecc change and with the change is the increase
in file sizes for below ffs files,(other .ffs files remained unchanged)

Without ecc change:
794742
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
88E33EF71DFC.ffs
653470
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
AC64-54F202CD0A21.ffs
1174654
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
74d435052646.ffs
872594
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
43E3298C2343.ffs

With ecc change:
1058678
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
88E33EF71DFC.ffs
917214
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
AC64-54F202CD0A21.ffs
1470718
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
74d435052646.ffs
1134738
/home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
43E3298C2343.ffs

Uh. So each driver which needs openssl has its own copy of the library?

I wasn't aware of that, but yes, given we don't have dynamic linking
this makes sense and also easily explains why we see such a big jump in
size.

I am wondering, removing existing ciphers might impact other platforms.
Could you please suggest any less intrusive options without impacting
other platforms.
I was thinking more about reviewing the chipers added. Pick the most
commonly used ones instead of just adding them all for example.

I am new to EDK and what compile time options are you referring to? Please
let me know if any other information is needed from the build.
Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.

But I think Jiewen meant something else with "2 profiles":

We could create two OpensslLib variants. One full-featured build with
ecc enabled which TlsDxe could use (assuming better TLS support is your
use case). And one less-featured variant for VariableSmm +
SecureBootConfigDxe + SecurityStubDxe.

That way we have the ecc code only once not four times in the firmware
build. Possibly the less-featured could be stripped down even more when
it doesn't need to support TLS any more.

I'm also wondering why SecurityStubDxe needs OpensslLib ...

take care & HTH,
Gerd


Vineel Kovvuri <vineel.kovvuri@...>
 

Hi Folks, 

Sorry for the delay in my response. Thanks for the inputs. My bad for not understanding what Jiewen was referring to.
I think he is suggesting removing the unused algorithms within the ECC cipher, not removing already available ciphers.

Totally makes sense but it would involve more testing against each private bios with the narrowed list of algorithms.

+Harshit from Intel for context

Thanks,
Vineel


On Thu, Nov 11, 2021 at 5:26 AM Yao, Jiewen <jiewen.yao@...> wrote:
Sorry, I don't mean: one platform uses 2 different configuration.

That might be worse, because we lose the benefit on compression.
Ideally, no matter how many *same* copies you have, the compression algo will handle it and make only *one* copy. If you have two *different* copies, then compression also may finally make *two* different copy.
I don't have data. I just feel it might be worse.

I mean two platform can choose 2 different configuration. But eventually, one platform should select one of them consistently, such as using only one CryptoDxe.inf.

In this case, you need carefully remove all unneeded algo.
For example, do you really need SM2 ?
Do you really need EdDSA ?
Do you really need ECX ?

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@...>
> Sent: Thursday, November 11, 2021 9:06 PM
> To: Vineel Kovvuri <vineel.kovvuri@...>
> Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@...>;
> vineelko@...
> Subject: Re: [edk2-devel] [PATCH 1/2] Reconfigure OpensslLib to add elliptic
> curve chipher algorithms
>
>   Hi,
>
> > The difference I see without ecc change and with the change is the increase
> > in file sizes for below ffs files,(other .ffs files remained unchanged)
> >
> > Without ecc change:
> > 794742
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
> 7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
> 88E33EF71DFC.ffs
> > 653470
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
> 7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
> AC64-54F202CD0A21.ffs
> > 1174654
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
> 3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
> 74d435052646.ffs
> > 872594
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
> EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
> 43E3298C2343.ffs
> >
> > With ecc change:
> > 1058678
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F80697E9-
> 7FD6-4665-8646-88E33EF71DFCSecurityStubDxe/F80697E9-7FD6-4665-8646-
> 88E33EF71DFC.ffs
> > 917214
> > /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/F0E6A44F-
> 7195-41c3-AC64-54F202CD0A21SecureBootConfigDxe/F0E6A44F-7195-41c3-
> AC64-54F202CD0A21.ffs
> > 1470718
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/3aceb0c0-
> 3c72-11e4-9a56-74d435052646TlsDxe/3aceb0c0-3c72-11e4-9a56-
> 74d435052646.ffs
> > 1134738
> >  /home/ubuntu/src/edk2/Build/Ovmf3264/NOOPT_GCC5/FV/Ffs/23A089B3-
> EED5-4ac5-B2AB-43E3298C2343VariableSmm/23A089B3-EED5-4ac5-B2AB-
> 43E3298C2343.ffs
>
> Uh.  So each driver which needs openssl has its own copy of the library?
>
> I wasn't aware of that, but yes, given we don't have dynamic linking
> this makes sense and also easily explains why we see such a big jump in
> size.
>
> > I am wondering, removing existing ciphers might impact other platforms.
> > Could you please suggest any less intrusive options without impacting
> > other platforms.
>
> I was thinking more about reviewing the chipers added.  Pick the most
> commonly used ones instead of just adding them all for example.
>
> > I am new to EDK and what compile time options are you referring to? Please
> > let me know if any other information is needed from the build.
>
> Compile time option would be a new "-D OPENSSL_ENABLE_ECC" switch.
>
> But I think Jiewen meant something else with "2 profiles":
>
> We could create two OpensslLib variants.  One full-featured build with
> ecc enabled which TlsDxe could use (assuming better TLS support is your
> use case).  And one less-featured variant for VariableSmm +
> SecureBootConfigDxe + SecurityStubDxe.
>
> That way we have the ecc code only once not four times in the firmware
> build.  Possibly the less-featured could be stripped down even more when
> it doesn't need to support TLS any more.
>
> I'm also wondering why SecurityStubDxe needs OpensslLib ...
>
> take care & HTH,
>   Gerd