Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crypto migration to Openssl 3.0.15 #99

Draft
wants to merge 22 commits into
base: release/202311
Choose a base branch
from
Draft

Crypto migration to Openssl 3.0.15 #99

wants to merge 22 commits into from
+211,265 −41,676

Conversation

DorLevi95
Copy link

@DorLevi95 DorLevi95 commented Aug 26, 2024
edited
Loading

Description

<Include a description of the change and why this change was made.>
Change Openssl version from 1.1.1 to 3.0.15
The main reason for the change is Openssl 1.1.1 reached EOL, thus not getting security fixes. OpenSSL 3.0.15 is OpenSSL LTS version.
The changes in this PR are inspired by Edk2 transition, with adaptations to the MU project structure:
tianocore/edk2#4728
tianocore/edk2#6160

For details on how to complete to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

<Describe the test(s) that were run to verify the changes.>

Integration Instructions

<Describe how these changes should be integrated. Use N/A if nothing is required.>

@github-actions github-actions bot added language:python Pull requests that update Python code impact:non-functional Does not have a functional impact labels Aug 26, 2024
@DorLevi95
Copy link
Author

@microsoft-github-policy-service agree company="Microsoft"

@github-actions github-actions bot added the impact:security Has a security impact label Aug 26, 2024
@DorLevi95 DorLevi95 force-pushed the user/dorlevi/migrate_to_openssl3 branch from 23790a8 to 39d40a0 Compare August 26, 2024 16:44
@DorLevi95 DorLevi95 changed the title Crypto migration to Openssl 3.0.9 Crypto migration to Openssl 3.0.15 Jan 6, 2025
@makubacki
Copy link
Member

Hi @DorLevi95, since this is a large PR and draft, I haven't reviewed it yet. However, before its final, can you please provide 1) the tests performed and 2) size and performance impact data on a given platform with relevant and generic details about the platform (e.g. whether AES-NI instructions were tested).

DorLevi95 and others added 18 commits January 7, 2025 12:30
@DorLevi95
change to howto.txt
8eba191
@DorLevi95
update submodule to openssl-3.0.9
833f0dc
@DorLevi95
add openssl3 configure scripts
2a4fcac
@DorLevi95
cleanup openssl1.1.1 generated files and code
3cce3d0
@DorLevi95
update openssl*.inf files for openssl 3.0
2c1e028
@DorLevi95
update uefiasm.conf
799874c
@DorLevi95
adapt CryptSm3 to openssl 3.0
39e4fd3
@DorLevi95
remove openssl deprecation warnings
57c368e
@DorLevi95
remove BIO_* dummy functions
5566108
@DorLevi95
ERR_GET_FUNC is gone
415d547
@DorLevi95
more openssl 3.0 adaptation + add stub folder
5edc545
@DorLevi95
add implemention of _ftol2_sse() to avoid build error
0db8ea2
@DorLevi95
add more dummy implementation of openssl
4d460f7
@DorLevi95
add UEFI provider
785c441
@DorLevi95
run configure.py to update generated files -> X64 STANDARD build succ…
5d8512a 
…essful
@DorLevi95
Add instrinsics to support building openssl3 on IA32 windows -> IA32 …
245220e 
…standard build successfully
@DorLevi95
add missing gcc instructions for IA32 build
99eec06
@DorLevi95
Enable memcpy sys call in RISCV64 build
3f3f26b
@DorLevi95 DorLevi95 force-pushed the user/dorlevi/migrate_to_openssl3 branch from d5d5e54 to e9bc1e2 Compare January 7, 2025 11:16
@DorLevi95 DorLevi95 closed this Jan 8, 2025
@DorLevi95 DorLevi95 reopened this Jan 8, 2025
@DorLevi95
Copy link
Author

DorLevi95 commented Jan 8, 2025
edited
Loading

@makubacki The OpenSSL update seems to cause significant increase in the binary sizes.
For example, STANDARD_DEBUG binaries (local build):
Before --> After
CryptoDxe.efi - 1012.50 KB --> 1347KB
CryptoPei.efi - 556.00 KB --> 876KB
CryptoRuntimeDxe.efi - 792.50 KB --> 1087KB
CryptoSmm.efi - 534.00 KB --> 853KB
CryptoStandaloneMm.efi - 534.50 KB --> 856KB

@Flickdm is putting some effort to overcome this by merging the binaries.

About testing, currently it seems to pass the BaseCryptLib UTs. We are putting more efforts to enhance the UTs and also providing a reporting tool to gain more confidence in the built binaries.
We can have more robust tests to apply once we'll have all the pre-requirements described above, checked with the OpenSSL update.

@makubacki makubacki mentioned this pull request Jan 8, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kenlautner kenlautner Awaiting requested review from kenlautner

@makubacki makubacki Awaiting requested review from makubacki

@spbrogan spbrogan Awaiting requested review from spbrogan

@Flickdm Flickdm Awaiting requested review from Flickdm

At least 2 approving reviews are required to merge this pull request.

Assignees

@DorLevi95 DorLevi95

Labels
impact:non-functional Does not have a functional impact impact:security Has a security impact language:python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@DorLevi95 @makubacki