Crypto migration to Openssl 3.0.15 #99
Conversation
github-actions
bot
added
language:python
|
@microsoft-github-policy-service agree company="Microsoft" |
DorLevi95
force-pushed
the
user/dorlevi/migrate_to_openssl3
branch
from
23790a8 to
39d40a0
Compare
DorLevi95
changed the title
|
Hi @DorLevi95, since this is a large PR and draft, I haven't reviewed it yet. However, before its final, can you please provide 1) the tests performed and 2) size and performance impact data on a given platform with relevant and generic details about the platform (e.g. whether AES-NI instructions were tested). |
DorLevi95
force-pushed
the
user/dorlevi/migrate_to_openssl3
branch
from
d5d5e54 to
e9bc1e2
Compare
|
@makubacki The OpenSSL update seems to cause significant increase in the binary sizes. @Flickdm is putting some effort to overcome this by merging the binaries. About testing, currently it seems to pass the BaseCryptLib UTs. We are putting more efforts to enhance the UTs and also providing a reporting tool to gain more confidence in the built binaries. |
Submodule name is incorrect and pointing at mu_plus instead of MU.
This commit updates the MU_BASECORE submodule to point to the latest commit. This removes an issue with zeex/subhooks submodule that was causing the build to fail.
Added casting to prevent shift left of 8 bits (equal to size of type). (similar to what's been done in other places, e.g. https://github.com/microsoft/mu_basecore/blob/fabbe775f9c6e375174067ea2df1e50ecb9bad50/MdePkg/Include/Ppi/PciCfg2.h#L29)
…standard build successfully
DorLevi95
force-pushed
the
user/dorlevi/migrate_to_openssl3
branch
from
e9bc1e2 to
81198b0
Compare
|
Rebased on top of release/202405-dev |
|
|
||
| def openssl_configure(openssldir, target, ec = True): | ||
| """ Run openssl Configure script. """ | ||
| cmdline = [ |
There was a problem hiding this comment.
@Flickdm Please take a deep look into these configuration flags.
There is a change in the flags from the previous file - process_files.pl.
For example, not sure about "no-tls1_3".
| 'perl', | ||
| 'Configure', | ||
| '--config=../UefiAsm.conf', | ||
| '--api=1.1.1', |
There was a problem hiding this comment.
@makubacki @kenlautner @Flickdm @inbal2l
Important note here: Although Openssl is updated to 3.0.15, here it configured to keep 1.1.1 API compatibility, in order to not cause any build breaks and keep using existing implementation with the current used openssl APIs.
Changing the above the 3.0 breaks local build
If we want to move to fully shift to Openssl 3 we will need to re-implement a lot of the functionality, probably using EVP_* API and not algorithms specific API (e.g. RSA_, AES_, etc.). Needs more research here.
There was a problem hiding this comment.
There was a problem hiding this comment.
@DorLevi95, thanks for all the work. Have you been tracking the recent changes in edk2/CryptoPkg during this time?
There was a problem hiding this comment.
@makubacki Mainly targeting openssl related PRs around the shift to 3.0.9 and 3.0.15 I found these changes that may be relevant.
tianocore/edk2#6394
tianocore/edk2#6185
tianocore/edk2#5977
The 3rd one is more about AARCH64 support and not functionality, so please share your opinion
Description
<Include a description of the change and why this change was made.>
Change Openssl version from 1.1.1 to 3.0.15
The main reason for the change is Openssl 1.1.1 reached EOL, thus not getting security fixes. OpenSSL 3.0.15 is OpenSSL LTS version.
The changes in this PR are inspired by Edk2 transition, with adaptations to the MU project structure:
tianocore/edk2#4728
tianocore/edk2#6160
Note: The change currently suggests an update to Openssl 3.0.15 but with 1.1.1 API compatibility. Mainly to not cause any breaks by using changed/deprecated APIs
For details on how to complete to complete these options and their meaning refer to CONTRIBUTING.md.
How This Was Tested
<Describe the test(s) that were run to verify the changes.>
Integration Instructions
<Describe how these changes should be integrated. Use N/A if nothing is required.>