[edk2] Pkcs7 crypto verification without openSSL

Ard Biesheuvel ard.biesheuvel at linaro.org
Mon Dec 3 07:26:26 PST 2018

On Mon, 3 Dec 2018 at 13:55, Tomas Pilar (tpilar) <tpilar at solarflare.com> wrote:
> On 03/12/2018 12:40, Ard Biesheuvel wrote:
> > On Wed, 28 Nov 2018 at 18:40, Tomas Pilar (tpilar)
> > <tpilar at solarflare.com> wrote:
> >> Hi,
> >>
> >> Are there any plans for a crypto library that does not pull in openSSL? When I try to add BaseCryptLib to be able to use FmpAuthenticationLib, my driver size balloons significantly (increase of ~0x30000) and it seems like a basic public SHA256 crypto check library should not be _that_ large?
> > Well, I'd expect the code size to come from the asymmetric crypto, not
> > from the SHA256 hash code. Which FmpAuthenticationLib are you using?
> Yes, that makes sense. I am using the FmpAuthenticationLibPkcs7 from SecurityPkg which pulls in BaseCryptLib. I would assume that the linker only links the functions which are referenced so it should not pull in the entire library but I expect some overgeneric helpers might be quite large.

Just the arbitrary precision integer library needed for the modular
exponentiation produces a fair chunk of code.

You can check the .map file in the Build/ directory of your driver
where all the memory is going, but all of the bn_xxx objects are
probably required.
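
The .map check suggested above, as an added example that is not part of the original message or of edk2: a Python sketch that totals the bytes each object file contributes and sums the bn_ objects. It assumes a GNU ld style map (GCC toolchain; MSVC maps are laid out differently), and the sample map, its paths and its sizes are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in GNU ld -Map layout (assumption: GCC toolchain build).
# Paths, symbols and sizes are made up for illustration.
SAMPLE_MAP = """\
Discarded input sections

 .text.BN_print
                0x0000000000000000      0x200 /b/OpensslLib.lib(bn_print.obj)

Linker script and memory map

 .text.BN_mod_exp_mont
                0x0000000000001000      0x9c0 /b/OpensslLib.lib(bn_exp.obj)
 .text.BN_mul   0x00000000000019c0      0x600 /b/OpensslLib.lib(bn_mul.obj)
 .text.bn_sqr_comba8
                0x0000000000001fc0      0x400 /b/OpensslLib.lib(bn_asm.obj)
 .text.SHA256_Update
                0x00000000000023c0      0x180 /b/OpensslLib.lib(sha256.obj)
 .text.DriverEntry
                0x0000000000002540       0x80 /b/MyDriver.lib(Driver.obj)
 .data          0x0000000000003000       0x20 /b/OpensslLib.lib(bn_exp.obj)
"""

# "<address> <size> <archive>(<member>)" at the end of a contribution line.
# Long section names wrap, so the section name may be on the previous line.
CONTRIB = re.compile(r"0x[0-9a-fA-F]+\s+0x([0-9a-fA-F]+)\s+(\S+?)\(([^)]+)\)\s*$")

def sizes_by_object(map_text):
    """Sum the bytes each archive member contributes to the linked image."""
    # Sections dropped by --gc-sections are listed before this marker and
    # must not be counted; with no marker, fall back to the whole text.
    _, marker, body = map_text.partition("Linker script and memory map")
    totals = defaultdict(int)
    for line in (body if marker else map_text).splitlines():
        m = CONTRIB.search(line)
        if m:
            size, archive, member = m.groups()
            totals[(archive.rsplit("/", 1)[-1], member)] += int(size, 16)
    return dict(totals)

def prefix_total(totals, prefix):
    """Total bytes from members whose file name starts with prefix."""
    return sum(n for (_, member), n in totals.items() if member.startswith(prefix))

if __name__ == "__main__":
    totals = sizes_by_object(SAMPLE_MAP)
    for (lib, obj), n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{n:#8x}  {lib}({obj})")
    print(f"bn_* total: {prefix_total(totals, 'bn_'):#x}")
```
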
