Add no-store configuration option for UEFI #9206
Conversation
|
Shouldn't the UEFI target have it disabled by default, then? I.e an added |
|
I imagine more could be added in such an attribute. Is the |
|
Finally, I gotta ask, what else does UEFI not need? PEM? |
How much do you really want to know? :) Intel's EDK2 is the open source implementation of the UEFI core which most of the production UEFI firmware in the world is based on. Its build system is… baroque. I stopped short of trying to beat the OpenSSL Makefiles to work with it. Instead the EDK2 build system runs So yes, there's a bunch of stuff which could be automatically disabled in the UEFI target, but it's also slightly redundant to do so.
The "huge slashing job" was when I went through and made For a lot of things, if they're in standalone C files and not directly referenced from elsewhere, they just drop out of the build completely. Store wasn't like that because parts of it are referenced from elsewhere — it all got pulled in through things like As for PEM does get used for certificates. |
That's surprising, I would have thought that only It sounds like we could do with some refactoring, dividing some files into smaller units. That would be healthy anyway, gods know that we have some units that are way too large and contain way too many things at the same time. |
Yeah, I'm not sure it all got pulled in. I haven't looked at the precise trigger for them attempting to disable the store code, but it's a new directory full of code that they'd prefer to disable. It's also possible that it would have fallen out of the final link but actually failed to build in the first place, if there's (for example) a missing Certainly the hacks on the UEFI build side (in the thread I replied to and added you to Cc) aren't the right way to do it. I think the STORE stuff fits squarely into the category of things that normally would have had Now, it's entirely possible to go overboard and demand that we don't have a single machine instruction in the UEFI build of OpenSSL that isn't actively useful. That would be silly. I think we've settled on a relatively sane middle ground where we disable things that can be reasonably disabled, and live with the rest. Obviously, feedback on that strategy is welcome. Honestly, I was glad that no-stdio already existed when I started trying to clean this stuff up, because then I was only "fixing" it and not trying to persuade you to take that as a new concept. :) |
|
The way I would like store to go, it's as sensible to disable it as it is to disable, say, PEM. |
|
Another way to put it is that it makes sense to disable back ends, it makes less sense to disable the framework... |
|
Makes sense. I'll try an EDK2 build with it included and look at excluding specific back ends, and see what it looks like. Thanks. |
t8m
added
branch: master
We don't need OSSL_STORE in the firmware. Add an option to disable it.
cf. https://www.mail-archive.com/devel@edk2.groups.io/msg01635.html