[ipxe-devel] Using a modern TLS library
Michael Brown
mcb30 at ipxe.org
Tue Jul 2 06:42:51 UTC 2019
On 02/07/2019 04:59, Demi M. Obenour wrote:
> I am in no position to send patches right now, not least because I have
> no ability to test them unless I can do so entirely in QEMU.
You can do so entirely in Linux userspace, no need for even a VM.
>> Now since iPXE runs in a limited environment, do measure the footprint
>> it takes up,
>> Most constraining environment is pcbios mode.
>> And are still struggling with .rom builds that must fit in 64KiB flash chips.
>> So make sure to test those scenarios properly.
>
> One option would be to compress the code using a slow but efficient
> compression algorithm.
It's already compressed using xz.
> * Very small code size (<=25kB last I checked).
A quick test compile shows that the whole BearSSL codebase is around
700kB. What can actually fit in that quoted 25kB "minimal" build?
There are multiple missing features in BearSSL that you would need to
reimplement, the most obvious of which are that BearSSL does not support
entropy generation, code signature verification, or X.509 certificate
revocation checks.
Michael