[ipxe-devel] Using a modern TLS library

Michael Brown mcb30 at ipxe.org
Tue Jul 2 06:42:51 UTC 2019

On 02/07/2019 04:59, Demi M. Obenour wrote:> I am in no position to send 
patches right now, not least because I have
> no ability to test them unless I can do so entirely in QEMU.

You can do so entirely in Linux userspace, no need for even a VM.

>> Now since iPXE runs in a limited environment, do measure the footprint
>> it takes up,
>> Most constraining environment is pcbios mode.
>> And are still struggling with .rom builds that must fit in 64KiB flash chips.
>> So make sure to test those scenarios properly.
> One option would be to compress the code using a slow but efficient
> compression algorithm.

It's already compressed using xz.

> * Very small code size (<=25kB last I checked).

A quick test compile shows that the whole BearSSL codebase is around 
700kB.  What can actually fit in that quoted 25kB "minimal" build?

There are multiple missing features in BearSSL that you would need to 
reimplement, the most obvious of which are that BearSSL does not support 
entropy generation, code signature verification, or X.509 certificate 
revocation checks.


More information about the ipxe-devel mailing list