[OE-core] How to backport openssl to Sumo

Ryan Harkin ryan.harkin at linaro.org
Wed Nov 20 19:06:04 UTC 2019


On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle at kernel.crashing.org>
wrote:

>
>
> On 11/20/19 12:18 PM, Ryan Harkin wrote:
> > Hi all,
> >
> > I'm struggling with backporting OpenSSL to my Sumo build [1], so wondered
> > if anyone else had done something similar with success.
> >
> > I copied "meta/recipes-connectivity/openssl" from Poky master branch [2]
> > into my own layer [3]. It didn't pick up, so I discovered I needed to add
> > a PREFERRED_VERSION, e.g.:
> >
> > +PREFERRED_VERSION_openssl ?= "1.1.%"
> > +PREFERRED_VERSION_openssl-native ?= "1.1.%"
> > +PREFERRED_VERSION_nativesdk-openssl ?= "1.1.%"
> >
> > Now it builds fine. However, I no longer have /usr/bin/openssl in my
> > disk image.
> >
> > It doesn't appear in FILES_${PN}, and adding it to the recipes doesn't
> > seem to make any difference.
> >
> > What am I missing?
> >
> > Thanks,
> > Ryan.
> >
> > [1] I'm looking for CVE fixes, 1.0.2p has a lot of CVEs.
>
> You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to
> update everything that needs OpenSSL to understand the new API.
>

So far, we're only using it in a shell script to sign an image and later
verify the image, so I've assumed, perhaps naively, that the API changes
won't matter...

>
> For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> (1.0.2t) as you go.  (If you have an OSV, this should be part of the
> services that they offer you.)
>
> In my opinion, 1.0.2 will be around for at least another 4-5 years due to
> the number of people actively using it in the world.  Until 1.1/3.0 (won't
> be a 2.0 from what I read) exists and has FIPS-140-2 support available --
> people will continue to use 1.0.2 and maintain it as necessary for security.
>
> As an FYI:  http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
>
> This version is for thud, warrior, zeus and master.  It is intended to be
> maintained until either 1.0.2 is no longer maintainable -- or the
> FIPS-140-2 needs have been met by OpenSSL.
>

Great, that looks like a better option anyway, assuming it has the latest
fixes I need, and doesn't give me the same build problem.  Thanks for
pointing it out. I'll give it a go.

Thanks,
Ryan.


>
> --Mark
>
> > [2] http://git.yoctoproject.org/git/poky
> > I'm at SHA a616ffebdc, so I copied openssl_1.1.1d.bb and all the other
> > files in the directory.
> >
> > [3] I have a clone of Linaro's meta-backports. I'm trying to generate a
> > patch to submit for review there.
> > https://git.linaro.org/openembedded/meta-backports.git
> >
>
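Ryan's use case above (a shell script that signs an image and verifies it later) only exercises the openssl command line, and `openssl dgst -sign` / `openssl dgst -verify` take the same arguments on 1.0.2 and 1.1.x, so the C API break Mark mentions does not reach such a script. The following is an added example, not code from the thread, from Poky or from meta-backports: it generates a throwaway RSA key, signs a constructed image file, verifies it, then appends one byte and confirms that verification now fails. The temp directory, file names and key size are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): image signing and verification using
# only the openssl CLI.  "openssl dgst -sign/-verify" has the same command line
# on OpenSSL 1.0.2 and 1.1.x, so swapping the library version in the build does
# not change this script; only the C API differs between the two series.
set -eu

# Generate a throwaway RSA-2048 signing key pair under directory $1
# (assumed writable).  Key size is an assumption for the example.
make_keys() {
    dir=$1
    openssl genrsa -out "$dir/signing.key" 2048 2>/dev/null
    openssl rsa -in "$dir/signing.key" -pubout -out "$dir/signing.pub" 2>/dev/null
}

# Sign image $1 with private key $2; the detached signature goes to $1.sig.
sign_image() {
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# Verify image $1 against public key $2 and detached signature $1.sig.
# Returns 0 only when the signature matches the current file contents.
verify_image() {
    openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Round trip on a constructed image: sign, verify, tamper, verify again.
# Returns 0 on success, 1 if the untouched image fails to verify,
# 2 if the tampered image still verifies.
demo() {
    dir=$(mktemp -d)
    rc=0
    make_keys "$dir"
    printf 'constructed image payload\n' > "$dir/image.bin"   # constructed input
    sign_image "$dir/image.bin" "$dir/signing.key"
    # The untampered image must verify.
    verify_image "$dir/image.bin" "$dir/signing.pub" || rc=1
    # A single appended byte must make verification fail.
    printf 'x' >> "$dir/image.bin"
    if verify_image "$dir/image.bin" "$dir/signing.pub"; then
        rc=2
    fi
    rm -rf "$dir"
    return $rc
}

demo && echo "sign/verify round trip OK with $(openssl version)"
```

Keep the private key out of the image and the build tree; only `signing.pub` needs to ship on the target, and the verify step should run before anything in the image is trusted.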