[OE-core] How to backport openssl to Sumo

Ryan Harkin ryan.harkin at linaro.org
Wed Nov 20 19:44:44 UTC 2019


Hi Andre,

On Wed, 20 Nov 2019 at 19:27, Andre McCurdy <armccurdy at gmail.com> wrote:

> On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle
> <mark.hatle at kernel.crashing.org> wrote:
> > On 11/20/19 1:06 PM, Ryan Harkin wrote:
> > > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle at kernel.crashing.org
> > > <mailto:mark.hatle at kernel.crashing.org>> wrote:
> > >
> > >     You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to update
> > >     everything that needs OpenSSL to understand the new API.
> > >
> > >
> > > So far, we're only using it in a shell script to sign an image and later verify
> > > the image, so I've assumed, perhaps naively, that the API changes won't matter...
> >
> > Correct, but there may be other components of the system that could be using the
> > API that you are unaware of.  On a system as old as Sumo, you will need to take
> > precautions to ensure that ONLY the 1.1x version is being used.  (There may be
> > an openssl10 for compatibility that will need to be blacklisted.)
> >
> > >     For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> > >     (1.0.2t) as you go.  (If you have an OSV, this should be part of the services
> > >     that they offer you.)
> > >
> > >
> > >     In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
> > >     number of people actively using it in the world.  Until 1.1/3.0 (won't be a 2.0
> > >     from what I read) exists and has a FIPS-140-2 support available -- people will
> > >     continue to use 1.0.2 and maintain it as necessary for security.
> > >
> > >     As an FYI: http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> > >
> > >     This version is for thud, warrior, zeus and master.  It is intended to be
> > >     maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
> > >     needs have been met by OpenSSL.
> > >
> > >
> > > Great, that looks like a better option anyway, assuming it has the latest fixes
> > > I need, and doesn't give me the same build problem.  Thanks for pointing it out.
> > > I'll give it a go.
> >
> > It's better to work with the Sumo version for your needs.  I just posted that as
> > an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
> > Project have changed their defaults.
>
> If you want an up to date openssl 1.0.2 recipe which is compatible
> with Sumo, you can find one here:
>
>   https://github.com/armcc/meta-plumewifi
>
> I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
> but it should work for all versions in between (and if it doesn't I'll
> accept patches or try to fix it).
>

Thanks! It looks similar to the tree Mark Hatle pointed out to me. Two
diffs jump out:

- Your repo adds the RPROVIDES for openssl-bin to "Be compatible with the
openssl 1.1.x recipe".
- Mark's repo has two extra patches:
           file://0001-Fix-BN_LLONG-breakage.patch \
           file://0001-Fix-DES_LONG-breakage.patch \

Regards,
Ryan.
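Two practical points come up in the thread: a shell script that only calls the openssl CLI to sign and verify an image is unaffected by the 1.0.2 to 1.1 C API break, and an image must not end up with two libcrypto generations (an openssl10 compatibility package next to 1.1) where some component may still link the old one. The script below is an added example written for this page; it is not code from the thread or from the meta-openssl102 or meta-plumewifi layers. The key file names, the sample image and the rootfs layout it scans are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from the
# meta-openssl102 / meta-plumewifi layers it mentions. Paths, key names and
# the rootfs layout are assumptions chosen for illustration.

# Sign an image with a private key, producing a detached signature.
# Usage: sign_image <private-key.pem> <image> <out.sig>
# 'openssl dgst -sign' has the same CLI in 1.0.2 and 1.1, so a script that
# only does this is unaffected by the 1.0.2 -> 1.1 C API change.
sign_image() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify a detached signature; returns 0 on success, non-zero otherwise.
# Usage: verify_image <public-key.pem> <image> <in.sig>
verify_image() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# List the libcrypto generations shipped in a rootfs and succeed only if
# there is exactly one. Two entries (e.g. libcrypto.so.1.0.0 next to
# libcrypto.so.1.1) means a compatibility package is in the image and some
# component may still link the old, unpatched library.
# Usage: check_single_libcrypto <rootfs-dir>
check_single_libcrypto() {
    # Versioned library files and symlinks, not the bare libcrypto.so
    # development symlink.
    names=$(find "$1" -name 'libcrypto.so.*' 2>/dev/null | sed 's#.*/##' | sort -u)
    count=$(printf '%s\n' "$names" | sed '/^$/d' | wc -l | tr -d ' ')
    printf 'libcrypto generations under %s: %s\n' "$1" "$(printf '%s' "$names" | tr '\n' ' ')"
    [ "$count" -eq 1 ]
}

# End-to-end demonstration on a constructed image and a throwaway key pair.
# Returns 0 only if the good signature verifies and a tampered image fails.
demo_sign_verify() {
    work=$(mktemp -d) || return 1
    # Constructed sample "image"; any file works.
    printf 'constructed image payload\n' > "$work/image.bin"
    openssl genpkey -algorithm RSA -out "$work/key.pem" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null || return 1
    openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.pem" || return 1
    sign_image "$work/key.pem" "$work/image.bin" "$work/image.sig" || return 1
    verify_image "$work/pub.pem" "$work/image.bin" "$work/image.sig" || return 1
    # Append one byte to the image; verification must now fail.
    printf 'X' >> "$work/image.bin"
    if verify_image "$work/pub.pem" "$work/image.bin" "$work/image.sig"; then
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
    return 0
}

# Run the demonstration only when invoked as "./sign-check.sh demo".
if [ "${1:-}" = "demo" ]; then
    demo_sign_verify && echo "sign/verify OK"
fi
```

Run `check_single_libcrypto` against the unpacked rootfs of a build (the directory that holds `lib` and `usr/lib`) after adding a backported openssl recipe; if it lists more than one generation, something in the image still pulls in the other library and needs the blacklisting the thread describes. The `demo` invocation needs a working `openssl` on the host.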