[OE-core] How to backport openssl to Sumo

Andre McCurdy armccurdy at gmail.com
Wed Nov 20 19:57:30 UTC 2019


On Wed, Nov 20, 2019 at 11:44 AM Ryan Harkin <ryan.harkin at linaro.org> wrote:
>
> Hi Andre,
>
> On Wed, 20 Nov 2019 at 19:27, Andre McCurdy <armccurdy at gmail.com> wrote:
>>
>> On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle
>> <mark.hatle at kernel.crashing.org> wrote:
>> > On 11/20/19 1:06 PM, Ryan Harkin wrote:
>> > > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle at kernel.crashing.org> wrote:
>> > >
>> > >     You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to update
>> > >     everything that needs OpenSSL to understand the new API.
>> > >
>> > >
>> > > So far, we're only using it in a shell script to sign an image and later verify
>> > > the image, so I've assumed, perhaps naively, that the API changes won't matter...
>> >
>> > Correct, but there may be other components of the system that could be using the
>> > API that you are unaware of.  On a system as old as Sumo, you will need to take
>> > precautions to ensure that ONLY the 1.1x version is being used.  (There may be
>> > an openssl10 for compatibility that will need to be blacklisted.)
>> >
>> > >     For CVE fixes, typically you would patch 1.0.2p, or update to the latest
>> > >     (1.0.2t) as you go.  (If you have an OSV, this should be part of the services
>> > >     that they offer you.)
>> > >
>> > >
>> > >     In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
>> > >     number of people actively using it in the world.  Until 1.1/3.0 (won't be a 2.0
>> > >     from what I read) exists and has a FIPS-140-2 support available -- people will
>> > >     continue to use 1.0.2 and maintain it as necessary for security.
>> > >
>> > >     As an FYI:  http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
>> > >
>> > >     This version is for thud, warrior, zeus and master.  It is intended to be
>> > >     maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
>> > >     needs have been met by OpenSSL.
>> > >
>> > >
>> > > Great, that looks like a better option anyway, assuming it has the latest fixes
>> > > I need, and doesn't give me the same build problem.  Thanks for pointing it out.
>> > > I'll give it a go.
>> >
>> > It's better to work with the Sumo version for your needs.  I just posted that as
>> > an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
>> > Project have changed their defaults.
>>
>> If you want an up to date openssl 1.0.2 recipe which is compatible
>> with Sumo, you can find one here:
>>
>>   https://github.com/armcc/meta-plumewifi
>>
>> I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
>> but it should work for all versions in between (and if it doesn't I'll
>> accept patches or try to fix it).
>
>
> Thanks! It looks similar to the tree Mark Hatle pointed out to me. Two diffs jump out:
>
> - Your repo adds the RPROVIDES for openssl-bin to "Be compatible with the openssl 1.1.x recipe".

Yes. Makes the transition between 1.0.2 and 1.1.x a little easier.

> - Mark's repo has two extra patches:
>            file://0001-Fix-BN_LLONG-breakage.patch \
>            file://0001-Fix-DES_LONG-breakage.patch \

Those patches are in my repo too - but only in the master-next branch.
They are not required for Sumo. (Since some might regard those patches
as a little "dubious", I don't pull them in unless they're necessary).

> Regards,
> Ryan.
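Ryan's use case above is signing an image and verifying it from a shell script, which only touches the openssl command-line tool, not libcrypto's C API. The following is an added example (not code from this thread, from meta-plumewifi or from meta-openssl102) of such a flow with a detached RSA/SHA-256 signature; it assumes an `openssl` binary and `mktemp` are on PATH. The `genpkey`, `pkey` and `dgst` subcommands behave the same on 1.0.2, 1.1.x and 3.x, which is why the 1.0.2 -> 1.1 API break does not affect a script like this:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: sign an image file with a
# detached signature and verify it using only the openssl CLI. The
# subcommands used (genpkey, pkey, dgst) exist with these options on
# OpenSSL 1.0.2, 1.1.x and 3.x. Assumes `openssl` and `mktemp` are on PATH.
set -e

# Generate an RSA-2048 key pair in DIR: priv.pem (signing key, keep it off the
# device) and pub.pem (the verification key that ships in the image).
gen_keys() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem"
}

# Write a detached SHA-256/RSA signature SIG over IMAGE using key PRIV.
sign_image() {
    priv=$1; image=$2; sig=$3
    openssl dgst -sha256 -sign "$priv" -out "$sig" "$image"
}

# Verify SIG over IMAGE with public key PUB. Exits 0 on success and non-zero
# on any mismatch (openssl prints "Verification Failure"), so it can be used
# directly as an `if` condition.
verify_image() {
    pub=$1; image=$2; sig=$3
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$image" >/dev/null 2>&1
}

# Stand-alone demo on a constructed image file: sign, verify, then show that
# appending a single byte makes verification fail.
demo() {
    work=$(mktemp -d)
    gen_keys "$work"
    printf 'constructed image payload, not a real firmware image\n' > "$work/image.bin"
    sign_image "$work/priv.pem" "$work/image.bin" "$work/image.sig"
    if verify_image "$work/pub.pem" "$work/image.bin" "$work/image.sig"; then
        echo "original image: signature OK"
    fi
    printf 'x' >> "$work/image.bin"
    if verify_image "$work/pub.pem" "$work/image.bin" "$work/image.sig"; then
        echo "tampered image: signature unexpectedly accepted"
        rm -rf "$work"
        exit 1
    else
        echo "tampered image: signature rejected"
    fi
    rm -rf "$work"
}

demo
```

Mark's caveat still applies to the binary itself: on a rootfs that carries both an openssl 1.0.2 and a 1.1.x package, `openssl version` in the script tells you which CLI you are actually running, and the verification key format and `dgst` options above are accepted by either.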

