[OE-core] How to backport openssl to Sumo
Andre McCurdy
armccurdy at gmail.com
Wed Nov 20 19:57:30 UTC 2019
On Wed, Nov 20, 2019 at 11:44 AM Ryan Harkin <ryan.harkin at linaro.org> wrote:
>
> Hi Andre,
>
> On Wed, 20 Nov 2019 at 19:27, Andre McCurdy <armccurdy at gmail.com> wrote:
>>
>> On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle
>> <mark.hatle at kernel.crashing.org> wrote:
>> > On 11/20/19 1:06 PM, Ryan Harkin wrote:
>> > > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle at kernel.crashing.org> wrote:
>> > >
>> > > You know that 1.0.2 and 1.1 APIs are not compatible? So you will need to update
>> > > everything that needs OpenSSL to understand the new API.
>> > >
>> > >
>> > > So far, we're only using it in a shell script to sign an image and later verify
>> > > the image, so I've assumed, perhaps naively, that the API changes won't matter...
>> >
>> > Correct, but there may be other components of the system that could be using the
>> > API that you are unaware of. On a system as old as Sumo, you will need to take
>> > precautions to ensure that ONLY the 1.1x version is being used. (There may be
>> > an openssl10 for compatibility that will need to be blacklisted.)
>> >
>> > > For CVE fixes, typically you would patch 1.0.2p, or update to the latest
>> > > (1.0.2t) as you go. (If you have an OSV, this should be part of the services
>> > > that they offer you.)
>> > >
>> > >
>> > > In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
>> > > number of people actively using it in the world. Until 1.1/3.0 (won't be a 2.0
>> > > from what I read) exists and has a FIPS-140-2 support available -- people will
>> > > continue to use 1.0.2 and maintain it as necessary for security.
>> > >
>> > > As an FYI: http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
>> > >
>> > > This version is for thud, warrior, zeus and master. It is intended to be
>> > > maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
>> > > needs have been met by OpenSSL.
>> > >
>> > >
>> > > Great, that looks like a better option anyway, assuming it has the latest fixes
>> > > I need, and doesn't give me the same build problem. Thanks for pointing it out.
>> > > I'll give it a go.
>> >
>> > It's better to work with the Sumo version for your needs. I just posted that as
>> > an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
>> > Project have changed their defaults.
>>
>> If you want an up to date openssl 1.0.2 recipe which is compatible
>> with Sumo, you can find one here:
>>
>> https://github.com/armcc/meta-plumewifi
>>
>> I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
>> but it should work for all versions in between (and if it doesn't I'll
>> accept patches or try to fix it).
>
>
> Thanks! It looks similar to the tree Mark Hatle pointed out to me. Two diffs jump out:
>
> - Your repo adds the RPROVIDES for openssl-bin to "Be compatible with the openssl 1.1.x recipe".
Yes. Makes the transition between 1.0.2 and 1.1.x a little easier.
> - Mark's repo has two extra patches:
> file://0001-Fix-BN_LLONG-breakage.patch \
> file://0001-Fix-DES_LONG-breakage.patch \
Those patches are in my repo too - but only in the master-next branch.
They are not required for Sumo. (Since some might regard those patches
as a little "dubious" I don't pull them in unless they're necessary).
> Regards,
> Ryan.
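The use Ryan describes above, signing an image from a shell script and verifying it later, only touches the openssl command-line tool, which is why the 1.0.2/1.1 library API break does not reach it. The script below is an added example, not code from the thread or from either of the repositories mentioned; it assumes an `openssl` binary on PATH and uses constructed key and image files in a temporary directory:

```sh
#!/bin/sh
# Added example (not from the thread): sign an image with an RSA private key
# and verify it later using only the openssl CLI. The same invocations work
# on openssl 1.0.2 and 1.1.x, so a shell-script user is insulated from the
# library API change discussed in the thread.
set -eu

# Generate a signing key pair into $1 (constructed for the demo; a real
# build would keep the private key off the target rootfs).
make_keys() {
  openssl genrsa -out "$1/sign.key" 2048 2>/dev/null
  openssl rsa -in "$1/sign.key" -pubout -out "$1/sign.pub" 2>/dev/null
}

# sign_image <image> <private key> <signature out>
sign_image() {
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# verify_image <image> <public key> <signature>; exit status 0 only when the
# signature matches the image byte for byte.
verify_image() {
  openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

demo() {
  # Show which openssl actually ended up on the system; this is the quick
  # check behind the advice to make sure only one version is installed.
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH" >&2
    return 0
  fi
  openssl version

  tmp=$(mktemp -d)
  make_keys "$tmp"
  printf 'constructed image payload\n' > "$tmp/image.bin"
  sign_image "$tmp/image.bin" "$tmp/sign.key" "$tmp/image.sig"

  if verify_image "$tmp/image.bin" "$tmp/sign.pub" "$tmp/image.sig"; then
    echo "pristine image: signature OK"
  fi

  # Simulate a modified image: a single appended byte must be rejected.
  printf 'x' >> "$tmp/image.bin"
  if verify_image "$tmp/image.bin" "$tmp/sign.pub" "$tmp/image.sig"; then
    echo "unexpected: tampered image verified" >&2
  else
    echo "tampered image: signature rejected"
  fi
  rm -rf "$tmp"
}

demo
```

`openssl dgst -sign` and `-verify` are unchanged across 1.0.2 and 1.1.x, so the script runs the same whichever recipe ends up providing `openssl-bin`; the `openssl version` line at the start makes it obvious which one is actually installed.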