[OE-core] How to backport openssl to Sumo
Ryan Harkin
ryan.harkin at linaro.org
Wed Nov 20 21:29:29 UTC 2019
On Wed, 20 Nov 2019 at 19:09, Mark Hatle <mark.hatle at kernel.crashing.org> wrote:
>
>
> On 11/20/19 1:06 PM, Ryan Harkin wrote:
> >
> >
> > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle at kernel.crashing.org> wrote:
> >
> >
> >
> > On 11/20/19 12:18 PM, Ryan Harkin wrote:
> > > Hi all,
> > >
> > > I'm struggling with backporting OpenSSL to my Sumo build [1], so wondered if
> > > anyone else had done something similar with success.
> > >
> > > I copied "meta/recipes-connectivity/openssl" from Poky master branch [2] into my
> > > own layer [3]. It didn't pick up, so I discovered I needed to add
> > > a PREFERRED_VERSION, eg:
> > >
> > > +PREFERRED_VERSION_openssl ?= "1.1.%"
> > > +PREFERRED_VERSION_openssl-native ?= "1.1.%"
> > > +PREFERRED_VERSION_nativesdk-openssl ?= "1.1.%"
> > >
> > > Now it builds fine. However, I no longer have /usr/bin/openssl in my disk image.
> > >
> > > It doesn't appear in FILES_${PN}, and adding it to the recipes doesn't seem to
> > > make any difference.
> > >
> > > What am I missing?
> > >
> > > Thanks,
> > > Ryan.
> > >
> > > [1] I'm looking for CVE fixes, 1.0.2p has a lot of CVEs.
> >
> > You know that 1.0.2 and 1.1 APIs are not compatible? So you will need to update
> > everything that needs OpenSSL to understand the new API.
> >
> >
> > So far, we're only using it in a shell script to sign an image and later verify
> > the image, so I've assumed, perhaps naively, that the API changes won't matter...
>
> Correct, but there may be other components of the system that could be using the
> API that you are unaware of. On a system as old as Sumo, you will need to take
> precautions to ensure that ONLY the 1.1x version is being used. (There may be
> an openssl10 for compatibility that will need to be blacklisted.)
>
Good point. I'll check on it once I get it to work.
>
> >
> > For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> > (1.0.2t) as you go. (If you have an OSV, this should be part of the services
> > that they offer you.)
> >
> >
> > In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
> > number of people actively using it in the world. Until 1.1/3.0 (won't be a 2.0
> > from what I read) exists and has FIPS-140-2 support available -- people will
> > continue to use 1.0.2 and maintain it as necessary for security.
> >
> > As an FYI: http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> >
> > This version is for thud, warrior, zeus and master. It is intended to be
> > maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
> > needs have been met by OpenSSL.
> >
> >
> > Great, that looks like a better option anyway, assuming it has the latest fixes
> > I need, and doesn't give me the same build problem. Thanks for pointing it out.
> > I'll give it a go.
>
> It's better to work with the Sumo version for your needs. I just posted that as
> an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
> Project have changed their defaults.
>
I pulled the whole openssl dir from your repo, added the layer.conf changes
to my layer.conf and rebuilt openssl and my image.

Unfortunately, I still have no /usr/bin/openssl in my disk image. So I've
added the RPROVIDES from Andre's in a vain attempt to get it to work:

RPROVIDES_${PN} += "openssl-bin"

... although I'm not hopeful it'll do the trick...
> --Mark
>
> > Thanks,
> > Ryan.
> >
> >
> >
> > --Mark
> >
> > > [2] http://git.yoctoproject.org/git/poky
> > > I'm at SHA a616ffebdc, so I copied openssl_1.1.1d.bb
> > > and all the other files in the directory.
> > >
> > > [3] I have a clone of Linaro's meta-backports. I'm trying to generate a
> > > patch to submit for review there.
> > > https://git.linaro.org/openembedded/meta-backports.git
> > >
> >
>
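The image sign-and-verify step Ryan describes above, written out as an added example (this is not code from the thread, from Linaro's meta-backports, or from meta-openssl102). It deliberately uses only openssl(1) subcommands that exist in both 1.0.2 and 1.1.1 (genpkey, pkey, dgst -sign/-verify), so the script is indifferent to which version the backport installs; the key size, file names and image payload are assumptions, and the "image" is a constructed stand-in.

```shell
#!/bin/sh
# Added example, not code from the thread: sign a disk image and verify it
# using only openssl(1) subcommands present in both 1.0.2 and 1.1.1, so the
# script behaves the same whichever version the backport installs.
# Key size, file names and the image payload are assumptions.
set -eu

# sign_image IMAGE PRIVKEY SIGFILE
# Writes an RSA signature over SHA-256(IMAGE) to SIGFILE.
sign_image() {
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# verify_image IMAGE PUBKEY SIGFILE
# Exit status 0 only if SIGFILE is a valid signature of IMAGE under PUBKEY.
verify_image() {
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# demo_sign_verify
# Returns 0 only if a genuine image verifies AND a tampered copy is rejected.
# The second check is the one that matters: a verifier that accepts anything
# is indistinguishable from a working one on the happy path.
demo_sign_verify() {
    tmp=$(mktemp -d)
    # constructed stand-in for the disk image
    printf 'constructed image payload\n' > "$tmp/image.bin"
    # throwaway 2048-bit RSA key pair; a real signing key stays off the build host
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/priv.pem" 2>/dev/null
    openssl pkey -in "$tmp/priv.pem" -pubout -out "$tmp/pub.pem"

    sign_image "$tmp/image.bin" "$tmp/priv.pem" "$tmp/image.sig"

    genuine=1
    tampered=1
    if verify_image "$tmp/image.bin" "$tmp/pub.pem" "$tmp/image.sig"; then
        genuine=0
    fi
    # tamper: append one byte after signing, so the digest no longer matches
    printf 'X' >> "$tmp/image.bin"
    if verify_image "$tmp/image.bin" "$tmp/pub.pem" "$tmp/image.sig"; then
        tampered=0
    fi
    rm -rf "$tmp"
    [ "$genuine" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

On the target, `openssl version` shows which build the script actually picks up, which is the quick check for Mark's point about a 1.0.2 compatibility package lingering next to 1.1. In the build environment, `oe-pkgdata-util find-path /usr/bin/openssl` (an oe-core script) reports which package the recipe put the binary into, which is the first thing to look at when the file is absent from the image.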