[OE-core] How to backport openssl to Sumo

Ryan Harkin ryan.harkin at linaro.org
Wed Nov 20 21:29:29 UTC 2019


On Wed, 20 Nov 2019 at 19:09, Mark Hatle <mark.hatle at kernel.crashing.org> wrote:

>
>
> On 11/20/19 1:06 PM, Ryan Harkin wrote:
> >
> >
> > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle at kernel.crashing.org> wrote:
> >
> >
> >
> >     On 11/20/19 12:18 PM, Ryan Harkin wrote:
> >     > Hi all,
> >     >
> >     > I'm struggling with backporting OpenSSL to my Sumo build [1], so
> >     > wondered if anyone else had done something similar with success.
> >     >
> >     > I copied "meta/recipes-connectivity/openssl" from Poky master branch [2]
> >     > into my own layer [3]. It didn't pick up, so I discovered I needed to add
> >     > a PREFERRED_VERSION, e.g.:
> >     >
> >     > +PREFERRED_VERSION_openssl ?= "1.1.%"
> >     > +PREFERRED_VERSION_openssl-native ?= "1.1.%"
> >     > +PREFERRED_VERSION_nativesdk-openssl ?= "1.1.%"
> >     >
> >     > Now it builds fine. However, I no longer have /usr/bin/openssl in my
> >     > disk image.
> >     >
> >     > It doesn't appear in FILES_${PN}, and adding it to the recipes doesn't
> >     > seem to make any difference.
> >     >
> >     > What am I missing?
> >     >
> >     > Thanks,
> >     > Ryan.
> >     >
> >     > [1] I'm looking for CVE fixes, 1.0.2p has a lot of CVEs.
> >
> >     You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to
> >     update everything that needs OpenSSL to understand the new API.
> >
> >
> > So far, we're only using it in a shell script to sign an image and later
> > verify the image, so I've assumed, perhaps naively, that the API changes
> > won't matter...
>
> Correct, but there may be other components of the system that could be
> using the API that you are unaware of.  On a system as old as Sumo, you will
> need to take precautions to ensure that ONLY the 1.1x version is being used.
> (There may be an openssl10 for compatibility that will need to be blacklisted.)
>

Good point. I'll check on it once I get it to work.


>
> >
> >     For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> >     (1.0.2t) as you go.  (If you have an OSV, this should be part of the
> >     services that they offer you.)
> >
> >
> >     In my opinion, 1.0.2 will be around for at least another 4-5 years due
> >     to the number of people actively using it in the world.  Until 1.1/3.0
> >     (won't be a 2.0 from what I read) exists and has a FIPS-140-2 support
> >     available -- people will continue to use 1.0.2 and maintain it as
> >     necessary for security.
> >
> >     As an FYI: http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> >
> >     This version is for thud, warrior, zeus and master.  It is intended to be
> >     maintained until either 1.0.2 is no longer maintainable -- or the
> >     FIPS-140-2 needs have been met by OpenSSL.
> >
> >
> > Great, that looks like a better option anyway, assuming it has the latest
> > fixes I need, and doesn't give me the same build problem.  Thanks for
> > pointing it out. I'll give it a go.
>
> It's better to work with the Sumo version for your needs.  I just posted
> that as an example of openssl 1.0.2 being needed still by others, even as
> oe-core/Yocto Project have changed their defaults.
>

I pulled the whole openssl dir from your repo, added the layer.conf changes
to my layer.conf and rebuilt openssl and my image.

Unfortunately, I still have no /usr/bin/openssl in my disk image. So I've
added the RPROVIDES from Andre's in a vain attempt to get it to work:

RPROVIDES_${PN} += "openssl-bin"

... although I'm not hopeful it'll do the trick...


> --Mark
>
> > Thanks,
> > Ryan.
> >
> >
> >
> >     --Mark
> >
> >     > [2] http://git.yoctoproject.org/git/poky
> >     > I'm at SHA a616ffebdc, so I copied openssl_1.1.1d.bb
> >     > and all the other files in the directory.
> >     >
> >     > [3] I have a clone of Linaro's meta-backports. I'm trying to generate a
> >     > patch to submit for review there.
> >     > https://git.linaro.org/openembedded/meta-backports.git
> >     >
> >
>
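As an added example that is not part of the thread or of any recipe it mentions: a POSIX shell audit of an image's rootfs file list for the two things discussed above, whether /usr/bin/openssl made it into the image and whether only one OpenSSL series' libssl/libcrypto is present. Reading the list from a tar listing, and using the soname suffix to tell 1.0.2 from 1.1, are this example's assumptions; the sample paths are constructed.

```shell
#!/bin/sh
# Added example (not code from this thread or from any recipe it mentions): audit a
# rootfs file list, e.g. `tar -tf <image>.rootfs.tar` with the leading "./" stripped,
# for the two points raised above: (1) is /usr/bin/openssl in the image at all, and
# (2) does only ONE OpenSSL series provide libssl/libcrypto, detected by soname
# suffix (1.0.2 ships *.so.1.0.0, 1.1.x ships *.so.1.1). Paths below are constructed.
SAMPLE_ROOTFS_LIST='usr/bin/busybox
usr/lib/libssl.so.1.1
usr/lib/libcrypto.so.1.1
usr/lib/libssl.so.1.0.0
usr/lib/libcrypto.so.1.0.0
etc/ssl/openssl.cnf'

# Print the distinct libssl/libcrypto soname suffixes found in the list on stdin.
openssl_lib_series() {
    grep -E '/lib(ssl|crypto)\.so\.[0-9.]+$' | sed 's#.*\.so\.##' | sort -u
}

# Succeed only if the OpenSSL command-line tool is in the list on stdin.
has_openssl_cli() {
    grep -qx 'usr/bin/openssl'
}

# Succeed only if exactly one OpenSSL series is present (none, or a 1.0.2/1.1 mix, fails).
single_openssl_series() {
    n=$(openssl_lib_series | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Run both checks over the list on stdin, report, and return 1 if either fails.
audit_rootfs_list() {
    list=$(cat)
    rc=0
    if printf '%s\n' "$list" | has_openssl_cli; then
        echo "ok: /usr/bin/openssl is in the image"
    else
        echo "missing: /usr/bin/openssl (check which package the recipe puts it in)"
        rc=1
    fi
    if printf '%s\n' "$list" | single_openssl_series; then
        echo "ok: single OpenSSL series: $(printf '%s\n' "$list" | openssl_lib_series)"
    else
        echo "mixed or absent OpenSSL libraries: $(printf '%s\n' "$list" | openssl_lib_series | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Demo run over the constructed sample, which is deliberately mixed and has no CLI.
printf '%s\n' "$SAMPLE_ROOTFS_LIST" | audit_rootfs_list || echo "audit failed for sample list"
```

Pipe a real listing in the same way (`tar -tf <image>.rootfs.tar | sed 's#^\./##' | audit_rootfs_list`) to check a built image.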