[OE-core] How to backport openssl to Sumo

Ryan Harkin ryan.harkin at linaro.org
Wed Nov 20 22:41:28 UTC 2019


On Wed, 20 Nov 2019 at 21:29, Ryan Harkin <ryan.harkin at linaro.org> wrote:

>
>
> On Wed, 20 Nov 2019 at 19:09, Mark Hatle <mark.hatle at kernel.crashing.org>
> wrote:
>
>>
>>
>> On 11/20/19 1:06 PM, Ryan Harkin wrote:
>> >
>> >
>> > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle at kernel.crashing.org> wrote:
>> >
>> >
>> >
>> >     On 11/20/19 12:18 PM, Ryan Harkin wrote:
>> >     > Hi all,
>> >     >
>> >     > I'm struggling with backporting OpenSSL to my Sumo build [1], so
>> wondered if
>> >     > anyone else had done something similar with success.
>> >     >
>> >     > I copied "meta/recipes-connectivity/openssl" from Poky master
>> branch [2]
>> >     into my
>> >     > own layer [3]. It didn't pick up, so I discovered I needed to add
>> >     > a PREFERRED_VERSION, eg:
>> >     >
>> >     > +PREFERRED_VERSION_openssl ?= "1.1.%"
>> >     > +PREFERRED_VERSION_openssl-native ?= "1.1.%"
>> >     > +PREFERRED_VERSION_nativesdk-openssl ?= "1.1.%"
>> >     >
>> >     > Now it builds fine. However, I no longer have /usr/bin/openssl in
>> my disk
>> >     image.
>> >     >
>> >     > It doesn't appear in FILES_${PN}, and adding it to the recipes
>> doesn't seem to
>> >     > make any difference.
>> >     >
>> >     > What am I missing?
>> >     >
>> >     > Thanks,
>> >     > Ryan.
>> >     >
>> >     > [1] I'm looking for CVE fixes, 1.0.2p has a lot of CVEs.
>> >
>> >     You know that 1.0.2 and 1.1 APIs are not compatible?  So you will
>> need to update
>> >     everything that needs OpenSSL to understand the new API.
>> >
>> >
>> > So far, we're only using it in a shell script to sign an image and
>> later verify
>> > the image, so I've assumed, perhaps naively, that the API changes won't
>> matter...
>>
>> Correct, but there may be other components of the system that could be
>> using the
>> API that you are unaware of.  On a system as old as Sumo, you will need
>> to take
>> precautions to ensure that ONLY the 1.1x version is being used.  (There
>> may be
>> an openssl10 for compatibility that will need to be blacklisted.)
>>
>
> Good point. I'll check on it once I get it to work.
>
>
>>
>> >
>> >     For CVE fixes, typically you would patch 1.0.2p, or update to the
>> latest
>> >     (1.0.2t) as you go.  (If you have an OSV, this should be part of
>> the services
>> >     that they offer you.)
>> >
>> >
>> >     In my opinion, 1.0.2 will be around for at least another 4-5 years
>> due to the
>> >     number of people actively using it in the world.  Until 1.1/3.0
>> (won't be a 2.0
>> >     from what I read) exists and has a FIPS-140-2 support available --
>> people will
>> >     continue to use 1.0.2 and maintain it as necessary for security.
>> >
>> >     As an FYI:
>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
>> >
>> >     This version is for thud, warrior, zeus and master.  It is intended
>> to be
>> >     maintained until either 1.0.2 is no longer maintainable -- or the
>> FIPS-140-2
>> >     needs have been met by OpenSSL.
>> >
>> >
>> > Great, that looks like a better option anyway, assuming it has the
>> latest fixes
>> > I need, and doesn't give me the same build problem.  Thanks for
>> pointing it out.
>> > I'll give it a go.
>>
>> It's better to work with the Sumo version for your needs.  I just posted
>> that as
>> an example of openssl 1.0.2 being needed still by others, even as
>> oe-core/Yocto
>> Project have changed their defaults.
>>
>
> I pulled the whole openssl dir from your repo, added the layer.conf
> changes to my layer.conf and rebuilt openssl and my image.
>
> Unfortunately, I still have no /usr/bin/openssl in my disk image. So I've
> added the RPROVIDES from Andre's in a vain attempt to get it to work:
>
> RPROVIDES_${PN} += "openssl-bin"
>
> ... although I'm not hopeful it'll do the trick...
>

It didn't work. One thing that's puzzling me: where is the package
"openssl-bin"? I can only find references to it, but no package.


>
>> --Mark
>>
>> > Thanks,
>> > Ryan.
>> >
>> >
>> >
>> >     --Mark
>> >
>> >     > [2] http://git.yoctoproject.org/git/poky
>> >     > I'm at SHA a616ffebdc, so I copied openssl_1.1.1d.bb
>> >     > and all the other files in the directory.
>> >     >
>> >     > [3] I have a clone of Linaro's meta-backports. I'm trying to
>> generate a
>> >     patch to
>> >     > submit for review there.
>> >     > https://git.linaro.org/openembedded/meta-backports.git
>> >     >
>> >
>>
>