On Wed, 20 Nov 2019 at 21:29, Ryan Harkin <ryan.har...@linaro.org> wrote:
> On Wed, 20 Nov 2019 at 19:09, Mark Hatle <mark.ha...@kernel.crashing.org> wrote:
>
> > On 11/20/19 1:06 PM, Ryan Harkin wrote:
> > >
> > > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.ha...@kernel.crashing.org> wrote:
> > >
> > > > On 11/20/19 12:18 PM, Ryan Harkin wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm struggling with backporting OpenSSL to my Sumo build [1], so wondered if
> > > > > anyone else had done something similar with success.
> > > > >
> > > > > I copied "meta/recipes-connectivity/openssl" from Poky master branch [2] into my
> > > > > own layer [3]. It didn't pick up, so I discovered I needed to add
> > > > > a PREFERRED_VERSION, eg:
> > > > >
> > > > > +PREFERRED_VERSION_openssl ?= "1.1.%"
> > > > > +PREFERRED_VERSION_openssl-native ?= "1.1.%"
> > > > > +PREFERRED_VERSION_nativesdk-openssl ?= "1.1.%"
> > > > >
> > > > > Now it builds fine. However, I no longer have /usr/bin/openssl in my disk image.
> > > > >
> > > > > It doesn't appear in FILES_${PN}, and adding it to the recipes doesn't seem to
> > > > > make any difference.
> > > > >
> > > > > What am I missing?
> > > > >
> > > > > Thanks,
> > > > > Ryan.
> > > > >
> > > > > [1] I'm looking for CVE fixes, 1.0.2p has a lot of CVEs.
> > > >
> > > > You know that 1.0.2 and 1.1 APIs are not compatible? So you will need to update
> > > > everything that needs OpenSSL to understand the new API.
> > >
> > > So far, we're only using it in a shell script to sign an image and later verify
> > > the image, so I've assumed, perhaps naively, that the API changes won't matter...
> >
> > Correct, but there may be other components of the system that could be using the
> > API that you are unaware of. On a system as old as Sumo, you will need to take
> > precautions to ensure that ONLY the 1.1x version is being used. (There may be
> > an openssl10 for compatibility that will need to be blacklisted.)
>
> Good point. I'll check on it once I get it to work.
>
> > > > For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> > > > (1.0.2t) as you go. (If you have an OSV, this should be part of the services
> > > > that they offer you.)
> > > >
> > > > In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
> > > > number of people actively using it in the world. Until 1.1/3.0 (won't be a 2.0
> > > > from what I read) exists and has a FIPS-140-2 support available -- people will
> > > > continue to use 1.0.2 and maintain it as necessary for security.
> > > >
> > > > As an FYI: http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> > > >
> > > > This version is for thud, warrior, zeus and master. It is intended to be
> > > > maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
> > > > needs have been met by OpenSSL.
> > >
> > > Great, that looks like a better option anyway, assuming it has the latest fixes
> > > I need, and doesn't give me the same build problem. Thanks for pointing it out.
> > > I'll give it a go.
> >
> > It's better to work with the Sumo version for your needs. I just posted that as
> > an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
> > Project have changed their defaults.
>
> I pulled the whole openssl dir from your repo, added the layer.conf changes to my
> layer.conf and rebuilt openssl and my image.
>
> Unfortunately, I still have no /usr/bin/openssl in my disk image. So I've added
> the RPROVIDES from Andre's in a vain attempt to get it to work:
>
> RPROVIDES_${PN} += "openssl-bin"
>
> ... although I'm not hopeful it'll do the trick...
>

It didn't work. One thing that's puzzling me: where is the package "openssl-bin"? I can only find references to it, but no package.

> > --Mark
> >
> > > Thanks,
> > > Ryan.
> > >
> > > > --Mark
> > > >
> > > > > [2] http://git.yoctoproject.org/git/poky
> > > > > I'm at SHA a616ffebdc, so I copied openssl_1.1.1d.bb
> > > > > and all the other files in the directory.
> > > > >
> > > > > [3] I have a clone of Linaro's meta-backports. I'm trying to generate a patch to
> > > > > submit for review there.
> > > > > https://git.linaro.org/openembedded/meta-backports.git
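As an added check for Mark's point above about making sure only the 1.1 packages end up in the image (example code written for this edit, not from the thread, oe-core or meta-openssl102): a POSIX shell audit of the image's `.manifest` file, which lists one `<package> <arch> <version>` per line. The sample manifests are constructed, and the `openssl`/`libssl`/`libcrypto` name prefixes are an assumption about how the recipe splits its packages.

```shell
#!/bin/sh
# Added example (not from the thread or oe-core): audit a Yocto image
# manifest (<image>.manifest, one "<package> <arch> <version>" per line)
# for OpenSSL packages, so a 1.0.2 package from an openssl10 recipe cannot
# slip into an image that is supposed to carry only OpenSSL 1.1.

# Print "<package> <version>" for every OpenSSL-related package in the manifest.
# The name prefixes are an assumption about how the recipe splits its packages.
list_openssl_pkgs() {
    awk '$1 ~ /^(openssl|libssl|libcrypto)/ { print $1, $3 }' "$1"
}

# Exit 0 when every OpenSSL-related package is a 1.1.x version, 1 when any
# other version is present (the offending packages are printed), and 2 when
# the manifest contains no OpenSSL package at all.
check_openssl_versions() {
    pkgs=$(list_openssl_pkgs "$1")
    [ -n "$pkgs" ] || return 2
    printf '%s\n' "$pkgs" | awk '
        $2 !~ /^1\.1\./ { bad = 1; print "not OpenSSL 1.1:", $1, $2 }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample manifests (package names and arch are made up for the
# demo) so the checks above can be exercised without a Yocto build tree.
make_sample_manifests() {
    dir=$(mktemp -d)
    cat > "$dir/clean.manifest" <<'EOF'
busybox cortexa15t2hf-neon 1.27.2
libcrypto1.1 cortexa15t2hf-neon 1.1.1d
libssl1.1 cortexa15t2hf-neon 1.1.1d
openssl cortexa15t2hf-neon 1.1.1d
openssl-conf cortexa15t2hf-neon 1.1.1d
EOF
    cat > "$dir/mixed.manifest" <<'EOF'
busybox cortexa15t2hf-neon 1.27.2
libcrypto1.0 cortexa15t2hf-neon 1.0.2p
libssl1.1 cortexa15t2hf-neon 1.1.1d
openssl cortexa15t2hf-neon 1.1.1d
EOF
    echo "$dir"
}
```

After a build, run `check_openssl_versions tmp/deploy/images/<machine>/<image>.manifest`; a non-zero exit means either a 1.0.x package is still in the image or no OpenSSL package was installed at all.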
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core