* [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path
@ 2022-01-27 16:54 Ross Burton
  2022-01-27 16:54 ` [PATCH 2/3] Revert "meta-arm-bsp: use old python3-crytography on platforms using TF-M" Ross Burton
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ross Burton @ 2022-01-27 16:54 UTC (permalink / raw)
  To: meta-arm

imgtool from mcuboot uses python3-cryptography-native, and the latest
python3-cryptography explicitly loads the legacy provider, which is a
separate shared object in OpenSSL 3.  The search path for providers is
hard-coded into the library so the wrong path is searched and the module
is not found.

Set OPENSSL_MODULES to the right path, so that the legacy module is
found.  In the future we may be able to remove this if the explicit
use of legacy algorithms is removed
(https://github.com/pyca/cryptography/issues/6809).

This also means we can remove the downgrades of python3-cryptography that
were being carried in meta-arm.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../trusted-firmware-m/trusted-firmware-m_1.5.0.bb            | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb
index 302fd2cd..c0eee5cc 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb
@@ -97,6 +97,10 @@ LDFLAGS[unexport] = "1"
 AS[unexport] = "1"
 LD[unexport] = "1"
 
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
 # TF-M ships patches that it needs applied to mbedcrypto, so apply them
 # as part of do_patch.
 apply_local_patches() {
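
Review bot: The comment added above the export of OPENSSL_MODULES says the setting stays "until this is relocated automatically" but does not name the condition for dropping it; the commit message links https://github.com/pyca/cryptography/issues/6809, and that link belongs in the recipe comment as well so the workaround can be found and removed later. The export is also at recipe scope, so every task of this recipe inherits it, not only the step that runs imgtool; since providers are shared objects loaded into the process, confirm that the recipe depends on whatever populates ${STAGING_LIBDIR_NATIVE}/ossl-modules, which this hunk does not show.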
-- 
2.25.1
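
Added example, not part of the patch or of meta-arm: a Python check that models the provider lookup described in the commit message above and vets the module that would be loaded. The function names, the constructed directory layout and the simplified lookup order (OPENSSL_MODULES if set, otherwise the compiled-in directory) are assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path

def check_provider(env, compiled_modulesdir, trusted_root, name="legacy"):
    """Model OpenSSL 3's provider lookup and vet the module that would be loaded.

    Simplified model (assumption): OPENSSL_MODULES, when set, replaces the
    compiled-in MODULESDIR; a search path set through the OpenSSL API is ignored.
    Assumes ELF naming, i.e. provider "legacy" lives in "<dir>/legacy.so".
    """
    if "OPENSSL_MODULES" in env:
        source, moddir = "OPENSSL_MODULES", Path(env["OPENSSL_MODULES"])
    else:
        source, moddir = "compiled-in MODULESDIR", Path(compiled_modulesdir)
    module = moddir / f"{name}.so"
    problems = []
    if not module.is_file():
        problems.append(f"{module} not found")
    else:
        real = module.resolve()
        # A provider is native code loaded into the signing tool, so it must
        # come from the build's own sysroot and not be writable by others.
        if Path(trusted_root).resolve() not in real.parents:
            problems.append(f"{real} is outside {trusted_root}")
        for p in (real.parent, real):
            if p.stat().st_mode & stat.S_IWOTH:
                problems.append(f"{p} is world-writable")
    return {"source": source, "module": str(module), "problems": problems}

def demo():
    """Constructed layout standing in for a native sysroot (not real build output)."""
    with tempfile.TemporaryDirectory() as tmp:
        sysroot = Path(tmp, "recipe-sysroot-native")
        staged = sysroot / "usr/lib/ossl-modules"
        staged.mkdir(parents=True)
        (staged / "legacy.so").write_bytes(b"\x7fELF")  # placeholder, not a real module
        os.chmod(staged, 0o755)
        os.chmod(staged / "legacy.so", 0o644)
        # Stand-in for the path baked into libcrypto when it was built elsewhere.
        baked = Path(tmp, "other-build/usr/lib/ossl-modules")
        unset = check_provider({}, baked, sysroot)
        fixed = check_provider({"OPENSSL_MODULES": str(staged)}, baked, sysroot)
        return unset, fixed

if __name__ == "__main__":
    for result in demo():
        print(result)
```
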




* [PATCH 2/3] Revert "meta-arm-bsp: use old python3-crytography on platforms using TF-M"
  2022-01-27 16:54 [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path Ross Burton
@ 2022-01-27 16:54 ` Ross Burton
  2022-01-27 16:54 ` [PATCH 3/3] Revert "meta-arm: add old version of python3-cryptography" Ross Burton
  2022-01-27 21:40 ` [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path Jon Mason
  2 siblings, 0 replies; 4+ messages in thread
From: Ross Burton @ 2022-01-27 16:54 UTC (permalink / raw)
  To: meta-arm

This reverts commit 2a27bd4f47d09bb709a953f4a91ef2a2cf921255.
---
 meta-arm-bsp/conf/layer.conf                       | 6 +-----
 meta-arm-bsp/conf/machine/include/corstone1000.inc | 5 -----
 meta-arm-bsp/conf/machine/musca-b1.conf            | 5 -----
 meta-arm-bsp/conf/machine/musca-s1.conf            | 5 -----
 4 files changed, 1 insertion(+), 20 deletions(-)

diff --git a/meta-arm-bsp/conf/layer.conf b/meta-arm-bsp/conf/layer.conf
index 82230470..45767866 100644
--- a/meta-arm-bsp/conf/layer.conf
+++ b/meta-arm-bsp/conf/layer.conf
@@ -21,8 +21,4 @@ LAYERDEPENDS_meta-arm-bsp:append:musca-s1 = " meta-python"
 LICENSE_PATH += "${LAYERDIR}/custom-licenses"
 
 # Delete this when our downgrade of python3-cryptography is removed
-META_ARM_PYCRYPTO = "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb"
-META_ARM_PYCRYPTO:corstone1000 = ""
-META_ARM_PYCRYPTO:musca-b1 = ""
-META_ARM_PYCRYPTO:musca-s1 = ""
-BBMASK += "${META_ARM_PYCRYPTO}"
+BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb"
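
Review bot: The added unconditional BBMASK line masks python3-cryptography_3.3.2.bb for every machine, including corstone1000, musca-b1 and musca-s1, which the removed META_ARM_PYCRYPTO:<machine> = "" overrides had exempted, so this patch is only safe when applied after 1/3. The commit message should say so; it also carries no Signed-off-by, which 1/3 has.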
diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc
index 019293b0..f9d301e4 100644
--- a/meta-arm-bsp/conf/machine/include/corstone1000.inc
+++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc
@@ -63,8 +63,3 @@ SERIAL_CONSOLES ?= "115200;ttyAMA0"
 WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
 
 WKS_FILE ?= "corstone1000-image.corstone1000.wks"
-
-# The latest python3-cryptography-native doesn't work
-# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the
-# version before Rust was involved for now.
-PREFERRED_VERSION_python3-cryptography-native = "3.3.2"
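
Review bot: The removed comment records the actual failure, "cryptography.exceptions.InternalError: Unknown OpenSSL error", and this patch deletes it from all three machine files. Quote that error in the commit message of 1/3 or of this revert, so that someone who hits it again can find the OPENSSL_MODULES fix from the history.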
diff --git a/meta-arm-bsp/conf/machine/musca-b1.conf b/meta-arm-bsp/conf/machine/musca-b1.conf
index ec5ff4ee..073c466e 100644
--- a/meta-arm-bsp/conf/machine/musca-b1.conf
+++ b/meta-arm-bsp/conf/machine/musca-b1.conf
@@ -26,8 +26,3 @@ ZEPHYR_INHERIT_CLASSES += "zephyr-qemuboot"
 ARCH:musca-b1 = "arm"
 
 TFM_PLATFORM = "arm/musca_b1/sse_200"
-
-# The latest python3-cryptography-native doesn't work
-# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the
-# version before Rust was involved for now.
-PREFERRED_VERSION_python3-cryptography-native = "3.3.2"
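
Review bot: With the PREFERRED_VERSION_python3-cryptography-native = "3.3.2" pin removed here and in musca-s1.conf, these TF-M machines (TFM_PLATFORM is set just above) depend on the OPENSSL_MODULES export from 1/3, which that patch adds only to trusted-firmware-m_1.5.0.bb. If any other recipe built for these machines runs imgtool or imports python3-cryptography-native, it needs the same export, so check for such users before merging.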
diff --git a/meta-arm-bsp/conf/machine/musca-s1.conf b/meta-arm-bsp/conf/machine/musca-s1.conf
index e5f63f76..d18c06c2 100644
--- a/meta-arm-bsp/conf/machine/musca-s1.conf
+++ b/meta-arm-bsp/conf/machine/musca-s1.conf
@@ -25,8 +25,3 @@ ZEPHYR_INHERIT_CLASSES += "zephyr-qemuboot"
 ARCH:musca-s1 = "arm"
 
 TFM_PLATFORM = "arm/musca_s1"
-
-# The latest python3-cryptography-native doesn't work
-# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the
-# version before Rust was involved for now.
-PREFERRED_VERSION_python3-cryptography-native = "3.3.2"
-- 
2.25.1




* [PATCH 3/3] Revert "meta-arm: add old version of python3-cryptography"
  2022-01-27 16:54 [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path Ross Burton
  2022-01-27 16:54 ` [PATCH 2/3] Revert "meta-arm-bsp: use old python3-crytography on platforms using TF-M" Ross Burton
@ 2022-01-27 16:54 ` Ross Burton
  2022-01-27 21:40 ` [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path Jon Mason
  2 siblings, 0 replies; 4+ messages in thread
From: Ross Burton @ 2022-01-27 16:54 UTC (permalink / raw)
  To: meta-arm

This reverts commit a15c16068ab011e2ba91a6c4ca6e1251de0d8058.
---
 meta-arm-bsp/conf/layer.conf                  |  3 -
 .../python/python3-cryptography/h-test.patch  | 10 ---
 .../python3-cryptography/openssl3.patch       | 62 -----------------
 .../python/python3-cryptography/run-ptest     |  2 -
 .../python/python3-cryptography_3.3.2.bb      | 68 -------------------
 5 files changed, 145 deletions(-)
 delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch
 delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch
 delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest
 delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb

diff --git a/meta-arm-bsp/conf/layer.conf b/meta-arm-bsp/conf/layer.conf
index 45767866..7af156e8 100644
--- a/meta-arm-bsp/conf/layer.conf
+++ b/meta-arm-bsp/conf/layer.conf
@@ -19,6 +19,3 @@ LAYERDEPENDS_meta-arm-bsp:append:musca-s1 = " meta-python"
 
 # Additional license directories.
 LICENSE_PATH += "${LAYERDIR}/custom-licenses"
-
-# Delete this when our downgrade of python3-cryptography is removed
-BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb"
diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch
deleted file mode 100644
index 9f07c738..00000000
--- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/tests/hypothesis/__init__.py
-+++ b/tests/hypothesis/__init__.py
-@@ -3,3 +3,7 @@
- # for complete details.
- 
- from __future__ import absolute_import, division, print_function
-+
-+import pytest
-+hypothesis = pytest.importorskip("hypothesis")
-+
diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch
deleted file mode 100644
index 25baa42c..00000000
--- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-Encourage our old python3-cryptography to at least start to work with OpenSSL 3.
-
-- Backport one patch to err.py to remove a symbol which has been removed in
-  OpenSSL 3, and isn't used in python3-cryptography.
-  (50ec692749b7e2e62685b443f5e629627b03987e)
-
-- Backport the detection of OpenSSL 3 and don't link to FIPS_mode/FIPS_mode_set
-  (parts of f08a7de651f9e6475c8c0a67d2a61ed8b669ddf6)
-
-This is *not* a complete backport of the 3.0 support, but is enough that packages
-such as imgtool can import python3-cryptography and operate until the upgrade is
-ready.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
-index f24bee5a..920a86de 100644
---- a/src/_cffi_src/openssl/cryptography.py
-+++ b/src/_cffi_src/openssl/cryptography.py
-@@ -35,6 +35,8 @@ INCLUDES = """
- 
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-     (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
-+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
-+    (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- 
- #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
-     (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
-@@ -54,6 +56,7 @@ INCLUDES = """
- 
- TYPES = """
- static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
-+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
- 
- static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
- static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
-diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
-index 0dd74146..42bab4d9 100644
---- a/src/_cffi_src/openssl/err.py
-+++ b/src/_cffi_src/openssl/err.py
-@@ -40,7 +40,6 @@ void ERR_clear_error(void);
- void ERR_put_error(int, int, int, const char *, int);
- 
- int ERR_GET_LIB(unsigned long);
--int ERR_GET_FUNC(unsigned long);
- int ERR_GET_REASON(unsigned long);
- 
- """
-diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py
-index c92bca49..38bfa231 100644
---- a/src/_cffi_src/openssl/fips.py
-+++ b/src/_cffi_src/openssl/fips.py
-@@ -18,7 +18,7 @@ int FIPS_mode(void);
- """
- 
- CUSTOMIZATIONS = """
--#if CRYPTOGRAPHY_IS_LIBRESSL
-+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
- static const long Cryptography_HAS_FIPS = 0;
- int (*FIPS_mode_set)(int) = NULL;
- int (*FIPS_mode)(void) = NULL;
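
Review bot: The header of the deleted openssl3.patch says it "is *not* a complete backport of the 3.0 support" and marks it Upstream-Status: Inappropriate; that is the real argument for this revert, yet the commit message is only "This reverts commit a15c16068ab011e2ba91a6c4ca6e1251de0d8058." and has no Signed-off-by. Add a sentence stating that the partial OpenSSL 3 backport goes away because 1/3 lets the current python3-cryptography find the legacy provider.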
diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest
deleted file mode 100644
index 0ba239c2..00000000
--- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-py.test
diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb b/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb
deleted file mode 100644
index a4c33442..00000000
--- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb
+++ /dev/null
@@ -1,68 +0,0 @@
-SUMMARY = "Provides cryptographic recipes and primitives to python developers"
-HOMEPAGE = "https://cryptography.io/"
-SECTION = "devel/python"
-LICENSE = "Apache-2.0 | BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=bf405a8056a6647e7d077b0e7bc36aba \
-                    file://LICENSE.APACHE;md5=4e168cce331e5c827d4c2b68a6200e1b \
-                    file://LICENSE.BSD;md5=5ae30ba4123bc4f2fa49aa0b0dce887b"
-
-LDSHARED += "-pthread"
-
-SRC_URI[sha256sum] = "5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed"
-
-SRC_URI += " \
-    file://run-ptest \
-    file://h-test.patch \
-    file://openssl3.patch \
-"
-
-inherit pypi setuptools3
-
-DEPENDS += " \
-    ${PYTHON_PN}-cffi \
-    ${PYTHON_PN}-cffi-native \
-    ${PYTHON_PN}-asn1crypto \
-    ${PYTHON_PN}-six \
-"
-
-RDEPENDS:${PN} += " \
-    ${PYTHON_PN}-cffi \
-    ${PYTHON_PN}-idna \
-    ${PYTHON_PN}-asn1crypto \
-    ${PYTHON_PN}-setuptools \
-    ${PYTHON_PN}-six \
-"
-
-RDEPENDS:${PN}:class-target += " \
-    ${PYTHON_PN}-cffi \
-    ${PYTHON_PN}-idna \
-    ${PYTHON_PN}-numbers \
-    ${PYTHON_PN}-asn1crypto \
-    ${PYTHON_PN}-setuptools \
-    ${PYTHON_PN}-six \
-    ${PYTHON_PN}-threading \
-"
-
-RDEPENDS:${PN}-ptest += " \
-    ${PN} \
-    ${PYTHON_PN}-cryptography-vectors \
-    ${PYTHON_PN}-iso8601 \
-    ${PYTHON_PN}-pretend \
-    ${PYTHON_PN}-pytest \
-    ${PYTHON_PN}-pytz \
-"
-
-inherit ptest
-
-do_install_ptest() {
-    install -d ${D}${PTEST_PATH}/tests
-    cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/
-    install -d ${D}${PTEST_PATH}/tests/hazmat
-    cp -rf ${S}/tests/hazmat/* ${D}${PTEST_PATH}/tests/hazmat/
-}
-
-FILES:${PN}-dbg += " \
-    ${libdir}/${PYTHON_PN}2.7/site-packages/${SRCNAME}/hazmat/bindings/.debug \
-"
-
-BBCLASSEXTEND = "native nativesdk"
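
Review bot: Deleting python3-cryptography_3.3.2.bb leaves nothing to satisfy a PREFERRED_VERSION_python3-cryptography-native = "3.3.2" setting; 2/3 removes the three pins visible in this series, so confirm that no other configuration still names that version before this lands. The ordering itself is right: the pins go in 2/3 and the recipe only here, which keeps each step of the series buildable.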
-- 
2.25.1




* Re: [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path
  2022-01-27 16:54 [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path Ross Burton
  2022-01-27 16:54 ` [PATCH 2/3] Revert "meta-arm-bsp: use old python3-crytography on platforms using TF-M" Ross Burton
  2022-01-27 16:54 ` [PATCH 3/3] Revert "meta-arm: add old version of python3-cryptography" Ross Burton
@ 2022-01-27 21:40 ` Jon Mason
  2 siblings, 0 replies; 4+ messages in thread
From: Jon Mason @ 2022-01-27 21:40 UTC (permalink / raw)
  To: meta-arm, Ross Burton

On Thu, 27 Jan 2022 16:54:17 +0000, Ross Burton wrote:
> imgtool from mcuboot uses python3-cryptography-native, and the latest
> python3-cryptography explicitly loads the legacy provider, which is a
> separate shared object in OpenSSL 3.  The search path for providers is
> hard-coded into the library so the wrong path is searched and the module
> is not found.
> 
> Set OPENSSL_MODULES to the right path, so that the legacy module is
> found.  In the future we may be able to remove this if the explicit
> use of legacy algorithms is removed
> (https://github.com/pyca/cryptography/issues/6809).
> 
> [...]

Applied, thanks!

[1/3] arm/trusted-firmware-m: set OpenSSL provider path
      commit: 1ee79374727224129f47c56115b18dea4edbd553
[2/3] Revert "meta-arm-bsp: use old python3-crytography on platforms using TF-M"
      commit: 778236335a983cd3e8e55857a19b83daf20ef8b7
[3/3] Revert "meta-arm: add old version of python3-cryptography"
      commit: 8a42328437db26071339162fd3c5b23d104eed60

Best regards,
-- 
Jon Mason <jon.mason@arm.com>

