* Fixation on polarssl 1.1.4 - EOL was 2013-10-01
From: Steven Haigh @ 2016-02-14 8:39 UTC
To: xen-devel

Hi all,

Just been looking at the polarssl parts in Xen 4.6 and others - seems
like we're hard coded to version 1.1.4 which was released on 31st May 2012.

Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
since Jan.

It's now called mbedtls and current versions are 2.2.1 released in Jan
this year.

I'm not exactly clear on what polarssl is used for (and why not
openssl?) - but is it time this was shown some loving?

--
Steven Haigh

Email: netwiz@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

* Re: Fixation on polarssl 1.1.4 - EOL was 2013-10-01
From: Wei Liu @ 2016-02-15 16:28 UTC
To: Steven Haigh
Cc: Daniel De Graaf, xen-devel, wei.liu2, quan.xu

On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
> Hi all,
>
> Just been looking at the polarssl parts in Xen 4.6 and others - seems
> like we're hard coded to version 1.1.4 which was released on 31st May 2012.
>
> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
> since Jan.
>
> It's now called mbedtls and current versions are 2.2.1 released in Jan
> this year.
>
> I'm not exactly clear on what polarssl is used for (and why not
> openssl?) - but is it time this was shown some loving?
>

I grep'ed for polarssl in tree and the only user seems to be
vtpm. I've CC'ed Daniel and Quan for you.

Wei.

> --
> Steven Haigh
>
> Email: netwiz@crc.id.au
> Web: https://www.crc.id.au
> Phone: (03) 9001 6090 - 0412 935 897

* Re: Fixation on polarssl 1.1.4 - EOL was 2013-10-01
From: Doug Goldstein @ 2016-02-15 16:45 UTC
To: Wei Liu, Steven Haigh
Cc: Daniel De Graaf, xen-devel, quan.xu

On 2/15/16 10:28 AM, Wei Liu wrote:
> On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
>> Hi all,
>>
>> Just been looking at the polarssl parts in Xen 4.6 and others - seems
>> like we're hard coded to version 1.1.4 which was released on 31st May 2012.
>>
>> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
>> since Jan.
>>
>> It's now called mbedtls and current versions are 2.2.1 released in Jan
>> this year.
>>
>> I'm not exactly clear on what polarssl is used for (and why not
>> openssl?) - but is it time this was shown some loving?
>>
>
> I grep'ed for polarssl in tree and the only user seems to be
> vtpm. I've CC'ed Daniel and Quan for you.
>
> Wei.
>

Looks like pv-grub has a build dependency on it as well based on the
snippet from stubdom/Makefile.

.PHONY: grub
grub: cross-polarssl grub-upstream $(CROSS_ROOT)

--
Doug Goldstein

* Re: Fixation on polarssl 1.1.4 - EOL was 2013-10-01
From: Wei Liu @ 2016-02-15 17:07 UTC
To: Doug Goldstein
Cc: Steven Haigh, Daniel De Graaf, xen-devel, Wei Liu, quan.xu

On Mon, Feb 15, 2016 at 10:45:48AM -0600, Doug Goldstein wrote:
> On 2/15/16 10:28 AM, Wei Liu wrote:
> > On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
> >> Hi all,
> >>
> >> Just been looking at the polarssl parts in Xen 4.6 and others - seems
> >> like we're hard coded to version 1.1.4 which was released on 31st May 2012.
> >>
> >> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
> >> since Jan.
> >>
> >> It's now called mbedtls and current versions are 2.2.1 released in Jan
> >> this year.
> >>
> >> I'm not exactly clear on what polarssl is used for (and why not
> >> openssl?) - but is it time this was shown some loving?
> >>
> >
> > I grep'ed for polarssl in tree and the only user seems to be
> > vtpm. I've CC'ed Daniel and Quan for you.
> >
> > Wei.
> >
>
> Looks like pv-grub has a build dependency on it as well based on the
> snippet from stubdom/Makefile.
>
> .PHONY: grub
> grub: cross-polarssl grub-upstream $(CROSS_ROOT)
>

Oh, yes, you're right.

Looking at the source code pv-grub only needs the sha1 function from
polarssl which might be easy to deal with though. On the other hand, if
there is no critical bug fix to the sha1 function, I wouldn't bother
upgrading polarssl.

In fact, I think vtpm also only cares about some crypto algorithms like
AES and SHA. We'd better check if there is any critical update to those
functions before doing anything.

Wei.

>
> --
> Doug Goldstein
>

* Re: Fixation on polarssl 1.1.4 - EOL was 2013-10-01
From: Xu, Quan @ 2016-03-04 3:37 UTC
To: Wei Liu, Doug Goldstein
Cc: Daniel De Graaf, xen-devel@lists.xensource.com, Steven Haigh, Xu, Quan

On February 16, 2016 1:08am, <wei.liu2@citrix.com> wrote:
> On Mon, Feb 15, 2016 at 10:45:48AM -0600, Doug Goldstein wrote:
> > On 2/15/16 10:28 AM, Wei Liu wrote:
> > > On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
> > >> Hi all,
> > >>
> > >> Just been looking at the polarssl parts in Xen 4.6 and others -
> > >> seems like we're hard coded to version 1.1.4 which was released on
> > >> 31st May 2012.
> > >>
> > >> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
> > >> since Jan.
> > >>
> > >> It's now called mbedtls and current versions are 2.2.1 released in
> > >> Jan this year.
> > >>
> > >> I'm not exactly clear on what polarssl is used for (and why not
> > >> openssl?) - but is it time this was shown some loving?
> > >>
> > >
> > > I grep'ed for polarssl in tree and the only user seems to be vtpm.
> > > I've CC'ed Daniel and Quan for you.
> > >
> > > Wei.
> > >
> >
> > Looks like pv-grub has a build dependency on it as well based on the
> > snippet from stubdom/Makefile.
> >
> > .PHONY: grub
> > grub: cross-polarssl grub-upstream $(CROSS_ROOT)
> >
>
> Oh, yes, you're right.
>
> Looking at the source code pv-grub only needs the sha1 function from polarssl
> which might be easy to deal with though. On the other hand, if there is no
> critical bug fix to the sha1 function, I wouldn't bother upgrading polarssl.
>
> In fact, I think vtpm also only cares about some crypto algorithms like AES and
> SHA. We'd better check if there is any critical update to those functions before
> doing anything.
>

Agreed.
If you really want to upgrade it, IMO this change would be backward compatible.
btw, it may not be an easy task to build the test env, and I can help you test your patch.

Quan

* Re: Fixation on polarssl 1.1.4 - EOL was 2013-10-01
From: Wei Liu @ 2016-03-04 10:09 UTC
To: Xu, Quan
Cc: Doug Goldstein, Daniel De Graaf, xen-devel@lists.xensource.com, Wei Liu, Steven Haigh

create ^
thanks

On Fri, Mar 04, 2016 at 03:37:10AM +0000, Xu, Quan wrote:
> On February 16, 2016 1:08am, <wei.liu2@citrix.com> wrote:
> > On Mon, Feb 15, 2016 at 10:45:48AM -0600, Doug Goldstein wrote:
> > > On 2/15/16 10:28 AM, Wei Liu wrote:
> > > > On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
> > > >> Hi all,
> > > >>
> > > >> Just been looking at the polarssl parts in Xen 4.6 and others -
> > > >> seems like we're hard coded to version 1.1.4 which was released on
> > > >> 31st May 2012.
> > > >>
> > > >> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
> > > >> since Jan.
> > > >>
> > > >> It's now called mbedtls and current versions are 2.2.1 released in
> > > >> Jan this year.
> > > >>
> > > >> I'm not exactly clear on what polarssl is used for (and why not
> > > >> openssl?) - but is it time this was shown some loving?
> > > >>
> > > >
> > > > I grep'ed for polarssl in tree and the only user seems to be vtpm.
> > > > I've CC'ed Daniel and Quan for you.
> > > >
> > > > Wei.
> > > >
> > >
> > > Looks like pv-grub has a build dependency on it as well based on the
> > > snippet from stubdom/Makefile.
> > >
> > > .PHONY: grub
> > > grub: cross-polarssl grub-upstream $(CROSS_ROOT)
> > >
> >
> > Oh, yes, you're right.
> >
> > Looking at the source code pv-grub only needs the sha1 function from polarssl
> > which might be easy to deal with though. On the other hand, if there is no
> > critical bug fix to the sha1 function, I wouldn't bother upgrading polarssl.
> >
> > In fact, I think vtpm also only cares about some crypto algorithms like AES and
> > SHA. We'd better check if there is any critical update to those functions before
> > doing anything.
> >
>
> Agreed.
> If you really want to upgrade it, IMO this change would be backward compatible.
> btw, it may not be an easy task to build the test env, and I can help you test your patch.
>

Right. To be honest the chance of me working on it soon is rather low.
To prevent this issue falling through the crack I've created an entry in
the bug tracker.

Wei.

> Quan

* Processed: Re: Fixation on polarssl 1.1.4 - EOL was 2013-10-01
From: xen @ 2016-03-04 10:15 UTC
To: Wei Liu, xen-devel

Processing commands for xen@bugs.xenproject.org:

> create ^
Created new bug #52 rooted at `<945CA011AD5F084CBEA3E851C0AB28894B859023@SHSMSX101.ccr.corp.intel.com>'
Title: `Re: [Xen-devel] Fixation on polarssl 1.1.4 - EOL was 2013-10-01'
> thanks
Finished processing.

Modified/created Bugs:
 - 52: http://bugs.xenproject.org/xen/bug/52 (new)

---
Xen Hypervisor Bug Tracker
See http://wiki.xen.org/wiki/Reporting_Bugs_against_Xen for information on reporting bugs
Contact xen-bugs-owner@bugs.xenproject.org with any infrastructure issues