Re: How to backport openssl to Sumo

From: Andre McCurdy <armccurdy@gmail.com>
To: Mark Hatle <mark.hatle@kernel.crashing.org>
Cc: Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: How to backport openssl to Sumo
Date: Wed, 20 Nov 2019 11:27:11 -0800	[thread overview]
Message-ID: <CAJ86T=XhxLih7d6cdXc8-1ZOKhHXTU6quzHnt+G4Oa3qhSFypw@mail.gmail.com> (raw)
In-Reply-To: <31b224ae-8e1a-943c-0554-684557ef33bc@kernel.crashing.org>

On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle
<mark.hatle@kernel.crashing.org> wrote:
> On 11/20/19 1:06 PM, Ryan Harkin wrote:
> > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle@kernel.crashing.org
> > <mailto:mark.hatle@kernel.crashing.org>> wrote:
> >
> >     You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to update
> >     everything that needs OpenSSL to understand the new API.
> >
> >
> > So far, we're only using it in a shell script to sign an image and later verify
> > the image, so I've assumed, perhaps naively, that the API changes won't matter...
>
> Correct, but there may be other components of the system that could be using the
> API that you are unaware of.  On a system as old as Sumo, you will need to take
> precautions to ensure that ONLY the 1.1x version is being used.  (There may be
> an openssl10 for compatibility that will need to be blacklisted.)
>
> >     For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> >     (1.0.2t) as you go.  (If you have an OSV, this should be part of the services
> >     that they offer you.)
> >
> >
> >     In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
> >     number of people actively using it in the world.  Until 1.1/3.0 (won't be a 2.0
> >     from what I read) exists and has a FIPS-140-2 support available -- people will
> >     continue to use 1.0.2 and maintain it as necessary for security.
> >
> >     As an FYI:  http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> >
> >     This version is for thud, warrior, zeus and master.  It is intended to be
> >     maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
> >     needs have been met by OpenSSL.
> >
> >
> > Great, that looks like a better option anyway, assuming it has the latest fixes
> > I need, and doesn't give me the same build problem.  Thanks for pointing it out.
> > I'll give it a go.
>
> It's better to work with the Sumo version for your needs.  I just posted that as
> an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
> Project have changed their defaults.

If you want an up to date openssl 1.0.2 recipe which is compatible
with Sumo, you can find one here:

  https://github.com/armcc/meta-plumewifi

I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
but it should work for all versions in between (and if it doesn't I'll
accept patches or try to fix it).