From: Rasmus Villemoes <ravi@prevas.dk>
To: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] openssl environment variables
Date: Tue, 29 Oct 2024 10:56:43 +0100 [thread overview]
Message-ID: <87r07zjkpw.fsf@prevas.dk> (raw)
In-Reply-To: <f0d57e20bdf3d90e6c0ccd8ccfef6faf61bf45b0.camel@linuxfoundation.org> (Richard Purdie's message of "Tue, 29 Oct 2024 09:06:12 +0000")
On Tue, Oct 29 2024, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> On Tue, 2024-10-29 at 10:01 +0100, Rasmus Villemoes via lists.openembedded.org wrote:
>> I'm wondering if anybody has encountered this problem before, and if so,
>> if there is a clean solution:
>>
>> When using openssl-native, there's machinery in place so that when
>> openssl-the-binary is called, it's done through a wrapper script that
>> sets
>>
>> OPENSSL_CONF
>> SSL_CERT_DIR
>> SSL_CERT_FILE
>> OPENSSL_ENGINES
>> OPENSSL_MODULES
>>
>> so that these point into the appropriate STAGING_DIR_NATIVE, and then
>> invokes openssl.real.
>>
>> Similarly, when including nativesdk-openssl in the sdk, there's an env
>> snippet installed that has the same effect when the sdk setup script is
>> sourced.
>>
>> However, when the build involves some tool, say (uboot-)mkimage, which
>> _links_ against libssl, no such env variables are automatically set
>> up. This means that if one tries to do something like using a pkcs11
>> engine, and has made sure that the appropriate pkcs11 .so file is
>> available in sysroot-native, libssl still won't find it because it
>> doesn't know to look in ${STAGING_DIR_NATIVE}/usr/lib/engines-3.
>>
>> I can of course define and export these variables myself in the recipe,
>> or in a tiny openssl-env.bbclass helper class, but this feels like the
>> sort of thing that the build system should take care of automatically,
>> just as it already does for the openssl binary itself, and for the whole
>> sdk environment. But I suppose that by the time dependency resolution
>> has figured out that "hey, this recipe (transitively) depends on
>> openssl-native", it's way too late to inject something that sets+exports
>> these variables.
>
> https://github.com/openssl/openssl/pull/19260
>
> We realised we could only probably fix this properly with upstream
> help. We haven't managed to have anyone work through the process enough
> to get patches accepted though.
>
> So yes, we're aware but we need someone with time to work on it.
Ah, thanks for the pointer. OK, so it's a known, and hard, problem.
Rasmus
next prev parent reply other threads:[~2024-10-29 9:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-29 9:01 openssl environment variables Rasmus Villemoes
2024-10-29 9:06 ` [OE-core] " Richard Purdie
2024-10-29 9:56 ` Rasmus Villemoes [this message]
2024-10-29 10:01 ` Mikko Rapeli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r07zjkpw.fsf@prevas.dk \
--to=ravi@prevas.dk \
--cc=openembedded-core@lists.openembedded.org \
--cc=richard.purdie@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.