From: Patrick Ohly <patrick.ohly@intel.com>
To: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] ovmf: fix secureboot PACKAGECONFIG + OpenSSL update
Date: Fri, 16 Jun 2017 14:24:09 +0200
Message-ID: <1497615849.30163.419.camel@intel.com>
In-Reply-To: <7d05fe3e-ae22-fd9b-a94c-4f1dce40b2ba@linux.intel.com>

On Fri, 2017-06-16 at 14:24 +0300, Alexander Kanavin wrote:
> On 06/16/2017 12:53 PM, Patrick Ohly wrote:
> > The recent ovmf update broke secureboot because upstream changed the
> > +OPENSSL_RELEASE = "openssl-1.1.0e"
> > +
> > SRC_URI_append_class-target = " \
> > - ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
> > + ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
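
Review bot: the added SRC_URI line still fetches the tarball over plain
http:// and now builds the URL from OPENSSL_RELEASE, but the quoted hunk
shows no matching change to the checksum for the name=openssl entry. A
checksum is the only integrity check on an http download, so the bump to
openssl-1.1.0e should update SRC_URI[openssl.sha256sum] in the same
change, and the URL could move to
https://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz. A comment next
to OPENSSL_RELEASE noting that the checksum must change with it would
keep the two from drifting apart.
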
>
> Is it possible to make ovmf use an externally built openssl (that is,
> the one that is provided by the openssl recipe)?

I very much doubt it. The externally built openssl depends on the libc
of the target system, and that isn't part of the environment in which
the OVMF firmware runs.

> Given openssl's baggage of major security issues, I really do not want
> to have more than one copy of it in oe-core.

Now that OVMF seems more flexible regarding the actual OpenSSL
implementation that it uses (previously, one had to use pretty much
exactly the version chosen by the upstream OVMF developers), we could
try to make the OpenSSL version to use a distro setting and ensure that
both openssl .bb and ovmf .bb use that version.

--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.