* [PATCH] ovmf: fix secureboot PACKAGECONFIG + OpenSSL update
@ 2017-06-16 9:53 Patrick Ohly
2017-06-16 10:01 ` ✗ patchtest: failure for " Patchwork
2017-06-16 11:24 ` [PATCH] " Alexander Kanavin
0 siblings, 2 replies; 4+ messages in thread
From: Patrick Ohly @ 2017-06-16 9:53 UTC (permalink / raw)
To: openembedded-core
The recent ovmf update broke secureboot because upstream changed the
way how openssl gets compiled into ovmf. It's now integrated directly
into the ovmf build process, without having to patch it first.
In addition, more recent OpenSSL releases are supported. 1.1.0e was
explicitly mentioned in the ovmf commits and because the current
1.1.0f only has minor build enhancements, 1.1.0e is used here.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
meta/recipes-core/ovmf/ovmf_git.bb | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 5d7216e..28f0cde 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -18,14 +18,16 @@ SRC_URI = "git://github.com/tianocore/edk2.git;branch=master \
file://no-stack-protector-all-archs.patch \
"
+OPENSSL_RELEASE = "openssl-1.1.0e"
+
SRC_URI_append_class-target = " \
- ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
file://0007-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch \
"
SRCREV="ec4910cd3336565fdb61dafdd9ec4ae7a6160ba3"
-SRC_URI[openssl.md5sum] = "96322138f0b69e61b7212bc53d5e912b"
-SRC_URI[openssl.sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"
+SRC_URI[openssl.md5sum] = "51c42d152122e474754aea96f66928c6"
+SRC_URI[openssl.sha256sum] = "57be8618979d80c910728cfc99369bf97b2a1abd8f366ab6ebdee8975ad3874c"
inherit deploy
@@ -187,10 +189,7 @@ do_compile_class-target() {
# building with Secure Boot enabled.
bbnote "Building with Secure Boot."
rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
- if ! [ -f ${S}/CryptoPkg/Library/OpensslLib/openssl-*/edk2-patch-applied ]; then
- ( cd ${S}/CryptoPkg/Library/OpensslLib/openssl-* && patch -p1 <$(echo ../EDKII_openssl-*.patch) && touch edk2-patch-applied )
- fi
- ( cd ${S}/CryptoPkg/Library/OpensslLib/ && ./Install.sh )
+ ln -sf ${OPENSSL_RELEASE} ${S}/CryptoPkg/Library/OpensslLib/openssl
${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS}
ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd
base-commit: 059846662f1ea1c82804cfce5f91afcb2980ec8a
--
git-series 0.9.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* ✗ patchtest: failure for ovmf: fix secureboot PACKAGECONFIG + OpenSSL update
2017-06-16 9:53 [PATCH] ovmf: fix secureboot PACKAGECONFIG + OpenSSL update Patrick Ohly
@ 2017-06-16 10:01 ` Patchwork
2017-06-16 11:24 ` [PATCH] " Alexander Kanavin
1 sibling, 0 replies; 4+ messages in thread
From: Patchwork @ 2017-06-16 10:01 UTC (permalink / raw)
To: Patrick Ohly; +Cc: openembedded-core
== Series Details ==
Series: ovmf: fix secureboot PACKAGECONFIG + OpenSSL update
Revision: 1
URL : https://patchwork.openembedded.org/series/7287/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Series does not apply on top of target branch [test_series_merge_on_head]
Suggested fix Rebase your series on top of targeted branch
Targeted branch master (currently at 1d9a88f635)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ovmf: fix secureboot PACKAGECONFIG + OpenSSL update
2017-06-16 9:53 [PATCH] ovmf: fix secureboot PACKAGECONFIG + OpenSSL update Patrick Ohly
2017-06-16 10:01 ` ✗ patchtest: failure for " Patchwork
@ 2017-06-16 11:24 ` Alexander Kanavin
2017-06-16 12:24 ` Patrick Ohly
1 sibling, 1 reply; 4+ messages in thread
From: Alexander Kanavin @ 2017-06-16 11:24 UTC (permalink / raw)
To: Patrick Ohly, openembedded-core
On 06/16/2017 12:53 PM, Patrick Ohly wrote:
> The recent ovmf update broke secureboot because upstream changed the
> +OPENSSL_RELEASE = "openssl-1.1.0e"
> +
> SRC_URI_append_class-target = " \
> - ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
> + ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
Is it possible to make ovmf use an externally built openssl (that is,
the one that is provided by the openssl recipe)?
Given openssl's baggage of major security issues, I really do not want
to have more than one copy of it in oe-core.
Alex
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] ovmf: fix secureboot PACKAGECONFIG + OpenSSL update
2017-06-16 11:24 ` [PATCH] " Alexander Kanavin
@ 2017-06-16 12:24 ` Patrick Ohly
0 siblings, 0 replies; 4+ messages in thread
From: Patrick Ohly @ 2017-06-16 12:24 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: openembedded-core
On Fri, 2017-06-16 at 14:24 +0300, Alexander Kanavin wrote:
> On 06/16/2017 12:53 PM, Patrick Ohly wrote:
> > The recent ovmf update broke secureboot because upstream changed the
> > +OPENSSL_RELEASE = "openssl-1.1.0e"
> > +
> > SRC_URI_append_class-target = " \
> > - ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/openssl-1.0.2j.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
> > + ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'http://www.openssl.org/source/${OPENSSL_RELEASE}.tar.gz;name=openssl;subdir=${S}/CryptoPkg/Library/OpensslLib', '', d)} \
>
> Is it possible to make ovmf use an externally built openssl (that is,
> the one that is provided by the openssl recipe)?
I very much doubt it. The externally build openssl depends on the libc
of the target system, and that isn't part of the environment in which
the OVMF firmware runs.
> Given openssl's baggage of major security issues, I really do not want
> to have more than one copy of it in oe-core.
Now that OVMF seems more flexible regarding the actual OpenSSL
implementation that it uses (previously, one had to use pretty much
exactly the version chosen by the upstream OVMF developers), we could
try to make the OpenSSL version to use a distro setting and ensure that
both openssl .bb and ovmf .bb use that version.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-06-16 12:24 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-16 9:53 [PATCH] ovmf: fix secureboot PACKAGECONFIG + OpenSSL update Patrick Ohly
2017-06-16 10:01 ` ✗ patchtest: failure for " Patchwork
2017-06-16 11:24 ` [PATCH] " Alexander Kanavin
2017-06-16 12:24 ` Patrick Ohly
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox