[edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Zhang, Shenglei posted 1 patch 2 weeks ago
Failed in applying to current master (apply log)

[edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Posted by Zhang, Shenglei 2 weeks ago
Update openssl from 1.1.1b to 1.1.1d.
One thing to note is that there is a bug in the
released 1_1_1d version (894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
which causes build failure. So we switch the code base to a usable
version, which is 2 commits later than the stable tag.
Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
This log is to fix the build failure.
https://bugzilla.tianocore.org/show_bug.cgi?id=2226

Besides, the absence of "DSO_NONE" in dso_conf.h causes build failure
in OvmfPkg. So update process_files.pl to generate information from
"crypto/include/internal/dso_conf.h.in".

shm.h and utsname.h are added to avoid GCC build failure.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
---
v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
    The removed header files could be auto-generated by process_files.pl now.

v3: Add display information for dso_conf.h.

v4: Add shm.h and utsname.h to avoid GCC build failure.

 CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
 CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
 CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
 CryptoPkg/Library/OpensslLib/openssl          |  2 +-
 CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
 5 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 CryptoPkg/Library/Include/sys/shm.h
 create mode 100644 CryptoPkg/Library/Include/sys/utsname.h

diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/internal/dso_conf.h
index e69de29bb2d1..43c891588bc2 100644
--- a/CryptoPkg/Library/Include/internal/dso_conf.h
+++ b/CryptoPkg/Library/Include/internal/dso_conf.h
@@ -0,0 +1,16 @@
+/* WARNING: do not edit! */
+/* Generated from crypto/include/internal/dso_conf.h.in */
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_DSO_CONF_H
+# define HEADER_DSO_CONF_H
+# define DSO_NONE
+# define DSO_EXTENSION ".so"
+#endif
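Review bot: `# define DSO_EXTENSION ".so"` sits directly under `# define DSO_NONE`, so the header names a shared-object extension for a configuration that loads none, and because the banner says the file is generated from crypto/include/internal/dso_conf.h.in, this committed copy has to be regenerated every time the submodule pointer moves or it can drift from the OpenSSL sources it is compiled with. Suggest stating in the commit message that the file is the unedited output of process_files.pl at the new submodule commit, so a reviewer can regenerate it and compare.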
diff --git a/CryptoPkg/Library/Include/sys/shm.h b/CryptoPkg/Library/Include/sys/shm.h
new file mode 100644
index 000000000000..dc0b8e81c8b0
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/shm.h
@@ -0,0 +1,9 @@
+/** @file
+  Include file to support building the third-party cryptographic library.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <CrtLibSupport.h>
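Review bot: The @file comment of the new sys/shm.h says only that it supports building the third-party cryptographic library; it does not say which OpenSSL source includes <sys/shm.h> or why a header containing nothing but `#include <CrtLibSupport.h>` is sufficient. Suggest adding one sentence naming the consumer, so the stub can be removed again when a later OpenSSL update no longer needs it.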
diff --git a/CryptoPkg/Library/Include/sys/utsname.h b/CryptoPkg/Library/Include/sys/utsname.h
new file mode 100644
index 000000000000..75955b0a4eb6
--- /dev/null
+++ b/CryptoPkg/Library/Include/sys/utsname.h
@@ -0,0 +1,10 @@
+/** @file
+  Include file to support building the third-party cryptographic library.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <CrtLibSupport.h>
+
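Review bot: The last added line of sys/utsname.h is a bare `+`, a blank line at end of file, which is the only difference from sys/shm.h (10 lines against 9). Suggest dropping it so the file ends at `#include <CrtLibSupport.h>`.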
diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/OpensslLib/openssl
index 50eaac9f3337..c3656cc594da 160000
--- a/CryptoPkg/Library/OpensslLib/openssl
+++ b/CryptoPkg/Library/OpensslLib/openssl
@@ -1 +1 @@
-Subproject commit 50eaac9f3337667259de725451f201e784599687
+Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
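Review bot: The new gitlink c3656cc594daac8167721dde7220f0e59ae146fc is, per the commit message, two commits past the 1.1.1d tag rather than a release, and none of the five files in this patch records that. OpenSSL fixes are announced against release versions, so an untagged pin is harder to audit later; suggest recording the nearest tag and the reason for the offset (the build failure tracked in bugzilla 2226) next to the library, and returning to a tagged release at the next update.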
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 4fe54cd808a5..dd93bd84da22 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -106,6 +106,14 @@ BEGIN {
                 ) == 0 ||
                     die "Failed to generate opensslconf.h!\n";
 
+            # Generate dso_conf.h per config data
+            system(
+                "perl -I. -Mconfigdata util/dofile.pl " .
+                "crypto/include/internal/dso_conf.h.in " .
+                "> include/internal/dso_conf.h"
+                ) == 0 ||
+                    die "Failed to generate dso_conf.h!\n";
+
             chdir($basedir) ||
                 die "Cannot change to base directory \"" . $basedir . "\"";
 
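Review bot: In the added system() call the shell redirection `> include/internal/dso_conf.h` creates or truncates the output before util/dofile.pl runs, so when the `die "Failed to generate dso_conf.h!\n"` branch is taken an empty or partial header is left behind in the OpenSSL tree. Suggest generating into a temporary name and renaming it on success, or unlinking the output before the die; the call also assumes include/internal/ already exists under the current directory.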
@@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
 print "Done!";
 
 #
-# Copy opensslconf.h generated from OpenSSL Configuration
+# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
 #
 print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
 copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
      $OPENSSL_PATH . "/../../Include/openssl/") ||
    die "Cannot copy opensslconf.h!";
+print "Done!";
+print "\n--> Duplicating dso_conf.h into Include/internal ... ";
+copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
+     $OPENSSL_PATH . "/../../Include/internal/") ||
+   die "Cannot copy dso_conf.h!";
 print "Done!\n";
 
 print "\nProcessing Files Done!\n";
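Review bot: The new `die "Cannot copy dso_conf.h!"` gives no reason for the failure, so a missing Include/internal/ destination and a permissions problem produce the same message. Suggest appending `$!` to it, and to the existing `die "Cannot copy opensslconf.h!"` while the block is being touched.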
-- 
2.18.0.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#49801): https://edk2.groups.io/g/devel/message/49801
Mute This Topic: https://groups.io/mt/40404152/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Posted by Laszlo Ersek 1 week ago
On 11/01/19 07:55, Zhang, Shenglei wrote:
> Update openssl from 1.1.1b to 1.1.1d.
> Something needs to be noticed is that, there is a bug existing in the
> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
> which causes build failure. So we switch the code base to a usable
> version, which is 2 commits later than the stable tag.
> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
> This log is to fix the build failure.
> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
> 
> Besides, the absence of "DSO_NONE" in dso_conf.h causes build failure
> in OvmfPkg. So update process_files.pl to generate information from
> "crypto/include/internal/dso_conf.h.in".
> 
> shm.h and utsname.h are added to avoid GCC build failure.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
> ---
> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
>     The removed header files could be auto-generated by process_files.pl now.
> 
> v3: Add display information for dso_conf.h.
> 
> v4: Add shm.h and utsname.h to avoid GCC build failure.
> 
>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
>  5 files changed, 50 insertions(+), 2 deletions(-)
>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
> 
> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/internal/dso_conf.h
> index e69de29bb2d1..43c891588bc2 100644
> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
> @@ -0,0 +1,16 @@
> +/* WARNING: do not edit! */
> +/* Generated from crypto/include/internal/dso_conf.h.in */
> +/*
> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
> + *
> + * Licensed under the OpenSSL license (the "License").  You may not use
> + * this file except in compliance with the License.  You can obtain a copy
> + * in the file LICENSE in the source distribution or at
> + * https://www.openssl.org/source/license.html
> + */
> +
> +#ifndef HEADER_DSO_CONF_H
> +# define HEADER_DSO_CONF_H
> +# define DSO_NONE
> +# define DSO_EXTENSION ".so"
> +#endif
> diff --git a/CryptoPkg/Library/Include/sys/shm.h b/CryptoPkg/Library/Include/sys/shm.h
> new file mode 100644
> index 000000000000..dc0b8e81c8b0
> --- /dev/null
> +++ b/CryptoPkg/Library/Include/sys/shm.h
> @@ -0,0 +1,9 @@
> +/** @file
> +  Include file to support building the third-party cryptographic library.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <CrtLibSupport.h>
> diff --git a/CryptoPkg/Library/Include/sys/utsname.h b/CryptoPkg/Library/Include/sys/utsname.h
> new file mode 100644
> index 000000000000..75955b0a4eb6
> --- /dev/null
> +++ b/CryptoPkg/Library/Include/sys/utsname.h
> @@ -0,0 +1,10 @@
> +/** @file
> +  Include file to support building the third-party cryptographic library.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <CrtLibSupport.h>
> +

(1) The trailing empty line should be removed.

> diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/OpensslLib/openssl
> index 50eaac9f3337..c3656cc594da 160000
> --- a/CryptoPkg/Library/OpensslLib/openssl
> +++ b/CryptoPkg/Library/OpensslLib/openssl
> @@ -1 +1 @@
> -Subproject commit 50eaac9f3337667259de725451f201e784599687
> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
> index 4fe54cd808a5..dd93bd84da22 100755
> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> @@ -106,6 +106,14 @@ BEGIN {
>                  ) == 0 ||
>                      die "Failed to generate opensslconf.h!\n";
>  
> +            # Generate dso_conf.h per config data
> +            system(
> +                "perl -I. -Mconfigdata util/dofile.pl " .
> +                "crypto/include/internal/dso_conf.h.in " .
> +                "> include/internal/dso_conf.h"
> +                ) == 0 ||
> +                    die "Failed to generate dso_conf.h!\n";
> +
>              chdir($basedir) ||
>                  die "Cannot change to base directory \"" . $basedir . "\"";
>  
> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
>  print "Done!";
>  
>  #
> -# Copy opensslconf.h generated from OpenSSL Configuration
> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
>  #
>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
>       $OPENSSL_PATH . "/../../Include/openssl/") ||
>     die "Cannot copy opensslconf.h!";
> +print "Done!";
> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
> +     $OPENSSL_PATH . "/../../Include/internal/") ||
> +   die "Cannot copy dso_conf.h!";
>  print "Done!\n";
>  
>  print "\nProcessing Files Done!\n";
> 

(2) The comment block at the top of the script has not been extended:

# This script runs the OpenSSL Configure script, then processes the
# resulting file list into our local OpensslLib[Crypto].inf and also
# takes a copy of opensslconf.h.

It only refers to "opensslconf.h". For consistency, we should update
that comment block too, with "dso_conf.h".

With (1) and (2) fixed:

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

I'll follow up with test results soon.

Thanks
Laszlo



Re: [edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Posted by Laszlo Ersek 1 week ago
On 11/04/19 17:04, Laszlo Ersek wrote:
> On 11/01/19 07:55, Zhang, Shenglei wrote:
>> Update openssl from 1.1.1b to 1.1.1d.
>> Something needs to be noticed is that, there is a bug existing in the
>> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
>> which causes build failure. So we switch the code base to a usable
>> version, which is 2 commits later than the stable tag.
>> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
>> This log is to fix the build failure.
>> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
>>
>> Besides, the absence of "DSO_NONE" in dso_conf.h causes build failure
>> in OvmfPkg. So update process_files.pl to generate information from
>> "crypto/include/internal/dso_conf.h.in".
>>
>> shm.h and utsname.h are added to avoid GCC build failure.
>>
>> Cc: Jian J Wang <jian.j.wang@intel.com>
>> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
>> Cc: Liming Gao <liming.gao@intel.com>
>> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
>> ---
>> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
>>     The removed header files could be auto-generated by process_files.pl now.
>>
>> v3: Add display information for dso_conf.h.
>>
>> v4: Add shm.h and utsname.h to avoid GCC build failure.
>>
>>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
>>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
>>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
>>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
>>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
>>  5 files changed, 50 insertions(+), 2 deletions(-)
>>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
>>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
>>
>> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/internal/dso_conf.h
>> index e69de29bb2d1..43c891588bc2 100644
>> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
>> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
>> @@ -0,0 +1,16 @@
>> +/* WARNING: do not edit! */
>> +/* Generated from crypto/include/internal/dso_conf.h.in */
>> +/*
>> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
>> + *
>> + * Licensed under the OpenSSL license (the "License").  You may not use
>> + * this file except in compliance with the License.  You can obtain a copy
>> + * in the file LICENSE in the source distribution or at
>> + * https://www.openssl.org/source/license.html
>> + */
>> +
>> +#ifndef HEADER_DSO_CONF_H
>> +# define HEADER_DSO_CONF_H
>> +# define DSO_NONE
>> +# define DSO_EXTENSION ".so"
>> +#endif
>> diff --git a/CryptoPkg/Library/Include/sys/shm.h b/CryptoPkg/Library/Include/sys/shm.h
>> new file mode 100644
>> index 000000000000..dc0b8e81c8b0
>> --- /dev/null
>> +++ b/CryptoPkg/Library/Include/sys/shm.h
>> @@ -0,0 +1,9 @@
>> +/** @file
>> +  Include file to support building the third-party cryptographic library.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <CrtLibSupport.h>
>> diff --git a/CryptoPkg/Library/Include/sys/utsname.h b/CryptoPkg/Library/Include/sys/utsname.h
>> new file mode 100644
>> index 000000000000..75955b0a4eb6
>> --- /dev/null
>> +++ b/CryptoPkg/Library/Include/sys/utsname.h
>> @@ -0,0 +1,10 @@
>> +/** @file
>> +  Include file to support building the third-party cryptographic library.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <CrtLibSupport.h>
>> +
> 
> (1) The trailing empty line should be removed.
> 
>> diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/OpensslLib/openssl
>> index 50eaac9f3337..c3656cc594da 160000
>> --- a/CryptoPkg/Library/OpensslLib/openssl
>> +++ b/CryptoPkg/Library/OpensslLib/openssl
>> @@ -1 +1 @@
>> -Subproject commit 50eaac9f3337667259de725451f201e784599687
>> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
>> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
>> index 4fe54cd808a5..dd93bd84da22 100755
>> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
>> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
>> @@ -106,6 +106,14 @@ BEGIN {
>>                  ) == 0 ||
>>                      die "Failed to generate opensslconf.h!\n";
>>  
>> +            # Generate dso_conf.h per config data
>> +            system(
>> +                "perl -I. -Mconfigdata util/dofile.pl " .
>> +                "crypto/include/internal/dso_conf.h.in " .
>> +                "> include/internal/dso_conf.h"
>> +                ) == 0 ||
>> +                    die "Failed to generate dso_conf.h!\n";
>> +
>>              chdir($basedir) ||
>>                  die "Cannot change to base directory \"" . $basedir . "\"";
>>  
>> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
>>  print "Done!";
>>  
>>  #
>> -# Copy opensslconf.h generated from OpenSSL Configuration
>> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
>>  #
>>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
>>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
>>       $OPENSSL_PATH . "/../../Include/openssl/") ||
>>     die "Cannot copy opensslconf.h!";
>> +print "Done!";
>> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
>> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
>> +     $OPENSSL_PATH . "/../../Include/internal/") ||
>> +   die "Cannot copy dso_conf.h!";
>>  print "Done!\n";
>>  
>>  print "\nProcessing Files Done!\n";
>>
> 
> (2) The comment block at the top of the script has not been extended:
> 
> # This script runs the OpenSSL Configure script, then processes the
> # resulting file list into our local OpensslLib[Crypto].inf and also
> # takes a copy of opensslconf.h.
> 
> It only refers to "opensslconf.h". For consistency, we should update
> that comment block too, with "dso_conf.h".
> 
> With (1) and (2) fixed:
> 
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> 
> I'll follow up with test results soon.

* Simple tests for Secure Boot:

- booting a VM with SB already enabled -> continues booting, and reports
SB enabled

- delete PK in UiApp manually + reboot; check from VM

- re-enroll using EnrollDefaultKeys.efi + reboot; check from VM

- with SB enabled, check rejection using an unsigned UEFI ISO -->
"DxeImageVerificationLib: Image is not signed and SHA256 hash of image
is not found in DB/DBX."

So this looks good.

* HTTPS boot:

- reused two of my earlier server certificates: DNS domain name in
subject Common Name, IP address in subject Alternative Name, and DNS
domain name resolves to IPv4 address (cert#1) vs. IPv6 address (cert#2)

- ran four HTTPS Boot tests in total: { DHCP presents URL with IP
address, DHCP presents URL with DNS domain name } x { IPv4, IPv6 }.

All worked fine.

Tested-by: Laszlo Ersek <lersek@redhat.com>

Thanks!
Laszlo



Re: [edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Posted by Wang, Jian J 1 week ago
Laszlo,

Thank you for the tests. I also tried secure boot (linux, windows) on both OVMF and
Intel platform. All work well.

Regards,
Jian

> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Tuesday, November 05, 2019 1:45 AM
> To: devel@edk2.groups.io; Zhang, Shenglei <shenglei.zhang@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Gao, Liming <liming.gao@intel.com>
> Subject: Re: [edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
> 
> On 11/04/19 17:04, Laszlo Ersek wrote:
> > On 11/01/19 07:55, Zhang, Shenglei wrote:
> >> Update openssl from 1.1.1b to 1.1.1d.
> >> Something needs to be noticed is that, there is a bug existing in the
> >> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
> >> which causes build failure. So we switch the code base to a usable
> >> version, which is 2 commits later than the stable tag.
> >> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
> >> This log is to fix the build failure.
> >> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
> >>
> >> Besides, the absence of "DSO_NONE" in dso_conf.h causes build failure
> >> in OvmfPkg. So update process_files.pl to generate information from
> >> "crypto/include/internal/dso_conf.h.in".
> >>
> >> shm.h and utsname.h are added to avoid GCC build failure.
> >>
> >> Cc: Jian J Wang <jian.j.wang@intel.com>
> >> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> >> Cc: Liming Gao <liming.gao@intel.com>
> >> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
> >> ---
> >> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
> >>     The removed header files could be auto-generated by process_files.pl now.
> >>
> >> v3: Add display information for dso_conf.h.
> >>
> >> v4: Add shm.h and utsname.h to avoid GCC build failure.
> >>
> >>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
> >>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
> >>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
> >>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
> >>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
> >>  5 files changed, 50 insertions(+), 2 deletions(-)
> >>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
> >>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
> >>
> >> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h
> b/CryptoPkg/Library/Include/internal/dso_conf.h
> >> index e69de29bb2d1..43c891588bc2 100644
> >> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
> >> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
> >> @@ -0,0 +1,16 @@
> >> +/* WARNING: do not edit! */
> >> +/* Generated from crypto/include/internal/dso_conf.h.in */
> >> +/*
> >> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
> >> + *
> >> + * Licensed under the OpenSSL license (the "License").  You may not use
> >> + * this file except in compliance with the License.  You can obtain a copy
> >> + * in the file LICENSE in the source distribution or at
> >> + * https://www.openssl.org/source/license.html
> >> + */
> >> +
> >> +#ifndef HEADER_DSO_CONF_H
> >> +# define HEADER_DSO_CONF_H
> >> +# define DSO_NONE
> >> +# define DSO_EXTENSION ".so"
> >> +#endif
> >> diff --git a/CryptoPkg/Library/Include/sys/shm.h
> b/CryptoPkg/Library/Include/sys/shm.h
> >> new file mode 100644
> >> index 000000000000..dc0b8e81c8b0
> >> --- /dev/null
> >> +++ b/CryptoPkg/Library/Include/sys/shm.h
> >> @@ -0,0 +1,9 @@
> >> +/** @file
> >> +  Include file to support building the third-party cryptographic library.
> >> +
> >> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#include <CrtLibSupport.h>
> >> diff --git a/CryptoPkg/Library/Include/sys/utsname.h
> b/CryptoPkg/Library/Include/sys/utsname.h
> >> new file mode 100644
> >> index 000000000000..75955b0a4eb6
> >> --- /dev/null
> >> +++ b/CryptoPkg/Library/Include/sys/utsname.h
> >> @@ -0,0 +1,10 @@
> >> +/** @file
> >> +  Include file to support building the third-party cryptographic library.
> >> +
> >> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#include <CrtLibSupport.h>
> >> +
> >
> > (1) The trailing empty line should be removed.
> >
> >> diff --git a/CryptoPkg/Library/OpensslLib/openssl
> b/CryptoPkg/Library/OpensslLib/openssl
> >> index 50eaac9f3337..c3656cc594da 160000
> >> --- a/CryptoPkg/Library/OpensslLib/openssl
> >> +++ b/CryptoPkg/Library/OpensslLib/openssl
> >> @@ -1 +1 @@
> >> -Subproject commit 50eaac9f3337667259de725451f201e784599687
> >> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
> >> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> b/CryptoPkg/Library/OpensslLib/process_files.pl
> >> index 4fe54cd808a5..dd93bd84da22 100755
> >> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> >> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> >> @@ -106,6 +106,14 @@ BEGIN {
> >>                  ) == 0 ||
> >>                      die "Failed to generate opensslconf.h!\n";
> >>
> >> +            # Generate dso_conf.h per config data
> >> +            system(
> >> +                "perl -I. -Mconfigdata util/dofile.pl " .
> >> +                "crypto/include/internal/dso_conf.h.in " .
> >> +                "> include/internal/dso_conf.h"
> >> +                ) == 0 ||
> >> +                    die "Failed to generate dso_conf.h!\n";
> >> +
> >>              chdir($basedir) ||
> >>                  die "Cannot change to base directory \"" . $basedir . "\"";
> >>
> >> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
> >>  print "Done!";
> >>
> >>  #
> >> -# Copy opensslconf.h generated from OpenSSL Configuration
> >> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL
> Configuration
> >>  #
> >>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
> >>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
> >>       $OPENSSL_PATH . "/../../Include/openssl/") ||
> >>     die "Cannot copy opensslconf.h!";
> >> +print "Done!";
> >> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
> >> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
> >> +     $OPENSSL_PATH . "/../../Include/internal/") ||
> >> +   die "Cannot copy dso_conf.h!";
> >>  print "Done!\n";
> >>
> >>  print "\nProcessing Files Done!\n";
> >>
> >
> > (2) The comment block at the top of the script has not been extended:
> >
> > # This script runs the OpenSSL Configure script, then processes the
> > # resulting file list into our local OpensslLib[Crypto].inf and also
> > # takes a copy of opensslconf.h.
> >
> > It only refers to "opensslconf.h". For consistency, we should update
> > that comment block too, with "dso_conf.h".
> >
> > With (1) and (2) fixed:
> >
> > Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> >
> > I'll follow up with test results soon.
> 
> * Simple tests for Secure Boot:
> 
> - booting a VM with SB already enabled -> continues booting, and reports
> SB enabled
> 
> - delete PK in UiApp manually + reboot; check from VM
> 
> - re-enroll using EnrollDefaultKeys.efi + reboot; check from VM
> 
> - with SB enabled, check rejection using an unsigned UEFI ISO -->
> "DxeImageVerificationLib: Image is not signed and SHA256 hash of image
> is not found in DB/DBX."
> 
> So this looks good.
> 
> * HTTPS boot:
> 
> - reused two of my earlier server certificates: DNS domain name in
> subject Common Name, IP address in subject Alternative Name, and DNS
> domain name resolves to IPv4 address (cert#1) vs. IPv6 address (cert#2)
> 
> - ran four HTTPS Boot tests in total: { DHCP presents URL with IP
> address, DHCP presents URL with DNS domain name } x { IPv4, IPv6 }.
> 
> All worked fine.
> 
> Tested-by: Laszlo Ersek <lersek@redhat.com>
> 
> Thanks!
> Laszlo



Re: [edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Posted by Wang, Jian J 2 weeks ago
Hi Laszlo,

I did simple ovmf boot tests (shell, linux, windows) and all passed. Let me know if you have
any comments or want to do more tests against v4 before check in.

Based on my review and tests,
   Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Regards,
Jian

> -----Original Message-----
> From: Zhang, Shenglei <shenglei.zhang@intel.com>
> Sent: Friday, November 01, 2019 2:56 PM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Gao, Liming <liming.gao@intel.com>
> Subject: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
> 
> Update openssl from 1.1.1b to 1.1.1d.
> Something needs to be noticed is that, there is a bug existing in the
> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
> which causes build failure. So we switch the code base to a usable
> version, which is 2 commits later than the stable tag.
> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
> This log is to fix the build failure.
> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
> 
> Besides, the absence of "DSO_NONE" in dso_conf.h causes build failure
> in OvmfPkg. So update process_files.pl to generate information from
> "crypto/include/internal/dso_conf.h.in".
> 
> shm.h and utsname.h are added to avoid GCC build failure.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
> ---
> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
>     The removed header files could be auto-generated by process_files.pl now.
> 
> v3: Add display information for dso_conf.h.
> 
> v4: Add shm.h and utsname.h to avoid GCC build failure.
> 
>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
>  5 files changed, 50 insertions(+), 2 deletions(-)
>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
> 
> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h
> b/CryptoPkg/Library/Include/internal/dso_conf.h
> index e69de29bb2d1..43c891588bc2 100644
> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
> @@ -0,0 +1,16 @@
> +/* WARNING: do not edit! */
> +/* Generated from crypto/include/internal/dso_conf.h.in */
> +/*
> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
> + *
> + * Licensed under the OpenSSL license (the "License").  You may not use
> + * this file except in compliance with the License.  You can obtain a copy
> + * in the file LICENSE in the source distribution or at
> + * https://www.openssl.org/source/license.html
> + */
> +
> +#ifndef HEADER_DSO_CONF_H
> +# define HEADER_DSO_CONF_H
> +# define DSO_NONE
> +# define DSO_EXTENSION ".so"
> +#endif
> diff --git a/CryptoPkg/Library/Include/sys/shm.h
> b/CryptoPkg/Library/Include/sys/shm.h
> new file mode 100644
> index 000000000000..dc0b8e81c8b0
> --- /dev/null
> +++ b/CryptoPkg/Library/Include/sys/shm.h
> @@ -0,0 +1,9 @@
> +/** @file
> +  Include file to support building the third-party cryptographic library.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <CrtLibSupport.h>
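
Review bot: the `@file` comment at the top of the new shm.h only says it supports building the third-party library, and neither it nor the commit message names the OpenSSL source file that pulls in `<sys/shm.h>` under GCC. Naming the includer would let a later upgrade tell whether this stub is still needed. The file has no include guard; that is harmless while the body is the single `#include <CrtLibSupport.h>`, but add one if anything else is ever placed here.
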
> diff --git a/CryptoPkg/Library/Include/sys/utsname.h
> b/CryptoPkg/Library/Include/sys/utsname.h
> new file mode 100644
> index 000000000000..75955b0a4eb6
> --- /dev/null
> +++ b/CryptoPkg/Library/Include/sys/utsname.h
> @@ -0,0 +1,10 @@
> +/** @file
> +  Include file to support building the third-party cryptographic library.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <CrtLibSupport.h>
> +
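
Review bot: the hunk ends with an added blank line after `#include <CrtLibSupport.h>`, making utsname.h 10 lines where the otherwise identical shm.h is 9; drop the trailing blank line so the two stubs match.
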
> diff --git a/CryptoPkg/Library/OpensslLib/openssl
> b/CryptoPkg/Library/OpensslLib/openssl
> index 50eaac9f3337..c3656cc594da 160000
> --- a/CryptoPkg/Library/OpensslLib/openssl
> +++ b/CryptoPkg/Library/OpensslLib/openssl
> @@ -1 +1 @@
> -Subproject commit 50eaac9f3337667259de725451f201e784599687
> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
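
Review bot: the new gitlink `c3656cc594daac8167721dde7220f0e59ae146fc` is, per the commit message, two commits past the released 1_1_1d version (`894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596`) rather than the tag itself, while the subject line says "Upgrade OpenSSL to 1.1.1d". Please list the two extra upstream commits in the commit message and say which one fixes the build failure, so that anyone matching this firmware's OpenSSL against upstream advisories knows it is a post-release snapshot and not the tagged source.
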
> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> b/CryptoPkg/Library/OpensslLib/process_files.pl
> index 4fe54cd808a5..dd93bd84da22 100755
> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> @@ -106,6 +106,14 @@ BEGIN {
>                  ) == 0 ||
>                      die "Failed to generate opensslconf.h!\n";
> 
> +            # Generate dso_conf.h per config data
> +            system(
> +                "perl -I. -Mconfigdata util/dofile.pl " .
> +                "crypto/include/internal/dso_conf.h.in " .
> +                "> include/internal/dso_conf.h"
> +                ) == 0 ||
> +                    die "Failed to generate dso_conf.h!\n";
> +
>              chdir($basedir) ||
>                  die "Cannot change to base directory \"" . $basedir . "\"";
> 
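
Review bot: in the added `system(...)` call, the shell redirection `> include/internal/dso_conf.h` truncates the target before `util/dofile.pl` runs, so when the `die` fires an empty or partial dso_conf.h is left behind in the OpenSSL tree. The committed header's pre-image (`index e69de29bb2d1`, `@@ -0,0`) was an empty file, and the commit message blames the OvmfPkg build failure on the missing `DSO_NONE`, so an empty header is exactly the state to guard against. Consider generating into a temporary name and renaming on success, or unlinking the output before `die`.
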
> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
>  print "Done!";
> 
>  #
> -# Copy opensslconf.h generated from OpenSSL Configuration
> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
>  #
>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
>       $OPENSSL_PATH . "/../../Include/openssl/") ||
>     die "Cannot copy opensslconf.h!";
> +print "Done!";
> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
> +     $OPENSSL_PATH . "/../../Include/internal/") ||
> +   die "Cannot copy dso_conf.h!";
>  print "Done!\n";
> 
>  print "\nProcessing Files Done!\n";
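
Review bot: the added `die "Cannot copy dso_conf.h!"` omits `$!`, so a failed `copy()` (for example when the destination `Include/internal/` directory is missing) reports no reason. Append `$!` to the message for the new copy step, and ideally to the existing opensslconf.h one next to it.
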
> --
> 2.18.0.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#49802): https://edk2.groups.io/g/devel/message/49802
Mute This Topic: https://groups.io/mt/40404152/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Posted by Laszlo Ersek 2 weeks ago
On 11/01/19 08:31, Wang, Jian J wrote:
> Hi Laszlo,
> 
> I did simple ovmf boot tests (shell, linux, windows) and all passed. Let me know if you have
> any comments or want to do more tests against v4 before check in.
> 
> Based on my review and tests,
>    Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

I can get to this patch on next Monday (2019-Nov-04) at the earliest. (Even
today is a public holiday in my country, and I've only logged in now to
quickly respond to Mike's email in another thread.) I had the v3 posting
tagged earlier, and am learning of v4 only now.

I think the OpenSSL update should be tested with at least the following
use cases:

- HTTPS boot
- Secure Boot

Given that the HTTPS Boot CVE fix is also pending on the list, and that
it was posted before the OpenSSL upgrade, and they both affect HTTPS
Boot, I request that the OpenSSL upgrade be delayed until after the CVE
fix is pushed. (I'll try to push the CVE fix this weekend, or next Monday.)

Thanks
Laszlo

>> -----Original Message-----
>> From: Zhang, Shenglei <shenglei.zhang@intel.com>
>> Sent: Friday, November 01, 2019 2:56 PM
>> To: devel@edk2.groups.io
>> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
>> Gao, Liming <liming.gao@intel.com>
>> Subject: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
>>
>> Update openssl from 1.1.1b to 1.1.1d.
>> Something needs to be noticed is that, there is a bug existing in the
>> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
>> which causes build failure. So we switch the code base to a usable
>> version, which is 2 commits later than the stable tag.
>> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
>> This log is to fix the build failure.
>> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
>>
>> Besides, the absence of "DSO_NONE" in dso_conf.h causes build failure
>> in OvmfPkg. So update process_files.pl to generate information from
>> "crypto/include/internal/dso_conf.h.in".
>>
>> shm.h and utsname.h are added to avoid GCC build failure.
>>
>> Cc: Jian J Wang <jian.j.wang@intel.com>
>> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
>> Cc: Liming Gao <liming.gao@intel.com>
>> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
>> ---
>> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
>>     The removed header files could be auto-generated by process_files.pl now.
>>
>> v3: Add display information for dso_conf.h.
>>
>> v4: Add shm.h and utsname.h to avoid GCC build failure.
>>
>>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
>>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
>>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
>>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
>>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
>>  5 files changed, 50 insertions(+), 2 deletions(-)
>>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
>>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
>>
>> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h
>> b/CryptoPkg/Library/Include/internal/dso_conf.h
>> index e69de29bb2d1..43c891588bc2 100644
>> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
>> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
>> @@ -0,0 +1,16 @@
>> +/* WARNING: do not edit! */
>> +/* Generated from crypto/include/internal/dso_conf.h.in */
>> +/*
>> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
>> + *
>> + * Licensed under the OpenSSL license (the "License").  You may not use
>> + * this file except in compliance with the License.  You can obtain a copy
>> + * in the file LICENSE in the source distribution or at
>> + * https://www.openssl.org/source/license.html
>> + */
>> +
>> +#ifndef HEADER_DSO_CONF_H
>> +# define HEADER_DSO_CONF_H
>> +# define DSO_NONE
>> +# define DSO_EXTENSION ".so"
>> +#endif
>> diff --git a/CryptoPkg/Library/Include/sys/shm.h
>> b/CryptoPkg/Library/Include/sys/shm.h
>> new file mode 100644
>> index 000000000000..dc0b8e81c8b0
>> --- /dev/null
>> +++ b/CryptoPkg/Library/Include/sys/shm.h
>> @@ -0,0 +1,9 @@
>> +/** @file
>> +  Include file to support building the third-party cryptographic library.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <CrtLibSupport.h>
>> diff --git a/CryptoPkg/Library/Include/sys/utsname.h
>> b/CryptoPkg/Library/Include/sys/utsname.h
>> new file mode 100644
>> index 000000000000..75955b0a4eb6
>> --- /dev/null
>> +++ b/CryptoPkg/Library/Include/sys/utsname.h
>> @@ -0,0 +1,10 @@
>> +/** @file
>> +  Include file to support building the third-party cryptographic library.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <CrtLibSupport.h>
>> +
>> diff --git a/CryptoPkg/Library/OpensslLib/openssl
>> b/CryptoPkg/Library/OpensslLib/openssl
>> index 50eaac9f3337..c3656cc594da 160000
>> --- a/CryptoPkg/Library/OpensslLib/openssl
>> +++ b/CryptoPkg/Library/OpensslLib/openssl
>> @@ -1 +1 @@
>> -Subproject commit 50eaac9f3337667259de725451f201e784599687
>> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
>> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
>> b/CryptoPkg/Library/OpensslLib/process_files.pl
>> index 4fe54cd808a5..dd93bd84da22 100755
>> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
>> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
>> @@ -106,6 +106,14 @@ BEGIN {
>>                  ) == 0 ||
>>                      die "Failed to generate opensslconf.h!\n";
>>
>> +            # Generate dso_conf.h per config data
>> +            system(
>> +                "perl -I. -Mconfigdata util/dofile.pl " .
>> +                "crypto/include/internal/dso_conf.h.in " .
>> +                "> include/internal/dso_conf.h"
>> +                ) == 0 ||
>> +                    die "Failed to generate dso_conf.h!\n";
>> +
>>              chdir($basedir) ||
>>                  die "Cannot change to base directory \"" . $basedir . "\"";
>>
>> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
>>  print "Done!";
>>
>>  #
>> -# Copy opensslconf.h generated from OpenSSL Configuration
>> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
>>  #
>>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
>>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
>>       $OPENSSL_PATH . "/../../Include/openssl/") ||
>>     die "Cannot copy opensslconf.h!";
>> +print "Done!";
>> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
>> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
>> +     $OPENSSL_PATH . "/../../Include/internal/") ||
>> +   die "Cannot copy dso_conf.h!";
>>  print "Done!\n";
>>
>>  print "\nProcessing Files Done!\n";
>> --
>> 2.18.0.windows.1
> 


View/Reply Online (#49871): https://edk2.groups.io/g/devel/message/49871

Re: [edk2-devel] [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d

Posted by Wang, Jian J 2 weeks ago
Laszlo,

You're right. I'll do more tests for secure boot. I'll leave https boot to you.

Regards,
Jian

> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Saturday, November 02, 2019 6:03 AM
> To: Wang, Jian J <jian.j.wang@intel.com>; Zhang, Shenglei
> <shenglei.zhang@intel.com>; devel@edk2.groups.io
> Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Gao, Liming <liming.gao@intel.com>
> Subject: Re: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
> 
> On 11/01/19 08:31, Wang, Jian J wrote:
> > Hi Laszlo,
> >
> > I did simple ovmf boot tests (shell, linux, windows) and all passed. Let me know
> if you have
> > any comments or want to do more tests against v4 before check in.
> >
> > Based on my review and tests,
> >    Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> 
> I can get to this patch on next Monday (2019-Nov-04) at the earliest. (Even
> today is a public holiday in my country, and I've only logged in now to
> quickly respond to Mike's email in another thread.) I had the v3 posting
> tagged earlier, and am learning of v4 only now.
> 
> I think the OpenSSL update should be tested with at least the following
> use cases:
> 
> - HTTPS boot
> - Secure Boot
> 
> Given that the HTTPS Boot CVE fix is also pending on the list, and that
> it was posted before the OpenSSL upgrade, and they both affect HTTPS
> Boot, I request that the OpenSSL upgrade be delayed until after the CVE
> fix is pushed. (I'll try to push the CVE fix this weekend, or next Monday.)
> 
> Thanks
> Laszlo
> 
> >> -----Original Message-----
> >> From: Zhang, Shenglei <shenglei.zhang@intel.com>
> >> Sent: Friday, November 01, 2019 2:56 PM
> >> To: devel@edk2.groups.io
> >> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> <xiaoyux.lu@intel.com>;
> >> Gao, Liming <liming.gao@intel.com>
> >> Subject: [PATCH v4] CryptoPkg: Upgrade OpenSSL to 1.1.1d
> >>
> >> Update openssl from 1.1.1b to 1.1.1d.
> >> Something needs to be noticed is that, there is a bug existing in the
> >> released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
> >> which causes build failure. So we switch the code base to a usable
> >> version, which is 2 commits later than the stable tag.
> >> Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
> >> This log is to fix the build failure.
> >> https://bugzilla.tianocore.org/show_bug.cgi?id=2226
> >>
> >> Besides, the absence of "DSO_NONE" in dso_conf.h causes build failure
> >> in OvmfPkg. So update process_files.pl to generate information from
> >> "crypto/include/internal/dso_conf.h.in".
> >>
> >> shm.h and utsname.h are added to avoid GCC build failure.
> >>
> >> Cc: Jian J Wang <jian.j.wang@intel.com>
> >> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> >> Cc: Liming Gao <liming.gao@intel.com>
> >> Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
> >> ---
> >> v2: Revert the changes in OpensslLib.inf and OpensslLibCrypto.inf.
> >>     The removed header files could be auto-generated by process_files.pl now.
> >>
> >> v3: Add display information for dso_conf.h.
> >>
> >> v4: Add shm.h and utsname.h to avoid GCC build failure.
> >>
> >>  CryptoPkg/Library/Include/internal/dso_conf.h | 16 ++++++++++++++++
> >>  CryptoPkg/Library/Include/sys/shm.h           |  9 +++++++++
> >>  CryptoPkg/Library/Include/sys/utsname.h       | 10 ++++++++++
> >>  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
> >>  CryptoPkg/Library/OpensslLib/process_files.pl | 15 ++++++++++++++-
> >>  5 files changed, 50 insertions(+), 2 deletions(-)
> >>  create mode 100644 CryptoPkg/Library/Include/sys/shm.h
> >>  create mode 100644 CryptoPkg/Library/Include/sys/utsname.h
> >>
> >> diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h
> >> b/CryptoPkg/Library/Include/internal/dso_conf.h
> >> index e69de29bb2d1..43c891588bc2 100644
> >> --- a/CryptoPkg/Library/Include/internal/dso_conf.h
> >> +++ b/CryptoPkg/Library/Include/internal/dso_conf.h
> >> @@ -0,0 +1,16 @@
> >> +/* WARNING: do not edit! */
> >> +/* Generated from crypto/include/internal/dso_conf.h.in */
> >> +/*
> >> + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
> >> + *
> >> + * Licensed under the OpenSSL license (the "License").  You may not use
> >> + * this file except in compliance with the License.  You can obtain a copy
> >> + * in the file LICENSE in the source distribution or at
> >> + * https://www.openssl.org/source/license.html
> >> + */
> >> +
> >> +#ifndef HEADER_DSO_CONF_H
> >> +# define HEADER_DSO_CONF_H
> >> +# define DSO_NONE
> >> +# define DSO_EXTENSION ".so"
> >> +#endif
> >> diff --git a/CryptoPkg/Library/Include/sys/shm.h
> >> b/CryptoPkg/Library/Include/sys/shm.h
> >> new file mode 100644
> >> index 000000000000..dc0b8e81c8b0
> >> --- /dev/null
> >> +++ b/CryptoPkg/Library/Include/sys/shm.h
> >> @@ -0,0 +1,9 @@
> >> +/** @file
> >> +  Include file to support building the third-party cryptographic library.
> >> +
> >> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#include <CrtLibSupport.h>
> >> diff --git a/CryptoPkg/Library/Include/sys/utsname.h
> >> b/CryptoPkg/Library/Include/sys/utsname.h
> >> new file mode 100644
> >> index 000000000000..75955b0a4eb6
> >> --- /dev/null
> >> +++ b/CryptoPkg/Library/Include/sys/utsname.h
> >> @@ -0,0 +1,10 @@
> >> +/** @file
> >> +  Include file to support building the third-party cryptographic library.
> >> +
> >> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#include <CrtLibSupport.h>
> >> +
> >> diff --git a/CryptoPkg/Library/OpensslLib/openssl
> >> b/CryptoPkg/Library/OpensslLib/openssl
> >> index 50eaac9f3337..c3656cc594da 160000
> >> --- a/CryptoPkg/Library/OpensslLib/openssl
> >> +++ b/CryptoPkg/Library/OpensslLib/openssl
> >> @@ -1 +1 @@
> >> -Subproject commit 50eaac9f3337667259de725451f201e784599687
> >> +Subproject commit c3656cc594daac8167721dde7220f0e59ae146fc
> >> diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl
> >> b/CryptoPkg/Library/OpensslLib/process_files.pl
> >> index 4fe54cd808a5..dd93bd84da22 100755
> >> --- a/CryptoPkg/Library/OpensslLib/process_files.pl
> >> +++ b/CryptoPkg/Library/OpensslLib/process_files.pl
> >> @@ -106,6 +106,14 @@ BEGIN {
> >>                  ) == 0 ||
> >>                      die "Failed to generate opensslconf.h!\n";
> >>
> >> +            # Generate dso_conf.h per config data
> >> +            system(
> >> +                "perl -I. -Mconfigdata util/dofile.pl " .
> >> +                "crypto/include/internal/dso_conf.h.in " .
> >> +                "> include/internal/dso_conf.h"
> >> +                ) == 0 ||
> >> +                    die "Failed to generate dso_conf.h!\n";
> >> +
> >>              chdir($basedir) ||
> >>                  die "Cannot change to base directory \"" . $basedir . "\"";
> >>
> >> @@ -249,12 +257,17 @@ rename( $new_inf_file, $inf_file ) ||
> >>  print "Done!";
> >>
> >>  #
> >> -# Copy opensslconf.h generated from OpenSSL Configuration
> >> +# Copy opensslconf.h and dso_conf.h generated from OpenSSL
> Configuration
> >>  #
> >>  print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
> >>  copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
> >>       $OPENSSL_PATH . "/../../Include/openssl/") ||
> >>     die "Cannot copy opensslconf.h!";
> >> +print "Done!";
> >> +print "\n--> Duplicating dso_conf.h into Include/internal ... ";
> >> +copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
> >> +     $OPENSSL_PATH . "/../../Include/internal/") ||
> >> +   die "Cannot copy dso_conf.h!";
> >>  print "Done!\n";
> >>
> >>  print "\nProcessing Files Done!\n";
> >> --
> >> 2.18.0.windows.1
> >


View/Reply Online (#49878): https://edk2.groups.io/g/devel/message/49878