update openssl to 3.2.x #5765

Closed
wants to merge 14 commits into from

Member

kraxel commented Jun 11, 2024

  • CrtLibSupport: add sleep()
  • CrtLibSupport: fix gettimeofday()
  • CrtLibSupport: factor out EFI_TIME -> time_t calculation to new function
  • CrtLibSupport: add mktime()
  • CrtLibSupport: add timezone
  • openssl: update submodule to 3.2.2
  • openssl: update generated files
  • CryptoPkg: CI: update OpensslGen file list
  • openssl: add Library/OpensslLib/openssl to includes, drop e_os.h hack
  • openssl: adapt stubs to openssl 3.2.x
  • openssl: add more stubs for openssl 3.2.x

Description

  • add a bunch of time-related tweaks to CrtLibSupport
  • update openssl submodule to openssl 3.2.2
  • apply a number of build fixes (mostly in stubs).

The second part of the series (all 'openssl:' prefixed patches) is not
bisectable; all patches are needed to make edk2 build again. The only
way to fix that would be to squash them all together. That would make
review rather hard though, especially due to the large "update generated
files" patch.

How This Was Tested

  • Regression testing with OVMF (verify secure boot and https network boot).
  • Run CryptoPkgHostUnitTest

Integration Instructions

N/A

kraxel force-pushed the devel/openssl-3.2.x branch 4 times, most recently from 78c7225 to eeb0721 on June 18, 2024 11:29
kraxel force-pushed the devel/openssl-3.2.x branch 6 times, most recently from 5665971 to 8c9a5ba on July 4, 2024 13:19
kraxel force-pushed the devel/openssl-3.2.x branch 7 times, most recently from fbfdd4f to e527e4e on July 17, 2024 13:11
kraxel marked this pull request as ready for review July 17, 2024 13:13
Member Author

kraxel commented Jul 17, 2024

/cc @jyao1,@Wenxing-hou,@liyi77

Contributor

liyi77 commented Jul 18, 2024

Is there any special reason to upgrade to 3.2? If you don't need the new features in 3.2, 3.0 is probably a better choice.
The 3.2 series is supported until 23rd November 2025, the 3.1 series is supported until 14th March 2025, and the 3.0 series, which is a Long Term Support (LTS) version, is supported until 7th September 2026.

liyi77 requested review from jyao1 and Wenxing-hou July 18, 2024 01:53
Member Author

kraxel commented Jul 18, 2024

> Is there any special reason to upgrade to 3.2?

Mostly that others (Fedora distro for example) moved from 3.0 to 3.2 too.

Contributor

liyi77 commented Jul 19, 2024

Then I prefer to stay on the LTS version, since no new features are needed by EDK2.
Hi @jyao1, do you have comments on this?

Contributor

jyao1 commented Aug 26, 2024

Usually, I am OK to upgrade, as long as there is not much size difference.
@kraxel, do you have any data for the size difference?

Also, as @liyi77 mentioned,
is there any concern: the 3.2 series is supported until 23rd November 2025,
the 3.1 series is supported until 14th March 2025,
and the 3.0 series, which is a Long Term Support (LTS) version, is supported until 7th September 2026.

@kraxel, do you want to go back to 3.0 after November 2025?

Will be needed by openssl-3.2.x

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Turn gettimeofday() into a proper function with return value.

Will be needed by openssl-3.2.x

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Will be needed by openssl-3.2.x

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Adding $(OPENSSL_PATH)/e_os.h to the list of source files had the effect
that $(OPENSSL_PATH)/ was added to the list of include directories.
With the file being gone in openssl-3.2.x this doesn't work any more.

Add the directory to the [Includes.Common.Private] section instead.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Function declarations have changed in openssl-3.2.x, adapt the stubs.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

openssl-3.2.2 got a few more tls config hooks, add stubs for them.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Fix for openssl is on the way and should land in 3.2.3
openssl/openssl#24895

After updating the openssl submodule to a version with the fix
included it should be possible to revert this patch.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Member Author

kraxel commented Sep 6, 2024

> Usually, I am OK to upgrade, as long as there is not much size difference. @kraxel, do you have any data for the size difference?

ovmf pei firmware volume does not change in size.
ovmf dxe firmware volume is slightly larger (secure boot drivers and tlsdxe):

-          volume=guid:Ffs offset=0x0 size=0xe80000 hlen=0x48 xoff=0x60 rev=2 blocks=232*65536 used=50.1% name=guid:OvmfDxeFv
+          volume=guid:Ffs offset=0x0 size=0xe80000 hlen=0x48 xoff=0x60 rev=2 blocks=232*65536 used=51.5% name=guid:OvmfDxeFv

> Also, as @liyi77 mentioned, is there any concern: the 3.2 series is supported until 23rd November 2025, the 3.1 series is supported until 14th March 2025, and the 3.0 series, which is a Long Term Support (LTS) version, is supported until 7th September 2026.
>
> @kraxel, do you want to go back to 3.0 after November 2025?

openssl started to do two releases per year, in April and November. Since I've started working on this, 3.3 has been released, which will be supported until April 2026. Moving to 3.3 seems to work fine (builds on linux without additional changes, did not try CI yet).

3.4 should follow later this year and will be supported until November 2026 (maybe even longer should it become an LTS release), which is beyond the 3.0 LTS EOL date. So there clearly is no need to go back to 3.0.

kraxel force-pushed the devel/openssl-3.2.x branch from e527e4e to f3706ce on September 6, 2024 11:03
kraxel force-pushed the devel/openssl-3.2.x branch 2 times, most recently from 8407380 to 0de4efb on September 6, 2024 15:06
Member Author

kraxel commented Sep 10, 2024

aarch64 switching to asm acceleration breaks the build with openssl 3.2 (also 3.3 and 3.4) due to an openssl bug.
openssl/openssl#25419

kraxel marked this pull request as draft September 10, 2024 14:36
Member Author

kraxel commented Sep 10, 2024

Downgraded this to draft for now, waiting for the openssl fix to land upstream.

Moved the version-independent changes to a new PR (#6185),
this for the most part carries CrtLibSupport updates needed for 3.2 + 3.3 + 3.4 versions.

Contributor

jyao1 commented Sep 13, 2024

It seems the size delta is acceptable. Thanks @kraxel.

I feel we should always use the LTS branch.
In this case, can we just bump to 3.4 once it comes out later this year?

Member Author

kraxel commented Sep 13, 2024

> I feel we should always use the LTS branch. In this case, can we just bump to 3.4 once it comes out later this year?

Yes, we can also jump to 3.4. It is not clear whether it will become an LTS release, but even in case that does not happen the EOL date will be after 3.0-LTS goes EOL.


This PR has been automatically marked as stale because it has not had activity in 60 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.

github-actions bot added the stale label (Due to lack of updates, this item is pending deletion.) Nov 12, 2024

mergify bot commented Nov 12, 2024

PR can not be merged due to conflict. Please rebase and resubmit

github-actions bot removed the stale label (Due to lack of updates, this item is pending deletion.) Nov 13, 2024
Member Author

kraxel commented Nov 14, 2024

closing, working on 3.4.x update instead.

kraxel closed this Nov 14, 2024