public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Zhang, Shenglei" <shenglei.zhang@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
	"Lu, XiaoyuX" <xiaoyux.lu@intel.com>,
	David Woodhouse <dwmw2@infradead.org>
Subject: Re: [edk2-devel] [PATCH] CryptoPkg: Upgrade OpenSSL to 1.1.1d
Date: Wed, 23 Oct 2019 07:17:48 +0000	[thread overview]
Message-ID: <C0706E73DB8C124D9B9C38AA364E5D5E056459AA@SHSMSX106.ccr.corp.intel.com> (raw)
In-Reply-To: <27634217-cad7-9472-5122-3f62735c801d@redhat.com>

Hi Laszlo,

> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Tuesday, October 22, 2019 12:29 AM
> To: devel@edk2.groups.io; Zhang, Shenglei <shenglei.zhang@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> <xiaoyux.lu@intel.com>; David Woodhouse <dwmw2@infradead.org>
> Subject: Re: [edk2-devel] [PATCH] CryptoPkg: Upgrade OpenSSL to 1.1.1d
> 
> On 10/21/19 10:06, Zhang, Shenglei wrote:
> > Update openssl from 1.1.1b to 1.1.1d.
> > Something needs to be noticed is that, there is a bug existing in the
> > released 1_1_1d version(894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596),
> > which causes build failure. So we switch the code base to a usable
> > version, which is 2 commits later than the stable tag.
> > Now we use the version c3656cc594daac8167721dde7220f0e59ae146fc.
> > This log is to fix the build failure.
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2226
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
> > ---
> >  CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 57 -------------------
> >  .../Library/OpensslLib/OpensslLibCrypto.inf   | 49 ----------------
> >  CryptoPkg/Library/OpensslLib/openssl          |  2 +-
> >  3 files changed, 1 insertion(+), 107 deletions(-)
> 
> When I try to apply this patch manually, on top of current master
> (91f98c908627), then "git am" fails.
> 
> However, if I try to reproduce this patch myself (advancing the
> submodule to c3656cc594da, and then running "process_files.pl"), then
> the result ("git diff") matches the code changes in the patch -- not
> counting CRLF vs. LF, anyway.
> 
> (It seems like the "git am" failure is due to mixed line-endings within
> the patch -- the submodule reference hunk uses LFs, not CRLFs. I can
> live with that.)
> 
> Having to use openssl at c3656cc594da is unfortunate, but I think it's
> justified.
> 
> Unfortunately, with this update, the following build command fails for
> me (it may fail for other OVMF builds as well, this was simply my first
> attempt):
> 
>   $ nice build \
>       -a IA32 \
>       -p OvmfPkg/OvmfPkgIa32.dsc \
>       -t GCC48 \
>       -b DEBUG \
>       -D SMM_REQUIRE \
>       -D SECURE_BOOT_ENABLE \
>       -D NETWORK_IP6_ENABLE \
>       -D NETWORK_TLS_ENABLE \
>       -D NETWORK_HTTP_BOOT_ENABLE \
>       -D E1000_ENABLE \
>       -n 4 \
>       --report-file=$HOME/tmp/build.ovmf.32.report \
>       --log=$HOME/tmp/build.ovmf.32.log \
>       --cmd-len=65536 \
>       --genfds-multi-thread
> 
> The directly failing command is:
> 
>   "gcc"  \
>     -o
> Build/OvmfIa32/DEBUG_GCC48/IA32/MdeModulePkg/Universal/Variable/R
> untimeDxe/VariableSmm/DEBUG/VariableSmm.dll  \
>     -nostdlib  \
>     -Wl,-n,-q,--gc-sections  \
>     -z common-page-size=0x20  \
>     -Wl,--entry,_ModuleEntryPoint  \
>     -u _ModuleEntryPoint  \
>     -Wl,-
> Map,Build/OvmfIa32/DEBUG_GCC48/IA32/MdeModulePkg/Universal/Varia
> ble/RuntimeDxe/VariableSmm/DEBUG/VariableSmm.map,--whole-archive  \
>     -Wl,-m,elf_i386,--oformat=elf32-i386  \
>     -z common-page-size=0x1000  \
>     -Wl,--start-
> group,@Build/OvmfIa32/DEBUG_GCC48/IA32/MdeModulePkg/Universal/Va
> riable/RuntimeDxe/VariableSmm/OUTPUT/static_library_files.lst,--end-
> group  \
>     -g  \
>     -fshort-wchar  \
>     -fno-builtin  \
>     -fno-strict-aliasing  \
>     -Wall  \
>     -Werror  \
>     -Wno-array-bounds  \
>     -ffunction-sections  \
>     -fdata-sections  \
>     -include AutoGen.h  \
>     -fno-common  \
>     -DSTRING_ARRAY_NAME=VariableSmmStrings  \
>     -m32  \
>     -march=i586  \
>     -malign-double  \
>     -fno-stack-protector  \
>     -D EFI32  \
>     -fno-asynchronous-unwind-tables  \
>     -Wno-address  \
>     -Os  \
>     -mno-mmx  \
>     -mno-sse  \
>     -D DISABLE_NEW_DEPRECATED_INTERFACES  \
>     -Wl,--defsym=PECOFF_HEADER_SIZE=0x220  \
>     -Wl,--script=BaseTools/Scripts/GccBase.lds
> 
> And the error message:
> 
> >
> Build/OvmfIa32/DEBUG_GCC48/IA32/CryptoPkg/Library/OpensslLib/Openssl
> Lib/OUTPUT/OpensslLib.lib(dso_lib.obj): In function `DSO_new_method':
> > CryptoPkg/Library/OpensslLib/openssl/crypto/dso/dso_lib.c:25: undefined
> reference to `DSO_METHOD_openssl'
> >
> Build/OvmfIa32/DEBUG_GCC48/IA32/CryptoPkg/Library/OpensslLib/Openssl
> Lib/OUTPUT/OpensslLib.lib(dso_lib.obj): In function `DSO_pathbyaddr':
> > CryptoPkg/Library/OpensslLib/openssl/crypto/dso/dso_lib.c:314:
> undefined reference to `DSO_METHOD_openssl'
> 
> This is strange, because the missing function is provided by
> "crypto/dso/dso_openssl.c", which is listed in the INF files.
> 
> Hmmm. I ran the following command too:
> 
>   $ build \
>       -p CryptoPkg/CryptoPkg.dsc \
>       -a IA32 \
>       -b NOOPT \
>       -t GCC48 \
>       -m CryptoPkg/Library/OpensslLib/OpensslLib.inf
> 
> This compiles OK. The last commands are:
> 
> > rm -f
> Build/CryptoPkg/NOOPT_GCC48/IA32/CryptoPkg/Library/OpensslLib/Opens
> slLib/OUTPUT/OpensslLib.lib
> >
> > "ar" cr \
> >
> Build/CryptoPkg/NOOPT_GCC48/IA32/CryptoPkg/Library/OpensslLib/Opens
> slLib/OUTPUT/OpensslLib.lib \
> >
> @Build/CryptoPkg/NOOPT_GCC48/IA32/CryptoPkg/Library/OpensslLib/Ope
> nsslLib/OUTPUT/object_files.lst
> 
> If I check the file
> 
> 
> Build/CryptoPkg/NOOPT_GCC48/IA32/CryptoPkg/Library/OpensslLib/Opens
> slLib/OUTPUT/object_files.lst
> 
> I definitely see
> 
> 
> Build/CryptoPkg/NOOPT_GCC48/IA32/CryptoPkg/Library/OpensslLib/Opens
> slLib/OUTPUT/openssl/crypto/dso/dso_openssl.obj
> 
> there. However, if I run
> 
>   nm
> Build/CryptoPkg/NOOPT_GCC48/IA32/CryptoPkg/Library/OpensslLib/Opens
> slLib/OUTPUT/OpensslLib.lib
> 
> then the DSO_METHOD_openssl() symbol is reported as undefined:
> 
> > dso_lib.obj:
> >          U DSO_METHOD_openssl
> 
> In fact, if I run the "nm" command on "dso_openssl.obj" itself, the
> output is totally empty! (No symbols in the object file.)
> 
> Ahh, I know what's up. See the source code in
> "crypto/dso/dso_openssl.c":
> 
> > #ifdef DSO_NONE
> >
> > static DSO_METHOD dso_meth_null = {
> >     "NULL shared library method"
> > };
> >
> > DSO_METHOD *DSO_METHOD_openssl(void)
> > {
> >     return &dso_meth_null;
> > }
> > #endif
> 
> The #ifdef comes from OpenSSL commit 5fba3afad017 ("Rework DSO API
> conditions and configuration option", 2019-04-10), which is part of
> OpenSSL_1_1_1c. See the change (excerpt):
> 
> $ git show 5fba3afad017 -- \
>     crypto/dso/dso_openssl.c \
>     crypto/include/internal/dso_conf.h.in
> 
> > commit 5fba3afad01707f4a8856a35500de007a8a256ec
> > Author: Richard Levitte <levitte@openssl.org>
> > Date:   Mon Apr 1 06:40:33 2019 +0200
> >
> >     Rework DSO API conditions and configuration option
> >
> >     'no-dso' is meaningless, as it doesn't get any macro defined.
> >     Therefore, we remove all checks of OPENSSL_NO_DSO.  However, there
> may
> >     be some odd platforms with no DSO scheme.  For those, we generate
> the
> >     internal macro DSO_NONE aand use it.
> >
> >     Reviewed-by: Paul Dale <paul.dale@oracle.com>
> >     (Merged from https://github.com/openssl/openssl/pull/8622)
> >
> > diff --git a/crypto/dso/dso_openssl.c b/crypto/dso/dso_openssl.c
> > index 6626331e9256..eeebd98087b4 100644
> > --- a/crypto/dso/dso_openssl.c
> > +++ b/crypto/dso/dso_openssl.c
> > @@ -9,7 +9,7 @@
> >
> >  #include "dso_locl.h"
> >
> > -#if !defined(DSO_VMS) && !defined(DSO_DLCFN) && !defined(DSO_DL)
> && !defined(DSO_WIN32) && !defined(DSO_DLFCN)
> > +#ifdef DSO_NONE
> >
> >  static DSO_METHOD dso_meth_null = {
> >      "NULL shared library method"
> > diff --git a/crypto/include/internal/dso_conf.h.in
> b/crypto/include/internal/dso_conf.h.in
> > index d6e9d1b1baae..17fae7d8023a 100644
> > --- a/crypto/include/internal/dso_conf.h.in
> > +++ b/crypto/include/internal/dso_conf.h.in
> > @@ -10,7 +10,6 @@
> >
> >  #ifndef HEADER_DSO_CONF_H
> >  # define HEADER_DSO_CONF_H
> > -{- output_off() if $disabled{dso} -}
> >  {-  # The DSO code currently always implements all functions so that no
> >      # applications will have to worry about that from a compilation point
> >      # of view. However, the "method"s may return zero unless that platform
> > @@ -18,6 +17,9 @@
> >      # by a define "DSO_<name>" ... we translate the "dso_scheme" config
> >      # string entry into using the following logic;
> >      my $scheme = uc $target{dso_scheme};
> > +    if (!$scheme) {
> > +        $scheme = "NONE";
> > +    }
> >      my @macros = ( "DSO_$scheme" );
> >      if ($scheme eq 'DLFCN') {
> >          @macros = ( "DSO_DLFCN", "HAVE_DLFCN_H" );
> > @@ -26,5 +28,4 @@
> >      }
> >      join("\n", map { "# define $_" } @macros); -}
> >  # define DSO_EXTENSION "{- $target{dso_extension} -}"
> > -{- output_on() if $disabled{dso} -}
> >  #endif
> 
> Sure enough, "build.info" invokes the generator on this template file
> too:
> 
> > DEPEND[include/openssl/opensslconf.h]=configdata.pm
> >
> GENERATE[include/openssl/opensslconf.h]=include/openssl/opensslconf.h.i
> n
> > DEPEND[crypto/include/internal/bn_conf.h]=configdata.pm
> >
> GENERATE[crypto/include/internal/bn_conf.h]=crypto/include/internal/bn_
> conf.h.in
> > DEPEND[crypto/include/internal/dso_conf.h]=configdata.pm
> >
> GENERATE[crypto/include/internal/dso_conf.h]=crypto/include/internal/dso
> _conf.h.in
> 
> Unfortunately, it seems like the DSO_NONE internal macro is *not*
> generated, in our case.
> 
> ... Ah. Our "process_files.pl" script manually generates
> "opensslconf.h", from the configuration data. But, we have never done
> the same for "dso_conf.h".
> 
> Thus far, we've gotten away with it, because the *absence* of all
> DSO_xxx flags happened to do the right thing for us. But now, the "right
> thing for us" actually depends on a new macro, DSO_NONE, and for getting
> that, we need to invoke the generator on "dso_conf.h.in" too. Otherwise,
> "crypto/dso/dso_openssl.c" gets pre-processed to an empty source file,
> as a result of openssl commit 5fba3afad017.
> 
> Therefore, the bug is in "process_files.pl". Please invoke the generator
> on "dso_conf.h.in" too, similarly to "opensslconf.h.in".
> 
> ... And now I'm left with the question: did you test this patch at all,
> with any real platform?

Actually... I didn’t. Because I treated it as a small change with little risk.
I found there is no change except the auto-generated things in OpensslLib.inf and OpensslLibCrypto.inf.

With the update in "process_files.pl" according to your comments, things can be generated into dso_conf.h,
where DSO_NONE is not absent now.
And, I test this change on a real platform, which can boot to Shell with this patch.
I 'll send a new patch for the change in "process_files.pl".

Thanks,
Shenglei

> 
> Laszlo


      reply	other threads:[~2019-10-23  7:17 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-21  8:06 [PATCH] CryptoPkg: Upgrade OpenSSL to 1.1.1d Zhang, Shenglei
2019-10-21 13:37 ` [edk2-devel] " Liming Gao
2019-10-21 16:46   ` Laszlo Ersek
2019-10-23  7:23     ` Zhang, Shenglei
2019-10-21 16:28 ` Laszlo Ersek
2019-10-23  7:17   ` Zhang, Shenglei [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=C0706E73DB8C124D9B9C38AA364E5D5E056459AA@SHSMSX106.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox