From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by groups.io with SMTP; Thu, 09 May 2019 13:58:13 -0700
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 715CEC0495BF;
	Thu,  9 May 2019 20:58:11 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-234.rdu2.redhat.com [10.10.120.234])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 208B860C62;
	Thu,  9 May 2019 20:58:09 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH v2 5/6] CryptoPkg: Upgrade OpenSSL to 1.1.1b
To: devel@edk2.groups.io, xiaoyux.lu@intel.com
Cc: Jian J Wang <jian.j.wang@intel.com>, Ting Ye <ting.ye@intel.com>
References: <1557379429-7527-1-git-send-email-xiaoyux.lu@intel.com>
 <1557379429-7527-5-git-send-email-xiaoyux.lu@intel.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <fd1bcabc-9709-90b1-5f3a-d4b5053b9d3b@redhat.com>
Date: Thu, 9 May 2019 22:58:09 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <1557379429-7527-5-git-send-email-xiaoyux.lu@intel.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 09 May 2019 20:58:11 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

Hi Xiaoyu,

On 05/09/19 07:23, Xiaoyu lu wrote:
> From: Xiaoyu Lu <xiaoyux.lu@intel.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1089
>
> Update OpenSSL submodule to OpenSSL_1_1_1b
>   OpenSSL_1_1_1b(50eaac9f3337667259de725451f201e784599687)

I found another issue, while trying to cross-build this series for
AARCH64.

I ran the commands below:

> export GCC5_AARCH64_PREFIX=aarch64-linux-gnu-
> build \
>   -a AARCH64 \
>   -b NOOPT \
>   -p CryptoPkg/CryptoPkg.dsc \
>   -t GCC5 \
>   --cmd-len=65536 \
>   -m CryptoPkg/Library/OpensslLib/OpensslLib.inf

The following cross-compilation command failed:

> "aarch64-linux-gnu-gcc" \
>   -g \
>   -fshort-wchar \
>   -fno-builtin \
>   -fno-strict-aliasing \
>   -Wall \
>   -Werror \
>   -Wno-array-bounds \
>   -ffunction-sections \
>   -fdata-sections \
>   -include AutoGen.h \
>   -fno-common \
>   -DSTRING_ARRAY_NAME=OpensslLibStrings \
>   -g \
>   -Os \
>   -fshort-wchar \
>   -fno-builtin \
>   -fno-strict-aliasing \
>   -Wall \
>   -Werror \
>   -Wno-array-bounds \
>   -include AutoGen.h \
>   -fno-common \
>   -mlittle-endian \
>   -fno-short-enums \
>   -fverbose-asm \
>   -funsigned-char \
>   -ffunction-sections \
>   -fdata-sections \
>   -Wno-address \
>   -fno-asynchronous-unwind-tables \
>   -fno-unwind-tables \
>   -fno-pic \
>   -fno-pie \
>   -ffixed-x18 \
>   -mcmodel=small \
>   -O0 \
>   -DL_ENDIAN \
>   -DOPENSSL_SMALL_FOOTPRINT \
>   -D_CRT_SECURE_NO_DEPRECATE \
>   -D_CRT_NONSTDC_NO_DEPRECATE \
>   -Wno-error=maybe-uninitialized \
>   -Wno-format \
>   -Wno-error=unused-but-set-variable \
>   -D DISABLE_NEW_DEPRECATED_INTERFACES \
>   -c \
>   -o $WORKSPACE/Build/CryptoPkg/NOOPT_GCC5/AARCH64/CryptoPkg/Library/OpensslLib/OpensslLib/OUTPUT/openssl/crypto/rand/rand_unix.obj \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/ssl/statem \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/ssl/record \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/ssl \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/x509 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/ui \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/txt_db \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/stack \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/sm4 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/sm3 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/siphash \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/sha \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/rc4 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/rand \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/pem \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/ocsp \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/objects \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/modes \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/md5 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/md4 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/lhash \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/kdf \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/hmac \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/evp \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/err \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/dso \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/dh \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/des \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/conf \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/comp \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/cmac \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/buffer \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/bn \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/bio \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/async \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/async/arch \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1 \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/aria \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/aes \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib \
>   -I$WORKSPACE/Build/CryptoPkg/NOOPT_GCC5/AARCH64/CryptoPkg/Library/OpensslLib/OpensslLib/DEBUG \
>   -I$WORKSPACE/MdePkg \
>   -I$WORKSPACE/MdePkg/Include \
>   -I$WORKSPACE/MdePkg/Include/AArch64 \
>   -I$WORKSPACE/CryptoPkg \
>   -I$WORKSPACE/CryptoPkg/Include \
>   -I$WORKSPACE/CryptoPkg/Library/Include \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/include \
>   -I$WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/include \
>   $WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_unix.c

The error message was:

> $WORKSPACE/CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_unix.c:22:26:
> fatal error: sys/syscall.h: No such file or directory
>  # include <sys/syscall.h>
>                           ^
> compilation terminated.

The "rand_unix.c" source file contains:

     21 #if defined(__linux)
     22 # include <sys/syscall.h>
     23 #endif

This code originates from OpenSSL commit 148796291e47 ("Add support for
getrandom() or equivalent system calls and use them by default",
2018-04-22).

This is a problem because the aarch64 cross-compiler in Fedora only
supports "freestanding" programs (such as the Linux kernel, and edk2);
it does not support userspace (hosted) programs. The cross-compiler's
description says,

> Cross-build GNU C compiler.
>
> Only building kernels is currently supported.  Support for cross-building
> user space programs is not currently provided as that would massively multiply
> the number of packages.

(This is the case as of
gcc-aarch64-linux-gnu-8.2.1-1.fc30.2.aarch64.rpm, from
<https://koji.fedoraproject.org/koji/buildinfo?buildID=1185346>.)

And, <sys/syscall.h> is a header that only userspace programs may
include.


Now, I see that we already have the following files in CryptoPkg:

  CryptoPkg/Library/Include/sys/types.h
  CryptoPkg/Library/Include/sys/time.h

The following patch allows the build to complete:

> diff --git a/CryptoPkg/Library/Include/sys/syscall.h b/CryptoPkg/Library/Include/sys/syscall.h
> new file mode 100644
> index 000000000000..bfe1c7ff1473
> --- /dev/null
> +++ b/CryptoPkg/Library/Include/sys/syscall.h
> @@ -0,0 +1,10 @@
> +/** @file
> +  Include file to support building the third-party cryptographic library.
> +
> +Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2019, Red Hat, Inc.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <CrtLibSupport.h>

This file is sufficient for the following reason. In "rand_unix.c", at
tag OpenSSL_1_1_1b, we have:

    80  #if defined(OPENSSL_RAND_SEED_NONE)
    81  /* none means none. this simplifies the following logic */
    82  # undef OPENSSL_RAND_SEED_OS
    83  # undef OPENSSL_RAND_SEED_GETRANDOM
    84  # undef OPENSSL_RAND_SEED_LIBRANDOM
    85  # undef OPENSSL_RAND_SEED_DEVRANDOM
    86  # undef OPENSSL_RAND_SEED_RDTSC
    87  # undef OPENSSL_RAND_SEED_RDCPU
    88  # undef OPENSSL_RAND_SEED_EGD
    89  #endif

Due to your patch v2 1/6, the macro OPENSSL_RAND_SEED_NONE will be
defined, as a consequence of "--with-rand-seed=none".

And the following "naked" Linux syscall in "rand_unix.c":

   326      /* Linux supports this since version 3.17 */
   327  #  if defined(__linux) && defined(SYS_getrandom)
   328      return syscall(SYS_getrandom, buf, buflen, 0);

is located in the function syscall_random() -- which entirely depends on
OPENSSL_RAND_SEED_GETRANDOM.

In other words, due to "--with-rand-seed=none" from patch v2 1/6, the
actual contents of "sys/syscall.h" will never be necessary. We just need
to provide a placeholder header file.

So please include a patch in the v3 series that adds
"CryptoPkg/Library/Include/sys/syscall.h" like suggested above.

Thanks
Laszlo