[Skiboot] [PATCH] libstb/create-container: avoid using deprecated APIs when compiling with OpenSSL 3.0
Eric Richter
erichte at linux.ibm.com
Wed Feb 2 05:56:52 AEDT 2022
On 1/24/22 9:55 AM, Cédric Le Goater wrote:
> On 1/19/22 21:16, Eric Richter wrote:
>> OpenSSL 3.0 has deprecated functions that operate on raw key data, however the
>> closest replacement function are not available in OpenSSL 1.x. This patch
>> attempts to maintain compatibility with both 3.0 and 1.x versions.
>>
>> Avoids using the following deprecated functions when compiling with 3.0:
>> - EC_KEY_get0_group
>> - EC_KEY_get0_public_key
>> - EC_POINT_point2bn
>> - EC_KEY_free
>>
>> Signed-off-by: Eric Richter <erichte at linux.ibm.com>
>> ---
>>
>> NOTE: While this patch should work, I have not yet been able to adequately
>> test this on actual hardware. The resulting data that stored in pubKeyData[]
>> appears to be identical when compiling with both versions of OpenSSL (minus
>> the one byte header that is removed anyway), thus it should work as expected.
>
> Would you prefer to have some tests on HW confirm that this patch is safe
> merge ? or should we proceed ?
>
I'd prefer to err on the side of caution on this, I am no expert with OpenSSL
nor this particular piece of secure boot code.
That said, I had initially assumed that this would need a full op-build to test.
However, I just managed to test this by using three skiboot images:
- using OpenSSL 1.x
- using OpenSSL 3.x
- commenting out the changed code, leaving the container pubkey as zeros.
The first two images booted up to Petitboot without issue. The third failed as
expected, which mostly served as a sanity check that secure boot errors would
be enforced with development firmware.
I would prefer having a larger scale test of this, as I don't want this to be
a potential source of problems in production in the future. That is not a
strong preference though, if this testing method sounds relatively sane to
more than just me, I am fine with moving forward.
More information about the Skiboot
mailing list