From patchwork Thu Jan 27 16:54:17 2022
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 3039
From: Ross Burton
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 1/3] arm/trusted-firmware-m: set OpenSSL provider path
Date: Thu, 27 Jan 2022 16:54:17 +0000
Message-Id: <20220127165419.952245-1-ross.burton@arm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2920

imgtool from mcuboot uses python3-cryptography-native, and the latest python3-cryptography explicitly loads the legacy provider, which is a separate shared object in OpenSSL 3. The search path for providers is hard-coded into the library so the wrong path is searched and the module is not found. Set OPENSSL_MODULES to the right path, so that the legacy module is found. In the future we may be able to remove this if the explicit use of legacy algorithms is removed (https://github.com/pyca/cryptography/issues/6809). This also means we can remove the downgrades of python3-cryptography that were being carried in meta-arm.

Signed-off-by: Ross Burton
--- .../trusted-firmware-m/trusted-firmware-m_1.5.0.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb index 302fd2cd..c0eee5cc 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb +++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.5.0.bb
@@ -97,6 +97,10 @@ LDFLAGS[unexport] = "1" AS[unexport] = "1" LD[unexport] = "1" +# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the +# right path until this is relocated automatically. +export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" + # TF-M ships patches that it needs applied to mbedcrypto, so apply them # as part of do_patch. apply_local_patches() {
From patchwork Thu Jan 27 16:54:18 2022
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 3041
From: Ross Burton To: meta-arm@lists.yoctoproject.org Subject: [PATCH 2/3] Revert "meta-arm-bsp: use old python3-crytography on platforms using TF-M" Date: Thu, 27 Jan 2022 16:54:18 +0000 Message-Id: <20220127165419.952245-2-ross.burton@arm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220127165419.952245-1-ross.burton@arm.com> References: <20220127165419.952245-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Jan 2022 16:54:24 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2922 This reverts commit 2a27bd4f47d09bb709a953f4a91ef2a2cf921255. --- meta-arm-bsp/conf/layer.conf | 6 +----- meta-arm-bsp/conf/machine/include/corstone1000.inc | 5 ----- meta-arm-bsp/conf/machine/musca-b1.conf | 5 ----- meta-arm-bsp/conf/machine/musca-s1.conf | 5 ----- 4 files changed, 1 insertion(+), 20 deletions(-) diff --git a/meta-arm-bsp/conf/layer.conf b/meta-arm-bsp/conf/layer.conf index 82230470..45767866 100644 --- a/meta-arm-bsp/conf/layer.conf +++ b/meta-arm-bsp/conf/layer.conf @@ -21,8 +21,4 @@ LAYERDEPENDS_meta-arm-bsp:append:musca-s1 = " meta-python" LICENSE_PATH += "${LAYERDIR}/custom-licenses" # Delete this when our downgrade of python3-cryptography is removed -META_ARM_PYCRYPTO = "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb" -META_ARM_PYCRYPTO:corstone1000 = "" -META_ARM_PYCRYPTO:musca-b1 = "" -META_ARM_PYCRYPTO:musca-s1 = "" -BBMASK += "${META_ARM_PYCRYPTO}" +BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb" diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc index 019293b0..f9d301e4 100644 --- a/meta-arm-bsp/conf/machine/include/corstone1000.inc +++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc 
@@ -63,8 +63,3 @@ SERIAL_CONSOLES ?= "115200;ttyAMA0" WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}" WKS_FILE ?= "corstone1000-image.corstone1000.wks" - -# The latest python3-cryptography-native doesn't work -# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the -# version before Rust was involved for now. -PREFERRED_VERSION_python3-cryptography-native = "3.3.2" diff --git a/meta-arm-bsp/conf/machine/musca-b1.conf b/meta-arm-bsp/conf/machine/musca-b1.conf index ec5ff4ee..073c466e 100644 --- a/meta-arm-bsp/conf/machine/musca-b1.conf +++ b/meta-arm-bsp/conf/machine/musca-b1.conf @@ -26,8 +26,3 @@ ZEPHYR_INHERIT_CLASSES += "zephyr-qemuboot" ARCH:musca-b1 = "arm" TFM_PLATFORM = "arm/musca_b1/sse_200" - -# The latest python3-cryptography-native doesn't work -# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the -# version before Rust was involved for now. -PREFERRED_VERSION_python3-cryptography-native = "3.3.2" diff --git a/meta-arm-bsp/conf/machine/musca-s1.conf b/meta-arm-bsp/conf/machine/musca-s1.conf index e5f63f76..d18c06c2 100644 --- a/meta-arm-bsp/conf/machine/musca-s1.conf +++ b/meta-arm-bsp/conf/machine/musca-s1.conf 
@@ -25,8 +25,3 @@ ZEPHYR_INHERIT_CLASSES += "zephyr-qemuboot" ARCH:musca-s1 = "arm" TFM_PLATFORM = "arm/musca_s1" - -# The latest python3-cryptography-native doesn't work -# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the -# version before Rust was involved for now. -PREFERRED_VERSION_python3-cryptography-native = "3.3.2"
From patchwork Thu Jan 27 16:54:19 2022
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 3040
From: Ross Burton To: meta-arm@lists.yoctoproject.org Subject: [PATCH 3/3] Revert "meta-arm: add old version of python3-cryptography" Date: Thu, 27 Jan 2022 16:54:19 +0000 Message-Id: <20220127165419.952245-3-ross.burton@arm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220127165419.952245-1-ross.burton@arm.com> References: <20220127165419.952245-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 27 Jan 2022 16:54:24 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2921 This reverts commit a15c16068ab011e2ba91a6c4ca6e1251de0d8058. --- meta-arm-bsp/conf/layer.conf | 3 - .../python/python3-cryptography/h-test.patch | 10 --- .../python3-cryptography/openssl3.patch | 62 ----------------- .../python/python3-cryptography/run-ptest | 2 - .../python/python3-cryptography_3.3.2.bb | 68 ------------------- 5 files changed, 145 deletions(-) delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest delete mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb diff --git a/meta-arm-bsp/conf/layer.conf b/meta-arm-bsp/conf/layer.conf index 45767866..7af156e8 100644 --- a/meta-arm-bsp/conf/layer.conf +++ b/meta-arm-bsp/conf/layer.conf @@ -19,6 +19,3 @@ LAYERDEPENDS_meta-arm-bsp:append:musca-s1 = " meta-python" # Additional license directories. LICENSE_PATH += "${LAYERDIR}/custom-licenses" - -# Delete this when our downgrade of python3-cryptography is removed -BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb" 
diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch deleted file mode 100644 index 9f07c738..00000000 --- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/tests/hypothesis/__init__.py -+++ b/tests/hypothesis/__init__.py -@@ -3,3 +3,7 @@ - # for complete details. - - from __future__ import absolute_import, division, print_function -+ -+import pytest -+hypothesis = pytest.importorskip("hypothesis") -+ diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch deleted file mode 100644 index 25baa42c..00000000 --- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -Encourage our old python3-cryptography to at least start to work with OpenSSL 3. - -- Backport one patch to err.py to remove a symbol which has been removed in - OpenSSL 3, and isn't used in python3-cryptography. - (50ec692749b7e2e62685b443f5e629627b03987e) - -- Backport the detection of OpenSSL 3 and don't link to FIPS_mode/FIPS_mode_set - (parts of f08a7de651f9e6475c8c0a67d2a61ed8b669ddf6) - -This is *not* a complete backport of the 3.0 support, but is enough that packages -such as imgtool can import python3-cryptography and operate until the upgrade is -ready. - -Upstream-Status: Inappropriate -Signed-off-by: Ross Burton - -diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py -index f24bee5a..920a86de 100644 ---- a/src/_cffi_src/openssl/cryptography.py -+++ b/src/_cffi_src/openssl/cryptography.py -@@ -35,6 +35,8 @@ INCLUDES = """ - - #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) -+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ -+ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) - - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ - (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) -@@ -54,6 +56,7 @@ INCLUDES = """ - - TYPES = """ - static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; -+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; - - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; -diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py -index 0dd74146..42bab4d9 100644 ---- a/src/_cffi_src/openssl/err.py -+++ b/src/_cffi_src/openssl/err.py -@@ -40,7 +40,6 @@ void ERR_clear_error(void); - void ERR_put_error(int, int, int, const char *, int); - - int ERR_GET_LIB(unsigned long); --int ERR_GET_FUNC(unsigned long); - int ERR_GET_REASON(unsigned long); - - """ -diff --git a/src/_cffi_src/openssl/fips.py 
b/src/_cffi_src/openssl/fips.py -index c92bca49..38bfa231 100644 ---- a/src/_cffi_src/openssl/fips.py -+++ b/src/_cffi_src/openssl/fips.py -@@ -18,7 +18,7 @@ int FIPS_mode(void); - """ - - CUSTOMIZATIONS = """ --#if CRYPTOGRAPHY_IS_LIBRESSL -+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - static const long Cryptography_HAS_FIPS = 0; - int (*FIPS_mode_set)(int) = NULL; - int (*FIPS_mode)(void) = NULL; diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest deleted file mode 100644 index 0ba239c2..00000000 --- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -py.test diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb b/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb deleted file mode 100644 index a4c33442..00000000 --- a/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb +++ /dev/null 
@@ -1,68 +0,0 @@ -SUMMARY = "Provides cryptographic recipes and primitives to python developers" -HOMEPAGE = "https://cryptography.io/" -SECTION = "devel/python" -LICENSE = "Apache-2.0 | BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=bf405a8056a6647e7d077b0e7bc36aba \ - file://LICENSE.APACHE;md5=4e168cce331e5c827d4c2b68a6200e1b \ - file://LICENSE.BSD;md5=5ae30ba4123bc4f2fa49aa0b0dce887b" - -LDSHARED += "-pthread" - -SRC_URI[sha256sum] = "5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed" - -SRC_URI += " \ - file://run-ptest \ - file://h-test.patch \ - file://openssl3.patch \ -" - -inherit pypi setuptools3 - -DEPENDS += " \ - ${PYTHON_PN}-cffi \ - ${PYTHON_PN}-cffi-native \ - ${PYTHON_PN}-asn1crypto \ - ${PYTHON_PN}-six \ -" - -RDEPENDS:${PN} += " \ - ${PYTHON_PN}-cffi \ - ${PYTHON_PN}-idna \ - ${PYTHON_PN}-asn1crypto \ - ${PYTHON_PN}-setuptools \ - ${PYTHON_PN}-six \ -" - -RDEPENDS:${PN}:class-target += " \ - ${PYTHON_PN}-cffi \ - ${PYTHON_PN}-idna \ - ${PYTHON_PN}-numbers \ - ${PYTHON_PN}-asn1crypto \ - ${PYTHON_PN}-setuptools \ - ${PYTHON_PN}-six \ - ${PYTHON_PN}-threading \ -" - -RDEPENDS:${PN}-ptest += " \ - ${PN} \ - ${PYTHON_PN}-cryptography-vectors \ - ${PYTHON_PN}-iso8601 \ - ${PYTHON_PN}-pretend \ - ${PYTHON_PN}-pytest \ - ${PYTHON_PN}-pytz \ -" - -inherit ptest - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ - install -d ${D}${PTEST_PATH}/tests/hazmat - cp -rf ${S}/tests/hazmat/* ${D}${PTEST_PATH}/tests/hazmat/ -} - -FILES:${PN}-dbg += " \ - ${libdir}/${PYTHON_PN}2.7/site-packages/${SRCNAME}/hazmat/bindings/.debug \ -" - -BBCLASSEXTEND = "native nativesdk"
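
Review bot: on [PATCH 1/3], in the trusted-firmware-m_1.5.0.bb hunk, the added line export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" sits at recipe scope, so it is exported into every task of the recipe, while the commit message only names imgtool (through python3-cryptography-native) as needing it. Consider limiting it to the task that invokes imgtool, or say in the comment that the recipe-wide export is intended. The two-line comment would also be easier to act on later if it carried the upstream issue URL from the commit message (https://github.com/pyca/cryptography/issues/6809), since that issue is the stated condition for removing the workaround.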
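
Review bot: on [PATCH 2/3], in the meta-arm-bsp/conf/layer.conf hunk, the replacement line BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb" masks the 3.3.2 recipe on every machine while the comment "Delete this when our downgrade of python3-cryptography is removed" stays above it, even though this same patch removes the PREFERRED_VERSION pins that constituted the downgrade. That state only lasts until 3/3 deletes both the mask and the recipe, so either squash 2/3 and 3/3 or note the ordering in the message. The revert body is only "This reverts commit ..." with no Signed-off-by and no reason, unlike 1/3; one sentence pointing at the OPENSSL_MODULES fix would make the revert self-explanatory in the log.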
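
Review bot: on [PATCH 2/3], the corstone1000.inc, musca-b1.conf and musca-s1.conf hunks each drop a machine-wide PREFERRED_VERSION_python3-cryptography-native = "3.3.2", but the replacement fix in 1/3 is applied only inside trusted-firmware-m_1.5.0.bb. Any other recipe built for these machines that uses python3-cryptography-native would now get the newer version without OPENSSL_MODULES set and could hit the same "Unknown OpenSSL error" quoted in the removed comment. Please confirm in the commit message that TF-M is the only consumer on these machines, or state which builds were tested after the pins were removed.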