From patchwork Thu Jan 20 16:32:05 2022
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 2720
From: Ross Burton
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 1/2] meta-arm: add old version of python3-cryptography
Date: Thu, 20 Jan 2022 16:32:05 +0000
Message-Id: <20220120163206.1950366-1-ross.burton@arm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2878

meta-python has upgraded to python3-cryptography 36, which has a problem when used in native recipes:

 cryptography.exceptions.InternalError: Unknown OpenSSL error

This causes all builds of TF-M to fail. Until this error is fixed, add the old version of python3-cryptography.

A BBMASK is set so that it has to be explicitly opted-in, as it DEPENDS on recipes from meta-python which isn't a hard dependency for meta-arm.

Signed-off-by: Ross Burton
---
 meta-arm-bsp/conf/layer.conf | 3 +
 .../python/python3-cryptography/h-test.patch | 10 +++
 .../python3-cryptography/openssl3.patch | 62 +++++++++++++++++
 .../python/python3-cryptography/run-ptest | 2 +
 .../python/python3-cryptography_3.3.2.bb | 68 +++++++++++++++++++
 5 files changed, 145 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch
 create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch
 create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest
 create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb

diff --git a/meta-arm-bsp/conf/layer.conf b/meta-arm-bsp/conf/layer.conf index 7af156e8..45767866 100644 --- a/meta-arm-bsp/conf/layer.conf +++ b/meta-arm-bsp/conf/layer.conf 
@@ -19,3 +19,6 @@ LAYERDEPENDS_meta-arm-bsp:append:musca-s1 = " meta-python" # Additional license directories. LICENSE_PATH += "${LAYERDIR}/custom-licenses" + +# Delete this when our downgrade of python3-cryptography is removed +BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb" diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch new file mode 100644 index 00000000..9f07c738 --- /dev/null +++ b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch @@ -0,0 +1,10 @@ +--- a/tests/hypothesis/__init__.py ++++ b/tests/hypothesis/__init__.py +@@ -3,3 +3,7 @@ + # for complete details. + + from __future__ import absolute_import, division, print_function ++ ++import pytest ++hypothesis = pytest.importorskip("hypothesis") ++ diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch new file mode 100644 index 00000000..25baa42c --- /dev/null +++ b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch 
@@ -0,0 +1,62 @@ +Encourage our old python3-cryptography to at least start to work with OpenSSL 3. + +- Backport one patch to err.py to remove a symbol which has been removed in + OpenSSL 3, and isn't used in python3-cryptography. + (50ec692749b7e2e62685b443f5e629627b03987e) + +- Backport the detection of OpenSSL 3 and don't link to FIPS_mode/FIPS_mode_set + (parts of f08a7de651f9e6475c8c0a67d2a61ed8b669ddf6) + +This is *not* a complete backport of the 3.0 support, but is enough that packages +such as imgtool can import python3-cryptography and operate until the upgrade is +ready. + +Upstream-Status: Inappropriate +Signed-off-by: Ross Burton + +diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py +index f24bee5a..920a86de 100644 +--- a/src/_cffi_src/openssl/cryptography.py ++++ b/src/_cffi_src/openssl/cryptography.py +@@ -35,6 +35,8 @@ INCLUDES = """ + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ + (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) ++#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ ++ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) + + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ + (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) +@@ -54,6 +56,7 @@ INCLUDES = """ + + TYPES = """ + static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; ++static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; + + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; +diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py +index 0dd74146..42bab4d9 100644 +--- a/src/_cffi_src/openssl/err.py ++++ b/src/_cffi_src/openssl/err.py +@@ -40,7 +40,6 @@ void ERR_clear_error(void); + void ERR_put_error(int, int, int, const char *, int); + + int ERR_GET_LIB(unsigned long); +-int ERR_GET_FUNC(unsigned long); + int ERR_GET_REASON(unsigned long); + + """ +diff --git a/src/_cffi_src/openssl/fips.py 
b/src/_cffi_src/openssl/fips.py +index c92bca49..38bfa231 100644 +--- a/src/_cffi_src/openssl/fips.py ++++ b/src/_cffi_src/openssl/fips.py +@@ -18,7 +18,7 @@ int FIPS_mode(void); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL ++#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + static const long Cryptography_HAS_FIPS = 0; + int (*FIPS_mode_set)(int) = NULL; + int (*FIPS_mode)(void) = NULL; diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest new file mode 100644 index 00000000..0ba239c2 --- /dev/null +++ b/meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest @@ -0,0 +1,2 @@ +#!/bin/sh +py.test diff --git a/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb b/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb new file mode 100644 index 00000000..a4c33442 --- /dev/null +++ b/meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb 
@@ -0,0 +1,68 @@ +SUMMARY = "Provides cryptographic recipes and primitives to python developers" +HOMEPAGE = "https://cryptography.io/" +SECTION = "devel/python" +LICENSE = "Apache-2.0 | BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=bf405a8056a6647e7d077b0e7bc36aba \ + file://LICENSE.APACHE;md5=4e168cce331e5c827d4c2b68a6200e1b \ + file://LICENSE.BSD;md5=5ae30ba4123bc4f2fa49aa0b0dce887b" + +LDSHARED += "-pthread" + +SRC_URI[sha256sum] = "5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed" + +SRC_URI += " \ + file://run-ptest \ + file://h-test.patch \ + file://openssl3.patch \ +" + +inherit pypi setuptools3 + +DEPENDS += " \ + ${PYTHON_PN}-cffi \ + ${PYTHON_PN}-cffi-native \ + ${PYTHON_PN}-asn1crypto \ + ${PYTHON_PN}-six \ +" + +RDEPENDS:${PN} += " \ + ${PYTHON_PN}-cffi \ + ${PYTHON_PN}-idna \ + ${PYTHON_PN}-asn1crypto \ + ${PYTHON_PN}-setuptools \ + ${PYTHON_PN}-six \ +" + +RDEPENDS:${PN}:class-target += " \ + ${PYTHON_PN}-cffi \ + ${PYTHON_PN}-idna \ + ${PYTHON_PN}-numbers \ + ${PYTHON_PN}-asn1crypto \ + ${PYTHON_PN}-setuptools \ + ${PYTHON_PN}-six \ + ${PYTHON_PN}-threading \ +" + +RDEPENDS:${PN}-ptest += " \ + ${PN} \ + ${PYTHON_PN}-cryptography-vectors \ + ${PYTHON_PN}-iso8601 \ + ${PYTHON_PN}-pretend \ + ${PYTHON_PN}-pytest \ + ${PYTHON_PN}-pytz \ +" + +inherit ptest + +do_install_ptest() { + install -d ${D}${PTEST_PATH}/tests + cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ + install -d ${D}${PTEST_PATH}/tests/hazmat + cp -rf ${S}/tests/hazmat/* ${D}${PTEST_PATH}/tests/hazmat/ +} + +FILES:${PN}-dbg += " \ + ${libdir}/${PYTHON_PN}2.7/site-packages/${SRCNAME}/hazmat/bindings/.debug \ +" + +BBCLASSEXTEND = "native nativesdk" From patchwork Thu Jan 20 16:32:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 2719 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from 
aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E5B7C433FE for ; Thu, 20 Jan 2022 16:32:10 +0000 (UTC)
From: Ross Burton
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 2/2] meta-arm-bsp: use old python3-cryptography on platforms using TF-M
Date: Thu, 20 Jan 2022 16:32:06 +0000
Message-Id: <20220120163206.1950366-2-ross.burton@arm.com>
In-Reply-To: <20220120163206.1950366-1-ross.burton@arm.com>
References: <20220120163206.1950366-1-ross.burton@arm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2877

As the latest python3-cryptography breaks TF-M builds, downgrade those machines using TF-M (musca and corstone) to python3-cryptography-native 3.3.2 temporarily.

Signed-off-by: Ross Burton
---
 meta-arm-bsp/conf/layer.conf | 6 +++++-
 meta-arm-bsp/conf/machine/include/corstone1000.inc | 5 +++++
 meta-arm-bsp/conf/machine/musca-b1.conf | 5 +++++
 meta-arm-bsp/conf/machine/musca-s1.conf | 5 +++++
 4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/meta-arm-bsp/conf/layer.conf b/meta-arm-bsp/conf/layer.conf index 45767866..82230470 100644 --- a/meta-arm-bsp/conf/layer.conf +++ b/meta-arm-bsp/conf/layer.conf @@ -21,4 +21,8 @@ LAYERDEPENDS_meta-arm-bsp:append:musca-s1 = " meta-python" LICENSE_PATH += "${LAYERDIR}/custom-licenses" # Delete this when our downgrade of python3-cryptography is removed -BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb" +META_ARM_PYCRYPTO = "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb" +META_ARM_PYCRYPTO:corstone1000 = "" +META_ARM_PYCRYPTO:musca-b1 = "" +META_ARM_PYCRYPTO:musca-s1 = "" +BBMASK += "${META_ARM_PYCRYPTO}" diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc index f9d301e4..019293b0 100644 --- a/meta-arm-bsp/conf/machine/include/corstone1000.inc +++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc @@ -63,3 +63,8 @@ SERIAL_CONSOLES ?= "115200;ttyAMA0" WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}" WKS_FILE ?= "corstone1000-image.corstone1000.wks" + +# The latest python3-cryptography-native doesn't work +# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the +# version before Rust was involved for now. +PREFERRED_VERSION_python3-cryptography-native = "3.3.2" diff --git a/meta-arm-bsp/conf/machine/musca-b1.conf b/meta-arm-bsp/conf/machine/musca-b1.conf index 073c466e..ec5ff4ee 100644 --- a/meta-arm-bsp/conf/machine/musca-b1.conf +++ b/meta-arm-bsp/conf/machine/musca-b1.conf @@ -26,3 +26,8 @@ ZEPHYR_INHERIT_CLASSES += "zephyr-qemuboot" ARCH:musca-b1 = "arm" TFM_PLATFORM = "arm/musca_b1/sse_200" + +# The latest python3-cryptography-native doesn't work +# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the +# version before Rust was involved for now. +PREFERRED_VERSION_python3-cryptography-native = "3.3.2" 
diff --git a/meta-arm-bsp/conf/machine/musca-s1.conf b/meta-arm-bsp/conf/machine/musca-s1.conf index d18c06c2..e5f63f76 100644 --- a/meta-arm-bsp/conf/machine/musca-s1.conf +++ b/meta-arm-bsp/conf/machine/musca-s1.conf @@ -25,3 +25,8 @@ ZEPHYR_INHERIT_CLASSES += "zephyr-qemuboot" ARCH:musca-s1 = "arm" TFM_PLATFORM = "arm/musca_s1" + +# The latest python3-cryptography-native doesn't work +# (cryptography.exceptions.InternalError: Unknown OpenSSL error) so use the +# version before Rust was involved for now. +PREFERRED_VERSION_python3-cryptography-native = "3.3.2"
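Review bot: In patch 1/2, h-test.patch carries no header at all; the file begins directly at "--- a/tests/hypothesis/__init__.py", with no description, Upstream-Status or Signed-off-by. Please add a short header saying why the hypothesis tests are made optional with pytest.importorskip, plus an Upstream-Status line, so the next person to touch this recipe knows whether the patch can be dropped.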
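Review bot: In patch 1/2, the fips.py hunk of openssl3.patch sets Cryptography_HAS_FIPS to 0 and makes FIPS_mode and FIPS_mode_set NULL whenever CRYPTOGRAPHY_OPENSSL_300_OR_GREATER is true, so on OpenSSL 3 this build always reports FIPS support as absent. The header already says this is not a complete backport; it should also say that the result is only meant for native build tools such as imgtool, because the recipe later in the same patch extends to target and nativesdk too. Separately, the header lists two upstream commits as backports but the status is "Upstream-Status: Inappropriate" with no bracketed reason; give the reason, or use Backport with the two commit ids.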
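Review bot: In patch 1/2, python3-cryptography_3.3.2.bb ends with BBCLASSEXTEND = "native nativesdk", so once the mask is lifted the old release with the partial OpenSSL 3 backport is also available as a target and nativesdk package, while patch 2/2 only ever pins python3-cryptography-native. If the downgrade is needed for native use only, restrict the recipe to native so the old version cannot be selected for an image by accident. In the same file, FILES:${PN}-dbg points at ${libdir}/${PYTHON_PN}2.7/site-packages/${SRCNAME}/..., which is a Python 2.7 leftover and uses SRCNAME, which the visible recipe never sets; either drop the line or base it on ${PYTHON_SITEPACKAGES_DIR}.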
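Review bot: In patch 2/2, the layer.conf hunk clears META_ARM_PYCRYPTO for corstone1000, musca-b1 and musca-s1, which unmasks a recipe that (per the patch 1/2 commit message) DEPENDS on recipes from meta-python, yet the only meta-python LAYERDEPENDS visible in this hunk's context is the musca-s1 append. Please confirm that corstone1000 and musca-b1 have an equivalent LAYERDEPENDS entry, otherwise those machines will fail on unresolved dependencies instead of the OpenSSL error. The comment "Delete this when our downgrade of python3-cryptography is removed" should also be updated to cover the four new META_ARM_PYCRYPTO lines, not just BBMASK.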
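Review bot: In patch 2/2, the same four lines (the three-line comment and PREFERRED_VERSION_python3-cryptography-native = "3.3.2") are pasted into corstone1000.inc, musca-b1.conf and musca-s1.conf, which means the eventual revert has to find and edit three files plus layer.conf. Consider putting the pin in one shared include that the TF-M machines require, so that removing the downgrade is a single change and no machine is left behind on the old version of a cryptography library.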