Native[sdk] openssl fails to initialize RNG on systems where native[sdk]
glibc is built against pre-3.17 linux-libc-headers, but runs on 4.8+
kernel:
140737348333184:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:../openssl-1.1.1g/crypto/rand/drbg_lib.c:342

Commit 3ff98f558157 ("Start up DEVRANDOM entropy improvement for older
Linux devices.") in OpenSSL 1.1.1d has effectively disabled devrandom
seed source for kernels >=4.8. The assumption is that getrandom(2) will
be used instead. Getrandom syscall was added in kernel 3.17 by commit
c6e9d6f38894 ("random: introduce getrandom(2) system call"). So on a
system with 4.8+ kernel and pre-3.17 libc headers both getrandom and
devrandom can't be used.

To work around this issue, add 'rdcpu' as an additional source of entropy for
the rand seed. Also, devrandom in the list is a no-op since os = getrandom
+ devrandom on Linux, so remove it. The comment is also not relevant
anymore.

Signed-off-by: Taras Kondratiuk <takon...@cisco.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb 
b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
index 47ed6b7640b3..2bf7f56183ce 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
@@ -43,10 +43,8 @@ do_configure[cleandirs] = "${B}"
 EXTRA_OECONF_append_libc-musl = " no-async"
 EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
 
-# adding devrandom prevents openssl from using getrandom() which is not 
available on older glibc versions
-# (native versions can be built with newer glibc, but then relocated onto a 
system with older glibc)
-EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF_class-native = "--with-rand-seed=os,rdcpu"
+EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,rdcpu"
 
 # Relying on hardcoded built-in paths causes openssl-native to not be 
relocateable from sstate.
 CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin 
-DENGINESDIR=/not/builtin"
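Review bot: the two replacement EXTRA_OECONF lines drop the explanatory comment without putting anything in its place, so a later reader sees `--with-rand-seed=os,rdcpu` diverge from the target build with no stated reason; suggest keeping a one-line comment above them along the lines of `# os alone fails for native/nativesdk when the build-time libc headers predate getrandom(2) but the host kernel is >= 4.8; rdcpu adds a fallback seed source`. That comment should also state the architecture scope: in OpenSSL 1.1.1 the rdcpu source draws on the x86 RDRAND/RDSEED instructions, so on a build host where that instruction is absent the effective list is `os` alone and the RAND_DRBG_instantiate failure quoted in the commit message comes back; please confirm that is acceptable for the native hosts this layer supports, or note it in the comment.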
-- 
2.25.1
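The commit message above hinges on a build-time detail: OpenSSL's `os` seed source on Linux only compiles in the getrandom(2) path when the libc headers define the syscall number, so a binary built against old headers has no kernel RNG source at all once `devrandom` is also gone. The following is an added example, written for this page and not taken from OpenSSL or the OE-core recipe, that shows that compile-time dependency in isolation and what a seed reader with a proper fallback looks like. The function names (`seed_bytes`, `try_getrandom`, `try_devrandom`, `seed_self_test`) are my own, and the 32-byte request size is an arbitrary choice.

```c
/* Added example, not part of the OpenSSL or OE-core patch above.
 * Demonstrates why a compile-time SYS_getrandom check can leave a
 * binary without any kernel RNG source, and how a seed reader with
 * a /dev/urandom fallback avoids the RAND_DRBG_instantiate failure. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

enum seed_source { SEED_NONE = 0, SEED_GETRANDOM = 1, SEED_DEVRANDOM = 2 };

/* Try getrandom(2) through the raw syscall number. As in OpenSSL 1.1.1,
 * this path only exists when the libc headers define SYS_getrandom; with
 * pre-3.17 headers the whole branch is compiled out regardless of the
 * kernel the program later runs on. */
static ssize_t try_getrandom(unsigned char *buf, size_t n)
{
#ifdef SYS_getrandom
    size_t got = 0;
    while (got < n) {
        long r = syscall(SYS_getrandom, buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;          /* e.g. ENOSYS on a pre-3.17 kernel */
        }
        got += (size_t)r;
    }
    return (ssize_t)got;
#else
    (void)buf; (void)n;
    errno = ENOSYS;             /* headers predate getrandom(2) */
    return -1;
#endif
}

/* Fallback: read the device node, the 'devrandom' source the patch drops. */
static ssize_t try_devrandom(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (r == 0)
            break;
        got += (size_t)r;
    }
    close(fd);
    return got == n ? (ssize_t)got : -1;
}

/* Fill buf with n seed bytes and report which source worked. SEED_NONE
 * is the situation behind the "error retrieving entropy" message. */
enum seed_source seed_bytes(unsigned char *buf, size_t n)
{
    if (try_getrandom(buf, n) == (ssize_t)n)
        return SEED_GETRANDOM;
    if (try_devrandom(buf, n) == (ssize_t)n)
        return SEED_DEVRANDOM;
    return SEED_NONE;
}

/* Self-test used by the stand-alone run: returns the source that produced
 * 32 bytes, or SEED_NONE if no source worked or the bytes were all zero. */
int seed_self_test(void)
{
    unsigned char buf[32];
    enum seed_source s = seed_bytes(buf, sizeof buf);
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        acc |= buf[i];
    return (s != SEED_NONE && acc != 0) ? (int)s : (int)SEED_NONE;
}

int main(void)
{
    int s = seed_self_test();
    printf("seed source: %s\n",
           s == SEED_GETRANDOM ? "getrandom(2)" :
           s == SEED_DEVRANDOM ? "/dev/urandom" :
           "NONE (DRBG instantiation would fail)");
#ifndef SYS_getrandom
    puts("note: SYS_getrandom is not defined by these headers; getrandom path compiled out");
#endif
    return s == SEED_NONE;
}
```

Building this against old headers and running it on a new kernel prints the "compiled out" note and still succeeds via /dev/urandom, which is exactly the fallback the native openssl build lost; a seed list that relies on a single source with a compile-time dependency is the thing to watch for when reviewing `--with-rand-seed` changes.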

View/Reply Online (#140539): https://lists.openembedded.org/g/openembedded-core/message/140539