Message ID | 20250228203206.1979714-3-danismostlikely@gmail.com |
---|---|
State | Accepted, archived |
Commit | d1b29222ad6243c15275a04f9de5989cf158cb2e |
Series | openssl-native(sdk): poision built in paths |
Hi,

On Friday, 28.02.2025 at 14:32 -0600, Dan McGregor via lists.openembedded.org wrote:
> From: Dan McGregor <dan.mcgregor@usask.ca>
>
> Long ago, in the OpenSSL 1.1 days changing CFLAGS worked to override
> hard-coded paths in the OpenSSL libraries. Even as far back as
> kirkstone this was no longer working.
>
> Override make variables instead to poison the paths that get built
> into the native (and nativesdk) libraries so they become relocatable
> again.
>
> While here, remove the -isystem<foo> compiler argument from the compiler
> command line stored in the library, just like we already remove the
> prefix-map and sysroot arguments.

While this might be required to bypass some search path automatisms in openssl (to allow relocation), another effect of forcing the directory variables to be invalid is that it renders the generated native pkg-config file (libcrypto.pc) unusable:

prefix=${pcfiledir}/../../../usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
enginesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin
modulesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin

Name: OpenSSL-libcrypto
Description: OpenSSL cryptography library
Version: 3.4.1
Libs: -L${libdir} -lcrypto
Libs.private: -ldl -pthread
Cflags: -I${includedir}

This will prevent other native tools (like libp11-native) from installing their (.so) files into valid OpenSSL directories.

Haven't found a good solution for this, yet. But I'm also unsure if the relocation is actually an issue if it has been broken since kirkstone?

Maybe someone has experienced similar issues?

Thanks and regards
Enrico

> Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
> ---
> ...-sysroot-and-debug-prefix-map-from-co.patch | 18 +++++++++++-------
> .../openssl/openssl_3.4.1.bb | 4 ++--
> 2 files changed, 13 insertions(+), 9 deletions(-)
> > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug- > prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot- > and-debug-prefix-map-from-co.patch > index b8672735abe..91a95d89290 100644 > --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map- > from-co.patch > +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map- > from-co.patch > @@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'. 
> Signed-off-by: Khem Raj <raj.khem@gmail.com> > > --- > - Configurations/unix-Makefile.tmpl | 12 +++++++++++- > + Configurations/unix-Makefile.tmpl | 16 +++++++++++++++- > crypto/build.info | 2 +- > - 2 files changed, 12 insertions(+), 2 deletions(-) > + 2 files changed, 16 insertions(+), 2 deletions(-) > > -Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl > -=================================================================== > ---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl > -+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl > -@@ -502,13 +502,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), > +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl > +index 09303c4..011bda1 100644 > +--- a/Configurations/unix-Makefile.tmpl > ++++ b/Configurations/unix-Makefile.tmpl > +@@ -502,13 +502,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), > '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} > BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) > > -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h > +# *_Q variables are used for one thing only: to build up buildinf.h > CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g; > ++ $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g; > $cppflags2 =~ s|([\\"])|\\$1|g; > ++ $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g; > $lib_cppflags =~ s|([\\"])|\\$1|g; > ++ $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g; > join(' ', $lib_cppflags || (), $cppflags2 || (), > $cppflags1 || ()) -} > > @@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl > + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; > + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; > + s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; > ++ s|-isystem/[^ ]+/usr/include ||g; > + } > + join(' ', @{$config{CFLAGS}}) -} > + > diff --git a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb b/meta/recipes- > connectivity/openssl/openssl_3.4.1.bb > index 1a054a36753..8da64aea6a3 100644 
> --- a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.4.1.bb > @@ -49,8 +49,8 @@ EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom" > EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom" > > # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. > -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" > -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" > +EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" > ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' > +EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" > ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' > > # This allows disabling deprecated or undesirable crypto algorithms. > # The default is to trust upstream choices. > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#212078): https://lists.openembedded.org/g/openembedded-core/message/212078 > Mute This Topic: https://lists.openembedded.org/mt/111441623/3616721 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ejo@pengutronix.de] > -=-=-=-=-=-=-=-=-=-=-=- >
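The effect described in the reply above, as an added example (not code from the patch, OpenSSL or OpenEmbedded): it expands the variables of the quoted libcrypto.pc and lists the directory variables that resolve outside the native sysroot. The `pcfiledir` and sysroot paths and both function names are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample: the variable section of the libcrypto.pc quoted in the reply.
SAMPLE_PC = """\
prefix=${pcfiledir}/../../../usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
enginesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin
modulesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin

Name: OpenSSL-libcrypto
Version: 3.4.1
Libs: -L${libdir} -lcrypto
"""

VAR_REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

def parse_pc_variables(text, pcfiledir):
    """Return the name=value variables of a .pc file, expanded and normalised."""
    resolved = {"pcfiledir": pcfiledir}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_.]+)=(.*)$", line.strip())
        if not m:
            continue  # keyword fields such as "Libs: ..." are not variables
        name, value = m.groups()
        # Variables are defined before they are used, so a single pass is enough.
        expanded = VAR_REF.sub(lambda r: resolved.get(r.group(1), ""), value)
        resolved[name] = posixpath.normpath(expanded) if expanded.startswith("/") else expanded
    return resolved

def unusable_dirs(variables, sysroot, marker="/not/builtin"):
    """Names of *dir variables that leave the sysroot or contain the poison marker."""
    root = sysroot.rstrip("/")
    bad = []
    for name, path in variables.items():
        if not name.endswith("dir") or name == "pcfiledir":
            continue
        inside = path == root or path.startswith(root + "/")
        if marker in path or not inside:
            bad.append(name)
    return sorted(bad)

if __name__ == "__main__":
    # Assumed native sysroot layout, for illustration only.
    pc_vars = parse_pc_variables(SAMPLE_PC, "/work/recipe-sysroot-native/usr/lib/pkgconfig")
    print(unusable_dirs(pc_vars, "/work/recipe-sysroot-native"))
```
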
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index b8672735abe..91a95d89290 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'. Signed-off-by: Khem Raj <raj.khem@gmail.com> --- - Configurations/unix-Makefile.tmpl | 12 +++++++++++- + Configurations/unix-Makefile.tmpl | 16 +++++++++++++++- crypto/build.info | 2 +- - 2 files changed, 12 insertions(+), 2 deletions(-) + 2 files changed, 16 insertions(+), 2 deletions(-) -Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl -=================================================================== ---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl -@@ -502,13 +502,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 09303c4..011bda1 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -502,13 +502,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h +# *_Q variables are used for one thing only: to build up buildinf.h CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g; ++ $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g; $cppflags2 =~ s|([\\"])|\\$1|g; ++ $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g; $lib_cppflags =~ s|([\\"])|\\$1|g; ++ $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g; join(' ', $lib_cppflags || (), $cppflags2 || (), $cppflags1 || ()) -} 
@@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; + s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; ++ s|-isystem/[^ ]+/usr/include ||g; + } + join(' ', @{$config{CFLAGS}}) -} + diff --git a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb b/meta/recipes-connectivity/openssl/openssl_3.4.1.bb index 1a054a36753..8da64aea6a3 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.4.1.bb @@ -49,8 +49,8 @@ EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom" EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom" # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' +EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' # This allows disabling deprecated or undesirable crypto algorithms. # The default is to trust upstream choices.
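
Review bot: In the CPPFLAGS_Q block of the first hunk (@@ -30,23 +30,26 @@ of the embedded 0001-buildinfo patch), the three added substitutions `s|-isystem/[^ ]+/usr/include||g` are not anchored at the end of the argument. For an -isystem path that continues past /usr/include only the leading part is removed and the remainder stays in the string written to buildinf.h, and the form with a space between -isystem and the path is not matched at all. Suggest requiring a following space or end of string after /usr/include, and adding a sentence about the -isystem stripping to the embedded patch's description, which in the visible context still only mentions '-ffile-prefix-map'.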
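
Review bot: The substitution added to the CFLAGS_Q block in the second hunk (@@ -54,6 +57,7 @@), `s|-isystem/[^ ]+/usr/include ||g`, requires a trailing space, unlike the three CPPFLAGS_Q substitutions earlier in the same patch. An -isystem argument that is the last token of a CFLAGS entry has no trailing space, so it would remain in the compiler command line stored in the library. Suggest using one pattern in both places, or handling end of string here as well.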
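
Review bot: In the openssl_3.4.1.bb hunk (@@ -49,8 +49,8 @@), the comment above the two new `EXTRA_OEMAKE:append:task-compile` lines is unchanged and does not say why make variables replace the CFLAGS defines or why MODULESDIR was added. Suggest one sentence there covering that, and noting that the poisoned values also end up in enginesdir and modulesdir of the generated libcrypto.pc, as the reply in this thread shows. The identical value repeated for class-native and class-nativesdk could also be held in one variable so the two lines cannot drift apart.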