|
1 # |
|
2 # CDDL HEADER START |
|
3 # |
|
4 # The contents of this file are subject to the terms of the |
|
5 # Common Development and Distribution License (the "License"). |
|
6 # You may not use this file except in compliance with the License. |
|
7 # |
|
8 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 # or http://www.opensolaris.org/os/licensing. |
|
10 # See the License for the specific language governing permissions |
|
11 # and limitations under the License. |
|
12 # |
|
13 # When distributing Covered Code, include this CDDL HEADER in each |
|
14 # file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 # If applicable, add the following below this CDDL HEADER, with the |
|
16 # fields enclosed by brackets "[]" replaced with your own identifying |
|
17 # information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 # |
|
19 # CDDL HEADER END |
|
20 # |
|
21 # Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. |
|
22 # |
|
23 |
|
24 |
|
25 Disclaimer |
|
26 ---- |
|
27 |
|
28 The purpose of this directory is solely to build and deliver static OpenSSL |
|
29 binaries for wanboot. These binaries have some highly specific patches applied. |
|
30 Do not attempt to use these for any other purpose. |
|
31 |
|
32 |
|
33 Building |
|
34 ---- |
|
35 |
|
36 Building in this directory is triggered by running 'gmake build' in |
|
37 ../openssl-1.0.0. Calling 'gmake build' locally is possible for debugging |
|
38 purposes. There are no 'install' and 'publish' targets. Only 64-bit sparc |
|
39 version is built, nothing is done for x86. |
|
40 |
|
41 The outcome of build is file wanboot-openssl.o containing all the openssl bits |
|
42 required for wanboot. As part of 'make install' in ../openssl-1.0.0 this file |
|
43 is copied in to its proto area. From there, wanboot-openssl.o is published and |
|
44 delivered as a part of pkg:/library/security/openssl package. |
|
45 |
|
46 |
|
47 Patches |
|
48 ---- |
|
49 |
|
50 18-compiler_opts.patch: |
|
51 Taken from $USERLAND/components/openssl/openssl-1.0.0/patches/ |
|
52 - modified not to link with libc (-lc); |
|
53 - '-xF=%all' added to comp. flags to create separate section for each function |
|
54 |
|
55 30_wanboot.patch: |
|
56 Wanboot specific patches. |
|
57 - modified Makefiles not to build in engines apps test tools |
|
58 - not using vfprintf for error print in crypto/cryptlib.c |
|
59 - not using ERR_load_DSO_strings() in crypto/err/err_all.c |
|
60 - not using EVP_read_pw_string() in crypto/evp/evp_key.c |
|
61 - reading password is implemented in disabled DES library |
|
62 - avoid select() in crypto/rand/rand_unix.c |
|
63 - not defining _XOPEN_SOURCE in crypto/rand/randfile.c |
|
64 - direct reading of IP to avoid sscanf() in crypto/x509v3/v3_utl.c |
|
65 - using functions from libsock in e_os.h |
|
66 - by-passing version of sparc detection in crypto/sparcv9cap.c |
|
67 - results in not using FPU for big numbers multiplication |
|
68 - should be ok - original detection seems broken, FPU gets never used |
|
69 - stubs for EVP_read_pw_string_min(), OPENSSL_issetugid(), |
|
70 opendir(), readdir(), closedir() |
|
71 - implementation of atoi() |
|
72 |
|
73 |
|
74 Configure options |
|
75 ---- |
|
76 |
|
77 Most of the Configure options where carried over from the original code when |
|
78 migrating openssl for wanboot from ON to Userland. For the most part, these |
|
79 options exclude unused ciphers. |
|
80 |
|
81 New options added: |
|
82 -DNO_CHMOD chmod not available in stand-alone environment |
|
83 -DBOOT guard for wanboot specific patches |
|
84 -DOPENSSL_NO_DTLS1 to avoid dtls1_min_mtu() - DTLS not used anyway |
|
85 |
|
86 |
|
87 List of object files for wanboot-openssl.o |
|
88 ---- |
|
89 |
|
90 At this moment, object files for wanboot-openssl.o need to be listed explicitly. |
|
91 This is cumbersome and relatively tedious with respect to upgrading to higher |
|
92 version of openssl. |
|
93 |
|
94 In future, it would be nice, if this could be performed automatically by the |
|
95 linker. The required interface for wanboot is already defined in a mapfile and |
|
96 linker option '-zdiscard-unused=sections,files' is already used to discard |
|
97 unused code. |
|
98 But sadly, at this moment when the linker is given all the object files, it |
|
99 fails to recognize some unreferenced sections as unused. As a result, numerous |
|
100 object files are not discarded, although they should be. These files are not |
|
101 patched to work in standalone environment, which causes wanboot linking failure |
|
102 due to undefined references. |
|
103 |
|
104 In order to determine which openssl object files are required for wanboot, |
|
105 first build static standalone openssl bits in Userland. As a site effect, |
|
106 static libraries libssl.a and libcrypto.a are created. |
|
107 |
|
108 $ cd $USERLAND/components/openssl/openssl-1.0.0-wanboot ; gmake build |
|
109 |
|
110 Next, collect some information from linking wanboot static libraries in ON. |
|
111 This can be done by the following hack. |
|
112 |
|
113 $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4 |
|
114 $ touch wanboot.o |
|
115 $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \ |
|
116 -L$USERLAND/components/openssl/openssl-1.0.0-wanboot/build/sparcv9 " \ |
|
117 WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all |
|
118 |
|
119 The following sort of information ends up in ld.dbg (note that the debugging |
|
120 output from the link-editor is not considered a 'stable interface' and may |
|
121 change in the future): |
|
122 |
|
123 debug: |
|
124 debug: file=/builds/tkuthan/ul-s11u1/components/openssl/openssl-1.0.0-wanboot/build/sparcv9/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
|
125 debug: |
|
126 debug: symbol table processing; file=/builds/tkuthan/ul-s11u1/components/openssl/openssl-1.0.0-wanboot/build/sparcv9/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
|
127 debug: symbol[1]=sparcv9cap.c |
|
128 ... |
|
129 |
|
130 Now run the following script in Userland: |
|
131 |
|
132 #!/bin/bash |
|
133 |
|
134 # set to workspace paths: |
|
135 USERLAND=/builds/tkuthan/ul-s11u1 |
|
136 ON=/builds/tkuthan/on11u1-wanboot-rti |
|
137 |
|
138 BUILD=$USERLAND/components/openssl/openssl-1.0.0-wanboot/build/sparcv9 |
|
139 LD_DBG=$ON/usr/src/psm/stand/boot/sparcv9/sun4/ld.dbg |
|
140 |
|
141 for i in `find $BUILD/crypto $BUILD/ssl -name '*.o'` |
|
142 do |
|
143 f=`basename $i` |
|
144 if grep -q "^debug: file.*\<$f\>" $LD_DBG |
|
145 then |
|
146 echo $i | sed "s#$BUILD/##" |
|
147 fi |
|
148 done |
|
149 |
|
150 to get the list of required object files. |
|
151 |
|
152 Additionally, you can format the list for including to Makefile by: |
|
153 $ sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/' |
|
154 |
|
155 |
|
156 Linking with wanboot |
|
157 ---- |
|
158 |
|
159 When linking with wanboot please pay attention to following pitfalls. |
|
160 |
|
161 Correct openssl header files need to be included. This is done in |
|
162 $ON/usr/src/stand/lib/wanboot/Makefile |
|
163 Make sure CPPFLAGS point to the right directories. |
|
164 |
|
165 EXTREME CAUTION needs to be employed, if WANBOOT GREW IN SIZE because of the |
|
166 changes! |
|
167 Wanboot is a statically linked standalone binary and it is loaded on a fixed |
|
168 address before execution. This address is defined in |
|
169 $ON/usr/src/psm/stand/boot/sparc/common/mapfile: |
|
170 |
|
171 27 LOAD_SEGMENT text { |
|
172 28 FLAGS = READ EXECUTE; |
|
173 29 VADDR = 0x130000; |
|
174 30 ASSIGN_SECTION { |
|
175 31 TYPE = PROGBITS; |
|
176 32 FLAGS = ALLOC !WRITE; |
|
177 33 }; |
|
178 34 }; |
|
179 |
|
180 This address (VADDR) NEEDS TO BE GREATER THEN |
|
181 size of .text section + size of .data section + 0x4000 |
|
182 |
|
183 The reason for this is in how wanboot is loaded by OpenBoot Prom: |
|
184 1) user initiates boot from network - "boot net" |
|
185 2) obp loads wanboot binary at address 0x4000 |
|
186 3) obp parses ELF header, reads virtual address where to load wanboot to |
|
187 4) obp mem-copies .text section to this address |
|
188 5) obp copies .data section behind .text |
|
189 6) obp starts executing wanboot at entry address |
|
190 |
|
191 If the given address is too small, obp overwrites part of .data with |
|
192 instructions from .text in step 4. resulting in .data being corrupted. |
|
193 Initialized variables get bogus values and failure is inevitable. |
|
194 This is very hard to troubleshoot. |
|
195 |
|
196 |
|
197 Testing wanboot with new openssl |
|
198 ---- |
|
199 |
|
200 With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and |
|
201 works well with the new bits. |
|
202 |
|
203 Provided you have a freshly built ON workspace, you can link wanboot with new |
|
204 OpenSSL bits by redefining WAN_OPENSSL macro: |
|
205 |
|
206 # copy wanboot-openssl.o to ON build machine |
|
207 cp wanboot-openssl.o /var/tmp/ |
|
208 |
|
209 # prepare to rebuild wanboot |
|
210 cd $ON |
|
211 bldenv developer.sh |
|
212 cd usr/src/psm/stand/boot/sparcv9/sun4 |
|
213 |
|
214 # hack to force a rebuild |
|
215 touch wanboot.o |
|
216 |
|
217 # link new OpenSSL to wanboot |
|
218 WAN_OPENSSL=/var/tmp/wanboot-openssl.o dmake all |
|
219 |
|
220 Wanboot should build without warning. |
|
221 |
|
222 If there is something like this in the output: |
|
223 |
|
224 Undefined first referenced |
|
225 symbol in file |
|
226 CRYPTO_ccm128_setiv /var/tmp/wanboot-openssl.o |
|
227 SSL_get_srtp_profiles /var/tmp/wanboot-openssl.o |
|
228 ssl_parse_clienthello_use_srtp_ext /var/tmp/wanboot-openssl.o |
|
229 CRYPTO_gcm128_setiv /var/tmp/wanboot-openssl.o |
|
230 ... |
|
231 cmac_pkey_meth /var/tmp/wanboot-openssl.o |
|
232 ld: fatal: symbol referencing errors. No output written to wanboot |
|
233 *** Error code 1 |
|
234 dmake: Fatal error: Command failed for target `wanboot' |
|
235 |
|
236 some additional work has to be done in OpenSSL to either satisfy the function |
|
237 references listed in the linker error message, or to remove the calls to these |
|
238 functions. |
|
239 |
|
240 Finally, resulting wanboot binary shall be deployed on some install server and |
|
241 wanbooting from this server shall be tested. |