Merge pull request #244727 from RaitoBezarius/edk2-openssl-security-2305

NixOS · Aug 7, 2023 · 2a15a55 · 2a15a55
2 parents 52f2e2b + 3ed8d9b
commit 2a15a55
Showing 1 changed file with 29 additions and 1 deletion.
diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix
@@ -34,6 +34,14 @@ buildType = if stdenv.isDarwin then
   else
     "GCC5";
 
+  # OpenSSL 1.1.1t
+  vendoredOpenSSL = fetchFromGitHub {
+    owner = "openssl";
+    repo = "openssl";
+    rev = "OpenSSL_1_1_1t";
+    sha256 = "sha256-gI2+Vm67j1+xLvzBb+DF0YFTOHW7myotRsXRzluzSLY=";
+  };
+
 edk2 = buildStdenv.mkDerivation {
   pname = "edk2";
   version = "202211";
@@ -44,9 +52,18 @@ edk2 = buildStdenv.mkDerivation {
       url = "https://src.fedoraproject.org/rpms/edk2/raw/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/0021-Tweak-the-tools_def-to-support-cross-compiling.patch";
       sha256 = "sha256-E1/fiFNVx0aB1kOej2DJ2DlBIs9tAAcxoedym2Zhjxw=";
     })
+    # Apply EDK2-specific OpenSSL 1.1.1t changes
+    # Original bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4342
+    (fetchpatch {
+      url = "https://bugzilla.tianocore.org/attachment.cgi?id=1330";
+      hash = "sha256-HAwa9gqTxA5+8UQf5NiRdZYSmE6ykQsDbkHFj7oLygg=";
+      # Normally, EDK2 vendors OpenSSL via Git submodules
+      # We unbundle them because fetchpatch and fetchers interaction are not ideal in nixpkgs.
+      # i.e. we cannot patch a git submodule at the right moment.
+      excludes = [ "CryptoPkg/Library/OpensslLib/openssl" ];
+    })
   ];
 
-  # submodules
   src = fetchFromGitHub {
     owner = "tianocore";
     repo = "edk2";
@@ -55,6 +72,17 @@ edk2 = buildStdenv.mkDerivation {
     sha256 = "sha256-0jE73xPyenAcgJ1mS35oTc5cYw7jJvVYxhPdhTWpKA0=";
   };
 
+  postUnpack = ''
+    rm -rf source/CryptoPkg/Library/OpensslLib/openssl
+  '';
+
+  # Update the OpenSSL used APIs to 1.1.1t in EDK2…
+  # OpenSSL3 PoC exist: https://patchew.org/EDK2/cover.1679026329.git.yi1.li@intel.com/
+  # Unvendor only when OpenSSL3 support lands otherwise fix everything that breaks, I guess?
+  postPatch = ''
+    cp -r ${vendoredOpenSSL} CryptoPkg/Library/OpensslLib/openssl
+  '';
+
   nativeBuildInputs = [ pythonEnv ];
   depsBuildBuild = [ buildPackages.stdenv.cc buildPackages.util-linux buildPackages.bash ];
   strictDeps = true;