edk2: backport OpenSSL 1.1.1t to the tree

Original bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4342 We decide to backport this way because we do not have a lot of choices here, upgrading will break 23.05.
NixOS · Jul 28, 2023 · 493509d · 493509d
1 parent 68903ef
commit 493509d
Showing 1 changed file with 37 additions and 7 deletions.
diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix
@@ -8,6 +8,7 @@
 , llvmPackages_9
 , lib
 , buildPackages
+, applyPatches
 }:
 
 let
@@ -34,6 +35,13 @@ buildType = if stdenv.isDarwin then
   else
     "GCC5";
 
+  vendoredOpenSSL = fetchFromGitHub {
+    owner = "openssl";
+    repo = "openssl";
+    rev = "830bf8e1e4749ad65c51b6a1d0d769ae689404ba";
+    sha256 = "sha256-gI2+Vm67j1+xLvzBb+DF0YFTOHW7myotRsXRzluzSLY=";
+  };
+
 edk2 = buildStdenv.mkDerivation {
   pname = "edk2";
   version = "202211";
@@ -46,13 +54,35 @@ edk2 = buildStdenv.mkDerivation {
     })
   ];
 
-  # submodules
-  src = fetchFromGitHub {
-    owner = "tianocore";
-    repo = "edk2";
-    rev = "edk2-stable${edk2.version}";
-    fetchSubmodules = true;
-    sha256 = "sha256-0jE73xPyenAcgJ1mS35oTc5cYw7jJvVYxhPdhTWpKA0=";
+  # This will be cursed, I, alas, have no choice.
+  # fetchFromGitHub cannot support patching a submodule source.
+  # We will let it download it stupid things and override it.
+  src = applyPatches {
+    name = "edk2-stable${edk2.version}-openssl-patched";
+    src = fetchFromGitHub {
+      owner = "tianocore";
+      repo = "edk2";
+      rev = "edk2-stable${edk2.version}";
+      fetchSubmodules = true;
+      sha256 = "sha256-0jE73xPyenAcgJ1mS35oTc5cYw7jJvVYxhPdhTWpKA0=";
+    };
+    # Update the OpenSSL used APIs to 1.1.1t in EDK2…
+    # OpenSSL3 PoC exist: https://patchew.org/EDK2/cover.1679026329.git.yi1.li@intel.com/
+    # Unvendor only when OpenSSL3 support lands otherwise fix everything that breaks, I guess?
+    patches = [
+      # This patch has been reflowed for nixpkgs usage.
+      # It drops submodule modification.
+      # As the patch is too big for in-tree inclusion, we decided to web archive it
+      # and fetch it.
+      (fetchpatch {
+        url = "http://web.archive.org/web/20230728182934id_/https://raw.githubusercontent.com/RaitoBezarius/nixpkgs/edk2-openssl-security-2305/pkgs/development/compilers/edk2/support-openssl-1_1_1t.patch";
+        hash = "sha256-HAwa9gqTxA5+8UQf5NiRdZYSmE6ykQsDbkHFj7oLygg=";
+      })
+    ];
+    postPatch = ''
+      rm -rf CryptoPkg/Library/OpensslLib/openssl
+      cp -r ${vendoredOpenSSL} CryptoPkg/Library/OpensslLib/openssl
+    '';
   };
 
   nativeBuildInputs = [ pythonEnv ];