From 3ed8d9b547c3941d74d9455fdec120f415ebaacd Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 22 Jul 2023 00:08:50 +0200 Subject: [PATCH] edk2: backport OpenSSL 1.1.1t to the tree Original bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4342 Note that we use `excludes` here because EDK2 vendors OpenSSL via git submodules, we unbundle it, refetch it ourselves and apply in `postPatch`. Therefore, we also need to unpatch the `CryptoPkg/Library/OpensslLib/openssl`. Instead of upgrading EDK2, we decided to backport the patch manually because upgrading caused breakages in 23.05. --- pkgs/development/compilers/edk2/default.nix | 30 ++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index 878d3f7568383..73d3f00c3d154 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -34,6 +34,14 @@ buildType = if stdenv.isDarwin then else "GCC5"; + # OpenSSL 1.1.1t + vendoredOpenSSL = fetchFromGitHub { + owner = "openssl"; + repo = "openssl"; + rev = "OpenSSL_1_1_1t"; + sha256 = "sha256-gI2+Vm67j1+xLvzBb+DF0YFTOHW7myotRsXRzluzSLY="; + }; + edk2 = buildStdenv.mkDerivation { pname = "edk2"; version = "202211"; @@ -44,9 +52,18 @@ edk2 = buildStdenv.mkDerivation { url = "https://src.fedoraproject.org/rpms/edk2/raw/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/0021-Tweak-the-tools_def-to-support-cross-compiling.patch"; sha256 = "sha256-E1/fiFNVx0aB1kOej2DJ2DlBIs9tAAcxoedym2Zhjxw="; }) + # Apply EDK2-specific OpenSSL 1.1.1t changes + # Original bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4342 + (fetchpatch { + url = "https://bugzilla.tianocore.org/attachment.cgi?id=1330"; + hash = "sha256-HAwa9gqTxA5+8UQf5NiRdZYSmE6ykQsDbkHFj7oLygg="; + # Normally, EDK2 vendors OpenSSL via Git submodules + # We unbundle them because fetchpatch and fetchers interaction are not ideal in nixpkgs. + # i.e. we cannot patch a git submodule at the right moment. + excludes = [ "CryptoPkg/Library/OpensslLib/openssl" ]; + }) ]; - # submodules src = fetchFromGitHub { owner = "tianocore"; repo = "edk2"; @@ -55,6 +72,17 @@ edk2 = buildStdenv.mkDerivation { sha256 = "sha256-0jE73xPyenAcgJ1mS35oTc5cYw7jJvVYxhPdhTWpKA0="; }; + postUnpack = '' + rm -rf source/CryptoPkg/Library/OpensslLib/openssl + ''; + + # Update the OpenSSL used APIs to 1.1.1t in EDK2… + # OpenSSL3 PoC exist: https://patchew.org/EDK2/cover.1679026329.git.yi1.li@intel.com/ + # Unvendor only when OpenSSL3 support lands otherwise fix everything that breaks, I guess? + postPatch = '' + cp -r ${vendoredOpenSSL} CryptoPkg/Library/OpensslLib/openssl + ''; + nativeBuildInputs = [ pythonEnv ]; depsBuildBuild = [ buildPackages.stdenv.cc buildPackages.util-linux buildPackages.bash ]; strictDeps = true;