Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to OpenSSL 3.x #5291

Closed
6 of 7 tasks
jumaffre opened this issue May 22, 2023 · 0 comments
Closed
6 of 7 tasks

Upgrade to OpenSSL 3.x #5291

jumaffre opened this issue May 22, 2023 · 0 comments
Assignees
Milestone

Comments

@jumaffre
Copy link
Contributor

jumaffre commented May 22, 2023

We should add support for OpenSSL 3.x before OpenSSL 1.1.1 end of life.

Updated plan (16/06/02023)

  • OpenSSL 1.1.1 will be supported by Canonical on Ubuntu 20.04 until 20.04 EOL (May 2025) so CCF will remain on Ubuntu 20.04 and use the distribution OpenSSL 1.1.1 for the host on SGX, but also for SNP and Virtual enclaves.
  • Open Enclave will update to OpenSSL 3.x (see Meta issue for upgrade to openssl 3.0 openenclave/openenclave#4759), which we'll use for SGX enclaves.
  • We should therefore provide support for both OpenSSL 1.1.1 (host + SNP/Virtual) and 3.x (SGX) and be able to run CCF enclaves from both.

Tasks (see #5293 for pointers)

Preview Give feedback

Some notes:

  • /opt/openenclave/lib/openenclave/host/liboehostverify.a pulls /usr/lib/x86_64-linux-gnu/libcrypto.so (the installed OpenSSL crypto library). This is OK, but makes it hard to build a CCF enclave with a custom installation of OpenSSL.
  • As discussed with @achamayou, because the OpenSSL 3.x deb package is only available on Ubuntu 22.04, we can (and should!) upgrade the Virtual/SNP images to use Ubuntu 22.04. However, these platforms still require Open Enclave HostVerify, which is currently only tested with Ubuntu 20.04.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants