# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
# Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
The OpenSSL build is run four times: once for the regular dynamic non-FIPS
libraries, once for the static bits linked into the standalone wanboot binary,
once for FIPS-140, and once for the FIPS-140 canister (in the openssl-fips
component) needed to build the FIPS-140 certified libraries. All builds apart
from the static libraries for wanboot are done for both 32 and 64 bits, so in
total OpenSSL is built seven times. OpenSSL for wanboot is only built on sparc.
See also the comments in all the Makefiles for more information.
The non-FIPS build is the 'default' build of OpenSSL and includes the regular
binaries, libraries, man pages, and header files.
We are now shipping FIPS-140 certified OpenSSL with S11.2 and later.
The admin may choose to activate the 'openssl-fips' implementation using 'pkg mediator'.
There are some significant differences when building OpenSSL for wanboot.
Some additional configuration options are needed:
    -DNO_CHMOD           chmod is not available in the stand-alone environment
    -DBOOT               guard for wanboot specific patches
    -DOPENSSL_NO_DTLS1   to avoid dtls1_min_mtu() (DTLS is not used anyway)
This is cumbersome and relatively tedious with respect to upgrading to higher
In future, it would be nice if this could be performed automatically by the
linker. The required interface for wanboot is already defined in a mapfile and
the linker option '-zdiscard-unused=sections,files' is already used to discard
But sadly, at the moment, when the linker is given all the object files it
correctly discards some unused files, but references to undefined symbols from
the discarded files do not get discarded along with them. Later, these
undefined references cause the wanboot link to fail.
In order to determine which OpenSSL object files are required for wanboot,
first build the static standalone OpenSSL bits in Userland. As a side effect,
Next, collect some information from linking the wanboot static libraries in ON.
This can be done by the following hack.
    WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all
The following sort of information ends up in ld.dbg (note that the debugging
output from the link-editor is not considered a 'stable interface' and may
Now run the following script in Userland:
    # set to workspace paths:
    if grep -q "^debug: file.*\<$f\>" $LD_DBG
    echo $i | sed "s#$BUILD/##"
to get the list of required object files.
Additionally, you can format the list for inclusion in the Makefile by:
    sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'
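The selection step above, reconstructed as a complete, runnable script. This is an added example, not the Userland README's own script: the $BUILD and $LD_DBG locations, the object file names and the shape of the 'debug: file' lines are assumptions (ld's debug output is not a stable interface, so the sample log is constructed, not captured). It uses grep -w -F in place of the \<...\> word anchors so that a near-miss name such as xaes_misc.o cannot be mistaken for aes_misc.o, and it also applies the Makefile formatting pipeline to the result.

```sh
#!/bin/sh
# Added example, not the README's own script: reconstruct the "which OpenSSL
# objects did the wanboot link actually keep" step over a constructed ld.dbg.
# Assumptions: $BUILD is the Userland OpenSSL object tree, $LD_DBG the
# link-editor debug log saved from the ON wanboot link; the "debug: file"
# line format below is approximated, not ld's exact (unstable) output.

BUILD=${BUILD:-${TMPDIR:-/tmp}/ul-openssl-build}
LD_DBG=${LD_DBG:-${TMPDIR:-/tmp}/ld.dbg}

# Constructed sample: three OpenSSL objects in the build tree and a debug log
# in which only two of them were processed by the link-editor. The third
# "file" line is a near-miss name that a plain substring match would accept.
setup_sample() {
    mkdir -p "$BUILD/crypto/aes" "$BUILD/ssl"
    : > "$BUILD/crypto/aes/aes_core.o"
    : > "$BUILD/crypto/aes/aes_misc.o"
    : > "$BUILD/ssl/s3_lib.o"
    cat > "$LD_DBG" <<'EOF'
debug: file=libcrypto.a(aes_core.o)  [ ET_REL ]
debug: file=libssl.a(s3_lib.o)  [ ET_REL ]
debug: file=libwanboot.a(xaes_misc.o)  [ ET_REL ]
debug: section=.text; processed
EOF
}

# List every object under $BUILD that ld.dbg shows as processed, printed
# relative to $BUILD. grep -w -F stands in for the README's \<...\> anchors,
# so aes_misc.o does not match the xaes_misc.o line.
required_objects() {
    find "$BUILD" -name '*.o' | sort | while read -r i; do
        f=$(basename "$i")
        if grep '^debug: file' "$LD_DBG" | grep -qwF "$f"; then
            echo "$i" | sed "s#$BUILD/##"
        fi
    done
}

# The same list, formatted as continuation lines for pasting into a Makefile
# macro (the fold/sed pipeline from the README).
makefile_list() {
    required_objects | sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'
}

setup_sample
echo "required objects:"
required_objects
echo "Makefile form:"
makefile_list
```

Point $BUILD at the real Userland build tree and $LD_DBG at the ld.dbg written by the ON link (and delete setup_sample) to use it on a real workspace; the relative paths it prints are what goes into the object list in the Makefile.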
When linking with wanboot please pay attention to the following pitfalls.
The correct OpenSSL header files need to be included. This is done in
Make sure CPPFLAGS point to the right directories.
EXTREME CAUTION needs to be employed if WANBOOT GREW IN SIZE because of the
Wanboot is a statically linked standalone binary and it is loaded at a fixed
address before execution. This address is defined in
This address (VADDR) NEEDS TO BE GREATER THAN
    size of wanboot binary + 0x4000
The reason for this is in how wanboot is loaded by the OpenBoot PROM (OBP):
1) the user initiates boot from the network - "boot net"
2) OBP loads the wanboot binary at address 0x4000
3) OBP parses the ELF header and reads the virtual address wanboot is to be loaded at
4) OBP mem-copies the .text section to this address
5) OBP copies the .data section behind .text
6) OBP starts executing wanboot at the entry address
If the given address is too small, OBP overwrites part of .data with
instructions from .text in step 4, resulting in .data being corrupted.
Initialized variables get bogus values and failure is inevitable.
This is very hard to troubleshoot.
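The VADDR rule above as a check you can run on the freshly linked binary. This is an added example, not code from the README or from ON: it reads the load address out of the first PT_LOAD program header of the ELF image itself instead of trusting the value in the Makefile, and compares it with the file size plus 0x4000. The constructed sample image (ELF32, big-endian, one PT_LOAD segment), the helper names and the demo sizes are assumptions; the check itself accepts ELF32 or ELF64 in either byte order.

```sh
#!/bin/sh
# Added example, not the README's own code: verify that a wanboot image's load
# address satisfies VADDR > (size of binary + 0x4000) by reading VADDR from the
# ELF program header itself. Helper names and the constructed sample image are
# assumptions; the rule and the 0x4000 OBP staging address are from the README.

# elf_u FILE OFFSET NBYTES: unsigned integer at OFFSET, honouring ELF_LE (1 = LSB).
elf_u() {
    _hex=$(od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n')
    if [ "$ELF_LE" = 1 ]; then
        _rev=""
        while [ -n "$_hex" ]; do
            _rev="${_hex%"${_hex#??}"}$_rev"   # move the next byte to the front
            _hex=${_hex#??}
        done
        _hex=$_rev
    fi
    echo $(( 0x$_hex ))
}

# wanboot_load_vaddr FILE: p_vaddr of the first PT_LOAD segment (ELF32 or ELF64).
wanboot_load_vaddr() {
    _f=$1
    if [ "$(od -An -v -tx1 -N 4 "$_f" | tr -d ' \n')" != "7f454c46" ]; then
        echo "$_f: not an ELF image" >&2; return 2
    fi
    ELF_LE=0
    if [ "$(elf_u "$_f" 5 1)" -eq 1 ]; then ELF_LE=1; fi   # EI_DATA: 1 = LSB, 2 = MSB
    if [ "$(elf_u "$_f" 4 1)" -eq 1 ]; then                # EI_CLASS: 1 = ELF32
        _phoff=$(elf_u "$_f" 28 4); _phentsz=$(elf_u "$_f" 42 2)
        _phnum=$(elf_u "$_f" 44 2); _voff=8; _asz=4
    else                                                   # ELF64
        _phoff=$(elf_u "$_f" 32 8); _phentsz=$(elf_u "$_f" 54 2)
        _phnum=$(elf_u "$_f" 56 2); _voff=16; _asz=8
    fi
    _i=0
    while [ "$_i" -lt "$_phnum" ]; do
        _ph=$(( _phoff + _i * _phentsz ))
        if [ "$(elf_u "$_f" "$_ph" 4)" -eq 1 ]; then       # p_type == PT_LOAD
            elf_u "$_f" $(( _ph + _voff )) "$_asz"; return 0
        fi
        _i=$(( _i + 1 ))
    done
    echo "$_f: no PT_LOAD segment" >&2; return 2
}

# wanboot_min_vaddr FILE: lowest safe VADDR, i.e. size of the binary + 0x4000.
wanboot_min_vaddr() { echo $(( $(wc -c < "$1") + 0x4000 )); }

# wanboot_vaddr_check FILE: succeed only if VADDR > size + 0x4000.
wanboot_vaddr_check() {
    _v=$(wanboot_load_vaddr "$1") || return 2
    _m=$(wanboot_min_vaddr "$1")
    printf '%s: VADDR=0x%x min=0x%x -> ' "$1" "$_v" "$_m"
    if [ "$_v" -gt "$_m" ]; then echo ok; else echo "TOO LOW: .data would be overwritten"; return 1; fi
}

# be16/be32 N: emit N as big-endian bytes (SPARC byte order).
be16() { printf "\\$(printf %03o $(( ($1 >> 8) & 255 )))\\$(printf %03o $(( $1 & 255 )))"; }
be32() { be16 $(( ($1 >> 16) & 65535 )); be16 $(( $1 & 65535 )); }

# make_fake_wanboot FILE VADDR SIZE: constructed ELF32 big-endian image with a
# single PT_LOAD at VADDR, zero-padded to SIZE bytes (not a real wanboot).
make_fake_wanboot() {
    {
        printf '\177ELF\001\002\001'; be32 0; be32 0; printf '\000'   # e_ident (16 bytes)
        be16 2; be16 2; be32 1                                 # ET_EXEC, EM_SPARC, EV_CURRENT
        be32 "$2"; be32 52; be32 0; be32 0                     # e_entry, e_phoff, e_shoff, e_flags
        be16 52; be16 32; be16 1; be16 0; be16 0; be16 0       # ehsize, phentsize, phnum, sh*
        be32 1; be32 0; be32 "$2"; be32 "$2"                   # PT_LOAD, p_offset, p_vaddr, p_paddr
        be32 "$3"; be32 "$3"; be32 5; be32 4                   # p_filesz, p_memsz, PF_R|PF_X, p_align
    } > "$1"
    dd if=/dev/zero bs=1 count=$(( $3 - 84 )) >> "$1" 2>/dev/null
}

# Constructed demo: a 20000-byte image at 0x50000 passes; the same image at
# 0x8000 would be overwritten during step 4 of the OBP load sequence.
_d=$(mktemp -d)
make_fake_wanboot "$_d/wanboot.ok"  $(( 0x50000 )) 20000
make_fake_wanboot "$_d/wanboot.bad" $(( 0x8000 ))  20000
wanboot_vaddr_check "$_d/wanboot.ok"
wanboot_vaddr_check "$_d/wanboot.bad" || true
```

Run wanboot_vaddr_check against the wanboot binary produced by the ON build after every OpenSSL upgrade; a failure means VADDR has to be raised before the binary is deployed, since the corruption it predicts only shows up as random bogus initialized data at boot time.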
Testing wanboot with new OpenSSL
With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and
works well with the new bits (post lullaby).
Provided you have a freshly built ON workspace, you can link wanboot with the new
    # prepare to rebuild wanboot
    # hack to force a rebuild
    # modify Makefile and assign the WAN_OPENSSL macro to your binary
Wanboot should build without warnings.
If there is something like this in the output:
    Undefined                       first referenced
    ld: fatal: symbol referencing errors. No output written to wanboot
    dmake: Fatal error: Command failed for target `wanboot'
some additional work has to be done in OpenSSL to either satisfy the function
references listed in the linker error message, or to remove the calls to these
Finally, the resulting wanboot binary shall be deployed on an install server and
wanbooting from this server shall be tested.
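The link-error triage described above, as an added helper (example code, not from the README or from ON): it pulls the undefined symbols and the objects that reference them out of ld's 'symbol referencing errors' output and groups them per object, so each line is one OpenSSL file in which a call has to be satisfied or removed. The captured output below is constructed in the shape of the excerpt in the README; its column layout is approximated and the symbol and object names are illustrative, not a recorded failure.

```sh
#!/bin/sh
# Added example, not the README's or ON's own code: triage ld's "symbol
# referencing errors" output from a failed wanboot link. The sample below is
# constructed in the shape of the excerpt in the README; the symbol and object
# names in it are illustrative, not a recorded failure.

LD_OUT=${LD_OUT:-${TMPDIR:-/tmp}/wanboot-link.err}

write_sample() {
    cat > "$LD_OUT" <<'EOF'
Undefined                       first referenced
 symbol                             in file
chmod                               libcrypto.a(ui_openssl.o)
fchmod                              libcrypto.a(ui_openssl.o)
dtls1_min_mtu                       libssl.a(d1_both.o)
ld: fatal: symbol referencing errors. No output written to wanboot
dmake: Fatal error: Command failed for target `wanboot'
EOF
}

# undefined_symbols FILE: print "SYMBOL OBJECT" pairs for every undefined
# reference listed between the two-line header and the "ld: fatal" line.
undefined_symbols() {
    awk '
        /^Undefined[ \t]+first referenced/ { inlist = 1; getline; next }  # skip both header lines
        /^ld: fatal:/                      { inlist = 0 }
        inlist && NF >= 2                  { print $1, $2 }
    ' "$1"
}

# by_object FILE: the same information as "OBJECT: sym1 sym2 ...", one line
# per referencing object, so each line is one file to patch in OpenSSL.
by_object() {
    undefined_symbols "$1" | awk '
        { syms[$2] = syms[$2] " " $1 }
        END { for (o in syms) print o ":" syms[o] }
    ' | sort
}

write_sample
undefined_symbols "$LD_OUT"
by_object "$LD_OUT"
```

Capture the real failure with something like dmake wanboot 2>&1 | tee "$LD_OUT" (drop write_sample) and feed it to by_object; the object names it prints are the ones whose wanboot patches, or NO_* configuration guards, need attention before the link can succeed.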
and they are copied to both the FIPS and non-FIPS 'patches' dir as soon as the
Makefile is parsed. The common patch filenames have prefix '0',
Non-FIPS specific patch files are located in the
The non-FIPS specific patch filenames have prefix '1',
FIPS specific patch files are located in the
The FIPS specific patch filenames have prefix '2',