Yocto 4.0 only supports OpenSSL 3.0.x while NXP's CST (code signing
tool) is still using OpenSSL 1.1.x. So the build fails when using the
Yocto-build OpenSSL. Instead, build OpenSSL 1.1.1 as part of the build of
the CST and link statically against libcrypto, so the resulting binaries
(cst, srktool) do not depend on any specific OpenSSL version installed
on the development computer.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
CST was being built linking to the openssl libcrypto library from the host.
When the openssl version in the host didn't match the version in the SDK,
the SDK build failed like this:
Error:
Problem 1: package nativesdk-packagegroup-sdk-host-1.0-r12.0.x86_64_nativesdk requires nativesdk-trustfence-cst, but none of the providers can be installed
- conflicting requests
- nothing provides libcrypto.so.1.0.0()(64bit) needed by nativesdk-trustfence-cst-3.3.1-r0.0.x86_64_nativesdk
- nothing provides libcrypto.so.1.0.0(OPENSSL_1.0.0)(64bit) needed by nativesdk-trustfence-cst-3.3.1-r0.0.x86_64_nativesdk
- nothing provides libcrypto.so.1.0.0(OPENSSL_1.0.1)(64bit) needed by nativesdk-trustfence-cst-3.3.1-r0.0.x86_64_nativesdk
Problem 2: package nativesdk-packagegroup-qt5-toolchain-host-1.0-r0.0.x86_64_nativesdk requires nativesdk-packagegroup-sdk-host, but none of the providers can be installed
- package nativesdk-packagegroup-sdk-host-1.0-r12.0.x86_64_nativesdk requires nativesdk-trustfence-cst, but none of the providers can be installed
- conflicting requests
- nothing provides libcrypto.so.1.0.0()(64bit) needed by nativesdk-trustfence-cst-3.3.1-r0.0.x86_64_nativesdk
- nothing provides libcrypto.so.1.0.0(OPENSSL_1.0.0)(64bit) needed by nativesdk-trustfence-cst-3.3.1-r0.0.x86_64_nativesdk
- nothing provides libcrypto.so.1.0.0(OPENSSL_1.0.1)(64bit) needed by nativesdk-trustfence-cst-3.3.1-r0.0.x86_64_nativesdk
Fix that by adding the native dependencies include and lib folders to
the CST build. Also add openssl-native as a dependency for the SDK build,
otherwise it wont link to the SDK libcrypto library.
Additionally, to allow running CST in a host machine where the openssl version
does not match the version in the SDK, libcrypto library is statically linked.
https://jira.digi.com/browse/DEL-7346
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
(cherry picked from commit a95b3ad602)
This version supports encryption for devices with Advanced High Assurance Boot
(AHAB) capabilities. This commit also updates and simplifies Digi custom
patches.
https://jira.digi.com/browse/DEL-7175
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This version supports OpenSSL v1.1.0 by default, which is used in DEY 2.6.
Trying to build older versions of the package will result in failures, so
remove support for said versions entirely.
Our patches apply cleanly except for the hab4_pki_tree.sh automation patch,
which needs a small tweak so it can get applied over the latest version of the
script.
https://jira.digi.com/browse/DEL-6476
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Hector Palacios
Javier Viguera
Gonzalo Ruiz
Arturo Buzarra
Mike Engel
Gabriel Valcazar
Jose Diaz de Grenu