#52 - Re: [Xen-devel] Fixation on polarssl 1.1.4 - EOL was 2013-10-01

Owner: Wei Liu <wei.liu2@citrix.com>

Date: Fri Mar 4 10:15:02 2016

Last Update: Fri Mar 4 10:15:02 2016

Severity: normal

Affects:

State: Open

[ Retrieve as mbox ]


From: "Xu, Quan" <quan.xu@intel.com>
To: Doug Goldstein <cardoe@cardoe.com>, Wei Liu <wei.liu2@citrix.com>
Cc: "Xu, Quan" <quan.xu@intel.com>, "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>, Steven Haigh <netwiz@crc.id.au>, Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [Xen-devel] Fixation on polarssl 1.1.4 - EOL was 2013-10-01
Date: Fri, 4 Mar 2016 03:37:10 +0000
Message-ID: <945CA011AD5F084CBEA3E851C0AB28894B859023@SHSMSX101.ccr.corp.intel.com>

[ Reply to this message; Retrieve Raw Message; Archives: marc.info, gmane ]

On February 16, 2016 1:08am, <wei.liu2@citrix.com> wrote:
> On Mon, Feb 15, 2016 at 10:45:48AM -0600, Doug Goldstein wrote:
> > On 2/15/16 10:28 AM, Wei Liu wrote:
> > > On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
> > >> Hi all,
> > >>
> > >> Just been looking at the polarssl parts in Xen 4.6 and others -
> > >> seems like we're hard coded to version 1.1.4 which was released on 31st
> May 2012.
> > >>
> > >> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
> > >> since Jan.
> > >>
> > >> It's now called mbedtls and current versions are 2.2.1 released in
> > >> Jan this year.
> > >>
> > >> I'm not exactly clear on what polarssl is used for (and why not
> > >> openssl?) - but is it time this was shown some loving?
> > >>
> > >
> > > I grep'ed for polarssl in tree and the only user seems to be vtpm.
> > > I've CC'ed Daniel and Quan for you.
> > >
> > > Wei.
> > >
> >
> > Looks like pv-grub has a build dependency on it as well based on the
> > snippet from stubdom/Makefile.
> >
> > .PHONY: grub
> > grub: cross-polarssl grub-upstream $(CROSS_ROOT)
> >
> 
> Oh, yes, you're right.
> 
> Looking at the source code pv-grub only needs the sha1 function from polarssl
> which might be easy to dealt with though. On the other hand, if there is no
> critical bug fix to the sha1 function, I wouldn't bother upgrading polarssl.
> 
> In fact, I think vtpm also only cares about some crypto algorithms like AES and
> SHA. We'd better check if there is any critical update to those functions before
> doing anything.
> 


Agreed.
If you really want to upgrade it, IMO this change would be backward compatible.
btw, it may be not an easy task to build the test env, and I can help you test your patch.

Quan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

From: Wei Liu <wei.liu2@citrix.com>
To: "Xu, Quan" <quan.xu@intel.com>
Cc: Wei Liu <wei.liu2@citrix.com>, Daniel De Graaf <dgdegra@tycho.nsa.gov>, Doug Goldstein <cardoe@cardoe.com>, Steven Haigh <netwiz@crc.id.au>, "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
Subject: Re: [Xen-devel] Fixation on polarssl 1.1.4 - EOL was 2013-10-01
Date: Fri, 4 Mar 2016 10:09:00 +0000
Message-ID: <20160304100900.GO5535@citrix.com>

[ Reply to this message; Retrieve Raw Message; Archives: marc.info, gmane ]

create ^
thanks


On Fri, Mar 04, 2016 at 03:37:10AM +0000, Xu, Quan wrote:
> On February 16, 2016 1:08am, <wei.liu2@citrix.com> wrote:
> > On Mon, Feb 15, 2016 at 10:45:48AM -0600, Doug Goldstein wrote:
> > > On 2/15/16 10:28 AM, Wei Liu wrote:
> > > > On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
> > > >> Hi all,
> > > >>
> > > >> Just been looking at the polarssl parts in Xen 4.6 and others -
> > > >> seems like we're hard coded to version 1.1.4 which was released on 31st
> > May 2012.
> > > >>
> > > >> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
> > > >> since Jan.
> > > >>
> > > >> It's now called mbedtls and current versions are 2.2.1 released in
> > > >> Jan this year.
> > > >>
> > > >> I'm not exactly clear on what polarssl is used for (and why not
> > > >> openssl?) - but is it time this was shown some loving?
> > > >>
> > > >
> > > > I grep'ed for polarssl in tree and the only user seems to be vtpm.
> > > > I've CC'ed Daniel and Quan for you.
> > > >
> > > > Wei.
> > > >
> > >
> > > Looks like pv-grub has a build dependency on it as well based on the
> > > snippet from stubdom/Makefile.
> > >
> > > .PHONY: grub
> > > grub: cross-polarssl grub-upstream $(CROSS_ROOT)
> > >
> > 
> > Oh, yes, you're right.
> > 
> > Looking at the source code pv-grub only needs the sha1 function from polarssl
> > which might be easy to dealt with though. On the other hand, if there is no
> > critical bug fix to the sha1 function, I wouldn't bother upgrading polarssl.
> > 
> > In fact, I think vtpm also only cares about some crypto algorithms like AES and
> > SHA. We'd better check if there is any critical update to those functions before
> > doing anything.
> > 
> 
> 
> Agreed.
> If you really want to upgrade it, IMO this change would be backward compatible.
> btw, it may be not an easy task to build the test env, and I can help you test your patch.
> 

Right.

To be honest the chance of me working on it soon is rather low.  To
prevent this issue falling through the crack I've created an entry in
bug tracker.

Wei.

> Quan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel