Question

The latest phyCORE-i.MX7 Linux BSP, PD19.1.0, includes OpenSSL version 1.0.2. This version is EOL as of December 2019. How can we update to OpenSSL 1.1? 

Answer

The latest stable version of OpenSSL is the 1.1.1 series and will be supported until September 2023. The following instructions can be used to upgrade the OpenSSL version and dependent packages in BSP-Yocto-FSL-iMX7-PD19.1.0. It is assumed that the Yocto BSP has been built following the BSP Development Guide.

The table below is an overview of the changes made to Yocto: 

Package / Notes
OpenSSL
  • Updated from 1.0.2 to 1.1.1
OpenSSH
  • Update to 7.8 required
  • Dropbear is the default SSH server in the BSP. The Dropbear package group is excluded so that OpenSSH 7.8 can be added.
Cryptodev
  • Update to 1.10 required
Node.js
  • Update required
  • In this guide Node.js was removed from the build. There is a recipe for Node.js 10.15.3 that is compatible and can be added. 
OpenJDK-8
  • Removed for this test


  • Add and remove packages in your configuration file

Open the file with a text editor:

Host PC

vim $YOCTO_DIR/build/conf/local.conf

Add the following lines:

Text Editor ($YOCTO_DIR/build/conf/local.conf)

IMAGE_INSTALL_append = " openssh openssl-bin"
IMAGE_INSTALL_remove = " nodejs openjdk-8"
PACKAGE_EXCLUDE += "packagegroup-core-ssh-dropbear"
  • Add OpenSSL 1.1 as your preferred version

Host PC

vim $YOCTO_DIR/sources/meta-phytec/meta-phytec-fsl/conf/machine/include/imx7-phycore-som.inc

Add the following as the last line in this file: 

Text Editor ($YOCTO_DIR/sources/meta-phytec/meta-phytec-fsl/conf/machine/include/imx7-phycore-som.inc)

PREFERRED_VERSION_openssl_${MACHINE} = "1.1.%"


  • Download the OpenSSH 7.8 recipe to Yocto sources. Make sure to rename appropriately. 

Host PC

wget "http://cgit.openembedded.org/openembedded-core/plain/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb?h=thud" -O "$YOCTO_DIR/sources/poky/meta/recipes-connectivity/openssh/openssh_7.8p1.bb"


  • Download the files for the Cryptodev 1.10 recipe to Yocto sources. Make sure to rename files appropriately (including changing cryptodev.inc to cryptodev_1.10.inc to avoid conflict with Cryptodev 1.9).

Host PC

wget "http://cgit.openembedded.org/openembedded-core/plain/meta/recipes-kernel/cryptodev/cryptodev-tests_1.10.bb?h=warrior" -O "$YOCTO_DIR/sources/poky/meta/recipes-kernel/cryptodev/cryptodev-tests_1.10.bb"
wget "http://cgit.openembedded.org/openembedded-core/plain/meta/recipes-kernel/cryptodev/cryptodev.inc?h=warrior" -O "$YOCTO_DIR/sources/poky/meta/recipes-kernel/cryptodev/cryptodev_1.10.inc"
wget "http://cgit.openembedded.org/openembedded-core/plain/meta/recipes-kernel/cryptodev/files/0001-Fix-module-loading-with-Linux-v5.0-rc5.patch?h=warrior" -O "$YOCTO_DIR/sources/poky/meta/recipes-kernel/cryptodev/files/0001-Fix-module-loading-with-Linux-v5.0-rc5.patch"


  • Edit Cryptodev recipe to remove conflict with Cryptodev 1.9

Host PC

vim $YOCTO_DIR/sources/poky/meta/recipes-kernel/cryptodev/cryptodev-tests_1.10.bb

Change the following (- for remove, + for add):

Text Editor ($YOCTO_DIR/sources/poky/meta/recipes-kernel/cryptodev/cryptodev-tests_1.10.bb)

 - require cryptodev.inc
 + require cryptodev_1.10.inc
  • With these changes you should be able to build the BSP using bitbake and the new package versions will be included.
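
The steps above can be checked before a long bitbake run with a small preflight script. This is an added example, not part of the BSP guide: the function name check_openssl_upgrade and its messages are assumptions, while the paths and configuration strings are the ones given on this page.

```shell
#!/bin/sh
# Added example (not from the BSP guide): verify the edits on this page
# before starting bitbake. Function name and messages are hypothetical.
# Usage: check_openssl_upgrade "$YOCTO_DIR"; returns the number of problems.
check_openssl_upgrade() {
    yocto=$1
    problems=0
    conf="$yocto/build/conf/local.conf"
    inc="$yocto/sources/meta-phytec/meta-phytec-fsl/conf/machine/include/imx7-phycore-som.inc"
    cdev="$yocto/sources/poky/meta/recipes-kernel/cryptodev"
    ssh="$yocto/sources/poky/meta/recipes-connectivity/openssh/openssh_7.8p1.bb"

    # need FILE STRING MESSAGE: STRING must appear on a non-comment line.
    need() {
        if ! grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -qF -- "$2"; then
            echo "MISSING: $3 ($1)"
            problems=$((problems + 1))
        fi
    }
    need "$conf" 'IMAGE_INSTALL_append = " openssh openssl-bin"' "OpenSSH/openssl-bin not added"
    need "$conf" 'PACKAGE_EXCLUDE += "packagegroup-core-ssh-dropbear"' "Dropbear not excluded"
    need "$inc" 'PREFERRED_VERSION_openssl_${MACHINE} = "1.1.%"' "OpenSSL 1.1 not preferred"
    need "$cdev/cryptodev-tests_1.10.bb" 'require cryptodev_1.10.inc' "renamed include not required"

    # wget -O creates its output file before the transfer, so a failed
    # download leaves an empty file; a wrong cgit URL can save an HTML page.
    for f in "$ssh" "$cdev/cryptodev-tests_1.10.bb" "$cdev/cryptodev_1.10.inc" \
             "$cdev/files/0001-Fix-module-loading-with-Linux-v5.0-rc5.patch"; do
        if [ ! -s "$f" ]; then
            echo "MISSING: absent or empty download ($f)"
            problems=$((problems + 1))
        elif grep -qi '<html' "$f"; then
            echo "BAD: HTML page saved instead of recipe data ($f)"
            problems=$((problems + 1))
        fi
    done

    # The 1.10 tests recipe must not pull in the Cryptodev 1.9 include.
    if grep -q '^require cryptodev\.inc' "$cdev/cryptodev-tests_1.10.bb" 2>/dev/null; then
        echo "CONFLICT: cryptodev-tests_1.10.bb still requires cryptodev.inc"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

A return value of 0 means every edit and download from this page is in place; any other value is the number of lines printed.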