
AR# 60384

PetaLinux - Building OpenSSL 1.0.1g From Source to Mitigate OpenSSL Security Alert CVE-2014-0160 (Heartbleed)


In April 2014, the OpenSSL development team identified a boundary check bug which allows malicious users to retrieve up to 64KB of data from a server running OpenSSL with the "heartbeat" functionality enabled.  

This vulnerability is detailed here: https://www.openssl.org/news/secadv_20140407.txt

Xilinx currently includes a vulnerable version of OpenSSL in the root filesystem packages provided by PetaLinux 2013.10 and prior.  

There are currently no plans to patch the filesystem packages provided by PetaLinux.

The instructions below detail how to download and build an up-to-date version of OpenSSL and include it in a user's root filesystem.


The instructions below are based on those found here (with appropriate alterations for package versions, target architecture, and clarity): http://blog.galemin.com/2010/11/how-to-build-monit-5-2-1-for-beagleboard-xm/

NOTE: Most of the commands below assume they are being run in a BASH shell. 

If running in a different shell, adapt the commands as appropriate.

Additionally, these instructions are specific to building for Zynq (ARM Cortex-A9).

To build for MicroBlaze, substitute the appropriate architecture string where needed.

1) Create a new PetaLinux user application inside your PetaLinux project using the command

petalinux-create -t apps -n <name> -p <path_to_project>

Change to this directory.
2) Create a scratchpad area inside the OpenSSL PLNX application:
 mkdir ./target_root/
 mkdir ./target_root/etc
 mkdir ./target_root/etc/ssl
 mkdir ./target_root/usr
 mkdir ./target_root/usr/bin
 mkdir ./target_root/usr/lib
 mkdir ./zlib_build
 mkdir ./openssl_build

3) Download and configure zlib 1.2.8
cd ./zlib_build
wget http://zlib.net/zlib-1.2.8.tar.gz
tar -xzf ./zlib-1.2.8.tar.gz
cd ./zlib-1.2.8/
CC=arm-xilinx-linux-gnueabi-gcc CFLAGS="-pipe -Os -mtune=cortex-a9 -march=armv7-a -mabi=aapcs-linux -msoft-float -fPIC" ./configure --shared --prefix=/usr
4) Compile and install zlib 1.2.8
make DESTDIR=${PWD}/../../target_root install
rm -rf ../../target_root/opt
rm -rf ../../target_root/usr/include
rm -rf ../../target_root/usr/lib/pkgconfig
rm -rf ../../target_root/usr/share
cd ../..
5) Download and configure OpenSSL 1.0.1g
cd ./openssl_build
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xzf openssl-1.0.1g.tar.gz
cd ./openssl-1.0.1g
CC=arm-xilinx-linux-gnueabi-gcc LD=arm-xilinx-linux-gnueabi-ld LDFLAGS="-L../../target_root/usr/lib -I../../zlib_build/zlib-1.2.8" ./Configure linux-generic32 --prefix=/usr --openssldir=/etc/ssl threads shared no-idea no-rc5 enable-camellia enable-mdc2 enable-tlsext zlib-dynamic
6)  Fix the OpenSSL Makefile to correct the CPU architecture tag
sed -i -e "s:-march=[-a-z0-9]* ::" -e "s:-mcpu=[-a-z0-9]* ::g" ./Makefile
sed -i -e "s:-O[0-9]:-pipe -Os -mtune=cortex-a9 -march=armv7-a -mabi=aapcs-linux -msoft-float -I${PWD}/../../zlib_build/zlib-1.2.8:" ./Makefile

7)  Compile and install OpenSSL
make all build-shared
make INSTALL_PREFIX=${PWD}/../../target_root install_sw
rm -f -r ../../target_root/etc/ssl/man
rm -f -r ../../target_root/usr/lib/engines
rm -f -r ../../target_root/usr/lib/pkgconfig
rm -f -r ../../target_root/usr/include
rm -f ../../target_root/usr/bin/c_rehash
cd ../..
8)  Update the PetaLinux Application Makefile to allow installation into the root filesystem without re-building

Note: the instructions below were tested with PetaLinux 2013.10. For prior releases of PetaLinux, please see (Xilinx Answer 55975).
 A) remove all sections except "all:" and "install:"
 B) remove "build" from the "all:" tag
 C) update .PHONY to be just "install"

Below is an example of the fixed Makefile for the PetaLinux user application:
ifndef PETALINUX
$(error "Error: PETALINUX environment variable not set.  Change to the root of your PetaLinux install, and source the settings.sh file")
endif

include apps.common.mk

APP = openssl_1.0.1g
# Add any other object files to this list below
APP_OBJS = openssl_1.0.1g.o

all: install
.PHONY: install

# The recipe line below must begin with a tab character
install: $(APP)
	rsync -ar ./target_root/ $(TARGETDIR)/
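
A check that can be run from the application directory before the install target copies ./target_root into the root filesystem, added here as an example and not part of the Xilinx answer record: it reads the version banner compiled into each staged libssl/libcrypto and compares it with the affected range given in the advisory linked above (1.0.1 through 1.0.1f, and 1.0.2-beta1). The function names and the script name check_openssl.sh are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Xilinx answer record.
# Checks which OpenSSL release each staged libssl/libcrypto was built from.

# Map an OpenSSL version token to a status, using the affected range in the
# 7 Apr 2014 advisory (1.0.1 through 1.0.1f, and 1.0.2-beta1).
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo vulnerable ;;
        1.0.1g)                       echo patched ;;
        *)                            echo unlisted ;;  # not named in the advisory
    esac
}

# Extract the version from the banner compiled into the library,
# e.g. "OpenSSL 1.0.1g 7 Apr 2014". Non-printable bytes become line breaks.
openssl_version_of() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9a-z.-]*\) [0-9].*/\1/p' | head -n 1
}

# Report every libssl/libcrypto regular file under a staging directory.
# Returns 0 if none is vulnerable, 1 if any is, 2 if no library was found.
# Assumes file names without embedded newlines.
scan_staging() {
    report=$(find "$1" -type f \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) |
        while IFS= read -r lib; do
            ver=$(openssl_version_of "$lib")
            if [ -n "$ver" ]; then
                echo "$(heartbleed_status "$ver") $ver $lib"
            fi
        done)
    if [ -z "$report" ]; then
        echo "no OpenSSL shared libraries found under $1" >&2
        return 2
    fi
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^vulnerable '; then
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_openssl.sh ./target_root
if [ "$#" -gt 0 ]; then
    scan_staging "$1"
fi
```

A status of unlisted means the version is not named in the advisory and should be reviewed by hand; the same scan can be pointed at the final root filesystem image contents to confirm no older copy of the library remains alongside the new one.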
Date 05/15/2014
Status Active
Type General Article