
Re: [Xen-devel] Fixation on polarssl 1.1.4 - EOL was 2013-10-01



On Mon, Feb 15, 2016 at 10:45:48AM -0600, Doug Goldstein wrote:
> On 2/15/16 10:28 AM, Wei Liu wrote:
> > On Sun, Feb 14, 2016 at 07:39:35PM +1100, Steven Haigh wrote:
> >> Hi all,
> >>
> >> Just been looking at the polarssl parts in Xen 4.6 and others - seems
> >> like we're hard coded to version 1.1.4 which was released on 31st May 2012.
> >>
> >> Branch 1.1.x has been EOL for a number of years, 1.2.x has been EOL
> >> since Jan.
> >>
> >> It's now called mbedtls and current versions are 2.2.1 released in Jan
> >> this year.
> >>
> >> I'm not exactly clear on what polarssl is used for (and why not
> >> openssl?) - but is it time this was shown some loving?
> >>
> > 
> > I grep'ed for polarssl in tree and the only user seems to be
> > vtpm. I've CC'ed Daniel and Quan for you.
> > 
> > Wei.
> > 
> 
> Looks like pv-grub has a build dependency on it as well based on the
> snippet from stubdom/Makefile.
> 
> .PHONY: grub
> grub: cross-polarssl grub-upstream $(CROSS_ROOT)
>

Oh, yes, you're right.

Looking at the source code pv-grub only needs the sha1 function from
polarssl which might be easy to deal with though. On the other hand,
if there is no critical bug fix to the sha1 function, I wouldn't
bother upgrading polarssl.

In fact, I think vtpm also only cares about some crypto algorithms
like AES and SHA. We'd better check if there is any critical update to
those functions before doing anything.

Wei.

> 
> -- 
> Doug Goldstein
> 


