From bf0965ce37f9f7c37485eea997a4d421d4708133 Mon Sep 17 00:00:00 2001 From: Sabeel Ansari Date: Fri, 22 Sep 2023 10:28:36 -0700 Subject: [PATCH 1/4] Adding documentation for OpenSSL upgrade Signed-off-by: Sabeel Ansari --- docs/guides/security/openssl-guide.md | 25 +++++++++++++++++++++++++ docs/guides/setup/dpdk-setup-guide.md | 3 +++ docs/guides/setup/es2k-setup-guide.md | 3 +++ docs/guides/setup/tofino-setup-guide.md | 3 +++ 4 files changed, 34 insertions(+) create mode 100644 docs/guides/security/openssl-guide.md diff --git a/docs/guides/security/openssl-guide.md b/docs/guides/security/openssl-guide.md new file mode 100644 index 00000000..ba651331 --- /dev/null +++ b/docs/guides/security/openssl-guide.md @@ -0,0 +1,25 @@ +# OpenSSL Guide + +This document provides information about supported OpenSSL versions and +security details that you need to consider. + +OpenSSL is a package dependency as infrap4d uses the library for gRPC. + +## End of Life for OpenSSL 1.1.1 + +OpenSSL 1.1.1 has reached End of Life (EOL) in September 2023. + +It is highly recommended that you upgrade OpenSSL from 1.1.1x to OpenSSL 3.x. +The official migration guide is [available here](https://www.openssl.org/docs/man3.0/man7/migration_guide.html). + +Starting Fedora 37, Ubuntu 22.04 and Rocky Linux 9.0 OpenSSL 3.0.x comes +standard and requires no further action. + +Older distributions of Linux systems download and install OpenSSL 1.1.1 when +running `yum install` or `apt install` commands. If you are using these +operating systems, you will need to upgrade the installed package (either find +an RPM to install upgrade or compile from source). + +Note that infrap4d will compile and run normally with OpenSSL 1.1.1 since +OpenSSL 3.0 is backwards-compatible. In the interest of best security practices +and future security risks, we still recommend upgrading to OpenSSL 3.0. 
diff --git a/docs/guides/setup/dpdk-setup-guide.md b/docs/guides/setup/dpdk-setup-guide.md index 39d79de2..a61fb7bc 100644 --- a/docs/guides/setup/dpdk-setup-guide.md +++ b/docs/guides/setup/dpdk-setup-guide.md @@ -17,6 +17,9 @@ For build instructions, see [P4 SDE Readme](https://github.com/p4lang/p4-dpdk-ta ### Install basic utilities +Note: See [OpenSSL security guide](/guides/security/openssl-guide.md) +for OpenSSL version and EOL information. + ```bash For Fedora distro: yum install libatomic libnl3-devel openssl For Ubuntu distro: apt install libatomic1 libnl-route-3-dev openssl diff --git a/docs/guides/setup/es2k-setup-guide.md b/docs/guides/setup/es2k-setup-guide.md index 8bf5587b..36bb5798 100644 --- a/docs/guides/setup/es2k-setup-guide.md +++ b/docs/guides/setup/es2k-setup-guide.md @@ -13,6 +13,9 @@ For the ACC, see [Building for the ES2K ACC](/guides/building-for-es2k-acc). ### Install basic utilities +Note: See [OpenSSL security guide](/guides/security/openssl-guide.md) +for OpenSSL version and EOL information. + For a Fedora system: ```bash diff --git a/docs/guides/setup/tofino-setup-guide.md b/docs/guides/setup/tofino-setup-guide.md index 3d906eb2..c642bfb8 100644 --- a/docs/guides/setup/tofino-setup-guide.md +++ b/docs/guides/setup/tofino-setup-guide.md @@ -60,6 +60,9 @@ docker exec -it infrap4d bash ### Install basic utilities +Note: See [OpenSSL security guide](/guides/security/openssl-guide.md) +for OpenSSL version and EOL information. + ```bash apt-get update apt-get install sudo git cmake autoconf gcc g++ libtool python3 python3-dev python3-distutils iproute2 libssl-dev From 9d6814635840eae8b0dbc2b5318fd4b3f06adcfe Mon Sep 17 00:00:00 2001 From: Sabeel Ansari <35787514+5abeel@users.noreply.github.com> Date: Mon, 25 Sep 2023 09:13:54 -0500 Subject: [PATCH 2/4] Update docs/guides/security/openssl-guide.md Co-authored-by: Derek G Foster --- docs/guides/security/openssl-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/guides/security/openssl-guide.md b/docs/guides/security/openssl-guide.md index ba651331..adc1fd35 100644 --- a/docs/guides/security/openssl-guide.md +++ b/docs/guides/security/openssl-guide.md @@ -3,7 +3,7 @@ This document provides information about supported OpenSSL versions and security details that you need to consider. -OpenSSL is a package dependency as infrap4d uses the library for gRPC. +OpenSSL is a package dependency, as infrap4d uses the library for gRPC. ## End of Life for OpenSSL 1.1.1 From defb409560a33a29463b944320f1d84f8cc05674 Mon Sep 17 00:00:00 2001 From: Sabeel Ansari <35787514+5abeel@users.noreply.github.com> Date: Mon, 25 Sep 2023 09:16:28 -0500 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Derek G Foster --- docs/guides/security/openssl-guide.md | 17 +++++++++-------- docs/guides/setup/dpdk-setup-guide.md | 2 +- docs/guides/setup/es2k-setup-guide.md | 2 +- docs/guides/setup/tofino-setup-guide.md | 2 +- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/docs/guides/security/openssl-guide.md b/docs/guides/security/openssl-guide.md index adc1fd35..585de979 100644 --- a/docs/guides/security/openssl-guide.md +++ b/docs/guides/security/openssl-guide.md 
@@ -10,16 +10,17 @@ OpenSSL is a package dependency, as infrap4d uses the library for gRPC. OpenSSL 1.1.1 has reached End of Life (EOL) in September 2023. It is highly recommended that you upgrade OpenSSL from 1.1.1x to OpenSSL 3.x. -The official migration guide is [available here](https://www.openssl.org/docs/man3.0/man7/migration_guide.html). +See the [official migration guide](https://www.openssl.org/docs/man3.0/man7/migration_guide.html) +for more information. -Starting Fedora 37, Ubuntu 22.04 and Rocky Linux 9.0 OpenSSL 3.0.x comes +Beginning with Fedora 37, Ubuntu 22.04, and Rocky Linux 9.0, OpenSSL 3.0.x comes standard and requires no further action. Older distributions of Linux systems download and install OpenSSL 1.1.1 when -running `yum install` or `apt install` commands. If you are using these -operating systems, you will need to upgrade the installed package (either find -an RPM to install upgrade or compile from source). +you run the `yum install` or `apt install` command. If you are using one of these +distributions, you will need to find an RPM or DEB package to install +or build OpenSSL 3.x from source. -Note that infrap4d will compile and run normally with OpenSSL 1.1.1 since -OpenSSL 3.0 is backwards-compatible. In the interest of best security practices -and future security risks, we still recommend upgrading to OpenSSL 3.0. +Note that infrap4d will compile and run normally with OpenSSL 1.1.1, since +OpenSSL 3.0 is backward compatible. In the interest of following best security practices +and avoiding future security issues, we recommend upgrading to OpenSSL 3.0. diff --git a/docs/guides/setup/dpdk-setup-guide.md b/docs/guides/setup/dpdk-setup-guide.md index a61fb7bc..002d2af9 100644 --- a/docs/guides/setup/dpdk-setup-guide.md +++ b/docs/guides/setup/dpdk-setup-guide.md 
@@ -17,7 +17,7 @@ For build instructions, see [P4 SDE Readme](https://github.com/p4lang/p4-dpdk-ta ### Install basic utilities -Note: See [OpenSSL security guide](/guides/security/openssl-guide.md) +See the [OpenSSL security guide](/guides/security/openssl-guide.md) for OpenSSL version and EOL information. ```bash diff --git a/docs/guides/setup/es2k-setup-guide.md b/docs/guides/setup/es2k-setup-guide.md index 36bb5798..58a2a315 100644 --- a/docs/guides/setup/es2k-setup-guide.md +++ b/docs/guides/setup/es2k-setup-guide.md @@ -13,7 +13,7 @@ For the ACC, see [Building for the ES2K ACC](/guides/building-for-es2k-acc). ### Install basic utilities -Note: See [OpenSSL security guide](/guides/security/openssl-guide.md) +See the [OpenSSL security guide](/guides/security/openssl-guide.md) for OpenSSL version and EOL information. For a Fedora system: diff --git a/docs/guides/setup/tofino-setup-guide.md b/docs/guides/setup/tofino-setup-guide.md index c642bfb8..ed5e4ece 100644 --- a/docs/guides/setup/tofino-setup-guide.md +++ b/docs/guides/setup/tofino-setup-guide.md @@ -60,7 +60,7 @@ docker exec -it infrap4d bash ### Install basic utilities -Note: See [OpenSSL security guide](/guides/security/openssl-guide.md) +See the [OpenSSL security guide](/guides/security/openssl-guide.md) for OpenSSL version and EOL information. ```bash From 0d619583b09adf7eb20f9f936e836848a84dbfa0 Mon Sep 17 00:00:00 2001 From: Sabeel Ansari Date: Mon, 25 Sep 2023 07:23:48 -0700 Subject: [PATCH 4/4] Update based on recommendations in review Signed-off-by: Sabeel Ansari --- docs/guides/setup/dpdk-setup-guide.md | 2 ++ docs/guides/setup/es2k-setup-guide.md | 2 ++ docs/guides/setup/tofino-setup-guide.md | 2 ++ docs/index.rst | 1 + 4 files changed, 7 insertions(+) diff --git a/docs/guides/setup/dpdk-setup-guide.md b/docs/guides/setup/dpdk-setup-guide.md index 002d2af9..dd3595ca 100644 --- a/docs/guides/setup/dpdk-setup-guide.md +++ b/docs/guides/setup/dpdk-setup-guide.md 
@@ -20,6 +20,8 @@ For build instructions, see [P4 SDE Readme](https://github.com/p4lang/p4-dpdk-ta See the [OpenSSL security guide](/guides/security/openssl-guide.md) for OpenSSL version and EOL information. +--- + ```bash For Fedora distro: yum install libatomic libnl3-devel openssl For Ubuntu distro: apt install libatomic1 libnl-route-3-dev openssl diff --git a/docs/guides/setup/es2k-setup-guide.md b/docs/guides/setup/es2k-setup-guide.md index 58a2a315..36f1bb9a 100644 --- a/docs/guides/setup/es2k-setup-guide.md +++ b/docs/guides/setup/es2k-setup-guide.md @@ -16,6 +16,8 @@ For the ACC, see [Building for the ES2K ACC](/guides/building-for-es2k-acc). See the [OpenSSL security guide](/guides/security/openssl-guide.md) for OpenSSL version and EOL information. +--- + For a Fedora system: ```bash diff --git a/docs/guides/setup/tofino-setup-guide.md b/docs/guides/setup/tofino-setup-guide.md index ed5e4ece..2a717262 100644 --- a/docs/guides/setup/tofino-setup-guide.md +++ b/docs/guides/setup/tofino-setup-guide.md @@ -63,6 +63,8 @@ docker exec -it infrap4d bash See the [OpenSSL security guide](/guides/security/openssl-guide.md) for OpenSSL version and EOL information. +--- + ```bash apt-get update apt-get install sudo git cmake autoconf gcc g++ libtool python3 python3-dev python3-distutils iproute2 libssl-dev diff --git a/docs/index.rst b/docs/index.rst index f6bc57dc..88826d11 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -52,6 +52,7 @@ P4 Control Plane User Guide guides/security/security-guide guides/security/using-tls-certificates + guides/security/openssl-guide .. toctree:: :maxdepth: 1
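Review bot: In the new file docs/guides/security/openssl-guide.md (PATCH 1/4), the guide tells readers on older distributions to upgrade but never says how to tell which OpenSSL they actually have. Suggest adding a short check step, for example running `openssl version`, and noting that the library infrap4d links against through gRPC can differ from the command-line binary on the PATH when a second copy has been built from source. Separately, "has reached End of Life (EOL) in September 2023" reads better as "reached End of Life (EOL) in September 2023", ideally with the exact date.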
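Review bot: In the `@@ -10,16 +10,17 @@` hunk of docs/guides/security/openssl-guide.md (PATCH 3/4), the closing paragraph still gives a reason that does not support its claim: "infrap4d will compile and run normally with OpenSSL 1.1.1, since OpenSSL 3.0 is backward compatible". Backward compatibility in 3.0 explains why code written for 1.1.1 keeps building against 3.x, not why a 1.1.1 build works. Suggest two plain statements: infrap4d still builds and runs with 1.1.1, and no source changes are needed to move to 3.x. The same hunk says "find an RPM or DEB package to install" without saying where from; for a security guide it is worth pointing at the distribution's own repositories or signed upstream sources. The target version is also written three ways in this hunk ("3.x", "3.0.x", "3.0"); pick one.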
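Review bot: In the docs/guides/setup/es2k-setup-guide.md hunks (PATCH 1/4 and 3/4), the new link target `/guides/security/openssl-guide.md` carries the `.md` extension, while the context line directly above links `/guides/building-for-es2k-acc` without one. Please confirm that both forms resolve in the built docs and use the same style here and in the matching dpdk and tofino hunks; PATCH 4/4 registers the page in docs/index.rst as `guides/security/openssl-guide`, which suggests the extensionless form.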
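Review bot: In the docs/guides/setup/dpdk-setup-guide.md hunk of PATCH 4/4 (and the matching es2k and tofino hunks), the added `---` only renders as a horizontal rule while a blank line separates it from "for OpenSSL version and EOL information."; if that blank line is ever removed, Markdown treats the paragraph above as a setext heading. The rule also visually detaches the OpenSSL pointer from the install commands it qualifies. Consider dropping the rule and keeping the pointer as a short note directly above the code block, or using `***` if a separator is really wanted.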