edk2: 202302 -> 202305

[Luflosi]

Description of changes

https://github.com/tianocore/edk2/releases/tag/edk2-stable202305

This includes "[OpenSSL] Update OpenSSL version to version 1.1.1t to include CVE fix".

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[RaitoBezarius]

What the hell EDK2…

[ajs124]

maybe we should just take openssl from nixpkgs. something like this would probably work:

--- a/pkgs/development/compilers/edk2/default.nix
+++ b/pkgs/development/compilers/edk2/default.nix
@@ -8,6 +8,7 @@
 , llvmPackages_9
 , lib
 , buildPackages
+, openssl
 }:
 
 let
@@ -46,6 +47,12 @@ edk2 = buildStdenv.mkDerivation {
     })
   ];
 
+  prePatch = ''
+    rm -rf CryptoPkg/Library/OpensslLib/openssl
+    tar xf ${openssl.src} -C CryptoPkg/Library/OpensslLib
+    mv -v CryptoPkg/Library/OpensslLib/openssl-* CryptoPkg/Library/OpensslLib/openssl
+  '';
+
   # submodules
   src = fetchFromGitHub {
     owner = "tianocore";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a8687892e8c..f6c0befe390 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7270,7 +7270,9 @@ with pkgs;
 
   edit = callPackage ../applications/editors/edit { };
 
-  edk2 = callPackage ../development/compilers/edk2 { };
+  edk2 = callPackage ../development/compilers/edk2 {
+    openssl = openssl_1_1;
+  };
 
   edk2-uefi-shell = callPackage ../tools/misc/edk2-uefi-shell { };

[Luflosi]

I can't tell if this is a good or a bad idea. If you look at tianocore/edk2@4ca4041 for example, there are more changes than just changes to the openssl submodule. This may or may not lead to issues when we change the openssl version.

[ajs124]

hm, fair enough

[LunNova]

Let's merge this first, that approach might be worth doing in another PR but this one should be backported.

[github-actions]

Backport failed for release-23.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-23.05
git worktree add -d .worktree/backport-241786-to-release-23.05 origin/release-23.05
cd .worktree/backport-241786-to-release-23.05
git checkout -b backport-241786-to-release-23.05
ancref=$(git merge-base 30a8e2f43bd834eaed9a4a32cbbbdd0436351681 2edeba8e6ca61315478ab265221cd4c4dcebe95b)
git cherry-pick -x $ancref..2edeba8e6ca61315478ab265221cd4c4dcebe95b