gnutls: Added fips support option.

Message ID 1651131215-4196-1-git-send-email-leimaohui@fujitsu.com
State New

Commit Message

Maohui Lei (Fujitsu) April 28, 2022, 7:33 a.m. UTC
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
---
 meta/recipes-support/gnutls/gnutls_3.7.4.bb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Comments

Alexander Kanavin April 28, 2022, 8:11 a.m. UTC | #1
What do those do_compile/do_install tweaks do, and why are they
necessary? Please explain, it seems like there might be a better way
to do this.

Alex

On Thu, 28 Apr 2022 at 09:34, leimaohui <leimaohui@fujitsu.com> wrote:
>
> Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
> ---
>  meta/recipes-support/gnutls/gnutls_3.7.4.bb | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
> index b34eb7f..5a34805 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
> @@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
>                      file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
>
>  DEPENDS = "nettle gmp virtual/libiconv libunistring"
> +DEPENDS:append:class-target = " gnutls-native"
>  DEPENDS:append:libc-musl = " argp-standalone"
>
>  SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
> @@ -36,6 +37,7 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
>  PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
>  PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
>  PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
> +PACKAGECONFIG[fips] = "--enable-fips140-mode,--disable-fips140-mode"
>
>  EXTRA_OECONF = " \
>      --enable-doc \
> @@ -59,6 +61,21 @@ do_configure:prepend() {
>         done
>  }
>
> +do_compile:prepend:class-target () {
> +        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> +          sed -i -e "s#\$(builddir)/fipshmac#${STAGING_DIR_NATIVE}${libdir}/fipshmac#g" ${B}/lib/Makefile
> +        fi
> +}
> +
> +do_install:append:class-native() {
> +        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> +          install -d ${D}${libdir}
> +          install -d ${D}${libdir}/.libs
> +          install -m 0755 ${B}/lib/fipshmac ${D}${libdir}/
> +          install -m 0755 ${B}/lib/.libs/fipshmac ${D}${libdir}/.libs/
> +        fi
> +}
> +
>  PACKAGES =+ "${PN}-openssl ${PN}-xx"
>
>  FILES:${PN}-dev += "${bindir}/gnutls-cli-debug"
> --
> 1.8.3.1
Maohui Lei (Fujitsu) April 29, 2022, 4:51 a.m. UTC | #2
Hi, Alex

> What do those do_compile/do_install tweaks do, and why are they necessary?
> Please explain, it seems like there might be a better way to do this.

Sorry, it seems that I should add an explanation to the commit message.
I found that if fips is enabled, a binary built for the target will be executed in the do_compile task. The log (MACHINE ?= "qemuarm64") is as follows:
------------------------------------------------------
| ./fipshmac .libs/libgnutls.so.30 > .libs/.libgnutls.so.30.hmac-t && mv .libs/.libgnutls.so.30.hmac-t .libs/.libgnutls.so.30.hmac
| libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so.30" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so.30")
| libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so")
| /lib/ld-linux-aarch64.so.1: No such file or directory

So, I tweaked do_compile/do_install to use fipshmac from native instead of target. If there is a better way, please tell me.
And if there are no questions, I'll send a v2 patch with an issue fixed for multilib.

Best regards
Lei Maohui

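The error quoted in the log above (`/lib/ld-linux-aarch64.so.1: No such file or directory`) is what the host shell prints when it is asked to run a cross-built binary whose ELF interpreter does not exist on the build host. The following script, added here as an illustration and not part of the patch or of the gnutls build, reads the ELF machine type and the PT_INTERP entry of a helper binary before it is executed, so a build can stop with a clear message instead; the function names `elf_interp_info`, `check_build_helper` and `make_elf64` are mine, and `make_elf64` constructs minimal ELF64 images for the demonstration rather than reading real files.

```python
import platform
import struct

# e_machine values for the two architectures that appear in this thread.
ELF_MACHINES = {0x3E: "x86_64", 0xB7: "aarch64"}
HOST_ALIASES = {"amd64": "x86_64", "arm64": "aarch64"}
PT_INTERP = 3  # program header that carries the dynamic loader path

def elf_interp_info(data):
    """Return (machine_name, loader_path) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_machine = struct.unpack_from("<H", data, 0x12)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    interp = None
    for i in range(e_phnum):
        # Phdr64 prefix: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
            break
    return ELF_MACHINES.get(e_machine, hex(e_machine)), interp

def check_build_helper(data, host_machine=None):
    """Return (ok, message) saying whether the helper can run on this host."""
    host = host_machine or platform.machine()
    host = HOST_ALIASES.get(host, host)
    machine, interp = elf_interp_info(data)
    if machine != host:
        return False, ("%s binary cannot run on %s host; the shell would report "
                       "its loader %s as 'No such file or directory'"
                       % (machine, host, interp))
    return True, "%s binary with loader %s matches the host" % (machine, interp)

def make_elf64(e_machine, interp):
    """Build a minimal ELF64 image with one PT_INTERP entry (constructed sample)."""
    ehsize, phentsize = 64, 56
    interp_b = interp.encode() + b"\0"
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, e_machine, 1, 0, ehsize,
                               0, 0, ehsize, phentsize, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, ehsize + phentsize, 0, 0,
                       len(interp_b), len(interp_b), 1)
    return ehdr + phdr + interp_b
```

Pointing `check_build_helper` at the real `${B}/lib/.libs/fipshmac` from a target build would flag it as an aarch64 binary on an x86_64 host, which is exactly the situation the sed workaround in the patch papers over.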
Alexander Kanavin April 29, 2022, 7:05 a.m. UTC | #3
On Fri, 29 Apr 2022 at 06:51, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> Sorry, it seems that I should add an explanation to the commit message.
> I found that if fips is enabled, a binary built for the target will be executed in the do_compile task. The log (MACHINE ?= "qemuarm64") is as follows:
> ------------------------------------------------------
> | ./fipshmac .libs/libgnutls.so.30 > .libs/.libgnutls.so.30.hmac-t && mv .libs/.libgnutls.so.30.hmac-t .libs/.libgnutls.so.30.hmac
> | libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so.30" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so.30")
> | libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so")
> | /lib/ld-linux-aarch64.so.1: No such file or directory
>
> So, I tweaked do_compile/do_install to use fipshmac from native instead of target. If there is a better way, please tell me.
> And if there are no questions, I'll send a v2 patch with an issue fixed for multilib.

Can you please show the fragment in the Makefile where the target
binary is executed? It is better to make a real patch that changes it
to run a native binary, instead of changing it with sed. (sed patching
is problematic because it's not clear from the recipe what is being
done exactly, and what the original and the changed code look like).

Alex
Maohui Lei (Fujitsu) May 5, 2022, 4:19 a.m. UTC | #4
Hi, Alex

Sorry for the late reply; I was on holiday.

> Can you please show the fragment in the Makefile where the target binary is
> executed? It is better to make a real patch that changes it to run a native binary,
> instead of changing it with sed. (sed patching is problematic because it's not clear
> from the recipe what is being done exactly, and what the original and the changed
> code look like).

Yes, at first I wanted to fix this issue with a patch, but I had no idea how. The binary is just a file that exists in the build directory, and it can't be found in "PATH".
So I had to install it into ${D} of native, then specify the absolute native path with a sed command for target and nativesdk.

The following is the part where the target/nativesdk binary is executed (nativesdk also has the issue).
$ cat tmp/work/core2-32-poky-linux/gnutls/3.7.4-r0/build/lib/Makefile
......
.libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
        $(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
......

Best regards
Lei

Alexander Kanavin May 5, 2022, 5 a.m. UTC | #5
On Thu, 5 May 2022 at 06:19, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> .libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
>         $(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@

If fipshmac from -native is installed into the sysroot-native, then
it will be in PATH, and then you can simply drop the $(builddir)/ prefix
with a simple patch.

Alex

Patch

diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index b34eb7f..5a34805 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -15,6 +15,7 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
                     file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
 DEPENDS = "nettle gmp virtual/libiconv libunistring"
+DEPENDS:append:class-target = " gnutls-native"
 DEPENDS:append:libc-musl = " argp-standalone"
 
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
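Review bot: `DEPENDS:append:class-target = " gnutls-native"` pulls a full native build of gnutls into every target build, not only when `fips` is in PACKAGECONFIG, although the native binary is consumed only inside the `fips` guard of `do_compile:prepend:class-target` further down. Make the dependency conditional in the same way, e.g. `DEPENDS:append:class-target = " ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'gnutls-native', '', d)}"`, so that builds without FIPS keep their current dependency graph.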
@@ -36,6 +37,7 @@  PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[fips] = "--enable-fips140-mode,--disable-fips140-mode"
 
 EXTRA_OECONF = " \
     --enable-doc \
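Review bot: `PACKAGECONFIG[fips]` carries no comment explaining that it only works when gnutls-native is also configured with `fips` (the native `do_install:append` stages fipshmac only under that condition) and that the target build rewrites `lib/Makefile` at compile time; a one-line comment above this option would spare the next reader the archaeology the reviewer had to ask for in this thread. If the native recipe is built without `fips`, the path written by the sed in the next hunk points at a file that does not exist and the `.hmac` generation fails late, with a less obvious error.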
@@ -59,6 +61,21 @@  do_configure:prepend() {
 	done
 }
 
+do_compile:prepend:class-target () {
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+          sed -i -e "s#\$(builddir)/fipshmac#${STAGING_DIR_NATIVE}${libdir}/fipshmac#g" ${B}/lib/Makefile
+        fi
+}
+
+do_install:append:class-native() {
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+          install -d ${D}${libdir}
+          install -d ${D}${libdir}/.libs
+          install -m 0755 ${B}/lib/fipshmac ${D}${libdir}/
+          install -m 0755 ${B}/lib/.libs/fipshmac ${D}${libdir}/.libs/
+        fi
+}
+
 PACKAGES =+ "${PN}-openssl ${PN}-xx"
 
 FILES:${PN}-dev += "${bindir}/gnutls-cli-debug"
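Review bot: `do_compile:prepend:class-target` is restricted to class-target, yet the reply in this thread says nativesdk shows the same failure, so a nativesdk build still runs the freshly cross-built `$(builddir)/fipshmac` on the host. Two further problems sit in this hunk: the `sed -i` does nothing, silently, if the Makefile text no longer matches (no check that the pattern was found), and `${STAGING_DIR_NATIVE}${libdir}` expands `libdir` in the target recipe's context, which stops matching the location the native recipe installed to as soon as a multilib libdir is in play (the multilib issue the author mentions). Installing the real binary, `${B}/lib/.libs/fipshmac` (the top-level `${B}/lib/fipshmac` next to it looks like the libtool wrapper, hence the pair of installs), into `${D}${bindir}` of the native recipe would put it on PATH, after which a source patch that drops the `$(builddir)/` prefix, as suggested in #5, replaces both the sed and the libdir guesswork and covers nativesdk as well.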