[v2] gnutls: Added fips support option.

Message ID: 1651808269-3775-1-git-send-email-leimaohui@fujitsu.com
State: New
Series: [v2] gnutls: Added fips support option.

Commit Message

Maohui Lei (Fujitsu) May 6, 2022, 3:37 a.m. UTC
- Added fips option.
- Fixed a cross-compile bug when enabling fips.

Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
---
 ...r-cross-compile-when-enable-fips.Usi.patch | 28 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   | 18 ++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch

Comments

Alexander Kanavin May 6, 2022, 6:30 a.m. UTC | #1
On Fri, 6 May 2022 at 05:38, leimaohui <leimaohui@fujitsu.com> wrote:
> +DEPENDS:append:class-target = " gnutls-native"
> +DEPENDS:append:class-nativesdk = " gnutls-native"
> +PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"

I think the unconditional DEPENDS lines can be avoided if you use:
PACKAGECONFIG[fips] = "--enable-fips140-mode
--with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"

Alex
Maohui Lei (Fujitsu) May 7, 2022, 2:30 a.m. UTC | #2
Hi, Alex

> I think the unconditional DEPENDS lines can be avoided if you use:
> PACKAGECONFIG[fips] = "--enable-fips140-mode
> --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-nativ
> e"

But because gnutls-native also needs to enable fips, a circular dependency error will occur this way.
---------------------------------------------
ERROR: 288 unbuildable tasks were found.
These are usually caused by circular dependencies and any circular dependency chains found will be printed below. Increase the debug level to see a list of unbuildable tasks.

Identifying dependency loops (this may take a short while)...
......
---------------------------------------------

Best regards
Lei
Alexander Kanavin May 7, 2022, 7:36 a.m. UTC | #3
On Sat, 7 May 2022 at 04:31, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> > I think the unconditional DEPENDS lines can be avoided if you use:
> But because gnutls-native also need to enable fips, circular dependency error will occur in this way.
> ---------------------------------------------
> ERROR: 288 unbuildable tasks were found.
> These are usually caused by circular dependencies and any circular dependency chains found will be printed below. Increase the debug level to see a list of unbuildable tasks.
>
> Identifying dependency loops (this may take a short while)...

Perhaps there could be
PACKAGECONFIG[fips] = "--enable-fips140-mode
--with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"
PACKAGECONFIG[fips-native] = "--enable-fips140-mode
--with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"

You can have different sets of packageconfig options for -native and target.

Alex
Maohui Lei (Fujitsu) May 9, 2022, 1:30 a.m. UTC | #4
Hi, Alex

> PACKAGECONFIG[fips] = "--enable-fips140-mode
> --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-nativ
> e"
> PACKAGECONFIG[fips-native] = "--enable-fips140-mode
> --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"

I'm sorry, but this way doesn't work, because PACKAGECONFIG[fips-native] means PACKAGECONFIG is set for fips-native, not for fips.
And I can't find any existing recipes that configure PACKAGECONFIG[xxx] for native or target separately.
I wonder if you can tell me any recipe for reference.
Thank you.

Best regards
Lei
Alexander Kanavin May 9, 2022, 8:44 a.m. UTC | #5
On Mon, 9 May 2022 at 03:30, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> > PACKAGECONFIG[fips] = "--enable-fips140-mode
> > --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-nativ
> > e"
> > PACKAGECONFIG[fips-native] = "--enable-fips140-mode
> > --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"
>
> I'm sorry that this way doesn’t work, because PACKAGECONFIG[fips-native] means PACKAGECONFIG is set for fips-native not for fips.
> And I don't find any existing recipes that config PACKAGECONFIG[xxx] for native or target separately.
> I wonder If you can tell me any recipe for reference.
> Thank you.

You can issue this in poky/meta and plenty of examples will come up:
[ak@fedora meta]$ grep -ir PACKAGECONFIG *|grep class-native

Alex
Maohui Lei (Fujitsu) May 10, 2022, 12:54 a.m. UTC | #6
Hi Alex

> You can issue this in poky/meta and plenty of examples will come up:
> [ak@fedora meta]$ grep -ir PACKAGECONFIG *|grep class-native

I'm afraid I'm not quite with you. I searched poky with the following command, and there is no example of how to configure PACKAGECONFIG[xxx] for target or native separately.
The results are all about how to configure PACKAGECONFIG for target or native.
----------------------------------------
$ grep -ir PACKAGECONFIG *|grep class-native
meta/recipes-support/libcap/libcap_2.64.bb:PACKAGECONFIG:class-native ??= ""
meta/recipes-support/vim/vim_8.2.bb:PACKAGECONFIG:class-native = ""
meta/recipes-support/sqlite/sqlite3.inc:PACKAGECONFIG:class-native ?= "fts4 fts5 rtree dyn_ext"
......
----------------------------------------

But I think you mean not PACKAGECONFIG but PACKAGECONFIG[fips]. For example, in the libcap_2.64.bb file:
$ cat meta/recipes-support/libcap/libcap_2.64.bb
......
PACKAGECONFIG ??= "libidn  ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} "  //not here
......
PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"   //Your comment means modify here
.......

Did I misunderstand? 

Best regards
Lei
Alexander Kanavin May 11, 2022, 5:39 a.m. UTC | #7
On Tue, 10 May 2022 at 02:54, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> I'm afraid I'm not quite with you. Searched poky by the following command and there is no example about how to config PACKAGECONFIG[xxx] for target or native separately.
> The result is all about how to config PACKAGECONFIG for target or native.
> ----------------------------------------
> $ grep -ir PACKAGECONFIG *|grep class-native
> meta/recipes-support/libcap/libcap_2.64.bb:PACKAGECONFIG:class-native ??= ""
> meta/recipes-support/vim/vim_8.2.bb:PACKAGECONFIG:class-native = ""
> meta/recipes-support/sqlite/sqlite3.inc:PACKAGECONFIG:class-native ?= "fts4 fts5 rtree dyn_ext"
> ......
> ----------------------------------------
>
> But I think you mean not PACKAGECONFIG but PACKAGECONFIG[fips]. For example, in libcap_2.64.bb file:
> $ cat meta/recipes-support/libcap/libcap_2.64.bb
> ......
> PACKAGECONFIG ??= "libidn  ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} "  //not here
> ......
> PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"   //Your comment means modify here
> .......
>
> Did I misunderstand?

Sorry, it's always a bit confusing with PACKAGECONFIG, as the keyword
is used for two different purposes.

What I meant is something like this:

PACKAGECONFIG ??= "fips"
PACKAGECONFIG:class-native ??= "fips-native"

Alex
Maohui Lei (Fujitsu) May 11, 2022, 8:15 a.m. UTC | #8
Hi, Alex

> PACKAGECONFIG ??= "fips"
> PACKAGECONFIG:class-native ??= "fips-native"

I got it. It seems an unusual method because there is no recipe using this way in .
In this way, it means that if a user wants to enable fips, the following PACKAGECONFIG should be added in the recipe.

PACKAGECONFIG:append:class-target = fips
PACKAGECONFIG:append:class-nativesdk = fips
PACKAGECONFIG:append:class-target = fips-native

So, I'll send a v3 patch in this way, is it ok?

Best regards 
Lei
Alexander Kanavin May 11, 2022, 11:08 a.m. UTC | #9
On Wed, 11 May 2022 at 10:15, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> I got it. It seems an unusual method because there is no recipe using this way in .
> In this way, it means that if user want to enable fips, the following PACKAGECONFIG should be added in recipe.
>
> PACKAGECONFIG:append:class-target = fips
> PACKAGECONFIG:append:class-nativesdk = fips
> PACKAGECONFIG:append:class-target = fips-native

Yes, this should be fine. You can add a comment in the recipe
explaining how to do it.

> So, I'll send a v3 patch in this way, is it ok?

Yes please. The real problem here is that gnutls upstream didn't
consider how fips build is supposed to work in cross-compilation,
so you should also file a ticket with them and hopefully discuss how
the problem can be properly solved.

There are two options:
- do what your patch does and use the needed binary from the host
system, subject to ./configure flag.
- build the needed binary twice, first for the host (using BUILD_CC),
then for the cross-target.

Alex
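As an added example (not code from this thread, from the OE-core recipe, or from the v3 patch), here is how the `fips`/`fips-native` split that Alex proposes in #7 and #9 could be written so that the circular dependency from #2 cannot come back. The flag names follow the thread; the `pn-` override lines, the comments and the choice to leave the flags off by default are this example's own.

```bitbake
# Added example: gnutls recipe fragment for the fips / fips-native split.
# Not the OE-core recipe; flag names come from the thread, the rest is
# illustrative.

# Target and nativesdk builds run the HMAC tool from gnutls-native, so the
# dependency goes in the third field of the 'fips' flag. The native variant
# gets its own flag with that field EMPTY: gnutls-native depending on
# gnutls-native is the "288 unbuildable tasks" loop reported in message #2.
PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"
PACKAGECONFIG[fips-native] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"

# Both flags stay off unless a distro or local.conf turns them on. The pn-
# override selects one recipe variant, which is what the thread was missing:
# the class-native variant must receive 'fips-native', never 'fips'.
#   PACKAGECONFIG:append:pn-gnutls = " fips"
#   PACKAGECONFIG:append:pn-nativesdk-gnutls = " fips"
#   PACKAGECONFIG:append:pn-gnutls-native = " fips-native"
# Alternatively, inside this recipe, per class (this is Alex's form from #7):
#   PACKAGECONFIG:class-native ??= "fips-native"

# Only the cross builds take the Makefile.am patch that runs fipshmac from
# PATH; the native build keeps upstream's $(builddir)/fipshmac, because it is
# the build that produces the tool everyone else uses.
SRC_URI:append:class-target = " file://0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch"
SRC_URI:append:class-nativesdk = " file://0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch"
```

To check the result before building, `bitbake -e gnutls | grep '^PACKAGECONFIG='` and the same for `gnutls-native` show which flag each variant ended up with, `bitbake -e gnutls | grep '^DEPENDS='` confirms that `gnutls-native` appears only for the target variant, and `bitbake -g gnutls` writes `task-depends.dot`, where any remaining loop through `gnutls-native` is visible without waiting for the "unbuildable tasks" error.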
Maohui Lei (Fujitsu) May 12, 2022, 12:44 a.m. UTC | #10
Hi, Alex

> > So, I'll send a v3 patch in this way, is it ok?
> 
> Yes please.

OK, I'll submit a V3 patch later.

> The real problem here is that gnutls upstream didn't consider how fips
> build is supposed to work in cross-compilation, so you should also file a ticket
> with them and hopefully discuss how the problem can be properly solved.
> 
> There are two options:
> - do what your patch does and use the needed binary from the host system,
> subject to ./configure flag.
> - build the needed binary twice, first for the host (using BUILD_CC), then for the
> cross-target.

Thanks for your comment and I'll submit a question to gnutls upstream.

Best regards
Lei

Patch

diff --git a/meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch b/meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch
new file mode 100644
index 0000000000..0eeebb9b5e
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch
@@ -0,0 +1,28 @@ 
+From 755494234d71063ef1db6470d780a558ddfd1c56 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Fri, 6 May 2022 10:51:39 +0900
+Subject: [PATCH] Fix build bug for cross-compile when enable fips.Using binary
+ from gnutls-native instead of target.
+
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ lib/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index c3d7b6e..0f099f4 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -207,7 +207,7 @@ hmac_files = .libs/.$(gnutls_so).hmac
+ all-local: $(hmac_files)
+ 
+ .libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
+-	$(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
++	$(AM_V_GEN) fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
+ 
+ CLEANFILES = $(hmac_files)
+ endif
+-- 
+2.25.1
+
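Review bot: the replacement rule `+	$(AM_V_GEN) fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@` resolves `fipshmac` through PATH, while the rule's prerequisite line still lists the just-cross-built `fipshmac`, so the target tool is built and then ignored, and whichever `fipshmac` is first in PATH produces the `.hmac` file that FIPS mode later checks against the library. Prefer an overridable make variable (for example `FIPSHMAC ?= $(builddir)/fipshmac` and `$(FIPSHMAC) .libs/$(gnutls_so)`) so the recipe passes the native tool explicitly and a non-cross build keeps upstream behaviour; written that way the change is something gnutls upstream could take, which fits the plan in #9 to open a ticket with them better than `Upstream-Status: Inappropriate [embedded specific]`. The Subject line also lacks a space after `fips.` (`fips.Using binary`).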
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index b34eb7f5f0..5882e980e7 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -15,6 +15,8 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
                     file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
 DEPENDS = "nettle gmp virtual/libiconv libunistring"
+DEPENDS:append:class-target = " gnutls-native"
+DEPENDS:append:class-nativesdk = " gnutls-native"
 DEPENDS:append:libc-musl = " argp-standalone"
 
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
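Review bot: `DEPENDS:append:class-target = " gnutls-native"` and the nativesdk line below it add the dependency even when `fips` is not in PACKAGECONFIG, so every gnutls target build now also builds gnutls-native. The depends field of `PACKAGECONFIG[fips]` cannot carry it (gnutls-native would depend on itself, the loop from #2), so either gate it, `DEPENDS:append:class-target = "${@bb.utils.contains('PACKAGECONFIG', 'fips', ' gnutls-native', '', d)}"`, or use the `fips`/`fips-native` split from #7 so that only the non-native flag carries the dependency and these two lines disappear.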
@@ -22,6 +24,12 @@  SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
            file://arm_eabi.patch \
            "
+SRC_URI:append:class-target = "\
+           file://0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch \
+           "
+SRC_URI:append:class-nativesdk = "\
+           file://0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch \
+           "
 
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
 
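Review bot: the patch is applied for class-target and class-nativesdk regardless of whether `fips` is selected, and nothing says why class-native is left out (it must keep using the `fipshmac` it just built, since it is the build that provides the tool); a one-line comment above `SRC_URI:append:class-target` would save the next reader the trip through this thread. The two identical appends can share one variable (for example `FIPS_CROSS_PATCH = "file://…"` referenced from both), and the file name `…when-enable-fips.Usi.patch` is a truncated auto-generated subject; a descriptive name such as `0001-Use-fipshmac-from-PATH-when-cross-compiling.patch` reads better in `SRC_URI`.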
@@ -36,6 +44,7 @@  PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"
 
 EXTRA_OECONF = " \
     --enable-doc \
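Review bot: `PACKAGECONFIG[fips]` is added with an intentionally empty depends field and no default, but nothing in the recipe says so, which is exactly what led to the suggestion in #1 to move `gnutls-native` into that field. Add the comment Alex asks for in #9 above this line, stating that the dependency is deliberately carried elsewhere because gnutls-native must not depend on itself, and how to enable the option (for example `PACKAGECONFIG:append = " fips"` for target builds).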
@@ -59,6 +68,15 @@  do_configure:prepend() {
 	done
 }
 
+do_install:append:class-native() {
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+          install -d ${D}${base_prefix}/bin
+          install -d ${D}${base_prefix}/bin/.libs
+          install -m 0755 ${B}/lib/fipshmac ${D}${base_prefix}/bin/
+          install -m 0755 ${B}/lib/.libs/fipshmac ${D}/${base_prefix}/bin/.libs/
+        fi
+}
+
 PACKAGES =+ "${PN}-openssl ${PN}-xx"
 
 FILES:${PN}-dev += "${bindir}/gnutls-cli-debug"
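Review bot: `install -m 0755 ${B}/lib/fipshmac ${D}${base_prefix}/bin/` copies what looks like the libtool wrapper script (the real executable is the `.libs/fipshmac` copied on the next line into a hidden `bin/.libs`), and libtool wrappers can embed absolute build-tree paths, so what lands in `bin/` should be checked with `file` to confirm it is the binary that is wanted; installing `${B}/lib/.libs/fipshmac` directly as `bin/fipshmac`, or going through `libtool --mode=install`, avoids shipping the wrapper and the hidden directory in the native sysroot. Two style points: `${D}/${base_prefix}/bin/.libs/` has a doubled slash compared with the line above it, and the function body is indented with 8 spaces while the rest of the recipe (see the `done` in the unchanged context above) uses tabs.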