| Message ID | 20250509093740.1367372-1-yi.zhao@windriver.com |
|---|---|
| State | New |
| Series | openssl: add fips support |
On Fri, 9 May 2025 at 11:38, Yi Zhao via lists.openembedded.org
<yi.zhao=eng.windriver.com@lists.openembedded.org> wrote:
> * Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
> config file fipsmodule.cnf is created on target.

> + # Generate fipsmodule.cnf on first boot
> + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
> + fi

> +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
> + if test -f ${libdir}/ossl-modules/fips.so; then
> + ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
> + fi
> +}
> +

This needs to be better explained:

- why is the standard fipsmodule.cnf deleted in do_install? If
upstream installs it, then why can't we simply use it?

- why re-generation of that file has to happen on target? Can we use
native openssl instead? Or run target openssl with qemu usermode?

Alex
On 5/9/25 17:56, Alexander Kanavin wrote:
> On Fri, 9 May 2025 at 11:38, Yi Zhao via lists.openembedded.org
> <yi.zhao=eng.windriver.com@lists.openembedded.org> wrote:
>> * Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
>> config file fipsmodule.cnf is created on target.
>> + # Generate fipsmodule.cnf on first boot
>> + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
>> + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
>> + fi
>> +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
>> + if test -f ${libdir}/ossl-modules/fips.so; then
>> + ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
>> + fi
>> +}
>> +
> This needs to be better explained:
>
> - why is the standard fipsmodule.cnf deleted in do_install? If
> upstream installs it, then why can't we simply use it?
>
> - why re-generation of that file has to happen on target? Can we use
> native openssl instead? Or run target openssl with qemu usermode?

The "openssl fipsinstall" command will do the following things:
1. Runs the FIPS module self tests on target
2. Generates config file fipsmodule.conf containing information about
the module such as the calculated MAC of the FIPS module and the MAC of
the value of the self tests status

We should not use the same fipsmodule.cnf on different machines. So it
will be generated on the target.

//Yi

>
> Alex
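Yi's explanation above, of why fipsmodule.cnf has to be generated on the target, comes down to the file carrying a MAC over the provider binary that is installed there. The script below is an added example, not code from this patch or from OpenSSL: it parses the key = value layout of fipsmodule.cnf and checks the recorded module-mac against a given module file, which is the binding a load-time integrity check relies on. The HMAC key, the module bytes and the config text are all constructed for the demo (OpenSSL's provider uses its own fixed key and its own self-test logic), so what it shows is only why a config produced for one build of fips.so does not validate against another.

```python
"""Check that a fipsmodule.cnf belongs to a given FIPS provider binary.

Added example (not part of the openembedded-core patch or of OpenSSL):
models what `openssl fipsinstall` records and what the provider later
checks at load time, an HMAC-SHA256 over the whole module file stored as
`module-mac` in fipsmodule.cnf.  Key, module bytes and config text are
constructed for the demo; OpenSSL uses its own fixed key.
"""
import hashlib
import hmac


def parse_fipsmodule_cnf(text):
    """Return {section: {key: value}} for the simple key = value layout
    fipsmodule.cnf uses.  Values stay strings; blank and '#' lines skip."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def module_mac(module_bytes, key):
    """HMAC-SHA256 over the provider binary, rendered in the colon-separated
    upper-case hex form seen in the fipsmodule.cnf diff on this thread."""
    digest = hmac.new(key, module_bytes, hashlib.sha256).digest()
    return ":".join(f"{b:02X}" for b in digest)


def config_matches_module(cnf_text, module_bytes, key, section="fips_sect"):
    """True only if the module-mac recorded in the config equals the MAC of
    the module bytes, i.e. the config was generated for exactly this binary.
    A config with no module-mac at all is treated as not matching."""
    sect = parse_fipsmodule_cnf(cnf_text).get(section, {})
    recorded = sect.get("module-mac")
    if recorded is None:
        return False
    # Constant-time comparison, as a verifier of a MAC should use.
    return hmac.compare_digest(recorded, module_mac(module_bytes, key))


# Constructed demo data: a placeholder key (NOT OpenSSL's) and two "builds"
# of the provider that differ by one byte.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MODULE_A = b"\x7fELF-demo-fips-provider-build-A"
MODULE_B = b"\x7fELF-demo-fips-provider-build-B"


def make_cnf(module_bytes, key):
    """The shape of file fipsinstall writes after a successful self-test run
    (constructed here; only module-mac matters for the check above)."""
    return (
        "[fips_sect]\n"
        "activate = 1\n"
        "install-version = 1\n"
        "conditional-errors = 1\n"
        "security-checks = 1\n"
        f"module-mac = {module_mac(module_bytes, key)}\n"
    )


if __name__ == "__main__":
    cnf_for_a = make_cnf(MODULE_A, DEMO_KEY)
    print("same build :", config_matches_module(cnf_for_a, MODULE_A, DEMO_KEY))  # True
    print("other build:", config_matches_module(cnf_for_a, MODULE_B, DEMO_KEY))  # False
```

On a real target the equivalent check, which also re-runs the self tests, is `openssl fipsinstall -module <path to fips.so> -in <path to fipsmodule.cnf> -verify`; a non-zero exit there is the same "config was made for a different binary" condition the demo reports as False.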
> The "openssl fipsinstall" command will do the following things:
> 1. Runs the FIPS module self tests on target
> 2. Generates config file fipsmodule.conf containing information about
> the module such as the calculated MAC of the FIPS module and the MAC of
> the value of the self tests status
>
> We should not use the same fipsmodule.cnf on different machines. So it
> will be generated on the target.

Thanks. Is the original file (which is installed and then deleted)
pre-packaged with openssl tarball, or generated during build? Can you
show the difference between that, and the file that gets generated on
target? I'd like to see the actual content.

Alex
On 5/9/25 20:35, Alexander Kanavin via lists.openembedded.org wrote:
>> The "openssl fipsinstall" command will do the following things:
>> 1. Runs the FIPS module self tests on target
>> 2. Generates config file fipsmodule.conf containing information about
>> the module such as the calculated MAC of the FIPS module and the MAC of
>> the value of the self tests status
>>
>> We should not use the same fipsmodule.cnf on different machines. So it
>> will be generated on the target.
> Thanks. Is the original file (which is installed and then deleted)
> pre-packaged with openssl tarball, or generated during build? Can you
> show the difference between that, and the file that gets generated on
> target? I'd like to see the actual content.

The original file is generated by util/mk-fipsmodule-cnf.pl during build.

Here is the diff result:

$ diff fipsmodule.cnf.orig fipsmodule.cnf
6,29c6,30
< module-mac = 8A:6E:E0:65:18:AF:1C:1C:67:FA:CF:8E:89:9B:67:03:4A:1F:0E:87:1A:34:23:D3:5D:90:73:98:32:A3:AC:31
< tls1-prf-ems-check = 1
< no-short-mac = 1
< drbg-no-trunc-md = 1
< signature-digest-check = 1
< dsa-sign-disabled = 1
< hkdf-digest-check = 1
< tls13-kdf-digest-check = 1
< tls1-prf-digest-check = 1
< sshkdf-digest-check = 1
< sskdf-digest-check = 1
< x963kdf-digest-check = 1
< tdes-encrypt-disabled = 1
< rsa-pkcs15-pad-disabled = 1
< rsa-pss-saltlen-check = 1
< rsa-sign-x931-pad-disabled = 1
< hkdf-key-check = 1
< kbkdf-key-check = 1
< tls13-kdf-key-check = 1
< tls1-prf-key-check = 1
< sshkdf-key-check = 1
< sskdf-key-check = 1
< x963kdf-key-check = 1
< x942kdf-key-check = 1
---
> hmac-key-check = 0
> kmac-key-check = 0
> tls1-prf-ems-check = 0
> no-short-mac = 0
> drbg-no-trunc-md = 0
> signature-digest-check = 0
> hkdf-digest-check = 0
> tls13-kdf-digest-check = 0
> tls1-prf-digest-check = 0
> sshkdf-digest-check = 0
> sskdf-digest-check = 0
> x963kdf-digest-check = 0
> dsa-sign-disabled = 0
> tdes-encrypt-disabled = 0
> rsa-pkcs15-pad-disabled = 0
> rsa-pss-saltlen-check = 0
> rsa-sign-x931-pad-disabled = 0
> hkdf-key-check = 0
> kbkdf-key-check = 0
> tls13-kdf-key-check = 0
> tls1-prf-key-check = 0
> sshkdf-key-check = 0
> sskdf-key-check = 0
> x963kdf-key-check = 0
> x942kdf-key-check = 0
31,33c32,33
< ecdh-cofactor-check = 1
< hmac-key-check = 1
< kmac-key-check = 1
---
> ecdh-cofactor-check = 0
> module-mac = 83:F9:46:E4:60:88:FC:B7:CF:7D:CA:30:1F:9D:9A:FB:4C:18:5F:57:68:44:C7:2D:8D:8A:CD:92:21:D4:10:44

>
> Alex
On Fri, 9 May 2025 at 15:17, Yi Zhao <yi.zhao@windriver.com> wrote:
> The original file is generated by util/mk-fipsmodule-cnf.pl during build.
Thanks. It's a little odd that this script is not using 'openssl
fipsinstall', but rather seems to be writing out a hardcoded config:
https://github.com/openssl/openssl/blob/master/util/mk-fipsmodule-cnf.pl
Otherwise looks fine - you can send a v2 with the information
provided in responses to questions added to the commit message.
Alex
On 5/9/25 21:44, Alexander Kanavin wrote:
> On Fri, 9 May 2025 at 15:17, Yi Zhao <yi.zhao@windriver.com> wrote:
>> The original file is generated by util/mk-fipsmodule-cnf.pl during build.
> Thanks. It's a little odd that this script is not using 'openssl
> fipsinstall', but rather seems to be writing out a hardcoded config:
> https://github.com/openssl/openssl/blob/master/util/mk-fipsmodule-cnf.pl
>
> Otherwise looks fine - you can send a v2 with the information
> provided in responses to questions added to the commit message.

Thanks, I will send V2.

//Yi

>
> Alex
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb index 865e04deb2..fdb304c73c 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb @@ -31,6 +31,7 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt PACKAGECONFIG[no-tls1] = "no-tls1" PACKAGECONFIG[no-tls1_1] = "no-tls1_1" PACKAGECONFIG[manpages] = "" +PACKAGECONFIG[fips] = "enable-fips" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" @@ -154,7 +155,9 @@ do_compile:append () { } do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \ + ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)} oe_multilib_header openssl/opensslconf.h oe_multilib_header openssl/configuration.h @@ -172,6 +175,11 @@ do_install () { ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf + + # Generate fipsmodule.cnf on first boot + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf + fi } do_install:append:class-native () { 
@@ -229,12 +237,18 @@ do_install_ptest() { ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers } +pkg_postinst_ontarget:${PN}-ossl-module-fips () { + if test -f ${libdir}/ossl-modules/fips.so; then + ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so + fi +} + # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto # package RRECOMMENDS on this package. This will enable the configuration # file to be installed for both the openssl-bin package and the libcrypto # package since the openssl-bin package depends on the libcrypto package. -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy" +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips" FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES:libssl = "${libdir}/libssl${SOLIBS}" @@ -246,6 +260,7 @@ FILES:${PN}-engines = "${libdir}/engines-3" FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3" FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so" +FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so" FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/" FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
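Review bot: in the do_install hunk (@@ -172,6 +175,11 @@) the comment "# Generate fipsmodule.cnf on first boot" sits above a line that only deletes the file, `rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf`, so it does not say why the file that install_fips just put there is being thrown away. State here what the thread established: the installed copy is written by util/mk-fipsmodule-cnf.pl with a module-mac for the build-time fips.so, and the file is recreated per target by pkg_postinst_ontarget:${PN}-ossl-module-fips. Without that, the next person to touch do_install reads the rm as a leftover, or a later change ships a fipsmodule.cnf whose module-mac never matches the installed module.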
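Review bot: in the pkg_postinst_ontarget hunk (@@ -229,12 +237,18 @@) the function runs ${bindir}/openssl but the change adds no RDEPENDS on the package that provides that binary, and the guard tests only for ${libdir}/ossl-modules/fips.so, so an image that pulls in just ${PN}-ossl-module-fips gets a failing postinst and no fipsmodule.cnf; add `RDEPENDS:${PN}-ossl-module-fips += "${PN}"` (or whichever package owns ${bindir}/openssl in this recipe) and test for the binary as well as the module. Two related points: the generated ${libdir}/ssl-3/fipsmodule.cnf is owned by no package, so a matching pkg_postrm that removes it keeps package removal clean; and the diff Yi posted shows the on-target fipsinstall run writing every *-check and *-disabled option as 0 where the build-time file had 1, which the commit message should confirm as intended (or the postinst should pass the corresponding fipsinstall options), since those options govern the provider's security checks.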
* Add PACKAGECONFIG[fips] to enable fips build.
* Split a new package openssl-ossl-module-fips for fips.so.
* Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
config file fipsmodule.cnf is created on target.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 .../openssl/openssl_3.5.0.bb | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)