Re: [yocto] QA notification for completed autobuilder build (yocto-2.8_M3.rc1)
Hello All, Intel and WR YP QA is planning for QA execution for YP build yocto-2.8_M3.rc1. We are planning to execute following tests for this cycle: OEQA-manual tests for following module: 1. OE-Core 2. BSP-hw 3. BSP-Qemu Runtime auto test for following platforms: 1. MinnowTurbot 32-bit 2. Coffee Lake 3. NUC 7 4. NUC 6 5. Edgerouter 6. MPC8315e-rdb 7. Beaglebone ETA for completion is next Thursday, September 26. Thanks & Regards, Sangeeta Jain >-Original Message- >From: pokybu...@ubuntu1804-ty-1.yocto.io [mailto:pokybuild@ubuntu1804-ty- >1.yocto.io] >Sent: Friday, September 20, 2019 1:01 PM >To: yocto@yoctoproject.org >Cc: ota...@ossystems.com.br; yi.z...@windriver.com; Sangal, Apoorv >; Yeoh, Ee Peng ; Chan, >Aaron Chun Yew ; Ang, Chin Huat >; richard.pur...@linuxfoundation.org; >akuster...@gmail.com; sjolley.yp...@gmail.com; Jain, Sangeeta > >Subject: QA notification for completed autobuilder build (yocto-2.8_M3.rc1) > > >A build flagged for QA (yocto-2.8_M3.rc1) was completed on the autobuilder and >is available at: > > >https://autobuilder.yocto.io/pub/releases/yocto-2.8_M3.rc1 > > >Build hash information: > >bitbake: 797354d285f6d624d9adb52bab65823572da0e39 >meta-gplv2: 1e2480e50f34e55bdfd5e06f98441e03a3752d5a >meta-intel: 655dfaec95196b9c0e15d34f490e4a51a7d501e3 >meta-mingw: 9df4e115ab9a7ab23f81fdbcc62b2a0269d6377f >oecore: 95ad5626296380358c8a502a3e04879dab653d78 >poky: 81f9e815d36848761a9dfa94b00ad998bb39a4a6 > > > >This is an automated message from the Yocto Project Autobuilder >Git: git://git.yoctoproject.org/yocto-autobuilder2 >Email: richard.pur...@linuxfoundation.org > > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] apparmor: suppress appending of installation to perllocal.pod
perl modules when gets installed can produce a perllocal.pod file for documenting a list of locally installed perl modules. This can conflict if multiple packages generate the file. Hits the conflict with apparmor & rrdtool packages. Error: Transaction check error: file /usr/lib/perl5/5.30.0/x86_64-linux/perllocal.pod conflicts between attempted installs of rrdtool-1.7.2-r0.corei7_64 and apparmor-2.13.3-r0.corei7_64 perllocal.pod files are for documentation purpose, so disabling does not harm. Generating perllocal.pod for perl module is disabled by passing NO_PERLLOCAL=1 with ExtUtils::MakeMaker utility. https://perldoc.perl.org/5.30.0/ExtUtils/MakeMaker.html#Using-Attributes-and-Parameters [YOCTO #13491] Signed-off-by: Naveen Saini --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 1 + ...1-Makefile.am-suppress-perllocal.pod.patch | 28 +++ 2 files changed, 29 insertions(+) create mode 100644 recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index 8484404..2e5d221 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -21,6 +21,7 @@ SRC_URI = " \ file://functions \ file://apparmor \ file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ file://run-ptest \ " diff --git a/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch new file mode 100644 index 000..9807be1 --- /dev/null +++ b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch @@ -0,0 +1,28 @@ +From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001 +From: Naveen Saini +Date: Fri, 20 Sep 2019 18:53:53 +0800 +Subject: [PATCH] Makefile.am: suppress perllocal.pod + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Naveen Saini +--- + libraries/libapparmor/swig/perl/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +index 6ae4e30c..be00dc7f 100644 +--- a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm + LibAppArmor.pm: libapparmor_wrap.c + + Makefile.perl: Makefile.PL LibAppArmor.pm +- $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ ++ $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1 + sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl + sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl + +-- +2.17.1 + -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH] apparmor: suppress appending of installation to perllocal.pod
perl modules when gets installed can produce a perllocal.pod file for documenting a list of locally installed perl modules. This can conflict if multiple packages generate the file. Hits the conflict with apparmor & rrdtool packages. Error: Transaction check error: file /usr/lib/perl5/5.30.0/x86_64-linux/perllocal.pod conflicts between attempted installs of rrdtool-1.7.2-r0.corei7_64 and apparmor-2.13.3-r0.corei7_64 perllocal.pod files are for documentation purpose, so disabling does not harm. Generating perllocal.pod for perl module is disabled by passing NO_PERLLOCAL=1 with ExtUtils::MakeMaker utility. https://perldoc.perl.org/5.30.0/ExtUtils/MakeMaker.html#Using-Attributes-and-Parameters [YOCTO #13491] Signed-off-by: Naveen Saini --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 1 + ...1-Makefile.am-suppress-perllocal.pod.patch | 28 +++ 2 files changed, 29 insertions(+) create mode 100644 recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index 8484404..2e5d221 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -21,6 +21,7 @@ SRC_URI = " \ file://functions \ file://apparmor \ file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ file://run-ptest \ " diff --git a/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch new file mode 100644 index 000..9807be1 --- /dev/null +++ b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch @@ -0,0 +1,28 @@ +From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001 +From: Naveen Saini +Date: Fri, 20 Sep 2019 18:53:53 +0800 +Subject: [PATCH] Makefile.am: suppress perllocal.pod + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Naveen Saini +--- + libraries/libapparmor/swig/perl/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +index 6ae4e30c..be00dc7f 100644 +--- a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm + LibAppArmor.pm: libapparmor_wrap.c + + Makefile.perl: Makefile.PL LibAppArmor.pm +- $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ ++ $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1 + sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl + sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl + +-- +2.17.1 + -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 14/15] openssh: add CAVS tests for FIPS validation
Refer the latest Fedora to add cavs test binary for the aes-ctr [1]
and SSH KDF CAVS test driver [2]
[1]
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
[2]
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
Signed-off-by: Hongxu Jia
---
.../openssh/openssh-6.6p1-ctr-cavstest.patch | 289 +
.../openssh/openssh/openssh-6.7p1-kdf-cavs.patch | 654 +
recipes-connectivity/openssh/openssh_fips.inc | 9 +
3 files changed, 952 insertions(+)
create mode 100644
recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
create mode 100644
recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
diff --git
a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
new file mode 100644
index 000..038efa0
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -0,0 +1,289 @@
+From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001
+From: Hongxu Jia
+Date: Sun, 22 Sep 2019 21:32:18 +0800
+Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers
+
+Original submission to Fedora, see:
+
https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html
+
+this version download from:
+
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
+ (as of commit 991b66246f5151884b63c6d1232610a4569642a5)
+
+Makefile.in slightly modified for integration
+
+This is the makefile.in change for the normal configuration.
+
+Signed-off-by: Mark Hatle
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Hongxu Jia
+---
+ Makefile.in| 7 +-
+ ctr-cavstest.c | 215 +
+ 2 files changed, 221 insertions(+), 1 deletion(-)
+ create mode 100644 ctr-cavstest.c
+
+diff --git a/Makefile.in b/Makefile.in
+index ddd1804..cb34681 100644
+--- a/Makefile.in
b/Makefile.in
+@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
+ MKDIR_P=@MKDIR_P@
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT)
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT)
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT)
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT)
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
ctr-cavstest$(EXEEXT)
+
+ XMSS_OBJS=\
+ ssh-xmss.o \
+@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
readconf.o uidswap.o c
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o
ssh-pkcs11.o
+ $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
++ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh
-lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh
-lfipscheck $(LIBS)
+
+@@ -343,6 +347,7 @@ install-files:
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT)
$(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT)
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+ $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT)
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT)
$(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT)
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT)
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT)
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+diff --git a/ctr-cavstest.c b/ctr-cavstest.c
+new file mode 100644
+index 000..0d4776b
+--- /dev/null
b/ctr-cavstest.c
+@@ -0,0 +1,215 @@
++/*
++ *
++ * invocation (all of the following are equal):
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv
++ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo
aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
++ */
++
[yocto] [meta-openssl102-fips][PATCH 15/15] README.openssh_cavstest: add CAVS tests for FIPS validation
Signed-off-by: Hongxu Jia --- README.openssh_cavstest | 28 1 file changed, 28 insertions(+) create mode 100644 README.openssh_cavstest diff --git a/README.openssh_cavstest b/README.openssh_cavstest new file mode 100644 index 000..5d69ee5 --- /dev/null +++ b/README.openssh_cavstest @@ -0,0 +1,28 @@ +1. Install openssh-cavs to images +$ echo "IMAGE_INSTALL += 'openssh-cavs'" >> conf/local.conf +$ bitbake + +2. Run tests on target +1) ctr-cavstest +invocation (all of the following are equal): +./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 +./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv +echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt + +$ cd /usr/libexec +$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 +58E33554D51B0DD7A63F44B22381B1CA +$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv +58E33554D51B0DD7A63F44B22381B1CA +$ echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt +58E33554D51B0DD7A63F44B22381B1CA + +2) ssh-cavs +$ cd /usr/libexec +$ ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20 +Initial IV (client to server) = 4bb320d1679dfd3a +Initial IV (server to client) = 43dea6fdf263a308 +Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed +Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0 +Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640 +Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479 -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 13/15] README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode
Rerfer RedHat/Fedora/SUSE/Oracle/IBM ways 1. Add `fips=1' to kernel option to enable FIPS mode in kernel 2. File /etc/system-fips to determine if a FIPS mode is enabled in user space, currently openssh only Refer: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard https://access.redhat.com/discussions/3293631 https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html Signed-off-by: Hongxu Jia --- README.enable_fips | 56 ++ 1 file changed, 56 insertions(+) create mode 100644 README.enable_fips diff --git a/README.enable_fips b/README.enable_fips new file mode 100644 index 000..8016346 --- /dev/null +++ b/README.enable_fips @@ -0,0 +1,56 @@ +To turn your system (kernel and user space) into FIPS mode, follow these steps: + +1. Enable FIPS mode in kernel: +The `fips=1' kernel option needs to be added to the kernel command line so that key +generation is done with FIPS approved algorithms and continuous monitoring tests in +place: +... +[0.00] Linux version 5.3.0-yoctodev-standard (oe-user@oe-host) (gcc version 9.2.0 (GCC)) #1 SMP PREEMPT Sun Sep 22 07:03:58 UTC 2019 +[0.00] Command line: root=/dev/vda rw highres=off console=ttyS0 fips=1 +[0.281178] alg: self-tests for rsa-generic (rsa) passed +[0.283124] alg: self-tests for cipher_null-generic (cipher_null) passed +[0.284199] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed +[0.285596] alg: self-tests for sha1-generic (sha1) passed +[0.287474] alg: self-tests for sha256-generic (sha256) passed +[0.289138] alg: self-tests for sha224-generic (sha224) passed +[0.290277] alg: self-tests for des3_ede-generic (des3_ede) passed +[0.292005] alg: self-tests for aes-generic (aes) passed +[0.294431] alg: self-tests for crc32c-generic (crc32c) passed +[0.295046] alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed +[0.296927] alg: self-tests for drbg_pr_hmac_sha384 (stdrng) passed +[0.298001] alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed +[0.301064] alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed +[0.303057] alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed +[0.304026] alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed +[0.304999] alg: self-tests for drbg_nopr_hmac_sha384 (stdrng) passed +[0.306001] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed +[0.307377] alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed +[0.311120] DRBG: Continuing without Jitter RNG +[0.316952] alg: self-tests for ecdh-generic (ecdh) passed +[0.996938] alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed +[3.330824] alg: self-tests for cbc(aes-generic) (cbc(aes)) passed +... + +Kernel FIPS mode verification +You have two options: +1) cat /proc/sys/crypto/fips_enabled +2) sysctl crypto.fips_enabled + +NOTE: 1 indicates enabled, while 0 indicates disabled. + + +2. Enable FIPS mode in user space (default yes) +File /etc/system-fips to determine if a FIPS module is installed and +FIPS mode is enabled + +1) openssh: +- sshd +2019-09-22T12:20:04.631097+00:00 qemux86-64 sshd[437]: FIPS mode initialized + +- ssh +# ssh root@localhost +FIPS mode initialized + +- ssh-keygen +# ssh-keygen -A +ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 12/15] rng-tools: fix rngd failed in fips mode
The FIPS test is something done on government or more secure organizations for extra security check. ... root@qemux86-64:~# systemctl status rngd Unit rngd-tools.service could not be found. root@qemux86-64:~# systemctl status rngd rngd.service - Hardware RNG Entropy Gatherer Daemon Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled) Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS) Main PID: 317 (code=exited, status=0/SUCCESS) Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source ... >From rngd manual, add `-i' to default ... -i, --ignorefail Ignore repeated fips failures ... After applying the fix ... rngd.service - Hardware RNG Entropy Gatherer Daemon Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago Main PID: 121 (rngd) Tasks: 2 Memory: 1.8M CGroup: /system.slice/rngd.service /usr/sbin/rngd -f -r /dev/hwrng -i Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted ... Refer: https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html Signed-off-by: Hongxu Jia --- recipes-support/rng-tools/rng-tools/default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-support/rng-tools/rng-tools/default b/recipes-support/rng-tools/rng-tools/default index b9f8e03..1ae6b33 100644 --- a/recipes-support/rng-tools/rng-tools/default +++ b/recipes-support/rng-tools/rng-tools/default @@ -1 +1 @@ -EXTRA_ARGS="-r /dev/hwrng" +EXTRA_ARGS="-r /dev/hwrng -i" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 9/15] openssh: port sshd_check_keys from oe-core
Signed-off-by: Hongxu Jia
---
.../openssh/openssh/sshd_check_keys| 78 ++
1 file changed, 78 insertions(+)
create mode 100644 recipes-connectivity/openssh/openssh/sshd_check_keys
diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys
b/recipes-connectivity/openssh/openssh/sshd_check_keys
new file mode 100644
index 000..1931dc7
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -0,0 +1,78 @@
+#! /bin/sh
+
+generate_key() {
+local FILE=$1
+local TYPE=$2
+local DIR="$(dirname "$FILE")"
+
+mkdir -p "$DIR"
+ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+# Atomically rename file public key
+mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+# This sync does double duty: Ensuring that the data in the temporary
+# private key file is on disk before the rename, and ensuring that the
+# public key rename is completed before the private key rename, since we
+# switch on the existence of the private key to trigger key generation.
+# This does mean it is possible for the public key to exist, but be garbage
+# but this is OK because in that case the private key won't exist and the
+# keys will be regenerated.
+#
+# In the event that sync understands arguments that limit what it tries to
+# fsync(), we provided them. If it does not, it will simply call sync()
+# which is just as well
+sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+mv "${FILE}.tmp" "$FILE"
+
+# sync to ensure the atomic rename is committed
+sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+. /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+case "$1" in
+-f*) if [ "$1" = "-f" ] ; then
+sshd_config="$2"
+shift
+else
+sshd_config="${1#-f}"
+fi
+shift
+;;
+--) shift; break;;
+*) shift;;
+esac
+done
+
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key
$SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+
+for key in ${HOST_KEYS} ; do
+[ -f $key ] && continue
+case $key in
+*_rsa_key)
+echo " generating ssh RSA host key..."
+generate_key $key rsa
+;;
+*_ecdsa_key)
+echo " generating ssh ECDSA host key..."
+generate_key $key ecdsa
+;;
+*_ed25519_key)
+echo " generating ssh ED25519 host key..."
+generate_key $key ed25519
+;;
+esac
+done
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 11/15] rng-tools append: port default from oe-core
Signed-off-by: Hongxu Jia
---
recipes-support/rng-tools/rng-tools/default | 1 +
recipes-support/rng-tools/rng-tools_6.%.bbappend | 4
recipes-support/rng-tools/rng-tools_fips.inc | 2 ++
3 files changed, 7 insertions(+)
create mode 100644 recipes-support/rng-tools/rng-tools/default
create mode 100644 recipes-support/rng-tools/rng-tools_6.%.bbappend
create mode 100644 recipes-support/rng-tools/rng-tools_fips.inc
diff --git a/recipes-support/rng-tools/rng-tools/default
b/recipes-support/rng-tools/rng-tools/default
new file mode 100644
index 000..b9f8e03
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -0,0 +1 @@
+EXTRA_ARGS="-r /dev/hwrng"
diff --git a/recipes-support/rng-tools/rng-tools_6.%.bbappend
b/recipes-support/rng-tools/rng-tools_6.%.bbappend
new file mode 100644
index 000..c487175
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_6.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1'
else 'rng-tools_fips.inc'}"
+
+require ${FIPSINC}
diff --git a/recipes-support/rng-tools/rng-tools_fips.inc
b/recipes-support/rng-tools/rng-tools_fips.inc
new file mode 100644
index 000..d5f6435
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_fips.inc
@@ -0,0 +1,2 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/rng-tools:"
+
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 10/15] openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode
Run sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]: generating
ssh ED25519 host key...
2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys
are not allowed in FIPS mode
...
If fips mode enabled (existence of "/etc/system-fips"), don't generate ED25519
host
keys in FIPS mode
Refers Fedora:
https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b
Signed-off-by: Hongxu Jia
---
recipes-connectivity/openssh/openssh/sshd_check_keys | 4
1 file changed, 4 insertions(+)
diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys
b/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7..338531d 100644
--- a/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -71,6 +71,10 @@ for key in ${HOST_KEYS} ; do
generate_key $key ecdsa
;;
*_ed25519_key)
+FIPS=/etc/system-fips
+if [[ -r "$FIPS" ]]; then
+continue
+fi
echo " generating ssh ED25519 host key..."
generate_key $key ed25519
;;
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 6/15] kernel: enable fips mode
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
by specifying fips=1 as kernel parameter. [1][2]
/proc/sys/crypto/fips_enabled, that is presumably used by the Red Hat
modified version of OpenSSL.[3]
[1] https://www.linux.org/docs/man8/fipscheck.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
[3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html
Signed-off-by: Hongxu Jia
---
classes/fips_kernel.bbclass| 4
conf/layer.conf| 4
recipes-kernel/linux/files/crypto_fips.cfg | 3 +++
recipes-kernel/linux/files/crypto_fips.scc | 1 +
4 files changed, 12 insertions(+)
create mode 100644 classes/fips_kernel.bbclass
create mode 100644 recipes-kernel/linux/files/crypto_fips.cfg
create mode 100644 recipes-kernel/linux/files/crypto_fips.scc
diff --git a/classes/fips_kernel.bbclass b/classes/fips_kernel.bbclass
new file mode 100644
index 000..064088f
--- /dev/null
+++ b/classes/fips_kernel.bbclass
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend :=
"${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:"
+SRC_URI_append = " \
+file://crypto_fips.scc \
+"
diff --git a/conf/layer.conf b/conf/layer.conf
index 27a872e..b64c036 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,3 +18,7 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
meta-openssl-one-zero-two \
wr-template \
"
+
+LAYER_PATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"
+
+KERNEL_CLASSES_append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', '
fips_kernel', '',d)}"
diff --git a/recipes-kernel/linux/files/crypto_fips.cfg
b/recipes-kernel/linux/files/crypto_fips.cfg
new file mode 100644
index 000..cffdc02
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.cfg
@@ -0,0 +1,3 @@
+CONFIG_CRYPTO_FIPS=y
+CONFIG_MODULE_SIG=y
+# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
diff --git a/recipes-kernel/linux/files/crypto_fips.scc
b/recipes-kernel/linux/files/crypto_fips.scc
new file mode 100644
index 000..f64380a
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -0,0 +1 @@
+kconf non-hardware crypto_fips.cfg
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 8/15] openssh: conditional enable fips mode
Enable fips mode according to the existence of "/etc/system-fips"
Signed-off-by: Hongxu Jia
---
.../0001-conditional-enable-fips-mode.patch| 63 ++
recipes-connectivity/openssh/openssh_fips.inc | 1 +
2 files changed, 64 insertions(+)
create mode 100644
recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
diff --git
a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
new file mode 100644
index 000..b47e184
--- /dev/null
+++
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -0,0 +1,63 @@
+From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia
+Date: Sun, 22 Sep 2019 14:31:51 +0800
+Subject: [PATCH] conditional enable fips mode
+
+Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
+enable fips mode according to the existence of "/etc/system-fips"
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia
+---
+ xmalloc.c | 24
+ 1 file changed, 24 insertions(+)
+
+diff --git a/xmalloc.c b/xmalloc.c
+index 5cc0310..0218ccd 100644
+--- a/xmalloc.c
b/xmalloc.c
+@@ -23,12 +23,20 @@
+ #include
+ #include
+
++#include
++#include
++#include
++
+ #include "xmalloc.h"
+ #include "log.h"
+
++void ssh_enable_fips_mode(void);
++
+ void
+ ssh_malloc_init(void)
+ {
++ ssh_enable_fips_mode();
++
+ #if defined(__OpenBSD__)
+ extern char *malloc_options;
+
+@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
+
+ return (i);
+ }
++
++void
++ssh_enable_fips_mode(void)
++{
++if (access("/etc/system-fips", F_OK) == 0) {
++if (!FIPS_mode_set(1)) {
++/* make sure the error stack is available for some hint as
++ * to why this operation failed
++ */
++ERR_load_crypto_strings();
++ERR_print_errors_fp(stdout);
++fatal("FIPS_mode_set(): failed to enter FIPS mode!\n");
++exit(1);
++}
++}
++}
+--
+2.7.4
+
diff --git a/recipes-connectivity/openssh/openssh_fips.inc
b/recipes-connectivity/openssh/openssh_fips.inc
index df84c39..33a84c9 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -5,6 +5,7 @@ DEPENDS += " \
"
SRC_URI += " \
file://0001-openssh-8.0p1-fips.patch \
+file://0001-conditional-enable-fips-mode.patch \
"
do_install_append() {
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 7/15] kernel: workaround alg self-tests failure in fips mode
While kernel enable fips mode, it start alg self-test, and there is
a kernel panic at ecdh-generic
...
[0.311313] alg: ecdh: test failed on vector 2, err=-14
[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic
(ecdh) failed in fips mode!
...
Continue without Jitter RNG for fips to workaround alg self-tests failure,
after applying the fix:
...
[0.306633] DRBG: Continuing without Jitter RNG
[0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...
Refer: https://lore.kernel.org/patchwork/patch/568693/
Signed-off-by: Hongxu Jia
---
.../0001-fips-continuing-without-Jitter-RNG.patch | 34 ++
recipes-kernel/linux/files/crypto_fips.scc | 1 +
2 files changed, 35 insertions(+)
create mode 100644
recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
diff --git
a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
new file mode 100644
index 000..140d6a1
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
@@ -0,0 +1,34 @@
+From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia
+Date: Sun, 22 Sep 2019 10:57:02 +0800
+Subject: [PATCH] fips: continuing without Jitter RNG
+
+Continue without Jitter RNG for fips to workaround alg self-tests failure
+...
+[0.311313] alg: ecdh: test failed on vector 2, err=-14
+[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic
(ecdh) failed in fips mode!
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia
+---
+ crypto/drbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/drbg.c b/crypto/drbg.c
+index b6929eb..d677da5 100644
+--- a/crypto/drbg.c
b/crypto/drbg.c
+@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg,
struct drbg_string *pers,
+ if (IS_ERR(drbg->jent)) {
+ ret = PTR_ERR(drbg->jent);
+ drbg->jent = NULL;
+- if (fips_enabled || ret != -ENOENT)
++ if (ret != -ENOENT)
+ goto free_everything;
+ pr_info("DRBG: Continuing without Jitter RNG\n");
+ }
+--
+2.7.4
+
diff --git a/recipes-kernel/linux/files/crypto_fips.scc
b/recipes-kernel/linux/files/crypto_fips.scc
index f64380a..85f8f44 100644
--- a/recipes-kernel/linux/files/crypto_fips.scc
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -1 +1,2 @@
kconf non-hardware crypto_fips.cfg
+patch 0001-fips-continuing-without-Jitter-RNG.patch
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 3/15] fipscheck: add generation of the checksums in pkg_postinst
Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
Signed-off-by: Hongxu Jia
---
recipes-connectivity/openssh/fipscheck_1.5.0.bb | 18 ++
1 file changed, 18 insertions(+)
diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
index 68051d2..0a06bd3 100644
--- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -27,4 +27,22 @@ EXTRA_OECONF += " \
EXTRA_OEMAKE += " \
-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
"
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
+inherit qemu
+
+pkg_postinst_${PN} () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/fipscheck
$D${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac
$D${libdir}/fipscheck/libfipscheck.so.1.hmac
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/fipscheck \
+${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac
${libdir}/fipscheck/libfipscheck.so.1.hmac
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 5/15] openssh: add generation of HMAC checksums in pkg_postinst
Refer
https://src.fedoraproject.org/rpms/openssh/c/d93958db19129e0f4615865eab22fb36e1f4fb8a
Signed-off-by: Hongxu Jia
---
recipes-connectivity/openssh/openssh_fips.inc | 26 ++
1 file changed, 26 insertions(+)
diff --git a/recipes-connectivity/openssh/openssh_fips.inc
b/recipes-connectivity/openssh/openssh_fips.inc
index 99a3482..df84c39 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,3 +6,29 @@ DEPENDS += " \
SRC_URI += " \
file://0001-openssh-8.0p1-fips.patch \
"
+
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
+
+inherit qemu
+
+pkg_postinst_append_${PN}-ssh () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/ssh.${BPN}
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/ssh.${BPN}
+fi
+}
+
+pkg_postinst_append_${PN}-sshd () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${sbindir}/sshd
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${sbindir}/sshd
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 4/15] fipscheck: enable fipscheck on target
Refer Fedora/RedHat's way
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut
Signed-off-by: Hongxu Jia
---
recipes-connectivity/openssh/fipscheck_1.5.0.bb | 4
1 file changed, 4 insertions(+)
diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
index 0a06bd3..23a4123 100644
--- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -28,6 +28,10 @@ EXTRA_OEMAKE += " \
-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
"
do_install_append() {
+# Is't the fedora way to enable fipscheck
+install -d ${D}${sysconfdir}
+touch ${D}${sysconfdir}/system-fips
+
install -d ${D}${libdir}/fipscheck
}
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] Review request 0/15: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH
Hi Mark, I apply a kernel patch to workaround alg self-tests failure, which the test is too early and Jitter RNG is not ready at that time. The latter alg: self-tests for jitterentropy_rng is passed, so I think the `Continuing without Jitter RNG' workaround is OK == Testing == * Commands See README.build README.enable_fips README.openssh_cavstest * Expected Results README.build README.enable_fips README.openssh_cavstest -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-openssl102-fips][PATCH 2/15] openssh_8.%.bbappend: support fips 140-2
Signed-off-by: Hongxu Jia --- .../openssh/openssh/0001-openssh-8.0p1-fips.patch | 528 + recipes-connectivity/openssh/openssh_8.%.bbappend | 4 + recipes-connectivity/openssh/openssh_fips.inc | 8 + 3 files changed, 540 insertions(+) create mode 100644 recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch create mode 100644 recipes-connectivity/openssh/openssh_8.%.bbappend create mode 100644 recipes-connectivity/openssh/openssh_fips.inc diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch new file mode 100644 index 000..fd0a411 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch @@ -0,0 +1,528 @@ +From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Fri, 20 Sep 2019 17:59:00 +0800 +Subject: [PATCH] openssh 8.0p1 fips + +Port openssh-7.7p1-fips.patch from Fedora +https://src.fedoraproject.org/rpms/openssh.git + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia +--- + Makefile.in | 14 +++--- + cipher-ctr.c | 3 ++- + clientloop.c | 3 ++- + dh.c | 40 + dh.h | 1 + + kex.c| 5 - + kexgexc.c| 5 + + myproposal.h | 40 + readconf.c | 17 + + sandbox-seccomp-filter.c | 3 +++ + servconf.c | 19 ++- + ssh-keygen.c | 6 ++ + ssh.c| 16 + sshconnect2.c| 11 --- + sshd.c | 19 +++ + sshkey.c | 4 + 16 files changed, 176 insertions(+), 30 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index 6f001bb..ddd1804 100644 +--- a/Makefile.in b/Makefile.in +@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS) + $(RANLIB) $@ + + ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) ++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o +- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o +- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o +- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o +- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o +- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +diff --git a/cipher-ctr.c b/cipher-ctr.c +index 32771f2..74fac3b 100644 +--- a/cipher-ctr.c b/cipher-ctr.c +@@ -138,7 +138,8 @@ evp_aes_128_ctr(void) + aes_ctr.do_cipher = ssh_aes_ctr; + #ifndef SSH_OLD_EVP + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; ++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | ++ EVP_CIPH_FLAG_FIPS; + #endif + return (_ctr); + } +diff --git a/clientloop.c b/clientloop.c
[yocto] [meta-openssl102-fips][PATCH 1/15] fipscheck: add 1.5.0
Port it from fedora:
https://src.fedoraproject.org/rpms/fipscheck
It is required by openssh fips.
Signed-off-by: Hongxu Jia
---
.../0001-compat-fip-with-openssl-1.0.2.patch | 34 ++
recipes-connectivity/openssh/fipscheck_1.5.0.bb| 30 +++
templates/feature/openssl-fips/template.conf | 2 +-
3 files changed, 65 insertions(+), 1 deletion(-)
create mode 100644
recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
create mode 100644 recipes-connectivity/openssh/fipscheck_1.5.0.bb
diff --git
a/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
new file mode 100644
index 000..22e5a62
--- /dev/null
+++
b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
@@ -0,0 +1,34 @@
+From 3147ae2a63f10f9bbdd0a617b450ff8b9868e60f Mon Sep 17 00:00:00 2001
+From: Hongxu Jia
+Date: Fri, 20 Sep 2019 17:51:09 +0800
+Subject: [PATCH] compat fip with openssl 1.0.2
+
+In /usr/lib64/ssl/fips-2.0/include/openssl/opensslv.h
+...
+define OPENSSL_VERSION_NUMBER 0x1010L
+...
+Since fips include file compat with openssl 1.1.0, do not include it
+in Yocto
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia
+---
+ src/filehmac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index a8eef00..0b36cec 100644
+--- a/src/filehmac.c
b/src/filehmac.c
+@@ -41,7 +41,6 @@
+ #include
+
+ #if defined(WITH_OPENSSL)
+-#include
+ #include
+ #include
+ #elif defined(WITH_NSS)
+--
+2.7.4
+
diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
new file mode 100644
index 000..68051d2
--- /dev/null
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -0,0 +1,30 @@
+SUMMARY = "A library for integrity verification of FIPS validated modules"
+DESCRIPTION = "FIPSCheck is a library for integrity verification of FIPS
validated \
+modules. The package also provides helper binaries for creation and \
+verification of the HMAC-SHA256 checksum files."
+HOMEPAGE = "https://pagure.io/fipscheck;
+SECTION = "libs/network"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=35f2904ce138ac5fa63e7cedf96bbedf"
+
+SRC_URI = "https://releases.pagure.org/fipscheck/${BPN}-${PV}.tar.bz2 \
+ file://0001-compat-fip-with-openssl-1.0.2.patch \
+"
+SRC_URI[md5sum] = "86e756a7d2aa15f3f91033fb3eced99b"
+SRC_URI[sha256sum] =
"7ba38100ced187f44b12dd52c8c74db8f366a2a8b9da819bd3e7c6ea17f469d5"
+
+DEPENDS = " \
+openssl \
+openssl-fips \
+"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF += " \
+--disable-static \
+"
+EXTRA_OEMAKE += " \
+-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
+"
+
diff --git a/templates/feature/openssl-fips/template.conf
b/templates/feature/openssl-fips/template.conf
index 6da678c..9a551c3 100644
--- a/templates/feature/openssl-fips/template.conf
+++ b/templates/feature/openssl-fips/template.conf
@@ -8,4 +8,4 @@ OPENSSL_FIPS_PREBUILT ??= ""
PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips'
PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips-example'
-
+PNWHITELIST_meta-openssl-one-zero-two-fips += 'fipscheck'
--
2.7.4
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
