Re: [yocto] QA notification for completed autobuilder build (yocto-2.8_M3.rc1)
Hello All,

Intel and WR YP QA is planning for QA execution for YP build yocto-2.8_M3.rc1. We are planning to execute following tests for this cycle:

OEQA-manual tests for following module:
1. OE-Core
2. BSP-hw
3. BSP-Qemu

Runtime auto test for following platforms:
1. MinnowTurbot 32-bit
2. Coffee Lake
3. NUC 7
4. NUC 6
5. Edgerouter
6. MPC8315e-rdb
7. Beaglebone

ETA for completion is next Thursday, September 26.

Thanks & Regards,
Sangeeta Jain

>-----Original Message-----
>From: pokybu...@ubuntu1804-ty-1.yocto.io [mailto:pokybuild@ubuntu1804-ty-1.yocto.io]
>Sent: Friday, September 20, 2019 1:01 PM
>To: yocto@yoctoproject.org
>Cc: ota...@ossystems.com.br; yi.z...@windriver.com; Sangal, Apoorv; Yeoh, Ee Peng; Chan, Aaron Chun Yew; Ang, Chin Huat; richard.pur...@linuxfoundation.org; akuster...@gmail.com; sjolley.yp...@gmail.com; Jain, Sangeeta
>Subject: QA notification for completed autobuilder build (yocto-2.8_M3.rc1)
>
>A build flagged for QA (yocto-2.8_M3.rc1) was completed on the autobuilder and
>is available at:
>
>https://autobuilder.yocto.io/pub/releases/yocto-2.8_M3.rc1
>
>Build hash information:
>
>bitbake: 797354d285f6d624d9adb52bab65823572da0e39
>meta-gplv2: 1e2480e50f34e55bdfd5e06f98441e03a3752d5a
>meta-intel: 655dfaec95196b9c0e15d34f490e4a51a7d501e3
>meta-mingw: 9df4e115ab9a7ab23f81fdbcc62b2a0269d6377f
>oecore: 95ad5626296380358c8a502a3e04879dab653d78
>poky: 81f9e815d36848761a9dfa94b00ad998bb39a4a6
>
>This is an automated message from the Yocto Project Autobuilder
>Git: git://git.yoctoproject.org/yocto-autobuilder2
>Email: richard.pur...@linuxfoundation.org

--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] apparmor: suppress appending of installation to perllocal.pod
perl modules when gets installed can produce a perllocal.pod file for documenting a list of locally installed perl modules. This can conflict if multiple packages generate the file. Hits the conflict with apparmor & rrdtool packages. Error: Transaction check error: file /usr/lib/perl5/5.30.0/x86_64-linux/perllocal.pod conflicts between attempted installs of rrdtool-1.7.2-r0.corei7_64 and apparmor-2.13.3-r0.corei7_64 perllocal.pod files are for documentation purpose, so disabling does not harm. Generating perllocal.pod for perl module is disabled by passing NO_PERLLOCAL=1 with ExtUtils::MakeMaker utility. https://perldoc.perl.org/5.30.0/ExtUtils/MakeMaker.html#Using-Attributes-and-Parameters [YOCTO #13491] Signed-off-by: Naveen Saini --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 1 + ...1-Makefile.am-suppress-perllocal.pod.patch | 28 +++ 2 files changed, 29 insertions(+) create mode 100644 recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index 8484404..2e5d221 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -21,6 +21,7 @@ SRC_URI = " \ file://functions \ file://apparmor \ file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ file://run-ptest \ " diff --git a/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch new file mode 100644 index 000..9807be1 --- /dev/null +++ b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch 
@@ -0,0 +1,28 @@ +From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001 +From: Naveen Saini +Date: Fri, 20 Sep 2019 18:53:53 +0800 +Subject: [PATCH] Makefile.am: suppress perllocal.pod + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Naveen Saini +--- + libraries/libapparmor/swig/perl/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +index 6ae4e30c..be00dc7f 100644 +--- a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm + LibAppArmor.pm: libapparmor_wrap.c + + Makefile.perl: Makefile.PL LibAppArmor.pm +- $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ ++ $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1 + sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl + sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl + +-- +2.17.1 + -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
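Review bot: the change to libraries/libapparmor/swig/perl/Makefile.am only reaches the build if the generated makefiles are regenerated after patching; confirm that apparmor_2.13.3.bb inherits autotools (so autoreconf runs), otherwise the same `NO_PERLLOCAL=1` has to be added to Makefile.in as well or the conflict on /usr/lib/perl5/5.30.0/x86_64-linux/perllocal.pod comes back. The embedded patch header says only "suppress perllocal.pod"; carry the justification from the commit message (perllocal.pod is documentation-only bookkeeping, so nothing that LibAppArmor.pm installs changes) and the [YOCTO #13491] reference into the patch file itself, since that file is what a later maintainer reads when rebasing to a new apparmor release.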
[yocto] [meta-openssl102-fips][PATCH 14/15] openssh: add CAVS tests for FIPS validation
Refer the latest Fedora to add cavs test binary for the aes-ctr [1] and SSH KDF CAVS test driver [2] [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch Signed-off-by: Hongxu Jia --- .../openssh/openssh-6.6p1-ctr-cavstest.patch | 289 + .../openssh/openssh/openssh-6.7p1-kdf-cavs.patch | 654 + recipes-connectivity/openssh/openssh_fips.inc | 9 + 3 files changed, 952 insertions(+) create mode 100644 recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch create mode 100644 recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch new file mode 100644 index 000..038efa0 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch 
@@ -0,0 +1,289 @@ +From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Sun, 22 Sep 2019 21:32:18 +0800 +Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers + +Original submission to Fedora, see: + https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html + +this version download from: + http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch + (as of commit 991b66246f5151884b63c6d1232610a4569642a5) + +Makefile.in slightly modified for integration + +This is the makefile.in change for the normal configuration. + +Signed-off-by: Mark Hatle + +Upstream-Status: Inappropriate [oe specific] +Signed-off-by: Hongxu Jia +--- + Makefile.in| 7 +- + ctr-cavstest.c | 215 + + 2 files changed, 221 insertions(+), 1 deletion(-) + create mode 100644 ctr-cavstest.c + +diff --git a/Makefile.in b/Makefile.in +index ddd1804..cb34681 100644 +--- a/Makefile.in b/Makefile.in +@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh + ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass + SFTP_SERVER=$(libexecdir)/sftp-server + SSH_KEYSIGN=$(libexecdir)/ssh-keysign ++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest + SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + PRIVSEP_PATH=@PRIVSEP_PATH@ + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@ + MANFMT=@MANFMT@ + MKDIR_P=@MKDIR_P@ + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) + + XMSS_OBJS=\ + ssh-xmss.o \ +@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) 
libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + ++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o ++ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) ++ + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + +@@ -343,6 +347,7 @@ install-files: + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) ++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) +diff --git a/ctr-cavstest.c b/ctr-cavstest.c +new file mode 100644 +index 000..0d4776b +--- /dev/null b/ctr-cavstest.c +@@ -0,0 +1,215 @@ ++/* ++ * ++ * invocation (all of the following are equal): ++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 ++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv ++ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt ++ */ ++
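Review bot: the install-files hunk hardcodes `$(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)` even though the first hunk defines `CTR_CAVSTEST=$(libexecdir)/ctr-cavstest` for exactly that purpose; use `$(DESTDIR)$(CTR_CAVSTEST)$(EXEEXT)` so the two cannot drift apart, as the neighbouring ssh-keysign and ssh-pkcs11-helper lines do with SSH_KEYSIGN and SSH_PKCS11_HELPER. The link rule adds `-lfipscheck`, so the openssh_fips.inc change listed in the diffstat (not shown here) must carry the fipscheck DEPENDS for the ctr-cavstest target, and the CAVS key and data in the usage comment of ctr-cavstest.c are known-answer test vectors, which is worth saying in the comment so nobody mistakes them for configuration.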
[yocto] [meta-openssl102-fips][PATCH 15/15] README.openssh_cavstest: add CAVS tests for FIPS validation
Signed-off-by: Hongxu Jia --- README.openssh_cavstest | 28 1 file changed, 28 insertions(+) create mode 100644 README.openssh_cavstest diff --git a/README.openssh_cavstest b/README.openssh_cavstest new file mode 100644 index 000..5d69ee5 --- /dev/null +++ b/README.openssh_cavstest 
@@ -0,0 +1,28 @@ +1. Install openssh-cavs to images +$ echo "IMAGE_INSTALL += 'openssh-cavs'" >> conf/local.conf +$ bitbake + +2. Run tests on target +1) ctr-cavstest +invocation (all of the following are equal): +./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 +./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv +echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt + +$ cd /usr/libexec +$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 +58E33554D51B0DD7A63F44B22381B1CA +$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv +58E33554D51B0DD7A63F44B22381B1CA +$ echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt +58E33554D51B0DD7A63F44B22381B1CA + +2) ssh-cavs +$ cd /usr/libexec +$ ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20 +Initial IV (client to server) = 4bb320d1679dfd3a +Initial IV (server to client) = 43dea6fdf263a308 +Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed +Encryption key 
(server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0 +Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640 +Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479 -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
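Review bot: `IMAGE_INSTALL += 'openssh-cavs'` in conf/local.conf is the form the Yocto manual warns against: core-image.bbclass assigns IMAGE_INSTALL with `?=`, and a `+=` in local.conf is evaluated before that, so the variable is already set and the image's default package list is lost. The README should use `IMAGE_INSTALL_append = " openssh-cavs"`. It would also help to say where ssh-cavs comes from (the openssh-6.7p1-kdf-cavs.patch of 14/15, whose test driver is otherwise only referenced here) and to state that the printed IVs and keys are the expected CAVS known-answer values for those inputs, so a reader knows what a failing run looks like.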
[yocto] [meta-openssl102-fips][PATCH 13/15] README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode
Rerfer RedHat/Fedora/SUSE/Oracle/IBM ways 1. Add `fips=1' to kernel option to enable FIPS mode in kernel 2. File /etc/system-fips to determine if a FIPS mode is enabled in user space, currently openssh only Refer: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard https://access.redhat.com/discussions/3293631 https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html Signed-off-by: Hongxu Jia --- README.enable_fips | 56 ++ 1 file changed, 56 insertions(+) create mode 100644 README.enable_fips diff --git a/README.enable_fips b/README.enable_fips new file mode 100644 index 000..8016346 --- /dev/null +++ b/README.enable_fips 
@@ -0,0 +1,56 @@ +To turn your system (kernel and user space) into FIPS mode, follow these steps: + +1. Enable FIPS mode in kernel: +The `fips=1' kernel option needs to be added to the kernel command line so that key +generation is done with FIPS approved algorithms and continuous monitoring tests in +place: +... +[0.00] Linux version 5.3.0-yoctodev-standard (oe-user@oe-host) (gcc version 9.2.0 (GCC)) #1 SMP PREEMPT Sun Sep 22 07:03:58 UTC 2019 +[0.00] Command line: root=/dev/vda rw highres=off console=ttyS0 fips=1 +[0.281178] alg: self-tests for rsa-generic (rsa) passed +[0.283124] alg: self-tests for cipher_null-generic (cipher_null) passed +[0.284199] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed +[0.285596] alg: self-tests for sha1-generic (sha1) passed +[0.287474] alg: self-tests for sha256-generic (sha256) passed +[0.289138] alg: self-tests for sha224-generic (sha224) passed +[0.290277] alg: self-tests for des3_ede-generic (des3_ede) passed +[0.292005] alg: self-tests for aes-generic (aes) passed +[0.294431] alg: self-tests for crc32c-generic (crc32c) passed +[0.295046] alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed +[0.296927] alg: self-tests for drbg_pr_hmac_sha384 (stdrng) passed +[0.298001] alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed +[0.301064] alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed +[0.303057] alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed +[0.304026] alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed +[0.304999] alg: self-tests for drbg_nopr_hmac_sha384 (stdrng) passed +[0.306001] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed +[0.307377] alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed +[0.311120] DRBG: Continuing without Jitter RNG +[0.316952] alg: self-tests for ecdh-generic (ecdh) passed +[0.996938] alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed +[3.330824] alg: self-tests for cbc(aes-generic) (cbc(aes)) passed +... 
+ +Kernel FIPS mode verification +You have two options: +1) cat /proc/sys/crypto/fips_enabled +2) sysctl crypto.fips_enabled + +NOTE: 1 indicates enabled, while 0 indicates disabled. + + +2. Enable FIPS mode in user space (default yes) +File /etc/system-fips to determine if a FIPS module is installed and +FIPS mode is enabled + +1) openssh: +- sshd +2019-09-22T12:20:04.631097+00:00 qemux86-64 sshd[437]: FIPS mode initialized + +- ssh +# ssh root@localhost +FIPS mode initialized + +- ssh-keygen +# ssh-keygen -A +ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
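Review bot: step 2 says user-space FIPS mode is "default yes" but the README never says which recipe installs /etc/system-fips or how to remove it to switch user space out of FIPS mode without a rebuild; add that. The boot log reproduced in step 1 contains `DRBG: Continuing without Jitter RNG`, which is the 7/15 workaround, so the README should say that the DRBG is seeded without the jitter entropy source in this configuration, since that is a deviation a FIPS auditor will ask about. The two switches are independent (the kernel looks at fips=1, openssh only at the file), so the verification section would benefit from a combined check that both `crypto.fips_enabled` reads 1 and /etc/system-fips exists.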
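The verification section above gives two independent switches: the kernel's fips_enabled sysctl and the /etc/system-fips marker that openssh consults. The following is an added example, not part of this patch series or of meta-openssl102-fips, of a POSIX sh check that reads both and reports when they disagree. The paths are parameters (defaulting to the two locations the README names) so the functions can be exercised against constructed files; the function names fips_status and fips_explain and the script name fips_check.sh are my own.

```shell
#!/bin/sh
# Added example, not part of the meta-openssl102-fips series: report whether
# the kernel switch (fips_enabled sysctl) and the user-space switch
# (/etc/system-fips, the file openssh consults) agree. Both paths are
# parameters so the check can be exercised against constructed files; with
# no arguments it reads the real locations named in the README.

# fips_status [PROC_FLAG] [MARKER]
# Prints "kernel=<0|1|absent> userspace=<0|1>". Returns 0 only when the
# kernel reports 1 and the marker file exists.
fips_status() {
    proc_flag="${1:-/proc/sys/crypto/fips_enabled}"
    marker="${2:-/etc/system-fips}"

    if [ -r "$proc_flag" ]; then
        kernel="$(cat "$proc_flag")"
    else
        # A kernel built without CONFIG_CRYPTO_FIPS has no such sysctl.
        kernel="absent"
    fi

    # The series tests plain existence (access(F_OK)), so -e rather than -r.
    if [ -e "$marker" ]; then
        userspace=1
    else
        userspace=0
    fi

    echo "kernel=$kernel userspace=$userspace"

    if [ "$kernel" = "1" ] && [ "$userspace" = "1" ]; then
        return 0
    fi
    return 1
}

# fips_explain [PROC_FLAG] [MARKER]
# Turns the status line into an actionable message. Same exit status as
# fips_status, so it can drive a health check or a boot-time assertion.
fips_explain() {
    status="$(fips_status "$1" "$2" || true)"
    case "$status" in
        "kernel=1 userspace=1")
            echo "FIPS mode: fully enabled" ;;
        "kernel=1 userspace=0")
            echo "kernel in FIPS mode but /etc/system-fips is missing: openssh will not enter FIPS mode" ;;
        "kernel=0 userspace=1"|"kernel=absent userspace=1")
            echo "user space marker present but kernel not in FIPS mode: boot with fips=1" ;;
        *)
            echo "FIPS mode: disabled" ;;
    esac
    [ "$status" = "kernel=1 userspace=1" ]
}

# Run the check only when executed as a script named fips_check.sh, so the
# functions can be sourced by other scripts without side effects.
case "$0" in
    *fips_check.sh) fips_explain "$@" ;;
esac
```

On a target, `sh fips_check.sh` prints one line and exits 0 only when both switches are on, which makes it usable as an ExecStartPre for sshd or as a rootfs test; the three mismatch messages name the half that is off, which is the case the README's two separate checks leave the reader to work out.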
[yocto] [meta-openssl102-fips][PATCH 12/15] rng-tools: fix rngd failed in fips mode
The FIPS test is something done on government or more secure organizations for extra security check. ... root@qemux86-64:~# systemctl status rngd Unit rngd-tools.service could not be found. root@qemux86-64:~# systemctl status rngd rngd.service - Hardware RNG Entropy Gatherer Daemon Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled) Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS) Main PID: 317 (code=exited, status=0/SUCCESS) Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source ... >From rngd manual, add `-i' to default ... -i, --ignorefail Ignore repeated fips failures ... After applying the fix ... rngd.service - Hardware RNG Entropy Gatherer Daemon Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago Main PID: 121 (rngd) Tasks: 2 Memory: 1.8M CGroup: /system.slice/rngd.service /usr/sbin/rngd -f -r /dev/hwrng -i Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted ... Refer: https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html Signed-off-by: Hongxu Jia --- recipes-support/rng-tools/rng-tools/default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-support/rng-tools/rng-tools/default b/recipes-support/rng-tools/rng-tools/default index b9f8e03..1ae6b33 100644 --- a/recipes-support/rng-tools/rng-tools/default +++ b/recipes-support/rng-tools/rng-tools/default @@ -1 +1 @@ -EXTRA_ARGS="-r /dev/hwrng" +EXTRA_ARGS="-r /dev/hwrng -i" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
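Review bot: `-i`/`--ignorefail` only stops rngd from disabling the source after repeated FIPS test failures; the log after the fix still shows `RNDADDENTROPY failed: Operation not permitted`, so the unit is now "active (running)" but rngd is still not feeding entropy into the kernel pool, which is a worse state than a visibly failed unit. The EPERM from RNDADDENTROPY means the ioctl was refused (it needs CAP_SYS_ADMIN), which is a separate problem from the FIPS statistical test failures; root-cause the refusal first, and then decide explicitly whether bypassing rngd's FIPS 140-2 runtime tests is acceptable in a layer whose purpose is FIPS operation, stating that decision in the commit message rather than "extra security check".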
[yocto] [meta-openssl102-fips][PATCH 9/15] openssh: port sshd_check_keys from oe-core
Signed-off-by: Hongxu Jia --- .../openssh/openssh/sshd_check_keys| 78 ++ 1 file changed, 78 insertions(+) create mode 100644 recipes-connectivity/openssh/openssh/sshd_check_keys diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys new file mode 100644 index 000..1931dc7 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/sshd_check_keys 
@@ -0,0 +1,78 @@ +#! /bin/sh + +generate_key() { +local FILE=$1 +local TYPE=$2 +local DIR="$(dirname "$FILE")" + +mkdir -p "$DIR" +ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE + +# Atomically rename file public key +mv -f "${FILE}.tmp.pub" "${FILE}.pub" + +# This sync does double duty: Ensuring that the data in the temporary +# private key file is on disk before the rename, and ensuring that the +# public key rename is completed before the private key rename, since we +# switch on the existence of the private key to trigger key generation. +# This does mean it is possible for the public key to exist, but be garbage +# but this is OK because in that case the private key won't exist and the +# keys will be regenerated. +# +# In the event that sync understands arguments that limit what it tries to +# fsync(), we provided them. If it does not, it will simply call sync() +# which is just as well +sync "${FILE}.pub" "$DIR" "${FILE}.tmp" + +mv "${FILE}.tmp" "$FILE" + +# sync to ensure the atomic rename is committed +sync "$DIR" +} + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then +. /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do +case "$1" in +-f*) if [ "$1" = "-f" ] ; then +sshd_config="$2" +shift +else +sshd_config="${1#-f}" +fi +shift +;; +--) shift; break;; +*) shift;; +esac +done + +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" + +for key in ${HOST_KEYS} ; do +[ -f $key ] && continue +case $key in +*_rsa_key) +echo " generating ssh RSA host key..." +generate_key $key rsa +;; +*_ecdsa_key) +echo " generating ssh ECDSA host key..." +generate_key $key ecdsa +;; +*_ed25519_key) +echo " generating ssh ED25519 host key..." 
+generate_key $key ed25519 +;; +esac +done -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
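Review bot: generate_key never checks the exit status of `ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE`; when key generation fails, the function goes on to `mv -f "${FILE}.tmp.pub"` and `mv "${FILE}.tmp"` on files that do not exist, so the log shows mv errors instead of the real cause (10/15 in this series hits exactly that path with ED25519 in FIPS mode). Add `|| return 1` after the ssh-keygen line and let the loop report the failure. Since the script is a straight port, the commit message should name the oe-core revision it was taken from so future diffs against oe-core are easy, and `[ -f $key ]` / `generate_key $key` should quote `$key` as the rest of the script does.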
[yocto] [meta-openssl102-fips][PATCH 11/15] rng-tools append: port default from oe-core
Signed-off-by: Hongxu Jia --- recipes-support/rng-tools/rng-tools/default | 1 + recipes-support/rng-tools/rng-tools_6.%.bbappend | 4 recipes-support/rng-tools/rng-tools_fips.inc | 2 ++ 3 files changed, 7 insertions(+) create mode 100644 recipes-support/rng-tools/rng-tools/default create mode 100644 recipes-support/rng-tools/rng-tools_6.%.bbappend create mode 100644 recipes-support/rng-tools/rng-tools_fips.inc diff --git a/recipes-support/rng-tools/rng-tools/default b/recipes-support/rng-tools/rng-tools/default new file mode 100644 index 000..b9f8e03 --- /dev/null +++ b/recipes-support/rng-tools/rng-tools/default @@ -0,0 +1 @@ +EXTRA_ARGS="-r /dev/hwrng" diff --git a/recipes-support/rng-tools/rng-tools_6.%.bbappend b/recipes-support/rng-tools/rng-tools_6.%.bbappend new file mode 100644 index 000..c487175 --- /dev/null +++ b/recipes-support/rng-tools/rng-tools_6.%.bbappend @@ -0,0 +1,4 @@ +FIPSINC = "" +FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'rng-tools_fips.inc'}" + +require ${FIPSINC} diff --git a/recipes-support/rng-tools/rng-tools_fips.inc b/recipes-support/rng-tools/rng-tools_fips.inc new file mode 100644 index 000..d5f6435 --- /dev/null +++ b/recipes-support/rng-tools/rng-tools_fips.inc @@ -0,0 +1,2 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/rng-tools:" + -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
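Review bot: rng-tools_fips.inc only prepends FILESEXTRAPATHS; the layer's `default` file takes effect only because the oe-core rng-tools recipe already lists file://default in SRC_URI and installs it, so this silently shadows oe-core's copy and stops working without notice if oe-core renames the file. State that dependency (and the oe-core revision the file was copied from) in the commit message. The .inc also ends in a stray blank line, and `FIPSINC_class-target` could use `bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', 'rng-tools_fips.inc', '', d)` to match the idiom conf/layer.conf uses in 6/15.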
[yocto] [meta-openssl102-fips][PATCH 10/15] openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode
Run sshd_check_keys failed: ... 2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]: generating ssh ED25519 host key... 2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode ... If fips mode enabled (existence of "/etc/system-fips"), don't generate ED25519 host keys in FIPS mode Refers Fedora: https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35 https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b Signed-off-by: Hongxu Jia --- recipes-connectivity/openssh/openssh/sshd_check_keys | 4 1 file changed, 4 insertions(+) diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys index 1931dc7..338531d 100644 --- a/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -71,6 +71,10 @@ for key in ${HOST_KEYS} ; do generate_key $key ecdsa ;; *_ed25519_key) +FIPS=/etc/system-fips +if [[ -r "$FIPS" ]]; then +continue +fi echo " generating ssh ED25519 host key..." generate_key $key ed25519 ;; -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
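Review bot: `if [[ -r "$FIPS" ]]` is a bash construct, but sshd_check_keys is a `#! /bin/sh` script (see 9/15); dash has no `[[`, so the test is run as a command that is not found, the condition is false, and the script falls through and tries to generate the ED25519 key, which is exactly the failure this commit is meant to avoid. Use `[ -r "$FIPS" ]`, or `[ -e "$FIPS" ]` to match the `access(..., F_OK)` existence test the 8/15 openssh patch applies to the same file, so both sides agree on when FIPS mode is on. `FIPS=/etc/system-fips` is assigned inside the loop body; hoist it next to SYSCONFDIR. Skipping silently also means an sshd_config that names ssh_host_ed25519_key will log a missing key on every start, so an `echo " skipping ED25519 host key in FIPS mode"` before the `continue` would make the boot log self-explanatory.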
[yocto] [meta-openssl102-fips][PATCH 6/15] kernel: enable fips mode
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode by specifying fips=1 as kernel parameter. [1][2] /proc/sys/crypto/fips_enabled, that is presumably used by the Red Hat modified version of OpenSSL.[3] [1] https://www.linux.org/docs/man8/fipscheck.html [2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html [3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html Signed-off-by: Hongxu Jia --- classes/fips_kernel.bbclass| 4 conf/layer.conf| 4 recipes-kernel/linux/files/crypto_fips.cfg | 3 +++ recipes-kernel/linux/files/crypto_fips.scc | 1 + 4 files changed, 12 insertions(+) create mode 100644 classes/fips_kernel.bbclass create mode 100644 recipes-kernel/linux/files/crypto_fips.cfg create mode 100644 recipes-kernel/linux/files/crypto_fips.scc diff --git a/classes/fips_kernel.bbclass b/classes/fips_kernel.bbclass new file mode 100644 index 000..064088f --- /dev/null +++ b/classes/fips_kernel.bbclass @@ -0,0 +1,4 @@ +FILESEXTRAPATHS_prepend := "${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:" +SRC_URI_append = " \ +file://crypto_fips.scc \ +" diff --git a/conf/layer.conf b/conf/layer.conf index 27a872e..b64c036 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -18,3 +18,7 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \ meta-openssl-one-zero-two \ wr-template \ " + +LAYER_PATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}" + +KERNEL_CLASSES_append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ' fips_kernel', '',d)}" diff --git a/recipes-kernel/linux/files/crypto_fips.cfg b/recipes-kernel/linux/files/crypto_fips.cfg new file mode 100644 index 000..cffdc02 --- /dev/null +++ b/recipes-kernel/linux/files/crypto_fips.cfg @@ -0,0 +1,3 @@ +CONFIG_CRYPTO_FIPS=y +CONFIG_MODULE_SIG=y +# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set diff --git a/recipes-kernel/linux/files/crypto_fips.scc b/recipes-kernel/linux/files/crypto_fips.scc new file mode 100644 index 000..f64380a --- /dev/null 
+++ b/recipes-kernel/linux/files/crypto_fips.scc @@ -0,0 +1 @@ +kconf non-hardware crypto_fips.cfg -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
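Review bot: crypto_fips.cfg sets CONFIG_MODULE_SIG=y but nothing here chooses a hash or key (CONFIG_MODULE_SIG_SHA256, CONFIG_MODULE_SIG_KEY) or CONFIG_MODULE_SIG_FORCE, and with fips_enabled the kernel panics on a module whose signature does not verify; either complete the signing configuration in the fragment or say in the commit message that all modules must be signed once fips=1 is used. fips_kernel.bbclass is attached via KERNEL_CLASSES to whatever kernel recipe is selected, yet .scc/.cfg fragments are only processed by kernel-yocto based recipes, so state that assumption in the class (or guard on it). The commit message's second sentence has lost its subject ("/proc/sys/crypto/fips_enabled, that is presumably used by ...") and should say that the sysctl is how user space reads the mode.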
[yocto] [meta-openssl102-fips][PATCH 8/15] openssh: conditional enable fips mode
Enable fips mode according to the existence of "/etc/system-fips" Signed-off-by: Hongxu Jia --- .../0001-conditional-enable-fips-mode.patch| 63 ++ recipes-connectivity/openssh/openssh_fips.inc | 1 + 2 files changed, 64 insertions(+) create mode 100644 recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch new file mode 100644 index 000..b47e184 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch @@ -0,0 +1,63 @@ +From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Sun, 22 Sep 2019 14:31:51 +0800 +Subject: [PATCH] conditional enable fips mode + +Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke, +enable fips mode according to the existence of "/etc/system-fips" + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia +--- + xmalloc.c | 24 + 1 file changed, 24 insertions(+) + +diff --git a/xmalloc.c b/xmalloc.c +index 5cc0310..0218ccd 100644 +--- a/xmalloc.c b/xmalloc.c +@@ -23,12 +23,20 @@ + #include + #include + ++#include ++#include ++#include ++ + #include "xmalloc.h" + #include "log.h" + ++void ssh_enable_fips_mode(void); ++ + void + ssh_malloc_init(void) + { ++ ssh_enable_fips_mode(); ++ + #if defined(__OpenBSD__) + extern char *malloc_options; + +@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...) + + return (i); + } ++ ++void ++ssh_enable_fips_mode(void) ++{ ++if (access("/etc/system-fips", F_OK) == 0) { ++if (!FIPS_mode_set(1)) { ++/* make sure the error stack is available for some hint as ++ * to why this operation failed ++ */ ++ERR_load_crypto_strings(); ++ERR_print_errors_fp(stdout); ++fatal("FIPS_mode_set(): failed to enter FIPS mode!\n"); ++exit(1); ++} ++} ++} +-- +2.7.4 + 
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc index df84c39..33a84c9 100644 --- a/recipes-connectivity/openssh/openssh_fips.inc +++ b/recipes-connectivity/openssh/openssh_fips.inc @@ -5,6 +5,7 @@ DEPENDS += " \ " SRC_URI += " \ file://0001-openssh-8.0p1-fips.patch \ +file://0001-conditional-enable-fips-mode.patch \ " do_install_append() { -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
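Review bot: in ssh_enable_fips_mode, `fatal()` does not return, so the `exit(1)` after it is dead code; drop it. The error dump goes to stdout (`ERR_print_errors_fp(stdout)`), but for ssh, stdout can be the data channel (for example under ProxyCommand), and for sshd it is not a log; use stderr. The check keys FIPS mode solely off the existence of /etc/system-fips (`access(..., F_OK)`), independent of the kernel's fips_enabled, while the 13/15 README presents the two as one mode; either consult both here or state the rule in the README. Note also that the same file is tested with `-r` in 10/15's sshd_check_keys, so an unreadable marker would turn FIPS on for sshd but not for the key generator.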
[yocto] [meta-openssl102-fips][PATCH 7/15] kernel: workaround alg self-tests failure in fips mode
While kernel enable fips mode, it start alg self-test, and there is a kernel panic at ecdh-generic ... [0.311313] alg: ecdh: test failed on vector 2, err=-14 [0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode! ... Continue without Jitter RNG for fips to workaround alg self-tests failure, after applying the fix: ... [0.306633] DRBG: Continuing without Jitter RNG [0.310550] alg: self-tests for ecdh-generic (ecdh) passed ... Refer: https://lore.kernel.org/patchwork/patch/568693/ Signed-off-by: Hongxu Jia --- .../0001-fips-continuing-without-Jitter-RNG.patch | 34 ++ recipes-kernel/linux/files/crypto_fips.scc | 1 + 2 files changed, 35 insertions(+) create mode 100644 recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch diff --git a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch new file mode 100644 index 000..140d6a1 --- /dev/null +++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch 
@@ -0,0 +1,34 @@ +From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Sun, 22 Sep 2019 10:57:02 +0800 +Subject: [PATCH] fips: continuing without Jitter RNG + +Continue without Jitter RNG for fips to workaround alg self-tests failure +... +[0.311313] alg: ecdh: test failed on vector 2, err=-14 +[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode! +... + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia +--- + crypto/drbg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/drbg.c b/crypto/drbg.c +index b6929eb..d677da5 100644 +--- a/crypto/drbg.c b/crypto/drbg.c +@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, + if (IS_ERR(drbg->jent)) { + ret = PTR_ERR(drbg->jent); + drbg->jent = NULL; +- if (fips_enabled || ret != -ENOENT) ++ if (ret != -ENOENT) + goto free_everything; + pr_info("DRBG: Continuing without Jitter RNG\n"); + } +-- +2.7.4 + diff --git a/recipes-kernel/linux/files/crypto_fips.scc b/recipes-kernel/linux/files/crypto_fips.scc index f64380a..85f8f44 100644 --- a/recipes-kernel/linux/files/crypto_fips.scc +++ b/recipes-kernel/linux/files/crypto_fips.scc @@ -1 +1,2 @@ kconf non-hardware crypto_fips.cfg +patch 0001-fips-continuing-without-Jitter-RNG.patch -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
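Review bot: removing `fips_enabled ||` from the condition relaxes the Jitter RNG requirement for every DRBG instantiation in FIPS mode, not only for the early-boot ecdh self-test that the commit message identifies as the trigger; after this change any `-ENOENT` from the jitterentropy allocation, at any point and for any reason, is accepted with just the `pr_info("DRBG: Continuing without Jitter RNG\n")`, and the DRBG seeds from the kernel RNG alone. If the real problem is ordering (the cover letter says the jitterentropy_rng self-test passes later in boot), confine the relaxation to that window, for instance by permitting the fallback only while the boot-time self-tests are running and keeping the `fips_enabled` check afterwards, or by fixing the test order. If the global fallback is the intended behaviour, the commit message should state plainly that the FIPS-mode DRBG no longer requires the Jitter RNG as a seed source, because that is a policy change rather than a test workaround.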
[yocto] [meta-openssl102-fips][PATCH 3/15] fipscheck: add generation of the checksums in pkg_postinst
Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70 Signed-off-by: Hongxu Jia --- recipes-connectivity/openssh/fipscheck_1.5.0.bb | 18 ++ 1 file changed, 18 insertions(+) diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb b/recipes-connectivity/openssh/fipscheck_1.5.0.bb index 68051d2..0a06bd3 100644 --- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb +++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb @@ -27,4 +27,22 @@ EXTRA_OECONF += " \ EXTRA_OEMAKE += " \ -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \ " +do_install_append() { +install -d ${D}${libdir}/fipscheck +} +inherit qemu + +pkg_postinst_${PN} () { +if [ -n "$D" ]; then +${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \ +-d $D${libdir}/fipscheck $D${bindir}/fipscheck $D${libdir}/libfipscheck.so.1.2.1 && \ +ln -s libfipscheck.so.1.2.1.hmac $D${libdir}/fipscheck/libfipscheck.so.1.hmac +else +${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/fipscheck \ +${libdir}/libfipscheck.so.1.2.1 && \ +ln -s libfipscheck.so.1.2.1.hmac ${libdir}/fipscheck/libfipscheck.so.1.hmac +fi +} + +FILES_${PN} += "${libdir}/fipscheck" -- 2.7.4
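Review bot: the postinst hard-codes `libfipscheck.so.1.2.1` in three places, so a PV or libtool-version bump silently points fipshmac at a file that no longer exists and the hook fails; derive the name once (for example `readlink $D${libdir}/libfipscheck.so.1`) or keep it in a single variable next to the recipe version. The `ln -s libfipscheck.so.1.2.1.hmac ... libfipscheck.so.1.hmac` has no `-f`, so re-running the postinst on a package upgrade or reinstall fails on the existing link; use `ln -sf`. Two smaller points: the `.hmac` files are created outside packaging, so `FILES_${PN} += "${libdir}/fipscheck"` owns only the empty directory and the checksums are neither tracked nor removed with the package; and the `if [ -n "$D" ]` / `else` pair is repeated verbatim in the openssh hooks of patch 5/15, so a shared helper would keep the two in step.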
[yocto] [meta-openssl102-fips][PATCH 5/15] openssh: add generation of HMAC checksums in pkg_postinst
Refer https://src.fedoraproject.org/rpms/openssh/c/d93958db19129e0f4615865eab22fb36e1f4fb8a Signed-off-by: Hongxu Jia --- recipes-connectivity/openssh/openssh_fips.inc | 26 ++ 1 file changed, 26 insertions(+) diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc index 99a3482..df84c39 100644 --- a/recipes-connectivity/openssh/openssh_fips.inc +++ b/recipes-connectivity/openssh/openssh_fips.inc @@ -6,3 +6,29 @@ DEPENDS += " \ SRC_URI += " \ file://0001-openssh-8.0p1-fips.patch \ " + +do_install_append() { +install -d ${D}${libdir}/fipscheck +} + +inherit qemu + +pkg_postinst_append_${PN}-ssh () { +if [ -n "$D" ]; then +${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \ +-d $D${libdir}/fipscheck $D${bindir}/ssh.${BPN} +else +${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/ssh.${BPN} +fi +} + +pkg_postinst_append_${PN}-sshd () { +if [ -n "$D" ]; then +${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \ +-d $D${libdir}/fipscheck $D${sbindir}/sshd +else +${bindir}/fipshmac -d ${libdir}/fipscheck ${sbindir}/sshd +fi +} + +FILES_${PN} += "${libdir}/fipscheck" -- 2.7.4
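Review bot: checksums are generated for `ssh.${BPN}` and `sshd` only, while the Makefile.in hunk in patch 2/15 also links -lfipscheck into ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan; either those binaries never call the integrity check, in which case the commit message should say so, or they need `.hmac` files as well. Naming the checksum after `ssh.${BPN}` is right only because libfipscheck resolves the running executable through /proc/self/exe, so the alternatives link /usr/bin/ssh -> ssh.${BPN} is verified under the target's name; that deserves a comment, since a reader will expect `ssh.hmac`. The `else` branch runs `${bindir}/fipshmac` on the target at first boot, but nothing here gives ${PN}-ssh or ${PN}-sshd a runtime dependency on the package that ships fipshmac (DEPENDS is build-time only); if that is not set elsewhere, add an RDEPENDS.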
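The checksum hooks in this message and in patch 3/15 (fipscheck) rely on fipshmac writing one `<name>.hmac` file per binary and on libfipscheck recomputing it at startup. The model below is an added example, not code from fipscheck or from this series: it writes the `.hmac` files the way `fipshmac -d DIR FILE...` does, then verifies a binary the way the library's self-check does, resolving the executable's real path first, which is why the hook hashes `ssh.${BPN}` rather than `ssh`. Assumptions: fipscheck's HMAC key is a fixed constant compiled into the library, and the value used here is a placeholder, not that key; the sample "binaries" and the `usr/lib/fipscheck` layout are constructed in a temporary directory.

```python
"""Model of the fipshmac / fipscheck flow behind the pkg_postinst hooks.

Added example, not fipscheck's or the patch series' code. It produces the
DIR/<basename>.hmac files that `fipshmac -d DIR FILE...` writes and verifies
a binary the way libfipscheck's self-check does: resolve the real path of the
executable (ssh -> ssh.openssh), look up DIR/<basename>.hmac, recompute the
HMAC-SHA256 and compare. A missing or mismatched file fails closed.
"""
import hashlib
import hmac
import os
import tempfile

# fipscheck compiles a fixed key into the library; this is a placeholder
# (assumption: not the real value), which is enough to show the mechanism.
FIXED_KEY = b"placeholder-fipscheck-key"


def file_hmac(path):
    """Hex HMAC-SHA256 of a file's contents under the fixed key."""
    mac = hmac.new(FIXED_KEY, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def fipshmac(checksum_dir, *files):
    """Model of `fipshmac -d checksum_dir FILE...`; returns the paths written."""
    os.makedirs(checksum_dir, exist_ok=True)
    written = []
    for path in files:
        out = os.path.join(checksum_dir, os.path.basename(path) + ".hmac")
        with open(out, "w") as f:
            f.write(file_hmac(path) + "\n")
        written.append(out)
    return written


def fipscheck_verify(exe_path, checksum_dir):
    """Model of the library's self-check for the binary at exe_path.

    libfipscheck reads /proc/self/exe, so an alternatives symlink such as
    /usr/bin/ssh -> ssh.openssh is verified under the link target's name.
    """
    real = os.path.realpath(exe_path)
    hmac_file = os.path.join(checksum_dir, os.path.basename(real) + ".hmac")
    try:
        with open(hmac_file) as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(expected, file_hmac(real))


def demo():
    """Constructed layout: ssh.openssh behind an 'ssh' link, sshd, ssh-keygen."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    checksum_dir = os.path.join(root, "usr", "lib", "fipscheck")
    os.makedirs(bindir)
    for name, body in (("ssh.openssh", b"ssh client image"),
                       ("sshd", b"sshd image"),
                       ("ssh-keygen", b"keygen image")):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(body)
    # update-alternatives style link, as the openssh recipe installs it
    os.symlink("ssh.openssh", os.path.join(bindir, "ssh"))

    # What the two postinst hooks do: checksums for ssh.openssh and sshd only.
    fipshmac(checksum_dir, os.path.join(bindir, "ssh.openssh"),
             os.path.join(bindir, "sshd"))

    results = {
        "ssh_via_symlink": fipscheck_verify(os.path.join(bindir, "ssh"), checksum_dir),
        "sshd": fipscheck_verify(os.path.join(bindir, "sshd"), checksum_dir),
        "ssh-keygen_no_hmac": fipscheck_verify(os.path.join(bindir, "ssh-keygen"), checksum_dir),
    }
    # Modify sshd after the checksum was generated: verification must fail.
    with open(os.path.join(bindir, "sshd"), "ab") as f:
        f.write(b"\x90")
    results["sshd_modified"] = fipscheck_verify(os.path.join(bindir, "sshd"), checksum_dir)
    # Whoever can write the binary can also rewrite the .hmac with the same key.
    fipshmac(checksum_dir, os.path.join(bindir, "sshd"))
    results["sshd_modified_and_rehashed"] = fipscheck_verify(os.path.join(bindir, "sshd"), checksum_dir)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it as a script to print the five verdicts. The last two entries are the caveat a practitioner should keep in mind: because the key is fixed and public, the `.hmac` detects accidental corruption of the binary but not an attacker who can write to it, since they can regenerate the checksum with the same key; protection against tampering has to come from the package manager and the file system, not from fipscheck.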
[yocto] [meta-openssl102-fips][PATCH 4/15] fipscheck: enable fipscheck on target
Refer to Fedora/RedHat's way: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut Signed-off-by: Hongxu Jia --- recipes-connectivity/openssh/fipscheck_1.5.0.bb | 4 1 file changed, 4 insertions(+) diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb b/recipes-connectivity/openssh/fipscheck_1.5.0.bb index 0a06bd3..23a4123 100644 --- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb +++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb @@ -28,6 +28,10 @@ EXTRA_OEMAKE += " \ -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \ " do_install_append() { +# Is't the fedora way to enable fipscheck +install -d ${D}${sysconfdir} +touch ${D}${sysconfdir}/system-fips + install -d ${D}${libdir}/fipscheck } -- 2.7.4
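Review bot: creating `${sysconfdir}/system-fips` in do_install puts the file in the fipscheck package, so installing the library switches FIPS mode on for everything that tests for the file (the openssh hook in this series calls FIPS_mode_set(1) whenever it exists); in the referenced Fedora/RHEL setup the file is created by dracut-fips, not by fipscheck, and enabling it is a deliberate step. Move the file into its own package, or behind a DISTRO_FEATURES or image-level switch, so FIPS mode is opted into rather than inherited from a dependency, and list it in `CONFFILES_${PN}` so an administrator who deletes it to disable FIPS does not get it back on the next package upgrade. The comment has a typo: "Is't" should read "It's".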
[yocto] Review request 0/15: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH
Hi Mark,

I apply a kernel patch to work around the alg self-tests failure: the test runs too early and the Jitter RNG is not ready at that time. The later alg self-test for jitterentropy_rng passes, so I think the `Continuing without Jitter RNG' workaround is OK.

== Testing ==
* Commands
See README.build README.enable_fips README.openssh_cavstest
* Expected Results
README.build README.enable_fips README.openssh_cavstest
[yocto] [meta-openssl102-fips][PATCH 2/15] openssh_8.%.bbappend: support fips 140-2
Signed-off-by: Hongxu Jia --- .../openssh/openssh/0001-openssh-8.0p1-fips.patch | 528 + recipes-connectivity/openssh/openssh_8.%.bbappend | 4 + recipes-connectivity/openssh/openssh_fips.inc | 8 + 3 files changed, 540 insertions(+) create mode 100644 recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch create mode 100644 recipes-connectivity/openssh/openssh_8.%.bbappend create mode 100644 recipes-connectivity/openssh/openssh_fips.inc diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch new file mode 100644 index 000..fd0a411 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch 
@@ -0,0 +1,528 @@ +From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Fri, 20 Sep 2019 17:59:00 +0800 +Subject: [PATCH] openssh 8.0p1 fips + +Port openssh-7.7p1-fips.patch from Fedora +https://src.fedoraproject.org/rpms/openssh.git + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia +--- + Makefile.in | 14 +++--- + cipher-ctr.c | 3 ++- + clientloop.c | 3 ++- + dh.c | 40 + dh.h | 1 + + kex.c| 5 - + kexgexc.c| 5 + + myproposal.h | 40 + readconf.c | 17 + + sandbox-seccomp-filter.c | 3 +++ + servconf.c | 19 ++- + ssh-keygen.c | 6 ++ + ssh.c| 16 + sshconnect2.c| 11 --- + sshd.c | 19 +++ + sshkey.c | 4 + 16 files changed, 176 insertions(+), 30 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index 6f001bb..ddd1804 100644 +--- a/Makefile.in b/Makefile.in +@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS) + $(RANLIB) $@ + + ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) ++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o +- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o +- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat 
-lfipscheck $(LIBS) + + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o +- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o +- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o +- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +diff --git a/cipher-ctr.c b/cipher-ctr.c +index 32771f2..74fac3b 100644 +--- a/cipher-ctr.c b/cipher-ctr.c +@@ -138,7 +138,8 @@ evp_aes_128_ctr(void) + aes_ctr.do_cipher = ssh_aes_ctr; + #ifndef SSH_OLD_EVP + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; ++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | ++ EVP_CIPH_FLAG_FIPS; + #endif + return (_ctr); + } +diff --git a/clientloop.c b/clientloop.c
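Review bot: `-lfipscheck` is pasted into seven link lines (ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keysign, ssh-keyscan) while scp, sftp-server and ssh-pkcs11-helper are left out, and nothing records why that is the dividing line. Define it once near the top of Makefile.in (for example `LIBFIPSCHECK = -lfipscheck`) and reference that in the link lines, and state in the commit message which binaries actually invoke the integrity check, since the postinst in patch 5/15 only generates checksums for ssh and sshd. Because the flag is unconditional, these binaries fail to link wherever libfipscheck is absent; for an OE-only patch that is acceptable, but it belongs in the commit message rather than being implied.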
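Review bot: adding `EVP_CIPH_FLAG_FIPS` to the cipher flags declares OpenSSH's own AES-CTR EVP wrapper acceptable to OpenSSL's FIPS-mode checks; that follows Fedora, but the commit message should say that this is a self-assertion about a counter-mode construction living in OpenSSH, not something the FIPS module validates. Please also confirm the hunk is live in this build: cipher-ctr.c is only compiled when OpenSSH's configure does not find OpenSSL's own EVP CTR ciphers (the OPENSSL_HAVE_EVPCTR check), which a 1.0.2-based OpenSSL normally provides, and if the file is compiled out the flag changes nothing. The clientloop.c hunk that follows is cut off in this copy of the mail and is not reviewed here.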
[yocto] [meta-openssl102-fips][PATCH 1/15] fipscheck: add 1.5.0
Port it from fedora: https://src.fedoraproject.org/rpms/fipscheck It is required by openssh fips. Signed-off-by: Hongxu Jia --- .../0001-compat-fip-with-openssl-1.0.2.patch | 34 ++ recipes-connectivity/openssh/fipscheck_1.5.0.bb| 30 +++ templates/feature/openssl-fips/template.conf | 2 +- 3 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch create mode 100644 recipes-connectivity/openssh/fipscheck_1.5.0.bb diff --git a/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch new file mode 100644 index 000..22e5a62 --- /dev/null +++ b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch @@ -0,0 +1,34 @@ +From 3147ae2a63f10f9bbdd0a617b450ff8b9868e60f Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Fri, 20 Sep 2019 17:51:09 +0800 +Subject: [PATCH] compat fip with openssl 1.0.2 + +In /usr/lib64/ssl/fips-2.0/include/openssl/opensslv.h +... +define OPENSSL_VERSION_NUMBER 0x1010L +... +Since fips include file compat with openssl 1.1.0, do not include it +in Yocto + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia +--- + src/filehmac.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/filehmac.c b/src/filehmac.c +index a8eef00..0b36cec 100644 +--- a/src/filehmac.c b/src/filehmac.c +@@ -41,7 +41,6 @@ + #include + + #if defined(WITH_OPENSSL) +-#include + #include + #include + #elif defined(WITH_NSS) +-- +2.7.4 + diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb b/recipes-connectivity/openssh/fipscheck_1.5.0.bb new file mode 100644 index 000..68051d2 --- /dev/null +++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb 
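Review bot: the hunk deletes a single `#include` under `#if defined(WITH_OPENSSL)`, but the commit message only says that the fips-2.0 opensslv.h reports 0x1010L and that the header is therefore "not included in Yocto"; name the header being dropped and the symbols filehmac.c needed from it (and where they now come from), otherwise the next person bumping fipscheck or openssl-fips cannot tell whether the patch is still required. If the include only failed because the fips-2.0 include directory is not actually on the compiler's search path (the recipe passes the `-I` through EXTRA_OEMAKE, which reaches make rather than the compiler), the right fix is in the recipe and this patch may be unnecessary.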
@@ -0,0 +1,30 @@ +SUMMARY = "A library for integrity verification of FIPS validated modules" +DESCRIPTION = "FIPSCheck is a library for integrity verification of FIPS validated \ +modules. The package also provides helper binaries for creation and \ +verification of the HMAC-SHA256 checksum files." +HOMEPAGE = "https://pagure.io/fipscheck; +SECTION = "libs/network" + +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=35f2904ce138ac5fa63e7cedf96bbedf" + +SRC_URI = "https://releases.pagure.org/fipscheck/${BPN}-${PV}.tar.bz2 \ + file://0001-compat-fip-with-openssl-1.0.2.patch \ +" +SRC_URI[md5sum] = "86e756a7d2aa15f3f91033fb3eced99b" +SRC_URI[sha256sum] = "7ba38100ced187f44b12dd52c8c74db8f366a2a8b9da819bd3e7c6ea17f469d5" + +DEPENDS = " \ +openssl \ +openssl-fips \ +" + +inherit autotools pkgconfig + +EXTRA_OECONF += " \ +--disable-static \ +" +EXTRA_OEMAKE += " \ +-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \ +" + diff --git a/templates/feature/openssl-fips/template.conf b/templates/feature/openssl-fips/template.conf index 6da678c..9a551c3 100644 --- a/templates/feature/openssl-fips/template.conf +++ b/templates/feature/openssl-fips/template.conf @@ -8,4 +8,4 @@ OPENSSL_FIPS_PREBUILT ??= "" PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips' PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips-example' - +PNWHITELIST_meta-openssl-one-zero-two-fips += 'fipscheck' -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
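Review bot: `EXTRA_OEMAKE += " -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include "` hands `-I` to make itself, where it is the search path for `include`d makefiles and not a compiler option, so the fips-2.0 headers never reach the preprocessor's include path; put the flag in `CFLAGS` (or `CPPFLAGS`) instead, e.g. `CFLAGS += "-I${STAGING_LIBDIR}/ssl/fips-2.0/include"`. Check the variable too: this is a target recipe with openssl-fips in DEPENDS, so that dependency's headers are staged under ${STAGING_LIBDIR} in the recipe sysroot, whereas ${STAGING_LIBDIR_NATIVE} is the native sysroot; if the native path is intentional (for instance because openssl-fips only stages its headers natively), a comment should say so. Minor: `SECTION = "libs/network"` for a library with no networking role should probably be `libs`.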