Re: [yocto] QA notification for completed autobuilder build (yocto-2.8_M3.rc1)

2019-09-22 Thread Jain, Sangeeta
Hello All,

Intel and WR YP QA is planning QA execution for the YP build yocto-2.8_M3.rc1.
We are planning to execute the following tests for this cycle:

OEQA manual tests for the following modules:
1. OE-Core
2. BSP-hw
3. BSP-Qemu

Runtime auto tests for the following platforms:
1. MinnowTurbot 32-bit
2. Coffee Lake
3. NUC 7
4. NUC 6
5. Edgerouter
6. MPC8315e-rdb
7. Beaglebone

ETA for completion is next Thursday, September 26.

Thanks & Regards,
Sangeeta Jain

>-Original Message-
>From: pokybu...@ubuntu1804-ty-1.yocto.io [mailto:pokybuild@ubuntu1804-ty-
>1.yocto.io]
>Sent: Friday, September 20, 2019 1:01 PM
>To: yocto@yoctoproject.org
>Cc: ota...@ossystems.com.br; yi.z...@windriver.com; Sangal, Apoorv
>; Yeoh, Ee Peng ; Chan,
>Aaron Chun Yew ; Ang, Chin Huat
>; richard.pur...@linuxfoundation.org;
>akuster...@gmail.com; sjolley.yp...@gmail.com; Jain, Sangeeta
>
>Subject: QA notification for completed autobuilder build (yocto-2.8_M3.rc1)
>
>
>A build flagged for QA (yocto-2.8_M3.rc1) was completed on the autobuilder and
>is available at:
>
>
>https://autobuilder.yocto.io/pub/releases/yocto-2.8_M3.rc1
>
>
>Build hash information:
>
>bitbake: 797354d285f6d624d9adb52bab65823572da0e39
>meta-gplv2: 1e2480e50f34e55bdfd5e06f98441e03a3752d5a
>meta-intel: 655dfaec95196b9c0e15d34f490e4a51a7d501e3
>meta-mingw: 9df4e115ab9a7ab23f81fdbcc62b2a0269d6377f
>oecore: 95ad5626296380358c8a502a3e04879dab653d78
>poky: 81f9e815d36848761a9dfa94b00ad998bb39a4a6
>
>
>
>This is an automated message from the Yocto Project Autobuilder
>Git: git://git.yoctoproject.org/yocto-autobuilder2
>Email: richard.pur...@linuxfoundation.org
>
>
>

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-security][PATCH] apparmor: suppress appending of installation to perllocal.pod

2019-09-22 Thread Naveen Saini
Perl modules, when installed, can produce a perllocal.pod
file documenting the list of locally installed perl modules.
This can conflict if multiple packages generate the file.

This hits the conflict with the apparmor & rrdtool packages.
Error: Transaction check error:
  file /usr/lib/perl5/5.30.0/x86_64-linux/perllocal.pod conflicts between 
attempted installs of rrdtool-1.7.2-r0.corei7_64 and 
apparmor-2.13.3-r0.corei7_64

perllocal.pod files are for documentation purposes, so
disabling them does no harm. Generating perllocal.pod for a perl
module is disabled by passing NO_PERLLOCAL=1
to the ExtUtils::MakeMaker utility.

https://perldoc.perl.org/5.30.0/ExtUtils/MakeMaker.html#Using-Attributes-and-Parameters

[YOCTO #13491]

Signed-off-by: Naveen Saini 
---
 recipes-mac/AppArmor/apparmor_2.13.3.bb   |  1 +
 ...1-Makefile.am-suppress-perllocal.pod.patch | 28 +++
 2 files changed, 29 insertions(+)
 create mode 100644 
recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch

diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb 
b/recipes-mac/AppArmor/apparmor_2.13.3.bb
index 8484404..2e5d221 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -21,6 +21,7 @@ SRC_URI = " \
file://functions \
file://apparmor \
file://apparmor.service \
+   file://0001-Makefile.am-suppress-perllocal.pod.patch \
file://run-ptest \
"
 
diff --git 
a/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch 
b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch
new file mode 100644
index 000..9807be1
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch
@@ -0,0 +1,28 @@
+From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001
+From: Naveen Saini 
+Date: Fri, 20 Sep 2019 18:53:53 +0800
+Subject: [PATCH] Makefile.am: suppress perllocal.pod
+
+Upstream-Status: Inappropriate [OE-Specific]
+
+Signed-off-by: Naveen Saini 
+---
+ libraries/libapparmor/swig/perl/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libapparmor/swig/perl/Makefile.am 
b/libraries/libapparmor/swig/perl/Makefile.am
+index 6ae4e30c..be00dc7f 100644
+--- a/libraries/libapparmor/swig/perl/Makefile.am
 b/libraries/libapparmor/swig/perl/Makefile.am
+@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm
+ LibAppArmor.pm: libapparmor_wrap.c
+ 
+ Makefile.perl: Makefile.PL LibAppArmor.pm
+-  $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
++  $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1
+   sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl
+   sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
+ 
+-- 
+2.17.1
+
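Review bot: Upstream-Status: Inappropriate [OE-Specific] undersells this change; passing NO_PERLLOCAL=1 to Makefile.PL only stops ExtUtils::MakeMaker from appending to perllocal.pod, which any distribution packaging libapparmor's Perl bindings would want, so Upstream-Status: Pending (or Submitted once sent to the AppArmor list) with the file-conflict text from the commit message would let the patch be dropped when upstream takes it. The context lines also show `sed -ie ...` on Makefile.perl; GNU sed reads `-ie` as `-i` with backup suffix `e` and leaves a stray Makefile.perle behind, which is worth a separate `sed -i -e` fix.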
-- 
2.17.1


[yocto] [meta-openssl102-fips][PATCH 14/15] openssh: add CAVS tests for FIPS validation

2019-09-22 Thread Hongxu Jia
Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
and the SSH KDF CAVS test driver [2]

[1] 
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
[2] 
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch

Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh-6.6p1-ctr-cavstest.patch   | 289 +
 .../openssh/openssh/openssh-6.7p1-kdf-cavs.patch   | 654 +
 recipes-connectivity/openssh/openssh_fips.inc  |   9 +
 3 files changed, 952 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
 create mode 100644 
recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch

diff --git 
a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch 
b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
new file mode 100644
index 000..038efa0
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -0,0 +1,289 @@
+From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 21:32:18 +0800
+Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers
+
+Original submission to Fedora, see:
+   
https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html
+
+this version download from:
+   
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
+   (as of commit 991b66246f5151884b63c6d1232610a4569642a5)
+
+Makefile.in slightly modified for integration
+
+This is the makefile.in change for the normal configuration.
+
+Signed-off-by: Mark Hatle 
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Hongxu Jia 
+---
+ Makefile.in|   7 +-
+ ctr-cavstest.c | 215 +
+ 2 files changed, 221 insertions(+), 1 deletion(-)
+ create mode 100644 ctr-cavstest.c
+
+diff --git a/Makefile.in b/Makefile.in
+index ddd1804..cb34681 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
+ MKDIR_P=@MKDIR_P@
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ctr-cavstest$(EXEEXT)
+ 
+ XMSS_OBJS=\
+   ssh-xmss.o \
+@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o 
readconf.o uidswap.o c
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o 
ssh-pkcs11.o
+   $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ 
++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
++  $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+   $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
+ 
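Review bot: the new link rule for ctr-cavstest adds `-lfipscheck`, mirroring the ssh-keyscan rule in the context lines, but the commit message does not say whether the CAVS driver is itself meant to be fipscheck-verified at start-up or whether the library is only there because the line was copied; state which, since an unneeded link dependency on libfipscheck also has to be reflected in the recipe's DEPENDS.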
+@@ -343,6 +347,7 @@ install-files:
+   $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) 
$(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) 
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+   $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) 
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
++  $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) 
$(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
+   $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
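Review bot: the install rule writes to `$(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)` while the first hunk defines `CTR_CAVSTEST=$(libexecdir)/ctr-cavstest`; the neighbouring rules install through their variables (`$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)`, `$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)`), so either use `$(DESTDIR)$(CTR_CAVSTEST)$(EXEEXT)` here or drop the otherwise unused variable.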
+diff --git a/ctr-cavstest.c b/ctr-cavstest.c
+new file mode 100644
+index 000..0d4776b
+--- /dev/null
 b/ctr-cavstest.c
+@@ -0,0 +1,215 @@
++/*
++ *
++ * invocation (all of the following are equal):
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

++ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo 
aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
++ */
++
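Review bot: the usage comment states that the invocation without `--iv` equals the one with it but never says which IV is used when the option is absent; document that default. It should also say that `--key` and `--data` are CAVS known-answer vectors rather than operational key material, because this binary is installed into libexecdir on the target and anything passed in argv is visible to other users via ps.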

[yocto] [meta-openssl102-fips][PATCH 15/15] README.openssh_cavstest: add CAVS tests for FIPS validation

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 README.openssh_cavstest | 28 
 1 file changed, 28 insertions(+)
 create mode 100644 README.openssh_cavstest

diff --git a/README.openssh_cavstest b/README.openssh_cavstest
new file mode 100644
index 000..5d69ee5
--- /dev/null
+++ b/README.openssh_cavstest
@@ -0,0 +1,28 @@
+1. Install openssh-cavs to images
+$ echo "IMAGE_INSTALL += 'openssh-cavs'" >> conf/local.conf
+$ bitbake 
+
+2. Run tests on target
+1) ctr-cavstest
+invocation (all of the following are equal):
+./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode 
encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode 
encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

+echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr 
--key 987212980144b6a632e864031f52dacc --mode encrypt
+
+$ cd /usr/libexec
+$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+58E33554D51B0DD7A63F44B22381B1CA
+$ ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc 
--mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 

+58E33554D51B0DD7A63F44B22381B1CA
+$ echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr 
--key 987212980144b6a632e864031f52dacc --mode encrypt
+58E33554D51B0DD7A63F44B22381B1CA
+
+2) ssh-cavs
+$ cd /usr/libexec
+$ ./ssh-cavs -K 
0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4
 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s 
d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+Initial IV (client to server) = 4bb320d1679dfd3a
+Initial IV (server to client) = 43dea6fdf263a308
+Encryption key (client to server) = 
13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+Encryption key (server to client) = 
1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
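Review bot: the README shows outputs (58E33554D51B0DD7A63F44B22381B1CA, the KDF IVs and keys) but never states that they are the expected known-answer values, so a tester cannot tell a pass from a fail; label them as expected results and name the CAVS vector they come from. Step 1 uses `IMAGE_INSTALL += 'openssh-cavs'` in conf/local.conf, which the Yocto reference manual warns against because core-image.bbclass sets IMAGE_INSTALL with `?=`; `IMAGE_INSTALL_append = " openssh-cavs"` is the recommended form. The ssh-cavs options `-K`, `-H`, `-s`, `-i 8 -e 24 -m 20` are undocumented; one line each would make the KDF test reproducible for someone who has not read the driver source.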
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 13/15] README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode

2019-09-22 Thread Hongxu Jia
Refer to the RedHat/Fedora/SUSE/Oracle/IBM ways:

1. Add `fips=1' to the kernel options to enable FIPS mode in the kernel

2. The file /etc/system-fips determines whether FIPS mode is enabled in user space,
currently openssh only

Refer:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://access.redhat.com/discussions/3293631
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html

Signed-off-by: Hongxu Jia 
---
 README.enable_fips | 56 ++
 1 file changed, 56 insertions(+)
 create mode 100644 README.enable_fips

diff --git a/README.enable_fips b/README.enable_fips
new file mode 100644
index 000..8016346
--- /dev/null
+++ b/README.enable_fips
@@ -0,0 +1,56 @@
+To turn your system (kernel and user space) into FIPS mode, follow these steps:
+
+1. Enable FIPS mode in kernel:
+The `fips=1' kernel option needs to be added to the kernel command line so 
that key
+generation is done with FIPS approved algorithms and continuous monitoring 
tests in
+place:
+...
+[0.00] Linux version 5.3.0-yoctodev-standard (oe-user@oe-host) (gcc 
version 9.2.0 (GCC)) #1 SMP PREEMPT Sun Sep 22 07:03:58 UTC 2019
+[0.00] Command line: root=/dev/vda rw highres=off  console=ttyS0 fips=1
+[0.281178] alg: self-tests for rsa-generic (rsa) passed
+[0.283124] alg: self-tests for cipher_null-generic (cipher_null) passed
+[0.284199] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed
+[0.285596] alg: self-tests for sha1-generic (sha1) passed
+[0.287474] alg: self-tests for sha256-generic (sha256) passed
+[0.289138] alg: self-tests for sha224-generic (sha224) passed
+[0.290277] alg: self-tests for des3_ede-generic (des3_ede) passed
+[0.292005] alg: self-tests for aes-generic (aes) passed
+[0.294431] alg: self-tests for crc32c-generic (crc32c) passed
+[0.295046] alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed
+[0.296927] alg: self-tests for drbg_pr_hmac_sha384 (stdrng) passed
+[0.298001] alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed
+[0.301064] alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed
+[0.303057] alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed
+[0.304026] alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed
+[0.304999] alg: self-tests for drbg_nopr_hmac_sha384 (stdrng) passed
+[0.306001] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed
+[0.307377] alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed
+[0.311120] DRBG: Continuing without Jitter RNG
+[0.316952] alg: self-tests for ecdh-generic (ecdh) passed
+[0.996938] alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed
+[3.330824] alg: self-tests for cbc(aes-generic) (cbc(aes)) passed
+...
+
+Kernel FIPS mode verification
+You have two options:
+1) cat /proc/sys/crypto/fips_enabled
+2) sysctl crypto.fips_enabled
+
+NOTE: 1 indicates enabled, while 0 indicates disabled.
+
+
+2. Enable FIPS mode in user space (default yes)
+File /etc/system-fips to determine if a FIPS module is installed and
+FIPS mode is enabled
+
+1) openssh:
+- sshd
+2019-09-22T12:20:04.631097+00:00 qemux86-64 sshd[437]: FIPS mode initialized
+
+- ssh
+# ssh root@localhost
+FIPS mode initialized
+
+- ssh-keygen
+# ssh-keygen -A
+ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode
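Review bot: section 2 says user-space FIPS mode is "default yes" and keyed on /etc/system-fips, but the README never says which recipe creates that file or how an operator removes it to leave FIPS mode; add that. The kernel excerpt includes `DRBG: Continuing without Jitter RNG`, which is the behaviour introduced by the Jitter RNG workaround patch in this series, so tell the reader it is expected and not a failure. The `ssh-keygen -A` example ends at "DSA keys are not allowed in FIPS mode"; say whether the remaining host key types are still generated after that message.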
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 12/15] rng-tools: fix rngd failed in fips mode

2019-09-22 Thread Hongxu Jia
The FIPS test is something done in government or more security-conscious organizations
as an extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: 
enabled)
   Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
  Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, 
status=0/SUCCESS)
 Main PID: 317 (code=exited, status=0/SUCCESS)

Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not 
permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy 
source
...

From the rngd manual, add `-i' to the default
...
-i, --ignorefail
  Ignore repeated fips failures
...

After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: 
enabled)
   Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
 Main PID: 121 (rngd)
Tasks: 2
   Memory: 1.8M
   CGroup: /system.slice/rngd.service
   /usr/sbin/rngd -f -r /dev/hwrng -i

Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not 
permitted
...

Refer:
https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html

Signed-off-by: Hongxu Jia 
---
 recipes-support/rng-tools/rng-tools/default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-support/rng-tools/rng-tools/default 
b/recipes-support/rng-tools/rng-tools/default
index b9f8e03..1ae6b33 100644
--- a/recipes-support/rng-tools/rng-tools/default
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -1 +1 @@
-EXTRA_ARGS="-r /dev/hwrng"
+EXTRA_ARGS="-r /dev/hwrng -i"
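Review bot: `-i` (--ignorefail) disables rngd's response to repeated FIPS 140-2 statistical test failures, which is the mechanism that stops a faulty hardware source from being fed into the kernel pool, so this trades a safety check for an "active" service status; the post-fix output in the commit message still shows `RNDADDENTROPY failed: Operation not permitted`, meaning rngd keeps running but adds no entropy, and that EPERM is the thing to explain or fix. If `-i` stays, the commit message should say why ignoring FIPS failures is acceptable for `-r /dev/hwrng` on this qemux86-64 target.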
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 9/15] openssh: port sshd_check_keys from oe-core

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh/sshd_check_keys| 78 ++
 1 file changed, 78 insertions(+)
 create mode 100644 recipes-connectivity/openssh/openssh/sshd_check_keys

diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys 
b/recipes-connectivity/openssh/openssh/sshd_check_keys
new file mode 100644
index 000..1931dc7
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -0,0 +1,78 @@
+#! /bin/sh
+
+generate_key() {
+local FILE=$1
+local TYPE=$2
+local DIR="$(dirname "$FILE")"
+
+mkdir -p "$DIR"
+ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+
+# Atomically rename file public key
+mv -f "${FILE}.tmp.pub" "${FILE}.pub"
+
+# This sync does double duty: Ensuring that the data in the temporary
+# private key file is on disk before the rename, and ensuring that the
+# public key rename is completed before the private key rename, since we
+# switch on the existence of the private key to trigger key generation.
+# This does mean it is possible for the public key to exist, but be garbage
+# but this is OK because in that case the private key won't exist and the
+# keys will be regenerated.
+#
+# In the event that sync understands arguments that limit what it tries to
+# fsync(), we provided them. If it does not, it will simply call sync()
+# which is just as well
+sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
+
+mv "${FILE}.tmp" "$FILE"
+
+# sync to ensure the atomic rename is committed
+sync "$DIR"
+}
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+. /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+case "$1" in
+-f*) if [ "$1" = "-f" ] ; then
+sshd_config="$2"
+shift
+else
+sshd_config="${1#-f}"
+fi
+shift
+;;
+--) shift; break;;
+*) shift;;
+esac
+done
+
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key 
$SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+
+for key in ${HOST_KEYS} ; do
+[ -f $key ] && continue
+case $key in
+*_rsa_key)
+echo "  generating ssh RSA host key..."
+generate_key $key rsa
+;;
+*_ecdsa_key)
+echo "  generating ssh ECDSA host key..."
+generate_key $key ecdsa
+;;
+*_ed25519_key)
+echo "  generating ssh ED25519 host key..."
+generate_key $key ed25519
+;;
+esac
+done
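Review bot: generate_key never checks the exit status of `ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE`; if generation fails (the next patch in this series shows "ED25519 keys are not allowed in FIPS mode"), both `mv` commands then fail with their own errors and the loop carries on, so add `|| return 1` right after ssh-keygen and act on it in the caller. `$TYPE`, `$key` in `[ -f $key ]` and `$SYSCONFDIR` in `mkdir -p $SYSCONFDIR` are unquoted while `$FILE` and `$DIR` are quoted; quote them for consistency.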
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 11/15] rng-tools append: port default from oe-core

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 recipes-support/rng-tools/rng-tools/default  | 1 +
 recipes-support/rng-tools/rng-tools_6.%.bbappend | 4 
 recipes-support/rng-tools/rng-tools_fips.inc | 2 ++
 3 files changed, 7 insertions(+)
 create mode 100644 recipes-support/rng-tools/rng-tools/default
 create mode 100644 recipes-support/rng-tools/rng-tools_6.%.bbappend
 create mode 100644 recipes-support/rng-tools/rng-tools_fips.inc

diff --git a/recipes-support/rng-tools/rng-tools/default 
b/recipes-support/rng-tools/rng-tools/default
new file mode 100644
index 000..b9f8e03
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools/default
@@ -0,0 +1 @@
+EXTRA_ARGS="-r /dev/hwrng"
diff --git a/recipes-support/rng-tools/rng-tools_6.%.bbappend 
b/recipes-support/rng-tools/rng-tools_6.%.bbappend
new file mode 100644
index 000..c487175
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_6.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' 
else 'rng-tools_fips.inc'}"
+
+require ${FIPSINC}
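Review bot: the FIPSINC_class-target expression can be written as `${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', 'rng-tools_fips.inc', '', d)}`, the same idiom conf/layer.conf uses for KERNEL_CLASSES in patch 6/15 of this series; the `True` argument to d.getVar() is also redundant with current bitbake, where expansion is the default.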
diff --git a/recipes-support/rng-tools/rng-tools_fips.inc 
b/recipes-support/rng-tools/rng-tools_fips.inc
new file mode 100644
index 000..d5f6435
--- /dev/null
+++ b/recipes-support/rng-tools/rng-tools_fips.inc
@@ -0,0 +1,2 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/rng-tools:"
+
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 10/15] openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode

2019-09-22 Thread Hongxu Jia
Running sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]:   generating 
ssh ED25519 host key...
2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys 
are not allowed in FIPS mode
...

If fips mode is enabled (existence of "/etc/system-fips"), don't generate ED25519
host keys.

Refer to Fedora:
https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/openssh/sshd_check_keys | 4 
 1 file changed, 4 insertions(+)

diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys 
b/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7..338531d 100644
--- a/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -71,6 +71,10 @@ for key in ${HOST_KEYS} ; do
 generate_key $key ecdsa
 ;;
 *_ed25519_key)
+FIPS=/etc/system-fips
+if [[ -r "$FIPS" ]]; then
+continue
+fi
 echo "  generating ssh ED25519 host key..."
 generate_key $key ed25519
 ;;
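Review bot: `[[ -r "$FIPS" ]]` is a bash construct, but sshd_check_keys starts with `#! /bin/sh` (patch 9/15); a POSIX sh such as dash has no `[[`, the test errors with "not found", the branch is never taken, and the ED25519 generation this patch is meant to skip still runs. Use `[ -r "$FIPS" ]`. The `continue` is also silent; an `echo "  skipping ssh ED25519 host key in FIPS mode"` would mirror the existing "generating ..." messages and explain the missing key to whoever reads the log. Setting FIPS=/etc/system-fips inside the case arm works, but it reads better next to SYSCONFDIR at the top of the script.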
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 6/15] kernel: enable fips mode

2019-09-22 Thread Hongxu Jia
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
by specifying fips=1 as a kernel parameter. [1][2]

/proc/sys/crypto/fips_enabled is presumably used by the Red Hat
modified version of OpenSSL. [3]

[1] https://www.linux.org/docs/man8/fipscheck.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
[3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html

Signed-off-by: Hongxu Jia 
---
 classes/fips_kernel.bbclass| 4 
 conf/layer.conf| 4 
 recipes-kernel/linux/files/crypto_fips.cfg | 3 +++
 recipes-kernel/linux/files/crypto_fips.scc | 1 +
 4 files changed, 12 insertions(+)
 create mode 100644 classes/fips_kernel.bbclass
 create mode 100644 recipes-kernel/linux/files/crypto_fips.cfg
 create mode 100644 recipes-kernel/linux/files/crypto_fips.scc

diff --git a/classes/fips_kernel.bbclass b/classes/fips_kernel.bbclass
new file mode 100644
index 000..064088f
--- /dev/null
+++ b/classes/fips_kernel.bbclass
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := 
"${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:"
+SRC_URI_append = " \
+file://crypto_fips.scc \
+"
diff --git a/conf/layer.conf b/conf/layer.conf
index 27a872e..b64c036 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,3 +18,7 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
 meta-openssl-one-zero-two \
 wr-template \
 "
+
+LAYER_PATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"
+
+KERNEL_CLASSES_append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ' 
fips_kernel', '',d)}"
diff --git a/recipes-kernel/linux/files/crypto_fips.cfg 
b/recipes-kernel/linux/files/crypto_fips.cfg
new file mode 100644
index 000..cffdc02
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.cfg
@@ -0,0 +1,3 @@
+CONFIG_CRYPTO_FIPS=y
+CONFIG_MODULE_SIG=y
+# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
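Review bot: the commit message explains CONFIG_CRYPTO_FIPS=y and fips=1 but not the other two lines of the fragment; say why CONFIG_MODULE_SIG=y is part of a FIPS fragment and how modules built for the image get signed, since CONFIG_MODULE_SIG alone checks signatures without rejecting unsigned modules (that needs CONFIG_MODULE_SIG_FORCE or module.sig_enforce), and note that `# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set` is what produces the `alg: self-tests ... passed` boot output the README in patch 13/15 relies on.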
diff --git a/recipes-kernel/linux/files/crypto_fips.scc 
b/recipes-kernel/linux/files/crypto_fips.scc
new file mode 100644
index 000..f64380a
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -0,0 +1 @@
+kconf non-hardware crypto_fips.cfg
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 8/15] openssh: conditional enable fips mode

2019-09-22 Thread Hongxu Jia
Enable fips mode according to the existence of "/etc/system-fips"

Signed-off-by: Hongxu Jia 
---
 .../0001-conditional-enable-fips-mode.patch| 63 ++
 recipes-connectivity/openssh/openssh_fips.inc  |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch

diff --git 
a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch 
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
new file mode 100644
index 000..b47e184
--- /dev/null
+++ 
b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -0,0 +1,63 @@
+From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 14:31:51 +0800
+Subject: [PATCH] conditional enable fips mode
+
+Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
+enable fips mode according to the existence of "/etc/system-fips"
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ xmalloc.c | 24 
+ 1 file changed, 24 insertions(+)
+
+diff --git a/xmalloc.c b/xmalloc.c
+index 5cc0310..0218ccd 100644
+--- a/xmalloc.c
 b/xmalloc.c
+@@ -23,12 +23,20 @@
+ #include 
+ #include 
+ 
++#include 
++#include 
++#include 
++
+ #include "xmalloc.h"
+ #include "log.h"
+ 
++void ssh_enable_fips_mode(void);
++
+ void
+ ssh_malloc_init(void)
+ {
++  ssh_enable_fips_mode();
++
+ #if defined(__OpenBSD__)
+   extern char *malloc_options;
+ 
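Review bot: the prototype `void ssh_enable_fips_mode(void);` is declared privately inside xmalloc.c; either put it in xmalloc.h beside ssh_malloc_init() or make the function static. The added #include lines and the FIPS_mode_set() call in the next hunk pull OpenSSL into xmalloc.c, which is compiled for every program including `--without-openssl` configurations, so wrap them in `#ifdef WITH_OPENSSL`. Hooking FIPS enablement into ssh_malloc_init() relies on every main() calling it first, as the commit message says; a comment at the call site stating that dependency would stop a later refactor from silently dropping it.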
+@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ 
+   return (i);
+ }
++
++void
++ssh_enable_fips_mode(void)
++{
++if (access("/etc/system-fips", F_OK) == 0) {
++if (!FIPS_mode_set(1)) {
++/* make sure the error stack is available for some hint as
++ * to why this operation failed
++ */
++ERR_load_crypto_strings();
++ERR_print_errors_fp(stdout);
++fatal("FIPS_mode_set(): failed to enter FIPS mode!\n");
++exit(1);
++}
++}
++}
+-- 
+2.7.4
+
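Review bot: `ERR_print_errors_fp(stdout)` should go to stderr; for ssh, scp and sftp stdout may be the data channel or a pipe, and fatal() itself reports through stderr or syslog. The `exit(1)` after fatal() is unreachable because fatal() does not return. Failing closed when FIPS_mode_set(1) fails is the right behaviour and is worth one sentence in the commit message, since it means every OpenSSH program refuses to start if /etc/system-fips exists but the OpenSSL FIPS module is missing.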
diff --git a/recipes-connectivity/openssh/openssh_fips.inc 
b/recipes-connectivity/openssh/openssh_fips.inc
index df84c39..33a84c9 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -5,6 +5,7 @@ DEPENDS += " \
 "
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
+file://0001-conditional-enable-fips-mode.patch \
 "
 
 do_install_append() {
-- 
2.7.4


[yocto] [meta-openssl102-fips][PATCH 7/15] kernel: workaround alg self-tests failure in fips mode

2019-09-22 Thread Hongxu Jia
When the kernel enables fips mode, it starts the alg self-tests, and there is
a kernel panic at ecdh-generic
...
[0.311313] alg: ecdh: test failed on vector 2, err=-14
[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...

Continue without Jitter RNG for fips to work around the alg self-tests failure;
after applying the fix:
...
[0.306633] DRBG: Continuing without Jitter RNG
[0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...

Refer: https://lore.kernel.org/patchwork/patch/568693/

Signed-off-by: Hongxu Jia 
---
 .../0001-fips-continuing-without-Jitter-RNG.patch  | 34 ++
 recipes-kernel/linux/files/crypto_fips.scc |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 
recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch

diff --git 
a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch 
b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
new file mode 100644
index 000..140d6a1
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
@@ -0,0 +1,34 @@
+From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Sun, 22 Sep 2019 10:57:02 +0800
+Subject: [PATCH] fips: continuing without Jitter RNG
+
+Continue without Jitter RNG for fips to workaround alg self-tests failure
+...
+[0.311313] alg: ecdh: test failed on vector 2, err=-14
+[0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic 
(ecdh) failed in fips mode!
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ crypto/drbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/drbg.c b/crypto/drbg.c
+index b6929eb..d677da5 100644
+--- a/crypto/drbg.c
 b/crypto/drbg.c
+@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg, 
struct drbg_string *pers,
+   if (IS_ERR(drbg->jent)) {
+   ret = PTR_ERR(drbg->jent);
+   drbg->jent = NULL;
+-  if (fips_enabled || ret != -ENOENT)
++  if (ret != -ENOENT)
+   goto free_everything;
+   pr_info("DRBG: Continuing without Jitter RNG\n");
+   }
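Review bot: dropping `fips_enabled ||` from the condition changes the policy for every DRBG instantiation, not only the early boot self-test the commit message describes: in fips mode the kernel deliberately treats an unavailable Jitter RNG as fatal instead of continuing with a single noise source, and after this hunk any -ENOENT from the jent allocation is tolerated with nothing more than the existing pr_info(). The cover letter says the jitterentropy_rng self-test passes later in boot, which points at an ordering problem between the alg self-tests and jent registration; a fix aimed at that ordering, or at minimum a pr_warn() plus a code comment stating that this is a deliberate FIPS deviation, would be safer than relaxing the check globally. Also, the lore.kernel.org reference in the outer commit message should be copied into this patch's own description, since the in-tree patch is what a later maintainer will read.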
+-- 
+2.7.4
+
diff --git a/recipes-kernel/linux/files/crypto_fips.scc 
b/recipes-kernel/linux/files/crypto_fips.scc
index f64380a..85f8f44 100644
--- a/recipes-kernel/linux/files/crypto_fips.scc
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -1 +1,2 @@
 kconf non-hardware crypto_fips.cfg
+patch 0001-fips-continuing-without-Jitter-RNG.patch
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 3/15] fipscheck: add generation of the checksums in pkg_postinst

2019-09-22 Thread Hongxu Jia
Refer to https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/fipscheck_1.5.0.bb | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb 
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
index 68051d2..0a06bd3 100644
--- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -27,4 +27,22 @@ EXTRA_OECONF += " \
 EXTRA_OEMAKE += " \
 -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
 "
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
 
+inherit qemu
+
+pkg_postinst_${PN} () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/fipscheck 
$D${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac 
$D${libdir}/fipscheck/libfipscheck.so.1.hmac
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/fipscheck \
+${libdir}/libfipscheck.so.1.2.1 && \
+ln -s libfipscheck.so.1.2.1.hmac 
${libdir}/fipscheck/libfipscheck.so.1.hmac
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
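Review bot: the library file name `libfipscheck.so.1.2.1` is hard-coded in both branches, so a fipscheck version bump silently breaks this postinst (fipshmac fails on the missing path and no `.hmac` is written); derive it from what do_install actually shipped, for example by iterating over `$D${libdir}/libfipscheck.so.1.*`, or set it once in a variable next to `PV`. The `ln -s` should be `ln -sf` so a re-run of the postinst does not fail on the existing symlink. Since `pkg_postinst_${PN}` runs `fipshmac` under qemu at rootfs time, the recipe also wants `PACKAGE_WRITE_DEPS += "qemu-native"` (unless the qemu.bbclass of the targeted release already adds it) so qemu is guaranteed to be available when the package is installed into an image. Lastly, the `.hmac` files are generated at install time and so never appear in the package manifest; that matches the Fedora approach this is ported from, but it means the package manager will neither verify nor remove them, which deserves a comment above the function.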
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 5/15] openssh: add generation of HMAC checksums in pkg_postinst

2019-09-22 Thread Hongxu Jia
Refer to https://src.fedoraproject.org/rpms/openssh/c/d93958db19129e0f4615865eab22fb36e1f4fb8a

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/openssh_fips.inc | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/recipes-connectivity/openssh/openssh_fips.inc 
b/recipes-connectivity/openssh/openssh_fips.inc
index 99a3482..df84c39 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,3 +6,29 @@ DEPENDS += " \
 SRC_URI += " \
 file://0001-openssh-8.0p1-fips.patch \
 "
+
+do_install_append() {
+install -d ${D}${libdir}/fipscheck
+}
+
+inherit qemu
+
+pkg_postinst_append_${PN}-ssh () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${bindir}/ssh.${BPN}
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/ssh.${BPN}
+fi
+}
+
+pkg_postinst_append_${PN}-sshd () {
+if [ -n "$D" ]; then
+${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
+-d $D${libdir}/fipscheck $D${sbindir}/sshd
+else
+${bindir}/fipshmac -d ${libdir}/fipscheck ${sbindir}/sshd
+fi
+}
+
+FILES_${PN} += "${libdir}/fipscheck"
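Review bot: `pkg_postinst_append_${PN}-ssh` and `pkg_postinst_append_${PN}-sshd` are parsed by bitbake as `_append` operations on `pkg_postinst` conditioned on overrides named `openssh-ssh` and `openssh-sshd`, which are never in OVERRIDES, so neither body ever attaches to a package and no `.hmac` is generated for ssh or sshd; the form that attaches to a package is `pkg_postinst_${PN}-ssh_append ()` (package name first, `_append` last). Once they take effect, note that the non-`$D` branch runs `${bindir}/fipshmac` on the target, so `${PN}-ssh` and `${PN}-sshd` should carry `RDEPENDS += "fipscheck"` rather than relying on the shared-library dependency, and the `${libdir}/fipscheck` directory created in do_install_append is packaged into `${PN}`, which the -ssh/-sshd subpackages do not necessarily depend on; either write into the directory the fipscheck package already owns or add the dependency. Hashing `${bindir}/ssh.${BPN}`, the update-alternatives target rather than the `ssh` symlink, is correct because fipscheck verifies the binary it resolves through /proc/self/exe, but a comment saying so would save the next reader a detour.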
-- 
2.7.4



[yocto] [meta-openssl102-fips][PATCH 4/15] fipscheck: enable fipscheck on target

2019-09-22 Thread Hongxu Jia
Refer to Fedora/Red Hat's way
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut

Signed-off-by: Hongxu Jia 
---
 recipes-connectivity/openssh/fipscheck_1.5.0.bb | 4 
 1 file changed, 4 insertions(+)

diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb 
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
index 0a06bd3..23a4123 100644
--- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -28,6 +28,10 @@ EXTRA_OEMAKE += " \
 -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
 "
 do_install_append() {
+# Is't the fedora way to enable fipscheck
+install -d ${D}${sysconfdir}
+touch ${D}${sysconfdir}/system-fips
+
 install -d ${D}${libdir}/fipscheck
 }
 
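Review bot: creating `/etc/system-fips` in fipscheck's do_install turns FIPS mode on for every image that installs this package, and after 2/15 every openssh binary links against libfipscheck and therefore pulls the package in, so the mere presence of openssh switches the whole system into FIPS mode; that is a policy decision and should be explicit. Ship the flag file from a separate package (for example `${PN}-enable`) or gate it on a distro feature, and declare it in `CONFFILES_${PN}` so a package upgrade does not overwrite an administrator's decision to remove it. The comment `# Is't the fedora way to enable fipscheck` reads as a typo for "It's".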
-- 
2.7.4



[yocto] Review request 0/15: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH

2019-09-22 Thread Hongxu Jia
Hi Mark,

I applied a kernel patch to work around the alg self-test failure: the test
runs too early, when the Jitter RNG is not ready yet.
The later alg self-test for jitterentropy_rng passes, so
I think the `Continuing without Jitter RNG' workaround is OK

== Testing ==
* Commands
See README.build  README.enable_fips  README.openssh_cavstest

* Expected Results
README.build  README.enable_fips  README.openssh_cavstest 


[yocto] [meta-openssl102-fips][PATCH 2/15] openssh_8.%.bbappend: support fips 140-2

2019-09-22 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 .../openssh/openssh/0001-openssh-8.0p1-fips.patch  | 528 +
 recipes-connectivity/openssh/openssh_8.%.bbappend  |   4 +
 recipes-connectivity/openssh/openssh_fips.inc  |   8 +
 3 files changed, 540 insertions(+)
 create mode 100644 
recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
 create mode 100644 recipes-connectivity/openssh/openssh_8.%.bbappend
 create mode 100644 recipes-connectivity/openssh/openssh_fips.inc

diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch 
b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
new file mode 100644
index 000..fd0a411
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
@@ -0,0 +1,528 @@
+From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Fri, 20 Sep 2019 17:59:00 +0800
+Subject: [PATCH] openssh 8.0p1 fips
+
+Port openssh-7.7p1-fips.patch from Fedora
+https://src.fedoraproject.org/rpms/openssh.git
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ Makefile.in  | 14 +++---
+ cipher-ctr.c |  3 ++-
+ clientloop.c |  3 ++-
+ dh.c | 40 
+ dh.h |  1 +
+ kex.c|  5 -
+ kexgexc.c|  5 +
+ myproposal.h | 40 
+ readconf.c   | 17 +
+ sandbox-seccomp-filter.c |  3 +++
+ servconf.c   | 19 ++-
+ ssh-keygen.c |  6 ++
+ ssh.c| 16 
+ sshconnect2.c| 11 ---
+ sshd.c   | 19 +++
+ sshkey.c |  4 
+ 16 files changed, 176 insertions(+), 30 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 6f001bb..ddd1804 100644
+--- a/Makefile.in
 b/Makefile.in
+@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS)
+   $(RANLIB) $@
+ 
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+-  $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) 
$(LIBS) $(GSSLIBS)
++  $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(SSHLIBS) $(LIBS) $(GSSLIBS)
+ 
+ sshd$(EXEEXT): libssh.a   $(LIBCOMPAT) $(SSHDOBJS)
+-  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS)
++  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+   $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat 
$(LIBS)
+ 
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+-  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(LIBS)
+ 
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
+-  $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+-  $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(LIBS)
+ 
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o 
uidswap.o compat.o
+-  $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS)
++  $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o 
ssh-pkcs11.o
+   $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ 
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+-  $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
++  $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
-lfipscheck $(LIBS)
+ 
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o 
sftp-server.o sftp-server-main.o
+   $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) 
-lssh -lopenbsd-compat $(LIBS)
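Review bot: `-lfipscheck` is added to the link lines of ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan as well as ssh and sshd, but 5/15 in this series only generates `.hmac` files for ssh and sshd; either those other tools never call into libfipscheck (then the extra link is dead weight and an unneeded runtime dependency) or they do and will fail their integrity check in FIPS mode for want of a checksum file, so the two patches need to agree on the set of binaries. Hard-coding the library in each rule also bypasses configure; adding it to `LIBS`, or to a `FIPSCHECK_LIBS` substituted by configure.ac, would be one change instead of seven and would let a build without fipscheck still link. Minor: the ssh-keyscan rule keeps the pre-existing duplicated `-lssh`, which could be cleaned up while touching the line.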
+diff --git a/cipher-ctr.c b/cipher-ctr.c
+index 32771f2..74fac3b 100644
+--- a/cipher-ctr.c
 b/cipher-ctr.c
+@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
+   aes_ctr.do_cipher = ssh_aes_ctr;
+ #ifndef SSH_OLD_EVP
+   aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+-  EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
++  EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
++  EVP_CIPH_FLAG_FIPS;
+ #endif
+   return (_ctr);
+ }
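Review bot: setting `EVP_CIPH_FLAG_FIPS` on OpenSSH's own AES-CTR EVP wrapper asserts that this in-tree cipher implementation is FIPS-approved; the flag only tells OpenSSL not to reject the cipher in FIPS mode, it does not make the code part of the validated module, so the patch description should state that this is an accepted deviation. It is also worth checking whether this hunk is compiled at all: cipher-ctr.c is built only when the OpenSSL in use lacks native EVP CTR ciphers, and OpenSSL 1.0.2 provides them, so with this layer's OpenSSL the change is most likely dead code and could be dropped from the port.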
+diff --git a/clientloop.c b/clientloop.c

[yocto] [meta-openssl102-fips][PATCH 1/15] fipscheck: add 1.5.0

2019-09-22 Thread Hongxu Jia
Port it from Fedora:
https://src.fedoraproject.org/rpms/fipscheck

It is required by openssh fips.

Signed-off-by: Hongxu Jia 
---
 .../0001-compat-fip-with-openssl-1.0.2.patch   | 34 ++
 recipes-connectivity/openssh/fipscheck_1.5.0.bb| 30 +++
 templates/feature/openssl-fips/template.conf   |  2 +-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 
recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
 create mode 100644 recipes-connectivity/openssh/fipscheck_1.5.0.bb

diff --git 
a/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
 
b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
new file mode 100644
index 000..22e5a62
--- /dev/null
+++ 
b/recipes-connectivity/openssh/fipscheck/0001-compat-fip-with-openssl-1.0.2.patch
@@ -0,0 +1,34 @@
+From 3147ae2a63f10f9bbdd0a617b450ff8b9868e60f Mon Sep 17 00:00:00 2001
+From: Hongxu Jia 
+Date: Fri, 20 Sep 2019 17:51:09 +0800
+Subject: [PATCH] compat fip with openssl 1.0.2
+
+In /usr/lib64/ssl/fips-2.0/include/openssl/opensslv.h
+...
+define OPENSSL_VERSION_NUMBER  0x1010L
+...
+Since fips include file compat with openssl 1.1.0, do not include it
+in Yocto
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia 
+---
+ src/filehmac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/filehmac.c b/src/filehmac.c
+index a8eef00..0b36cec 100644
+--- a/src/filehmac.c
 b/src/filehmac.c
+@@ -41,7 +41,6 @@
+ #include 
+ 
+ #if defined(WITH_OPENSSL)
+-#include 
+ #include 
+ #include 
+ #elif defined(WITH_NSS)
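Review bot: deleting the include instead of fixing the header search order leaves filehmac.c depending on the remaining OpenSSL headers to pull in whatever the removed one declared, and the patch description explains the symptom (the fips-2.0 copy of opensslv.h reports a 1.1.0-series version number) but not why the dropped header is unnecessary; please name the header and the declarations filehmac.c took from it, and say why the 1.0.2 headers now satisfy them. Better still, arrange the `-I` flags so the 1.0.2 headers shadow the fips-2.0 copies and leave the source untouched; that keeps the recipe in step with the Fedora source it is ported from.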
+-- 
+2.7.4
+
diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb 
b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
new file mode 100644
index 000..68051d2
--- /dev/null
+++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
@@ -0,0 +1,30 @@
+SUMMARY = "A library for integrity verification of FIPS validated modules"
+DESCRIPTION = "FIPSCheck is a library for integrity verification of FIPS 
validated \
+modules. The package also provides helper binaries for creation and \
+verification of the HMAC-SHA256 checksum files."
+HOMEPAGE = "https://pagure.io/fipscheck;
+SECTION = "libs/network"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=35f2904ce138ac5fa63e7cedf96bbedf"
+
+SRC_URI = "https://releases.pagure.org/fipscheck/${BPN}-${PV}.tar.bz2 \
+   file://0001-compat-fip-with-openssl-1.0.2.patch \
+"
+SRC_URI[md5sum] = "86e756a7d2aa15f3f91033fb3eced99b"
+SRC_URI[sha256sum] = 
"7ba38100ced187f44b12dd52c8c74db8f366a2a8b9da819bd3e7c6ea17f469d5"
+
+DEPENDS = " \
+openssl \
+openssl-fips \
+"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF += " \
+--disable-static \
+"
+EXTRA_OEMAKE += " \
+-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
+"
+
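Review bot: `-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include` in EXTRA_OEMAKE is a make option, not a compiler flag: GNU make's `-I dir` sets the search path for `include` directives in makefiles, so this line does not add the fips-2.0 headers to the C include path at all, and the build only succeeds because 0001-compat-fip-with-openssl-1.0.2.patch removes the one include that needed them. If those headers are actually required, pass them via `CFLAGS += "-I..."`; if not, drop the line. The path is also wrong in a second way: it points into the native sysroot, while `openssl-fips` is a plain target `DEPENDS` and stages its files under the target `STAGING_LIBDIR`/`STAGING_INCDIR`, so unless openssl-fips deliberately installs the module on the native side (in which case the recipe needs that native provider in DEPENDS) the directory will not exist. A one-line comment next to `DEPENDS` explaining why both `openssl` and `openssl-fips` are needed would also help, since the FIPS Object Module is normally consumed through the openssl build rather than directly.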
diff --git a/templates/feature/openssl-fips/template.conf 
b/templates/feature/openssl-fips/template.conf
index 6da678c..9a551c3 100644
--- a/templates/feature/openssl-fips/template.conf
+++ b/templates/feature/openssl-fips/template.conf
@@ -8,4 +8,4 @@ OPENSSL_FIPS_PREBUILT ??= ""
 
 PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips'
 PNWHITELIST_meta-openssl-one-zero-two-fips += 'openssl-fips-example'
-
+PNWHITELIST_meta-openssl-one-zero-two-fips += 'fipscheck'
-- 
2.7.4
