Re: [yocto] [meta-openssl102-fips][PATCH 2/2] README.build: add FAQ to support fips on arm/aarch64/x86

2019-09-17 Thread Mark Hatle
On 9/16/19 9:34 PM, Hongxu Jia wrote:
> Signed-off-by: Hongxu Jia 
> ---
>  README.build | 36 
>  1 file changed, 36 insertions(+)
> 
> diff --git a/README.build b/README.build
> index 9735028..bc8fcf3 100644
> --- a/README.build
> +++ b/README.build
> @@ -245,3 +245,39 @@ Note this sample command is functionally equivalent to:
>  $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm fips_hmac.c
>  HMAC-SHA1(fips_hmac.c)= ae25ad68d9a8cc04075100563a437fa37829afcc
>  
> +===
> +FAQ
> +===
> +1. How to support fips on 32bit arm (such as MACHINE = qemuarm)?
> +Set env MACHINE='arm' before Building the FIPS Object Module
> +(Building Steps 3), which affects fips config not to add option
> +`-march=armv7-a' to avoid failure on gcc8:
> +[snip]
> +|`cc1: error: -mfloat-abi=hard: selected processor lacks an FPU'
> +[snip]
> +
> +2. How to support fips on aarch64 (such as MACHINE = qemuarm64)?
> +For aarch64, FIPS 140-2 module only support android, wrapper gcc
> +at Building the FIPS Object Module(Building Steps 3) to define
> +macro FIPS_REF_POINT_IS_CROSS_COMPILER_AWARE to simulate what
> +android did. Provide a way to add bbappend to wrapper gcc:
> +mkdir -p recipes-devtools/gcc
> +cat << ENDOF > recipes-devtools/gcc/gcc_9.%.bbappend
> +do_install_append_aarch64() {
> +create_cmdline_wrapper \${D}/\${bindir}/gcc 
> -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE
> +}
> +
> +FILES_\${PN}-symlinks += "\${bindir}/gcc.real"
> +ENDOF

I'm not sure the above wrapper is really allowed by the FIPS 140-2 User Guide.
However, if it were, the instructions should be different.  Something like

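cat > gcc-wrapper.sh << 'EOF'
#!/bin/sh
# Define the FIPS macro and forward all original arguments to the real gcc
gcc -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE "$@"
EOF
chmod +x gcc-wrapper.sh

# Use an absolute path so the wrapper is found regardless of PATH
export CC="$PWD/gcc-wrapper.sh"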

I've not tried this though.

I'll give this a try and see if this will work.  We will document it with a
caveat about being unclear if it's allowed.

--Mark

> +3. How to support fips on 32bit x86? (Such as MACHINE = qemux86,
> +or lib32-image on qemux86-64)
> +Set env MACHINE='i686' before Building the FIPS Object Module
> +(Building Steps 3) which affect fips config not to add option
> +`-m 64' on lib32-image which workaround the following failure
> +[snip]
> +|/usr/include/bits/long-double.h:44:10: fatal error:
> +bits/long-double-64.h: No such file or directory
> +|   44 | #include 
> +[snip]
> +
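
Review bot: In FAQ 3 the option is written `-m 64'; GCC spells it `-m64' with no space, so a reader searching the fips config or a build log for the quoted string will not find it. FAQs 1 and 3 also use MACHINE in two senses: the questions cite the Yocto setting (MACHINE = qemuarm, qemux86) while the answers say to set env MACHINE='arm' or MACHINE='i686'. Suggest stating explicitly that the answer refers to a shell environment variable set for Building Steps 3 only, so it is not confused with the MACHINE named in the question. The quoted error line `#include ` in FAQ 3 is also missing its header name.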


-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-openssl102-fips][PATCH 2/2] README.build: add FAQ to support fips on arm/aarch64/x86

2019-09-16 Thread Hongxu Jia
Signed-off-by: Hongxu Jia 
---
 README.build | 36 
 1 file changed, 36 insertions(+)

diff --git a/README.build b/README.build
index 9735028..bc8fcf3 100644
--- a/README.build
+++ b/README.build
@@ -245,3 +245,39 @@ Note this sample command is functionally equivalent to:
 $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm fips_hmac.c
 HMAC-SHA1(fips_hmac.c)= ae25ad68d9a8cc04075100563a437fa37829afcc
 
+===
+FAQ
+===
+1. How to support fips on 32bit arm (such as MACHINE = qemuarm)?
+Set env MACHINE='arm' before Building the FIPS Object Module
+(Building Steps 3), which affects fips config not to add option
+`-march=armv7-a' to avoid failure on gcc8:
+[snip]
+|`cc1: error: -mfloat-abi=hard: selected processor lacks an FPU'
+[snip]
+
+2. How to support fips on aarch64 (such as MACHINE = qemuarm64)?
+For aarch64, FIPS 140-2 module only support android, wrapper gcc
+at Building the FIPS Object Module(Building Steps 3) to define
+macro FIPS_REF_POINT_IS_CROSS_COMPILER_AWARE to simulate what
+android did. Provide a way to add bbappend to wrapper gcc:
+mkdir -p recipes-devtools/gcc
+cat << ENDOF > recipes-devtools/gcc/gcc_9.%.bbappend
+do_install_append_aarch64() {
+create_cmdline_wrapper \${D}/\${bindir}/gcc 
-DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE
+}
+
+FILES_\${PN}-symlinks += "\${bindir}/gcc.real"
+ENDOF
+
+3. How to support fips on 32bit x86? (Such as MACHINE = qemux86,
+or lib32-image on qemux86-64)
+Set env MACHINE='i686' before Building the FIPS Object Module
+(Building Steps 3) which affect fips config not to add option
+`-m 64' on lib32-image which workaround the following failure
+[snip]
+|/usr/include/bits/long-double.h:44:10: fatal error:
+bits/long-double-64.h: No such file or directory
+|   44 | #include 
+[snip]
+
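
Review bot: FAQ 2 installs the wrapper over ${bindir}/gcc through a gcc bbappend, so -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE is passed on every invocation of the installed gcc on aarch64, not only while Building the FIPS Object Module in Building Steps 3. The text should say so, and should state whether building the module this way is permitted by the FIPS 140-2 User Guide, given that the FAQ itself says the module only supports android on aarch64. As posted, the create_cmdline_wrapper line is split: the -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE continuation has no leading `+' and the line before it has no trailing backslash, so the heredoc would write the flag as a separate line in the bbappend. The file name gcc_9.%.bbappend also ties the instructions to gcc 9 while FAQ 1 refers to gcc8; worth noting which compiler version the FAQ was written against.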
-- 
2.7.4
