nss: create checksum files for the nss libraries

Add checksum files required for the NSS softoken to operate in FIPS 140 mode. The shlibsign is invoked to sign the libraries, and it is built for the target architecture and doesn't support cross-compiling so far. Invoke shlibsign at target's first boot time to generate checksum files. https://developer.mozilla.org/en-US/docs/NSS/NSS_Tech_Notes/nss_tech_note6 http://en.wikipedia.org/wiki/FIPS_140 https://bugzilla.mozilla.org/show_bug.cgi?id=681624 (From OE-Core rev: a4580f967c8064294a06d406acf5deb24aee2acc) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2013-07-10 15:54:17 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-07-13 18:23:35 +0100
commit: 912efc0c8122abc622ad63db6da7d1faaee5f3da (patch)
tree: d6f108d604d219077dac93169f8f12d9a659deaf /meta/recipes-support
parent: e448ef66980895d00bbc721a2bd1a3926baa1edd (diff)
download: poky-912efc0c8122abc622ad63db6da7d1faaee5f3da.tar.gz
2 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/signlibs.sh b/meta/recipes-support/nss/files/signlibs.sh
new file mode 100644
index 0000000000..1ec79f4576
--- /dev/null
+++ b/meta/recipes-support/nss/files/signlibs.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# signlibs.sh
+#
+# (c)2010 Wind River Systems, Inc.
+#
+# regenerates the .chk files for the NSS libraries that require it
+# since the ones that are built have incorrect checksums that were
+# calculated on the host where they really need to be done on the
+# target
+CHK_FILES=`find /lib* /usr/lib* -name "*.chk"`
+SIGN_BINARY=`which shlibsign`
+for I in $CHK_FILES
+do
+       DN=`dirname $I`
+       BN=`basename $I .chk`
+       FN=$DN/$BN.so
+       $SIGN_BINARY -i $FN
+done
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index 87cba38bc8..4270743329 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -18,6 +18,7 @@ SRC_URI = "\
 "
 SRC_URI_append_class-target += "\
    file://nss.pc.in \
+    file://signlibs.sh \
 "
 inherit siteinfo
 PR = "r0"
@@ -136,6 +137,14 @@ do_install() {
 }
 do_install_append_class-target() {
+    # Create empty .chk files for the NSS libraries at build time. They could
+    # be regenerated at target's boot time.
+    for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
+        touch ${D}/${libdir}/$file
+        chmod 755 ${D}/${libdir}/$file
+    done
+    install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh
    install -d ${D}${libdir}/pkgconfig/
    sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
    sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
@@ -151,6 +160,13 @@ do_install_append_class-target() {
    rm ./empty_password
 }
+pkg_postinst_${PN} () {
+    if [ -n "$D" ]; then
+        exit 1
+    fi
+    signlibs.sh
+}
 FILES_${PN} = "\
    ${sysconfdir} \
    ${bindir} \
author	Hongxu Jia <hongxu.jia@windriver.com>	2013-07-10 15:54:17 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-07-13 18:23:35 +0100
commit	912efc0c8122abc622ad63db6da7d1faaee5f3da (patch)
tree	d6f108d604d219077dac93169f8f12d9a659deaf /meta/recipes-support
parent	e448ef66980895d00bbc721a2bd1a3926baa1edd (diff)
download	poky-912efc0c8122abc622ad63db6da7d1faaee5f3da.tar.gz

diff --git a/meta/recipes-support/nss/files/signlibs.sh b/meta/recipes-support/nss/files/signlibs.sh new file mode 100644 index 0000000000..1ec79f4576 --- /dev/null +++ b/meta/recipes-support/nss/files/signlibs.sh
@@ -0,0 +1,20 @@
		1	#!/bin/sh
		2
		3	# signlibs.sh
		4	#
		5	# (c)2010 Wind River Systems, Inc.
		6	#
		7	# regenerates the .chk files for the NSS libraries that require it
		8	# since the ones that are built have incorrect checksums that were
		9	# calculated on the host where they really need to be done on the
		10	# target
		11
		12	CHK_FILES=`find /lib* /usr/lib* -name "*.chk"`
		13	SIGN_BINARY=`which shlibsign`
		14	for I in $CHK_FILES
		15	do
		16	DN=`dirname $I`
		17	BN=`basename $I .chk`
		18	FN=$DN/$BN.so
		19	$SIGN_BINARY -i $FN
		20	done


diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index 87cba38bc8..4270743329 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc
@@ -18,6 +18,7 @@ SRC_URI = "\
18	"	18	"
19	SRC_URI_append_class-target += "\	19	SRC_URI_append_class-target += "\
20	file://nss.pc.in \	20	file://nss.pc.in \
		21	file://signlibs.sh \
21	"	22	"
22	inherit siteinfo	23	inherit siteinfo
23	PR = "r0"	24	PR = "r0"
@@ -136,6 +137,14 @@ do_install() {
136	}	137	}
137		138
138	do_install_append_class-target() {	139	do_install_append_class-target() {
		140	# Create empty .chk files for the NSS libraries at build time. They could
		141	# be regenerated at target's boot time.
		142	for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
		143	touch ${D}/${libdir}/$file
		144	chmod 755 ${D}/${libdir}/$file
		145	done
		146	install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh
		147
139	install -d ${D}${libdir}/pkgconfig/	148	install -d ${D}${libdir}/pkgconfig/
140	sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in \| sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc	149	sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in \| sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
141	sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc	150	sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
@@ -151,6 +160,13 @@ do_install_append_class-target() {
151	rm ./empty_password	160	rm ./empty_password
152	}	161	}
153		162
		163	pkg_postinst_${PN} () {
		164	if [ -n "$D" ]; then
		165	exit 1
		166	fi
		167	signlibs.sh
		168	}
		169
154	FILES_${PN} = "\	170	FILES_${PN} = "\
155	${sysconfdir} \	171	${sysconfdir} \
156	${bindir} \	172	${bindir} \