| author | Yi Zhao <yi.zhao@windriver.com> | 2025-05-09 22:55:00 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-05-15 10:55:26 +0100 |
| commit | 756d8ab24651a66f3ec705ab57a86a3919468cd2 (patch) | |
| tree | 710548283c23b8f308084bd3532632e874a1ce70 | |
| parent | 89d2b3876d515f61c43990ec3e63269dce011f5e (diff) | |
| download | poky-756d8ab24651a66f3ec705ab57a86a3919468cd2.tar.gz | |
openssl: add fips support
* Add PACKAGECONFIG[fips] to enable fips build.
* Split a new package openssl-ossl-module-fips for fips.so.
* Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
config file fipsmodule.cnf is created on target. This is because we
should not use the same fipsmodule.cnf on different machines.
The 'openssl fipsinstall' command line in pkg_postinst_ontarget will do
the following things:
1. Run the FIPS module self tests on target.
2. Generate config file fipsmodule.cnf containing information about
the FIPS module such as the calculated MAC of the module.
(From OE-Core rev: 29979937e2d40885e7e91bb9a7e7dca6763e3d52)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.5.0.bb | 19 |
1 files changed, 17 insertions, 2 deletions
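--- a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
@@ -31,6 +31,7 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt
 PACKAGECONFIG[no-tls1] = "no-tls1"
 PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
 PACKAGECONFIG[manpages] = ""
+PACKAGECONFIG[fips] = "enable-fips"
 
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"
@@ -154,7 +155,9 @@ do_compile:append () {
 }
 
 do_install () {
-oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
+${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
+${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
 
 oe_multilib_header openssl/opensslconf.h
 oe_multilib_header openssl/configuration.h
@@ -172,6 +175,11 @@ do_install () {
 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
 ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+
+# Generate fipsmodule.cnf in pkg_postinst_ontarget
+if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
+fi
 }
 
 do_install:append:class-native () {
@@ -229,12 +237,18 @@ do_install_ptest() {
 ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
 }
 
+pkg_postinst_ontarget:${PN}-ossl-module-fips () {
+if test -f ${libdir}/ossl-modules/fips.so; then
+${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
+fi
+}
+
 # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
 # package RRECOMMENDS on this package. This will enable the configuration
 # file to be installed for both the openssl-bin package and the libcrypto
 # package since the openssl-bin package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
 
 FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES:libssl = "${libdir}/libssl${SOLIBS}"
@@ -246,6 +260,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
 FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
 FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
 FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
 FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
 FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 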
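Review bot: The new `pkg_postinst_ontarget:${PN}-ossl-module-fips` runs `${bindir}/openssl` and writes into `${libdir}/ssl-3`, but none of the 17 added lines gives the module package a runtime dependency on the packages that ship them. Unless an `RDEPENDS` outside these hunks already covers it, an image that installs only the module package fails the first-boot postinst and is left with `fips.so` but no `fipsmodule.cnf`. I would add `RDEPENDS:${PN}-ossl-module-fips = "${PN}-bin ${PN}"` next to the new `FILES` line (package names inferred from the comment above `PACKAGES` and from `FILES:${PN}`; confirm against the full recipe). A comment above the postinst should also say that it only runs the self tests and records the module MAC: the commit changes no other file, so the FIPS provider stays inactive until openssl.cnf includes fipsmodule.cnf and enables the provider. Because the file is produced on target only, images that cannot run first-boot postinsts (a read-only rootfs, for instance) need another way to generate it.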
