| Age | Commit message (Collapse) | Author |
|---|
|
This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-openssl102-fips
Converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
Refresh patches:
0001-openssh-8.6p1-fips.patch
0001-conditional-enable-fips-mode.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
The kex->session_id has been replaced from u_char * to sshbuf and
kex->session_id_len has been removed in openssh 8.5[1]. Update ssh-cavs
to adapt it.
Fixes:
ssh-cavs.c:198:12: error: 'struct kex' has no member named 'session_id_len'; did you mean 'session_id'?
198 | ssh->kex->session_id_len = test->session_id_len;
| ^~~~~~~~~~~~~~
| session_id
[1] https://github.com/openssh/openssh-portable/commit/39be3dc209f28f9c1ebfeba42adde8963b01e1cd
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
There is a 'double free or corruption' error when running ssh-cavs:
$ /usr/libexec/ssh-cavs -K
0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4
-H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
Initial IV (client to server) = 4bb320d1679dfd3a
Initial IV (server to client) = 43dea6fdf263a308
Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
double free or corruption (out)
Aborted
Since openssh 8.x, the ssh->kex has been allocated when struct ssh is
initialized in function ssh_alloc_session_state()[1] and will be freed
in function ssh_packet_close()[2]. We don't need to make the ssh->kex to
point a extra kex struct which will cause the memory corruption and
memory leak.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
Refresh patches to openssh-8.4p1.
Reference:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
(commit: fbd5f1bee2e2cdc7b1b47f4604b8347d8c3ed63f)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
There is an openssl build error if the prebuilt FIPS object module is
built on target with a CPU which supports AVX/AVX2 instruction set.
Add section "Known Issues" to describe this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
In nss 3.51, there is a C macro NSS_FIPS_DISABLED can be used to disable
some FIPS compliant code and enable alternative implementations. And the
current build system never defines NSS_FIPS_DISABLED and always uses the
FIPS compliant code. So we can drop this local patch.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
Refresh patches to openssh-8.2p1.
Reference:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
(commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
We encountered the following error when building fipscheck without
setting OPENSSL_FIPS_ENABLED:
ERROR: Nothing PROVIDES 'openssl-fips' (but /buildarea/poky/meta-openssl102-fips/recipes-support/fipscheck/fipscheck_1.5.0.bb DEPENDS on or otherwise requires it)
openssl-fips was skipped: To enable the openssl-fips recipe set OPENSSL_FIPS_ENABLED = '1'.
ERROR: Required build target 'fipscheck' has no buildable providers.
Missing or unbuildable dependency chain was: ['fipscheck', 'openssl-fips']
Add a check function as openssl-fips recipe does. Build fipscheck only
if OPENSSL_FIPS_ENABLED is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
In 0001-conditional-enable-fips-mode.patch, it inserts a function
ssh_enable_fips_mode to ssh_malloc_init which is invoked by main
function. But ssh_malloc_init is removed in openssh 8.1p1. Refresh the
patch, insert ssh_enable_fips_mode function to main function for all
applications.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
Since upstream oe-core upgraded openssh to 8.1p1,
refresh local patches of fips
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
wrl is not a standard community name or branch.
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
macro limitaition to fips enable test, currently we are not ready
to support nss fips
...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.
$rpm -h
|error: Failed to initialize NSS library
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
While kernel enable fips, the rng-tools takes a high cpu performance
which Operation not permitted
...
Oct 12 06:08:23 qemux86-64 rngd[122]: RNDADDENTROPY failed: Operation not permitted
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
The working fips package is openssl-fips-dev rather than openssl-fips.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
For Yocto and WRLinux, openssl fips works only if installing
package openssl-fips
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer the latest Fedora to add cavs test binary for the aes-ctr [1]
and SSH KDF CAVS test driver [2]
[1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
[2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
FIPS mode
Refer RedHat/Fedora/SUSE/Oracle/IBM ways
1. Add `fips=1' to kernel option to enable FIPS mode in kernel
2. File /etc/system-fips to determine if a FIPS mode is enabled in user space,
currently openssh only
Refer:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://access.redhat.com/discussions/3293631
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
The FIPS test is something done on government or more secure organizations
for extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
Main PID: 317 (code=exited, status=0/SUCCESS)
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
...
>From rngd manual, add `-i' to default
...
-i, --ignorefail
Ignore repeated fips failures
...
After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
Main PID: 121 (rngd)
Tasks: 2
Memory: 1.8M
CGroup: /system.slice/rngd.service
/usr/sbin/rngd -f -r /dev/hwrng -i
Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
...
Refer:
https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port it at the following commit in oe-core
http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Run sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]: generating ssh ED25519 host key...
2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
...
If fips mode enabled (existence of "/etc/system-fips"), don't generate ED25519 host
keys in FIPS mode
Refers Fedora:
https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port it at the following commit in oe-core
http://cgit.openembedded.org/openembedded-core/commit/?id=2303d795ae96f1a60caf145a0ddf100e89c4b5b0
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Enable fips mode according to the existence of "/etc/system-fips"
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
While kernel enable fips mode, it start alg self-test, and there is
a kernel panic at ecdh-generic
...
[ 0.311313] alg: ecdh: test failed on vector 2, err=-14
[ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...
Continue without Jitter RNG for fips to workaround alg self-tests failure,
after applying the fix:
...
[ 0.306633] DRBG: Continuing without Jitter RNG
[ 0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...
Refer: https://lore.kernel.org/patchwork/patch/568693/
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
by specifying fips=1 as kernel parameter. [1][2]
/proc/sys/crypto/fips_enabled, that is presumably used by the Red Hat
modified version of OpenSSL.[3]
[1] https://www.linux.org/docs/man8/fipscheck.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
[3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer https://src.fedoraproject.org/rpms/openssh/c/13fa787ecc35d6c9eea9e64c1f42f49e2ee978ce
(See __spec_install_post in openssh.spec for detail)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer Fedora/RedHat's way
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut
To enable user space fips mode in the image recipe as part of an
'IMAGE_CLASSES'. Basically if FIPS-140-2 is enabled, then we can
touch the file as a post image generation activity.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Changed from RPM_POSTPROCESS_COMMANDS to ROOTFS_POSTPROCESS_COMMAND to make it
generic.
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
(* fipscheck.spec.in: Add generation of the checksums in __spec_install_post.)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port openssh-7.7p1-fips.patch from Fedora
https://src.fedoraproject.org/rpms/openssh.git
(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port it from fedora:
https://src.fedoraproject.org/rpms/fipscheck
(as of commit 7e44bec705fb2b3263734f30a05c2245738cf01a)
It is required by openssh fips.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
The openssl fips only works with old openssl(<=1.0.2),
update steps to clarify it for Yocto and Wind River Linux
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Since the layer is now published via the Yocto Project and
git.yoctoproject.org, we should update steps in README.build
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <Mark.Hatle@windriver.com>
|
|
Signed-off-by: Mark Hatle <Mark.Hatle@windriver.com>
|
|
Refer Appendix C in UserGuide-2.0.pdf [1] and openssl wiki [2], add a new
recipe to integrate Makefile, source file, and test steps to WR Linux
- A cross compile case which linking to dynamic crypto library (libcrypto.so)
- A native compile case (on target) which linking to static crypto library
(libcrypto.a) through fipsld
[1] https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
[2] https://wiki.openssl.org/index.php/FIPS_Library_and_Android
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
Fix build failure while installing openssl-fips-dev at do_rootfs
...
| Problem: conflicting requests
| - nothing provides openssl-fips = 2.0.16-r0 needed by
openssl-fips-dev-2.0.16-r0.core2_64
...
Drop useless FILES_${PN}-dbg since scripts does not need debug split.
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
The FIPS Capable library build process uses script fipsld on the shared
library (libcrypto.so), and fipsld invokes binary fips_premain_dso to
generate fingerprint of libcrypto.so
- For cross compiling, use qemu wrapper to run cross fips_premain_dso
on host
- Fix build fips_premain_dso failure
...
NOTE: make -j 40 OE_DISABLE_MANPAGES=1 fips_premain_dso
make: *** No rule to make target 'libcrypto.a', needed by 'fips_premain_dso'. Stop.
...
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
fixup! clean up fips_premain_dso
|
|
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
To build a precompiled binaries, it does not include template feature/openssl-fips.
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
It avoids var-TARGET_ARCH multilib extend to affect pre-build tarball name,
which causing `Missing or unbuildable dependency chain', such as:
....
|ERROR: Required build target 'wrlinux-image-std' has no buildable providers.
|Missing or unbuildable dependency chain was: ['wrlinux-image-std',
'lib32-wrlinux-image-std', 'lib32-dnf', 'lib32-python3', 'lib32-openssl',
'lib32-openssl-fips']
....
At bitbake parsing time, non-multilib recipe depends on its multilib recipe.
when build non-multilib image, the tarball archive existence checking in
anonymous function will skip multilib openssl-fips recipe, which causing
above error. So still skip the recipe if fips is not enabled, and add task
do_check_fips to check tarball archive existence which could workaround bitbake
parsing issue.
Reset do_fetch[file-checksums], remove ${@bb.fetch.get_checksum_file_list(d)}
from it to workaround a WARNING which cuased by variable multilib extend.
It is safe to do it since We have task do_check_fips to replace
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
Yi Zhao
Chen Qi
Changqing Li
Hongxu Jia
Mark Hatle
Mark Hatle