meta-openssl102-fips
====================

This layer provides a reference implementation of OpenSSL with the OpenSSL
FIPS Object Module.  The user is responsible for precompiling the necessary
openssl-fips binary objects using the steps described in the 
recipes-connectivity/openssl/openssl-fips/README file.

The items must be constructed according to the requirements of the security
policy and associated user guide.  See:

    https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf
    https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Additionally, you must provide your own copy of:
    openssl-fips-2.0.16.tar.gz

This file must be acquired following the steps listed in section 4.1 of
the UserGuide-2.0.pdf.  See both section 4.1 and section 6.6 for more 
information on the "trusted path" and "secure installation" requirements.

See README.build for information on building the components, and making them
available for re-use.

Note: According to information from NIST, FIPS-140-2 Validation submissions
will end September 22, 2021.  FIPS-140-2 Certifications will end September
22, 2026.  Because of this, updates are expected to be minimal after 2021, and
the layer will most likely be EOL after 2026.


Dependencies
------------
This layer depends on OpenEmbedded-core (meta) layer and meta-openssl102
layer.


Usage
-----

You must provide your own certified OpenSSL Object Modules to be FIPS-140-2
compliant.  See the README.build file for instructions on how to build them.
Be aware that building them per the instructions does not mean they are
certified; you must consult the User Guide and possibly a certification lab.

Once the modules are placed somewhere, you will need to instruct the system
to enable OpenSSL FIPS mode, as well as tell the system where your binaries
are located.

In your local.conf file set:

   OPENSSL_FIPS_ENABLED = '1'

   OPENSSL_FIPS_PREBUILT = 'path to prebuild binaries'

or, if you have the wr-template layer, add feature/openssl-fips to WRTEMPLATE:

   WRTEMPLATE = "feature/openssl-fips"

or, to use the template without wr-template, add to your local.conf:

   include <path_to_layer>/templates/feature/openssl-fips

Note: if you use the template approach, you may still need to set
OPENSSL_FIPS_PREBUILT in your local.conf.
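
A preflight check for the settings above, as an added example that is not part of this layer: it reads local.conf textually and reports when FIPS mode is requested (by any of the three routes) but OPENSSL_FIPS_PREBUILT is unset, missing, or world-writable. The function names and the sample layer path are hypothetical, and the world-writable check is an assumption about how the binaries should be stored.

```shell
#!/bin/sh
# Added example (not part of the layer): preflight check of local.conf for the
# FIPS settings in this README. Reads simple assignments textually; `bitbake -e`
# remains the authoritative view of final variable values.

# Print the value of the last simple assignment to variable $1 in file $2.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*[?:+.]*=[[:space:]]*[\"']\(.*\)[\"'][[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Succeed if FIPS mode is requested by any of the three routes in the README.
fips_requested() {
    [ "$(conf_get OPENSSL_FIPS_ENABLED "$1")" = "1" ] && return 0
    case " $(conf_get WRTEMPLATE "$1") " in
        *" feature/openssl-fips "*) return 0 ;;
    esac
    grep -Eq '^[[:space:]]*(include|require)[[:space:]].*templates/feature/openssl-fips[[:space:]]*$' "$1"
}

# Print a verdict; return 1 when FIPS is requested but the prebuilt path is unusable.
check_fips_conf() {
    fips_requested "$1" || { echo "fips-not-requested"; return 0; }
    prebuilt=$(conf_get OPENSSL_FIPS_PREBUILT "$1")
    [ -n "$prebuilt" ] || { echo "prebuilt-unset"; return 1; }
    [ -d "$prebuilt" ] || { echo "prebuilt-missing"; return 1; }
    # Assumption: the objects should not sit where any local user can replace them.
    if [ -n "$(find "$prebuilt" ! -type l -perm -0002 2>/dev/null | head -n 1)" ]; then
        echo "prebuilt-world-writable"; return 1
    fi
    echo "ok"
}

# Constructed sample (hypothetical layer path): template route taken,
# OPENSSL_FIPS_PREBUILT forgotten.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'MACHINE = "qemux86-64"' \
        'include /opt/layers/meta-openssl102-fips/templates/feature/openssl-fips' \
        > "$tmp/local.conf"
    check_fips_conf "$tmp/local.conf"; rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ $# -gt 0 ]; then check_fips_conf "$1"; else demo || true; fi
```

Run it with the path to your local.conf as the only argument; with no argument it runs the constructed sample and prints `prebuilt-unset`.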


Maintenance
-----------
Please see the MAINTAINERS file for information on contacting the maintainers
of this layer, as well as instructions for submitting patches.


License
-------
Copyright (C) 2012-2019 Wind River Systems, Inc.

Source code included in the tree for individual recipes is under the LICENSE
stated in the associated recipe (.bb file) unless otherwise stated.

The metadata is under the following license unless otherwise stated.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.