Age | Commit message | Author |
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
wrl is not a standard community name or branch.
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Add export NSS_FORCE_FIPS=1 to force-enable FIPS, and add the same
macro limitation to the FIPS enable test; currently we are not ready
to support NSS FIPS
...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.
$rpm -h
|error: Failed to initialize NSS library
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
While the kernel has FIPS enabled, rng-tools consumes high CPU
and reports Operation not permitted
...
Oct 12 06:08:23 qemux86-64 rngd[122]: RNDADDENTROPY failed: Operation not permitted
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
The working fips package is openssl-fips-dev rather than openssl-fips.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
For Yocto and WRLinux, openssl fips works only if the
package openssl-fips is installed
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
and the SSH KDF CAVS test driver [2]
[1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
[2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
FIPS mode
Refer to the RedHat/Fedora/SUSE/Oracle/IBM ways
1. Add `fips=1' to the kernel options to enable FIPS mode in the kernel
2. File /etc/system-fips determines if FIPS mode is enabled in user space;
currently openssh only
Refer:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://access.redhat.com/discussions/3293631
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
The FIPS test is something done in government or more secure organizations
as an extra security check.
...
root@qemux86-64:~# systemctl status rngd
Unit rngd-tools.service could not be found.
root@qemux86-64:~# systemctl status rngd
rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
Main PID: 317 (code=exited, status=0/SUCCESS)
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
...
From the rngd manual, add `-i' to the default
...
-i, --ignorefail
Ignore repeated fips failures
...
After applying the fix
...
rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
Main PID: 121 (rngd)
Tasks: 2
Memory: 1.8M
CGroup: /system.slice/rngd.service
/usr/sbin/rngd -f -r /dev/hwrng -i
Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
...
Refer:
https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port it from the following commit in oe-core
http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Running sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]: generating ssh ED25519 host key...
2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
...
If FIPS mode is enabled (existence of "/etc/system-fips"), don't generate ED25519 host
keys
Refer to Fedora:
https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port it from the following commit in oe-core
http://cgit.openembedded.org/openembedded-core/commit/?id=2303d795ae96f1a60caf145a0ddf100e89c4b5b0
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Enable FIPS mode according to the existence of "/etc/system-fips"
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
While the kernel enables FIPS mode, it starts the alg self-test, and there is
a kernel panic at ecdh-generic
...
[ 0.311313] alg: ecdh: test failed on vector 2, err=-14
[ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...
Continue without Jitter RNG for FIPS to work around the alg self-test failure;
after applying the fix:
...
[ 0.306633] DRBG: Continuing without Jitter RNG
[ 0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...
Refer: https://lore.kernel.org/patchwork/patch/568693/
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in FIPS mode
by specifying fips=1 as a kernel parameter. [1][2]
/proc/sys/crypto/fips_enabled is presumably used by the Red Hat
modified version of OpenSSL. [3]
[1] https://www.linux.org/docs/man8/fipscheck.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
[3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer https://src.fedoraproject.org/rpms/openssh/c/13fa787ecc35d6c9eea9e64c1f42f49e2ee978ce
(See __spec_install_post in openssh.spec for detail)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer to Fedora/RedHat's way
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut
Enable user space FIPS mode in the image recipe as part of
'IMAGE_CLASSES'. Basically, if FIPS-140-2 is enabled, then we can
touch the file as a post image generation activity.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Changed from RPM_POSTPROCESS_COMMANDS to ROOTFS_POSTPROCESS_COMMAND to make it
generic.
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
(* fipscheck.spec.in: Add generation of the checksums in __spec_install_post.)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port openssh-7.7p1-fips.patch from Fedora
https://src.fedoraproject.org/rpms/openssh.git
(as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Port it from Fedora:
https://src.fedoraproject.org/rpms/fipscheck
(as of commit 7e44bec705fb2b3263734f30a05c2245738cf01a)
It is required by openssh fips.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
The openssl fips only works with old openssl (<=1.0.2);
update the steps to clarify it for Yocto and Wind River Linux
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Since the layer is now published via the Yocto Project and
git.yoctoproject.org, we should update steps in README.build
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
|
|
Signed-off-by: Mark Hatle <Mark.Hatle@windriver.com>
|
|
Signed-off-by: Mark Hatle <Mark.Hatle@windriver.com>
|
|
Referring to Appendix C in UserGuide-2.0.pdf [1] and the openssl wiki [2], add a new
recipe to integrate the Makefile, source file, and test steps into WR Linux:
- A cross compile case which links to the dynamic crypto library (libcrypto.so)
- A native compile case (on target) which links to the static crypto library
(libcrypto.a) through fipsld
[1] https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
[2] https://wiki.openssl.org/index.php/FIPS_Library_and_Android
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
Fix build failure while installing openssl-fips-dev at do_rootfs
...
| Problem: conflicting requests
| - nothing provides openssl-fips = 2.0.16-r0 needed by
openssl-fips-dev-2.0.16-r0.core2_64
...
Drop useless FILES_${PN}-dbg since scripts do not need a debug split.
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
The FIPS Capable library build process uses the script fipsld on the shared
library (libcrypto.so), and fipsld invokes the binary fips_premain_dso to
generate the fingerprint of libcrypto.so
- For cross compiling, use the qemu wrapper to run the cross fips_premain_dso
on the host
- Fix the fips_premain_dso build failure
...
NOTE: make -j 40 OE_DISABLE_MANPAGES=1 fips_premain_dso
make: *** No rule to make target 'libcrypto.a', needed by 'fips_premain_dso'. Stop.
...
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
fixup! clean up fips_premain_dso
|
|
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
To build precompiled binaries, it does not include the template feature/openssl-fips.
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
It avoids the var-TARGET_ARCH multilib extension affecting the pre-built tarball name,
which causes `Missing or unbuildable dependency chain', such as:
....
|ERROR: Required build target 'wrlinux-image-std' has no buildable providers.
|Missing or unbuildable dependency chain was: ['wrlinux-image-std',
'lib32-wrlinux-image-std', 'lib32-dnf', 'lib32-python3', 'lib32-openssl',
'lib32-openssl-fips']
....
At bitbake parsing time, a non-multilib recipe depends on its multilib recipe.
When building a non-multilib image, the tarball archive existence check in the
anonymous function will skip the multilib openssl-fips recipe, which causes the
above error. So still skip the recipe if FIPS is not enabled, and add task
do_check_fips to check tarball archive existence, which works around the bitbake
parsing issue.
Reset do_fetch[file-checksums], removing ${@bb.fetch.get_checksum_file_list(d)}
from it to work around a WARNING caused by the variable multilib extension.
It is safe to do since we have task do_check_fips to replace it.
Issue: LIN1019-2416
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
This layer depends on the meta-openssl102 layer. Both this and the
meta-openssl102 layer need to be kept in sync.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|