meta-openssl102-fips ==================== This layer provides a reference implementation of OpenSSL with the OpenSSL FIPS Object Module. The user is responsible for precompiling the necessary openssl-fips binary objects using the steps described in the recipes-connectivity/openssl/openssl-fips/README file. The items must be constructed according to the requirements of the security policy and associated user guide. See: https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf https://www.openssl.org/docs/fips/UserGuide-2.0.pdf Additionally you must provide your own copy of openssl-fips-2.0.16.tar.gz This file must be acquired following the steps listed in section 4.1 of the UserGuide-2.0.pdf. See both section 4.1 and section 6.6 for more information on the "trusted path" and "secure installation" requirements. See README.build for information on building the components, and making them available for re-use. Note: According to information from NIST, FIPS-140-2 Validation submissions will end September 22, 2021. FIPS-140-2 Certifications will end September 22, 2026. Due to this, it is expected updates will be minimal after 2021 and most likely the layer will be EOL after 2026. Dependencies ------------ This layer depends on OpenEmbedded-core (meta) layer and meta-openssl102 layer. Usage ----- You must provide your own certified OpenSSL Object Modules to be FIPS-140-2 compliant. See the README.build file for instructions on how to build them. Be aware, building them per the instructions does not mean they are certified you must consult the User Guide and possibly a certification lab. Once the modules are placed somewhere, you will need to instruct the system to enable OpenSSL FIPS mode, as well as tell the system where your binaries are located. In your local.conf file set: OPENSSL_FIPS_ENABLED = '1' OPENSSL_FIPS_PREBUILT = 'path to prebuild binaries' or if you have the wr-template layer, add to WRTEMPLATE feature/openssl-fips: WRTEMPLATE = "feature/openssl-fips" or use the template without wr-template, add to your local.conf: include /templates/feature/openssl-fips Note, if you use the template approach, you may still need to set the OPENSSL_FIPS_PREBUILT in your local.conf. Maintenance ----------- Please see the MAINTAINERS file for information on contacting the maintainers of this layer, as well as instructions for submitting patches. License ------- Copyright (C) 2012-2019 Wind River Systems, Inc. Source code included in the tree for individual recipes is under the LICENSE stated in the associated recipe (.bb file) unless otherwise stated. The metadata is under the following license unless otherwise stated. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.