[yocto] [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips

Hongxu Jia hongxu.jia at windriver.com
Sat Oct 12 19:12:28 PDT 2019


On 10/13/19 5:22 AM, Mark Hatle wrote:
> The original goal of this work was to enable a FIPS-140-2 OpenSSL module.  Why
> is NSS part of this?
>
> Is something inside of the OpenSSL patches requesting NSS support, or is this a
> different -- but related request?

No, there is no relation between openssl and nss, but when the kernel enables

fips (boot parameter `fips=1`), nss fips is enabled as well and triggers the issue.

It seems all of them are part of a fips system: fips covers both the kernel and 
userspace,

and fips 140-2 is also part of it

//Hongxu

> --Mark
>
> On 10/12/19 3:17 AM, Hongxu Jia wrote:
>> Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
>> macro limitation to the fips enable test; currently we are not ready
>> to support nss fips
>>
>> ...
>> $ certutil -N -d sql:. --empty-password
>> |certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
>> module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
>> with the token or slot.
>>
>> $rpm -h
>> |error: Failed to initialize NSS library
>> ...
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>> ---
>>   .../nss/nss/0001-conditionally-enable-fips.patch   | 93 ++++++++++++++++++++++
>>   recipes-support/nss/nss_3.%.bbappend               |  4 +
>>   recipes-support/nss/nss_fips.inc                   |  4 +
>>   3 files changed, 101 insertions(+)
>>   create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch
>>   create mode 100644 recipes-support/nss/nss_3.%.bbappend
>>   create mode 100644 recipes-support/nss/nss_fips.inc
>>
>> diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
>> new file mode 100644
>> index 0000000..d11db91
>> --- /dev/null
>> +++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
>> @@ -0,0 +1,93 @@
>> +From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
>> +From: Hongxu Jia <hongxu.jia at windriver.com>
>> +Date: Sat, 12 Oct 2019 10:49:28 +0800
>> +Subject: [PATCH] conditionally enable fips
>> +
>> +Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
>> +macro limitaition to fips enable test, currently we are not ready
>> +to support nss fips
>> +
>> +...
>> +$ certutil -N -d sql:. --empty-password
>> +|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
>> +module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
>> +with the token or slot.
>> +
>> +$rpm -h
>> +|error: Failed to initialize NSS library
>> +...
>> +
>> +Upstream-Status: Inappropriate [oe specific]
>> +
>> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>> +---
>> + nss/coreconf/config.mk       | 2 ++
>> + nss/lib/freebl/nsslowhash.c  | 2 +-
>> + nss/lib/pk11wrap/pk11util.c  | 2 +-
>> + nss/lib/sysinit/nsssysinit.c | 4 ++++
>> + 4 files changed, 8 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
>> +index 60a0841..dcca87f 100644
>> +--- a/nss/coreconf/config.mk
>> ++++ b/nss/coreconf/config.mk
>> +@@ -179,6 +179,8 @@ endif
>> + # executing the startup tests at library load time.
>> + ifndef NSS_FORCE_FIPS
>> + DEFINES += -DNSS_NO_INIT_SUPPORT
>> ++else
>> ++DEFINES += -DNSS_FORCE_FIPS
>> + endif
>> +
>> + ifdef NSS_SEED_ONLY_DEV_URANDOM
>> +diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
>> +index 22f9781..baf71c3 100644
>> +--- a/nss/lib/freebl/nsslowhash.c
>> ++++ b/nss/lib/freebl/nsslowhash.c
>> +@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
>> + static int
>> + nsslow_GetFIPSEnabled(void)
>> + {
>> +-#ifdef LINUX
>> ++#if defined LINUX && defined NSS_FORCE_FIPS
>> +     FILE *f;
>> +     char d;
>> +     size_t size;
>> +diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
>> +index 502c4d0..cd86270 100644
>> +--- a/nss/lib/pk11wrap/pk11util.c
>> ++++ b/nss/lib/pk11wrap/pk11util.c
>> +@@ -98,7 +98,7 @@ SECMOD_Shutdown()
>> + int
>> + secmod_GetSystemFIPSEnabled(void)
>> + {
>> +-#ifdef LINUX
>> ++#if defined LINUX && defined NSS_FORCE_FIPS
>> +     FILE *f;
>> +     char d;
>> +     size_t size;
>> +diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
>> +index bd0fac2..5c09e8d 100644
>> +--- a/nss/lib/sysinit/nsssysinit.c
>> ++++ b/nss/lib/sysinit/nsssysinit.c
>> +@@ -168,6 +168,7 @@ getFIPSEnv(void)
>> + static PRBool
>> + getFIPSMode(void)
>> + {
>> ++#ifdef NSS_FORCE_FIPS
>> +     FILE *f;
>> +     char d;
>> +     size_t size;
>> +@@ -186,6 +187,9 @@ getFIPSMode(void)
>> +     if (d != '1')
>> +         return PR_FALSE;
>> +     return PR_TRUE;
>> ++#else
>> ++    return PR_FALSE;
>> ++#endif
>> + }
>> +
>> + #define NSS_DEFAULT_FLAGS "flags=readonly"
>> +--
>> +2.7.4
>> +
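Review bot: The three C hunks inside this patch (nsslowhash.c, pk11util.c, nsssysinit.c) gate the read of the kernel FIPS flag behind NSS_FORCE_FIPS, so a system booted with fips=1 silently runs NSS in non-FIPS mode unless the build exports NSS_FORCE_FIPS, and neither the patch description nor the code says so. The fallback added to getFIPSMode at `+#else` / `+    return PR_FALSE;` deserves a comment such as `/* Kernel FIPS flag intentionally ignored: NSS FIPS mode is not supported by this build yet. */`, and the description should state that the system flag is no longer honoured rather than only that fips can be "force enabled". In nsslowhash.c and pk11util.c the pre-existing non-LINUX branches that now also run on Linux lie outside the hunks; if they return 0 the behaviour matches getFIPSMode, but that should be confirmed. NSS_FORCE_FIPS is already a make variable in config.mk whose absence adds -DNSS_NO_INIT_SUPPORT (the comment above it appears to tie it to the load-time startup tests), so reusing it as a C define couples "run startup tests" with "honour the system FIPS flag"; if that coupling is intended, write it down in the config.mk comment. The bodies of nsslow_GetFIPSEnabled and secmod_GetSystemFIPSEnabled continue outside their hunks.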
>> diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend
>> new file mode 100644
>> index 0000000..9608ca3
>> --- /dev/null
>> +++ b/recipes-support/nss/nss_3.%.bbappend
>> @@ -0,0 +1,4 @@
>> +FIPSINC = ""
>> +FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}"
>> +
>> +require ${FIPSINC}
>> diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
>> new file mode 100644
>> index 0000000..b183f55
>> --- /dev/null
>> +++ b/recipes-support/nss/nss_fips.inc
>> @@ -0,0 +1,4 @@
>> +FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
>> +SRC_URI += " \
>> +    file://0001-conditionally-enable-fips.patch \
>> +"
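Review bot: Neither nss_fips.inc nor the bbappend sets NSS_FORCE_FIPS, so when OPENSSL_FIPS_ENABLED is "1" the patched NSS never honours the kernel FIPS flag, and a reader of this recipe cannot tell that from the files or see how to opt in. Add a comment above `SRC_URI +=`, e.g. `# 0001-conditionally-enable-fips.patch makes NSS ignore the kernel FIPS flag unless NSS_FORCE_FIPS is exported at build time; NSS FIPS mode is not supported yet.`. If opting in is meant to be possible, the variable to export (`export NSS_FORCE_FIPS = "1"`, presumably) should be named here too, since the commit message mentions it but no recipe line sets it.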
>>


