[yocto] [meta-openssl102-fips][PATCH 2/2] README.build: add FAQ to support fips on arm/aarch64/x86

Mark Hatle mark.hatle at windriver.com
Tue Sep 17 06:09:13 PDT 2019


On 9/16/19 9:34 PM, Hongxu Jia wrote:
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
>  README.build | 36 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 36 insertions(+)
> 
> diff --git a/README.build b/README.build
> index 9735028..bc8fcf3 100644
> --- a/README.build
> +++ b/README.build
> @@ -245,3 +245,39 @@ Note this sample command is functionally equivalent to:
>  $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm fips_hmac.c
>  HMAC-SHA1(fips_hmac.c)= ae25ad68d9a8cc04075100563a437fa37829afcc
>  
> +===============
> +FAQ
> +===============
> +1. How to support fips on 32bit arm (such as MACHINE = qemuarm)?
> +Set env MACHINE='arm' before Building the FIPS Object Module
> +(Building Steps 3), which affects fips config not to add option
> +`-march=armv7-a' to avoid failure on gcc8:
> +[snip]
> +|`cc1: error: -mfloat-abi=hard: selected processor lacks an FPU'
> +[snip]
> +
> +2. How to support fips on aarch64 (such as MACHINE = qemuarm64)?
> +For aarch64, FIPS 140-2 module only support android, wrapper gcc
> +at Building the FIPS Object Module(Building Steps 3) to define
> +macro FIPS_REF_POINT_IS_CROSS_COMPILER_AWARE to simulate what
> +android did. Provide a way to add bbappend to wrapper gcc:
> +mkdir -p recipes-devtools/gcc
> +cat << ENDOF > recipes-devtools/gcc/gcc_9.%.bbappend
> +do_install_append_aarch64() {
> +    create_cmdline_wrapper \${D}/\${bindir}/gcc -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE
> +}
> +
> +FILES_\${PN}-symlinks += "\${bindir}/gcc.real"
> +ENDOF
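
Review bot: In FAQ 2 the bbappend wraps the installed ${bindir}/gcc itself (`create_cmdline_wrapper \${D}/\${bindir}/gcc -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE`), so the define is passed on every compile by that gcc, not only while Building the FIPS Object Module (Building Steps 3). The README should either scope the define to that step or state plainly that the wrapper is global. The file name gcc_9.%.bbappend also ties the instructions to gcc 9 while FAQ 1 talks about gcc8, so say which gcc versions this applies to. Finally, the commands from mkdir to ENDOF run straight on from the prose; set them off with the "$ " prompt used by the sample command at the top of this hunk and say which layer directory they are run from.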

I'm not sure the above wrapper is really allowed by the FIPS 140-2 User Guide.
However, if it were, the instructions should be different.  Something like

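# Quote the delimiter so $@ is written literally into the script
cat > gcc-wrapper.sh << 'EOF'
#!/bin/sh
# Add the FIPS define ahead of the caller's arguments
gcc -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE "$@"
EOF
chmod +x gcc-wrapper.sh

# Use a full path so the wrapper is found without being on PATH
export CC="$PWD/gcc-wrapper.sh"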

I've not tried this though.

I'll give this a try and see if this will work.  We will document it with a
caveat about being unclear if it's allowed.

--Mark

> +3. How to support fips on 32bit x86? (Such as MACHINE = qemux86,
> +or lib32-image on qemux86-64)
> +Set env MACHINE='i686' before Building the FIPS Object Module
> +(Building Steps 3) which affect fips config not to add option
> +`-m 64' on lib32-image which workaround the following failure
> +[snip]
> +|/usr/include/bits/long-double.h:44:10: fatal error:
> +bits/long-double-64.h: No such file or directory
> +|   44 | #include <bits/long-double-64.h>
> +[snip]
> +



