[yocto] [meta-openssl102-fips][PATCH 3/15] fipscheck: add generation of the checksums in pkg_postinst

[Mark Hatle]

On 9/22/19 9:56 AM, Hongxu Jia wrote:
> Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
> 
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
>  recipes-connectivity/openssh/fipscheck_1.5.0.bb | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> index 68051d2..0a06bd3 100644
> --- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> +++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> @@ -27,4 +27,22 @@ EXTRA_OECONF += " \
>  EXTRA_OEMAKE += " \
>      -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
>  "
> +do_install_append() {
> +    install -d ${D}${libdir}/fipscheck
> +}
>  
> +inherit qemu
> +
> +pkg_postinst_${PN} () {
> +    if [ -n "$D" ]; then
> +        ${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
> +            -d $D${libdir}/fipscheck $D${bindir}/fipscheck $D${libdir}/libfipscheck.so.1.2.1 && \
> +        ln -s libfipscheck.so.1.2.1.hmac $D${libdir}/fipscheck/libfipscheck.so.1.hmac
> +    else
> +        ${bindir}/fipshmac -d ${libdir}/fipscheck ${bindir}/fipscheck \
> +            ${libdir}/libfipscheck.so.1.2.1 && \
> +        ln -s libfipscheck.so.1.2.1.hmac ${libdir}/fipscheck/libfipscheck.so.1.hmac
> +    fi
> +}

The way this works has changed a bit since I really knew it.  I was looking in
the manpages.bbclass and they have the following:

>         if ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'true', 'false', d)}; then
>                 if test -n "$D"; then
>                         if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 'true','false', d)}; then
>                                 sed "s:\(\s\)/:\1$D/:g" $D${sysconfdir}/man_db.conf | ${@qemu_run_binary(d, '$D', '${bindir}/mandb')} -C - -u -q $D${mandir}
>                                 mkdir -p $D${localstatedir}/cache/man
>                                 mv $D${mandir}/index.db $D${localstatedir}/cache/man
>                         else
>                                 $INTERCEPT_DIR/postinst_intercept delay_to_first_boot ${PKG} mlprefix=${MLPREFIX}
>                         fi
>                 else
>                         mandb -q
>                 fi
>         fi


That is checking for the presence of the MACHINE_FEATURE.  I'm not sure I like
that in this case though since it makes these recipes machine specific.

But I do think we need the delay until first boot part.

Jason, I know you've been working on first boot things for a while, any opinion?

--Mark

> +
> +FILES_${PN} += "${libdir}/fipscheck"
>