[yocto] [meta-openssl102-fips][PATCH 4/15] fipscheck: enable fipscheck on target
Mark Hatle
mark.hatle at kernel.crashing.org
Mon Sep 23 07:41:27 PDT 2019
On 9/22/19 9:56 AM, Hongxu Jia wrote:
> Refer to Fedora/RedHat's way
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
> recipes-connectivity/openssh/fipscheck_1.5.0.bb | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/recipes-connectivity/openssh/fipscheck_1.5.0.bb b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> index 0a06bd3..23a4123 100644
> --- a/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> +++ b/recipes-connectivity/openssh/fipscheck_1.5.0.bb
> @@ -28,6 +28,10 @@ EXTRA_OEMAKE += " \
> -I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
> "
> do_install_append() {
> + # Is't the fedora way to enable fipscheck
> + install -d ${D}${sysconfdir}
> + touch ${D}${sysconfdir}/system-fips
> +
After researching the system-fips, I'm wondering if it would be better to enable
this in the image recipe as part of an 'IMAGE_CLASSES'. Basically if FIPS-140-2
is enabled, then we can touch the file as a post image generation activity.
The alternative would be to create an initscript that would check for 'fips=1'
on the kernel command line and then create that file (or remove it?) as well.
I'm not sure which is the better strategy. (For read-only devices the image
thing is better, since /etc/ is otherwise read-only.)
--Mark
> install -d ${D}${libdir}/fipscheck
> }
>
>
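Review bot: the `touch ${D}${sysconfdir}/system-fips` in do_install_append is unconditional, so every image that packages fipscheck is marked as FIPS-enabled whether or not the OpenSSL FIPS module is actually in use on that image; gate the touch on the configuration variable that turns FIPS on for this layer (or do it at image assembly time, as suggested in the reply above) rather than in the fipscheck recipe itself. The comment above it also has a typo: "Is't the fedora way" should read "It's the Fedora way".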
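The second strategy in Mark's reply, an init-time check for fips=1 on the kernel command line that creates or removes /etc/system-fips, written out as an added example. This is not code from the patch or from the meta-openssl102-fips layer; the function names, the "start" argument convention and the use of a marker path parameter are assumptions made here so the logic can be exercised against a constructed command line in a scratch directory rather than the real /proc/cmdline and /etc.

```shell
#!/bin/sh
# Added example (not from the patch or the meta-openssl102-fips layer).
# Creates the Fedora-style /etc/system-fips marker when the kernel was
# booted with fips=1 and removes it otherwise, so the marker tracks the
# actual boot configuration instead of being baked in unconditionally.

# kernel_fips_requested CMDLINE
#   Returns 0 if the whole-word token "fips=1" appears in CMDLINE.
#   Iterating over words avoids matching things like "nofips=1" or
#   "fips=10" that a plain grep for "fips=1" would accept.
kernel_fips_requested() {
    for word in $1; do
        case "$word" in
            fips=1) return 0 ;;
        esac
    done
    return 1
}

# sync_system_fips CMDLINE MARKER
#   Create MARKER (an empty file, as the patch's touch does) when
#   fips=1 is present, remove it when it is not. Echoes the resulting
#   state so callers and tests can check what was decided.
sync_system_fips() {
    cmdline=$1
    marker=$2
    if kernel_fips_requested "$cmdline"; then
        mkdir -p "$(dirname "$marker")"
        : > "$marker"
        echo "enabled"
    else
        rm -f "$marker"
        echo "disabled"
    fi
}

# Entry point for use as an init script: only touches the real system
# when invoked as "<script> start", so sourcing the file elsewhere is
# side-effect free. The "start" convention is an assumption of this
# example, not something the layer defines.
if [ "${1:-}" = "start" ]; then
    sync_system_fips "$(cat /proc/cmdline)" /etc/system-fips
fi
```

For the read-only rootfs case that the reply prefers, the same `: > "$marker"` step belongs in a ROOTFS_POSTPROCESS_COMMAND function run against ${IMAGE_ROOTFS} at image build time, where the result is fixed into the image rather than decided at boot.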