[yocto] [meta-openssl102-fips][PATCH 6/16] add kernel fips mode support

Hongxu Jia hongxu.jia at windriver.com
Wed Sep 25 00:24:03 PDT 2019


A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
by specifying fips=1 as a kernel parameter. [1][2]

The kernel then exposes /proc/sys/crypto/fips_enabled, which is presumably
used by the Red Hat-modified version of OpenSSL. [3]

[1] https://www.linux.org/docs/man8/fipscheck.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
[3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 classes/fips_kernel.bbclass                | 4 ++++
 conf/layer.conf                            | 4 ++++
 recipes-kernel/linux/files/crypto_fips.cfg | 3 +++
 recipes-kernel/linux/files/crypto_fips.scc | 1 +
 4 files changed, 12 insertions(+)
 create mode 100644 classes/fips_kernel.bbclass
 create mode 100644 recipes-kernel/linux/files/crypto_fips.cfg
 create mode 100644 recipes-kernel/linux/files/crypto_fips.scc

diff --git a/classes/fips_kernel.bbclass b/classes/fips_kernel.bbclass
new file mode 100644
index 0000000..064088f
--- /dev/null
+++ b/classes/fips_kernel.bbclass
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:"
+SRC_URI_append = " \
+    file://crypto_fips.scc \
+"
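Review bot: only crypto_fips.scc is appended to SRC_URI here, while the crypto_fips.cfg it references is not; the usual linux-yocto pattern lists both (`file://crypto_fips.scc file://crypto_fips.cfg`) so the fragment is fetched next to the feature file, so please confirm the .cfg is actually found and applied (the do_kernel_configcheck audit will show whether the options survived). Also, KERNEL_CLASSES pulls this class into every kernel recipe, but .scc/.cfg fragments are only processed by kernel-yocto.bbclass; a kernel that does not inherit kernel-yocto silently ignores them, so a one-line comment in the class stating that expectation would save the next person a confusing build.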
diff --git a/conf/layer.conf b/conf/layer.conf
index 185f422..bcf34b3 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -20,3 +20,7 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
 "
 
 IMAGE_CLASSES_append = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else ' image-enable-fips'}"
+
+LAYER_PATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"
+
+KERNEL_CLASSES_append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ' fips_kernel', '',d)}"
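Review bot: the two conditionals on OPENSSL_FIPS_ENABLED in this file use different idioms, inline Python with `!= '1'` for IMAGE_CLASSES_append and `bb.utils.contains` for KERNEL_CLASSES_append; using `bb.utils.contains` for both keeps the layer.conf consistent. Minor style points in the new line: the leading space in `' fips_kernel'` duplicates the space already in front of `${@...}`, and `',d)` wants a space after the comma.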
diff --git a/recipes-kernel/linux/files/crypto_fips.cfg b/recipes-kernel/linux/files/crypto_fips.cfg
new file mode 100644
index 0000000..cffdc02
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.cfg
@@ -0,0 +1,3 @@
+CONFIG_CRYPTO_FIPS=y
+CONFIG_MODULE_SIG=y
+# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
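Review bot: CONFIG_MODULE_SIG=y by itself only turns on signature checking; with fips=1 the module loader of this kernel era treats a failed verification as fatal (it panics with "Module verification failed ... in FIPS mode" rather than just rejecting the module), so any loadable module must be signed at build time (CONFIG_MODULE_SIG_ALL plus a signing key) or the config must be all built-in. Either add those options to the fragment or state the expectation in the commit message. A comment line above `# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set` saying that CONFIG_CRYPTO_FIPS depends on the self-tests staying enabled would also explain why that line is there. Note too that nothing in this patch puts fips=1 on the command line; that is left to the bootloader configuration, which is fine but worth documenting in the layer README.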
diff --git a/recipes-kernel/linux/files/crypto_fips.scc b/recipes-kernel/linux/files/crypto_fips.scc
new file mode 100644
index 0000000..f64380a
--- /dev/null
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -0,0 +1 @@
+kconf non-hardware crypto_fips.cfg
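Review bot: the feature file lacks the customary `define KFEATURE_DESCRIPTION "..."` (and `define KFEATURE_COMPATIBILITY all`) header that linux-yocto .scc files carry; adding it documents the feature in the tooling output. `non-hardware` is the right classification here, since it makes do_kernel_configcheck warn if CONFIG_CRYPTO_FIPS or CONFIG_MODULE_SIG is dropped by an unmet dependency instead of failing silently.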
-- 
2.7.4
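The commit message describes two things a deployer has to verify: that the built kernel really carries the three options from crypto_fips.cfg, and that the running kernel was actually booted with fips=1 and reports it in /proc/sys/crypto/fips_enabled. The script below is an added example, not part of this patch or of meta-openssl102-fips; it takes the config and proc paths as parameters so it can be run against copied files, and the sample files used in the comments are constructed here.

```shell
#!/bin/sh
# Added example (not from the patch): build-time and runtime FIPS checks.

# fips_config_check CONFIG_FILE
# Verifies a kernel .config carries the settings from crypto_fips.cfg.
# Prints each problem and returns 1 if anything is wrong, 0 otherwise.
fips_config_check() {
    cfg=$1
    rc=0
    for want in CONFIG_CRYPTO_FIPS=y CONFIG_MODULE_SIG=y; do
        # -x matches the whole line, so CONFIG_CRYPTO_FIPS=y does not
        # accidentally match CONFIG_CRYPTO_FIPS_SOMETHING=y
        grep -qx "$want" "$cfg" || { echo "missing: $want"; rc=1; }
    done
    # CONFIG_CRYPTO_FIPS needs the crypto self-tests; the option that
    # disables them must be absent or "is not set", never =y.
    if grep -qx 'CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y' "$cfg"; then
        echo "self-tests disabled: CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y"
        rc=1
    fi
    return $rc
}

# fips_state [FIPS_ENABLED_FILE] [CMDLINE_FILE]
# Cross-checks the sysctl the kernel exposes against the command line
# it was booted with. Prints exactly one of:
#   enabled                    sysctl reads 1
#   requested-but-off          fips=1 was passed but sysctl reads 0
#   requested-but-unsupported  fips=1 was passed, kernel has no sysctl
#   no-fips-sysctl             kernel built without CONFIG_CRYPTO_FIPS
#   disabled                   sysctl present, reads 0, fips=1 not passed
fips_state() {
    fips_file=${1:-/proc/sys/crypto/fips_enabled}
    cmdline_file=${2:-/proc/cmdline}
    requested=0
    if [ -r "$cmdline_file" ]; then
        # Compare whole space-separated words so fips=10 or xfips=1 do
        # not count; this stays within POSIX sh (no grep -w needed).
        for word in $(cat "$cmdline_file"); do
            [ "$word" = "fips=1" ] && requested=1
        done
    fi
    if [ ! -r "$fips_file" ]; then
        if [ "$requested" -eq 1 ]; then
            echo requested-but-unsupported
        else
            echo no-fips-sysctl
        fi
        return 0
    fi
    read -r value < "$fips_file"
    if [ "$value" = "1" ]; then
        echo enabled
    elif [ "$requested" -eq 1 ]; then
        echo requested-but-off
    else
        echo disabled
    fi
}

# Usage on a live system (defaults to the real /proc paths):
fips_state
```

On a target the expected pairing is `enabled` together with a clean `fips_config_check` run against the kernel's saved .config (or the zcat of /proc/config.gz); `requested-but-unsupported` is the signature of a fips=1 command line on a kernel built without CONFIG_CRYPTO_FIPS, which is the failure mode the crypto_fips.cfg fragment exists to prevent.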