Openembedded Core Discussions
* [PATCH] openssl: add fips support
@ 2025-05-09  9:37 Yi Zhao
  2025-05-09  9:56 ` [OE-core] " Alexander Kanavin
  0 siblings, 1 reply; 7+ messages in thread
From: Yi Zhao @ 2025-05-09  9:37 UTC (permalink / raw)
  To: openembedded-core

* Add PACKAGECONFIG[fips] to enable fips build.
* Split a new package openssl-ossl-module-fips for fips.so.
* Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
  config file fipsmodule.cnf is created on target.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 .../openssl/openssl_3.5.0.bb                  | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
index 865e04deb2..fdb304c73c 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
@@ -31,6 +31,7 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt
 PACKAGECONFIG[no-tls1] = "no-tls1"
 PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
 PACKAGECONFIG[manpages] = ""
+PACKAGECONFIG[fips] = "enable-fips"
 
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"
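Review bot: PACKAGECONFIG[fips] = "enable-fips" leaves the disable field empty, so a build without fips relies on OpenSSL's Configure default; spelling it out as "enable-fips,no-fips" keeps the configure line explicit if that default ever changes. The commit message should also say that enable-fips on this 3.5.0 tarball produces a FIPS-capable provider, not a FIPS 140 validated module: a validated module has to be built from the exact source and with the exact procedure given in its Security Policy, and nothing in this recipe change can provide that.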
@@ -154,7 +155,9 @@ do_compile:append () {
 }
 
 do_install () {
-	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
+	    ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
+	    ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
 
 	oe_multilib_header openssl/opensslconf.h
 	oe_multilib_header openssl/configuration.h
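Review bot: install_fips installs both ossl-modules/fips.so and ssl-3/fipsmodule.cnf, and the second file is deleted further down in the same function; a one-line comment here ("install_fips also writes fipsmodule.cnf, removed below") would save the next reader from piecing that together from two hunks. The line continuation itself is fine.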
@@ -172,6 +175,11 @@ do_install () {
 	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
 	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
 	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+
+	# Generate fipsmodule.cnf on first boot
+	if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+		rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
+	fi
 }
 
 do_install:append:class-native () {
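Review bot: the comment above the rm explains what the postinst does, not why the fipsmodule.cnf that install_fips just installed cannot be used, and the commit message should say so. util/mk-fipsmodule-cnf.pl computes module-mac over the fips.so in ${B}; do_package strips that library afterwards, so the recorded MAC no longer matches the bytes that reach the target, which is what the two different module-mac values later in this thread show. Two consequences belong in the message as well: there is no fipsmodule.cnf at all until the postinst has run, so the provider cannot be activated before that point; and deferring a postinst to the target is fatal at rootfs time for images with read-only-rootfs in IMAGE_FEATURES, so those images cannot use this PACKAGECONFIG as written. Recomputing module-mac over the stripped fips.so at build time (without install-status/install-mac, so that the KATs run at each load) would serve both cases.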
@@ -229,12 +237,18 @@ do_install_ptest() {
 	ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
 }
 
+pkg_postinst_ontarget:${PN}-ossl-module-fips () {
+	if test -f ${libdir}/ossl-modules/fips.so; then
+		${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
+	fi
+}
+
 # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
 # package RRECOMMENDS on this package. This will enable the configuration
 # file to be installed for both the openssl-bin package and the libcrypto
 # package since the openssl-bin package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
 
 FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES:libssl = "${libdir}/libssl${SOLIBS}"
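Review bot: fipsinstall is invoked with no check options, and the diff posted later in this thread shows the effect: the upstream file has tls1-prf-ems-check = 1, rsa-pkcs15-pad-disabled = 1, drbg-no-trunc-md = 1 and the other checks at 1, while the file this postinst writes has all of them at 0, so the target ends up with a less strict provider configuration than upstream generates. Either pass the corresponding fipsinstall options (the option names are the config keys with underscores, e.g. -tls1_prf_ems_check; -pedantic enables all of them) or state in the commit message that the relaxation is intended. Separately, ${bindir}/openssl is not part of ${PN}-ossl-module-fips and no RDEPENDS is added, so when the module package is installed without the CLI the test -f succeeds, the fipsinstall call fails, and the module is left without a config; add an RDEPENDS on whichever package ships the binary and fail loudly on a non-zero exit status rather than continuing silently.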
@@ -246,6 +260,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
 FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
 FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
 FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
 FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
 FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
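Review bot: the fipsmodule.cnf the postinst writes into ${libdir}/ssl-3 is owned by no package: FILES:${PN} =+ "${libdir}/ssl-3/*" only claims files present at packaging time, and the build-time copy was removed in do_install, so the generated file is neither removed when ${PN}-ossl-module-fips is uninstalled nor listed as a CONFFILE. A pkg_postrm for the new package that deletes it, plus a SUMMARY for ${PN}-ossl-module-fips, would complete the packaging.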
-- 
2.48.1




* Re: [OE-core] [PATCH] openssl: add fips support
  2025-05-09  9:37 [PATCH] openssl: add fips support Yi Zhao
@ 2025-05-09  9:56 ` Alexander Kanavin
  2025-05-09 11:24   ` Yi Zhao
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander Kanavin @ 2025-05-09  9:56 UTC (permalink / raw)
  To: yi.zhao; +Cc: openembedded-core

On Fri, 9 May 2025 at 11:38, Yi Zhao via lists.openembedded.org
<yi.zhao=eng.windriver.com@lists.openembedded.org> wrote:
> * Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
>   config file fipsmodule.cnf is created on target.
> +       # Generate fipsmodule.cnf on first boot
> +       if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> +               rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
> +       fi
> +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
> +       if test -f ${libdir}/ossl-modules/fips.so; then
> +               ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
> +       fi
> +}
> +

This needs to be better explained:

- why is the standard fipsmodule.cnf deleted in do_install? If
upstream installs it, then why can't we simply use it?

- why re-generation of that file has to happen on target? Can we use
native openssl instead? Or run target openssl with qemu usermode?

Alex



* Re: [OE-core] [PATCH] openssl: add fips support
  2025-05-09  9:56 ` [OE-core] " Alexander Kanavin
@ 2025-05-09 11:24   ` Yi Zhao
  2025-05-09 12:35     ` Alexander Kanavin
  0 siblings, 1 reply; 7+ messages in thread
From: Yi Zhao @ 2025-05-09 11:24 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: openembedded-core


On 5/9/25 17:56, Alexander Kanavin wrote:
> On Fri, 9 May 2025 at 11:38, Yi Zhao via lists.openembedded.org
> <yi.zhao=eng.windriver.com@lists.openembedded.org> wrote:
>> * Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
>>    config file fipsmodule.cnf is created on target.
>> +       # Generate fipsmodule.cnf on first boot
>> +       if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
>> +               rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
>> +       fi
>> +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
>> +       if test -f ${libdir}/ossl-modules/fips.so; then
>> +               ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
>> +       fi
>> +}
>> +
> This needs to be better explained:
>
> - why is the standard fipsmodule.cnf deleted in do_install? If
> upstream installs it, then why can't we simply use it?
>
> - why re-generation of that file has to happen on target? Can we use
> native openssl instead? Or run target openssl with qemu usermode?

The "openssl fipsinstall" command will do the following things:
1. Runs the FIPS module self tests on target
2. Generates the config file fipsmodule.cnf containing information about the module, such as the calculated MAC of the FIPS module and the MAC of the value of the self tests status

We should not use the same fipsmodule.cnf on different machines. So it will be generated on the target.


//Yi


>
> Alex



* Re: [OE-core] [PATCH] openssl: add fips support
  2025-05-09 11:24   ` Yi Zhao
@ 2025-05-09 12:35     ` Alexander Kanavin
  2025-05-09 13:17       ` Yi Zhao
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander Kanavin @ 2025-05-09 12:35 UTC (permalink / raw)
  To: Yi Zhao; +Cc: openembedded-core

> The "openssl fipsinstall" command will do the following things:
> 1. Runs the FIPS module self tests on target
> 2. Generates config file fipsmodule.conf containing information about
> the module such as the calculated MAC of the FIPS module and the MAC of
> the value of the self tests status
>
> We should not use the same fipsmodule.cnf on different machines. So it
> will be generated on the target.

Thanks. Is the original file (which is installed and then deleted)
pre-packaged with openssl tarball, or generated during build? Can you
show the difference between that, and the file that gets generated on
target? I'd like to see the actual content.

Alex



* Re: [OE-core] [PATCH] openssl: add fips support
  2025-05-09 12:35     ` Alexander Kanavin
@ 2025-05-09 13:17       ` Yi Zhao
  2025-05-09 13:44         ` Alexander Kanavin
  0 siblings, 1 reply; 7+ messages in thread
From: Yi Zhao @ 2025-05-09 13:17 UTC (permalink / raw)
  To: alex.kanavin; +Cc: openembedded-core


On 5/9/25 20:35, Alexander Kanavin via lists.openembedded.org wrote:
>> The "openssl fipsinstall" command will do the following things:
>> 1. Runs the FIPS module self tests on target
>> 2. Generates config file fipsmodule.conf containing information about
>> the module such as the calculated MAC of the FIPS module and the MAC of
>> the value of the self tests status
>>
>> We should not use the same fipsmodule.cnf on different machines. So it
>> will be generated on the target.
> Thanks. Is the original file (which is installed and then deleted)
> pre-packaged with openssl tarball, or generated during build? Can you
> show the difference between that, and the file that gets generated on
> target? I'd like to see the actual content.

The original file is generated by util/mk-fipsmodule-cnf.pl during build.


Here is the diff result:

$ diff fipsmodule.cnf.orig  fipsmodule.cnf
6,29c6,30
< module-mac = 8A:6E:E0:65:18:AF:1C:1C:67:FA:CF:8E:89:9B:67:03:4A:1F:0E:87:1A:34:23:D3:5D:90:73:98:32:A3:AC:31
< tls1-prf-ems-check = 1
< no-short-mac = 1
< drbg-no-trunc-md = 1
< signature-digest-check = 1
< dsa-sign-disabled = 1
< hkdf-digest-check = 1
< tls13-kdf-digest-check = 1
< tls1-prf-digest-check = 1
< sshkdf-digest-check = 1
< sskdf-digest-check = 1
< x963kdf-digest-check = 1
< tdes-encrypt-disabled = 1
< rsa-pkcs15-pad-disabled = 1
< rsa-pss-saltlen-check = 1
< rsa-sign-x931-pad-disabled = 1
< hkdf-key-check = 1
< kbkdf-key-check = 1
< tls13-kdf-key-check = 1
< tls1-prf-key-check = 1
< sshkdf-key-check = 1
< sskdf-key-check = 1
< x963kdf-key-check = 1
< x942kdf-key-check = 1
---
> hmac-key-check = 0
> kmac-key-check = 0
> tls1-prf-ems-check = 0
> no-short-mac = 0
> drbg-no-trunc-md = 0
> signature-digest-check = 0
> hkdf-digest-check = 0
> tls13-kdf-digest-check = 0
> tls1-prf-digest-check = 0
> sshkdf-digest-check = 0
> sskdf-digest-check = 0
> x963kdf-digest-check = 0
> dsa-sign-disabled = 0
> tdes-encrypt-disabled = 0
> rsa-pkcs15-pad-disabled = 0
> rsa-pss-saltlen-check = 0
> rsa-sign-x931-pad-disabled = 0
> hkdf-key-check = 0
> kbkdf-key-check = 0
> tls13-kdf-key-check = 0
> tls1-prf-key-check = 0
> sshkdf-key-check = 0
> sskdf-key-check = 0
> x963kdf-key-check = 0
> x942kdf-key-check = 0
31,33c32,33
< ecdh-cofactor-check = 1
< hmac-key-check = 1
< kmac-key-check = 1
---
> ecdh-cofactor-check = 0
> module-mac = 83:F9:46:E4:60:88:FC:B7:CF:7D:CA:30:1F:9D:9A:FB:4C:18:5F:57:68:44:C7:2D:8D:8A:CD:92:21:D4:10:44

>
> Alex
>


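Yi's description of what "openssl fipsinstall" writes (a MAC of the module and a MAC of the self-test status) and the diff between the build-time and target-generated files above both come down to two HMAC-SHA256 values under one fixed key. The Python below is an added example for this thread, not code from the patch or from OpenSSL: it recomputes module-mac and install-mac the way the provider checks them at load time, which makes visible that module-mac depends only on the bytes of fips.so (it changes when the library is stripped or relinked, and is identical on every machine that installs the same file), and it lists the check options that differ between two configs, as the diff above does. The key value is the fixed key from OpenSSL's fips/self_test.c and should be confirmed against the version you ship; CHECK_OPTIONS is a subset of the option names in the diff; the module byte strings are constructed stand-ins for fips.so.

```python
"""Check an OpenSSL 3 fipsmodule.cnf against the fips.so it describes.

Added example for this thread, not code from the OE-core patch or from
OpenSSL. It recomputes the two integrity values that `openssl fipsinstall`
writes (module-mac over the module file, install-mac over the install-status
string) and lists the check options that differ between two configs.
"""
import hashlib
import hmac

# Fixed HMAC-SHA256 key used by the OpenSSL 3 FIPS provider for both
# integrity checks (fips/self_test.c). Confirm it against the OpenSSL
# version you ship before relying on this script.
FIXED_KEY = bytes.fromhex(
    "f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813")
# Value fipsinstall records as install-status once the KATs have passed.
INSTALL_STATUS_VAL = "INSTALL_SELF_TEST_KATS_RUN"
# Check options written as "name = 0|1" lines; a subset of those in the
# thread's diff (the full list depends on the OpenSSL version).
CHECK_OPTIONS = ("tls1-prf-ems-check", "no-short-mac", "drbg-no-trunc-md",
                 "signature-digest-check", "rsa-pkcs15-pad-disabled",
                 "rsa-pss-saltlen-check", "ecdh-cofactor-check")


def colon_hex(mac: bytes) -> str:
    """Format a MAC as fipsinstall does: upper-case hex, colon separated."""
    return ":".join(f"{b:02X}" for b in mac)


def fips_hmac(data: bytes) -> str:
    """HMAC-SHA256 under the fixed provider key, in fipsmodule.cnf format."""
    return colon_hex(hmac.new(FIXED_KEY, data, hashlib.sha256).digest())


def write_fipsmodule_cnf(module_bytes: bytes, checks_enabled: bool) -> str:
    """Produce a config in the layout fipsinstall emits for this module image."""
    flag = "1" if checks_enabled else "0"
    lines = ["[fips_sect]", "activate = 1", "install-version = 1",
             "conditional-errors = 1", "security-checks = 1"]
    lines += [f"{opt} = {flag}" for opt in CHECK_OPTIONS]
    lines += [f"module-mac = {fips_hmac(module_bytes)}",
              f"install-mac = {fips_hmac(INSTALL_STATUS_VAL.encode())}",
              f"install-status = {INSTALL_STATUS_VAL}"]
    return "\n".join(lines) + "\n"


def parse_fipsmodule_cnf(text: str) -> dict:
    """Collect the key = value lines of a fipsmodule.cnf into a dict."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def verify(cnf_text: str, module_bytes: bytes) -> tuple:
    """Return (ok, problems) for a config checked against a module image.

    Mirrors the provider's load-time check: if module-mac does not match the
    bytes of fips.so on this machine, the provider refuses to load, which is
    why a config computed over a different build of fips.so is useless.
    """
    opts = parse_fipsmodule_cnf(cnf_text)
    problems = []
    if opts.get("module-mac", "").upper() != fips_hmac(module_bytes):
        problems.append("module-mac does not match this fips.so")
    status, imac = opts.get("install-status"), opts.get("install-mac")
    # Both absent is the -self_test_onload layout: KATs run on every load.
    if (status is None) != (imac is None):
        problems.append("install-status and install-mac must appear together")
    elif status is not None and imac.upper() != fips_hmac(status.encode()):
        problems.append("install-mac does not match install-status")
    return (not problems, problems)


def option_differences(a_text: str, b_text: str) -> dict:
    """Return {option: (a, b)} for settings that differ, MAC lines excluded."""
    a, b = parse_fipsmodule_cnf(a_text), parse_fipsmodule_cnf(b_text)
    ignore = {"module-mac", "install-mac"}
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k) != b.get(k)}


# Constructed stand-ins for a fips.so image before and after a one-byte change
# (such as stripping); any byte strings would do here.
BUILD_MODULE = b"\x7fELF" + b"fips.so as built in ${B}" * 4
TARGET_MODULE = BUILD_MODULE[:-1] + b"!"
BUILD_CNF = write_fipsmodule_cnf(BUILD_MODULE, checks_enabled=True)
TARGET_CNF = write_fipsmodule_cnf(TARGET_MODULE, checks_enabled=False)

if __name__ == "__main__":
    print(verify(BUILD_CNF, BUILD_MODULE))
    print(verify(BUILD_CNF, TARGET_MODULE))
    print(option_differences(BUILD_CNF, TARGET_CNF))
```

Run it with python3 to see the three results on the constructed data. On a real target the same verify() call takes the contents of ${libdir}/ssl-3/fipsmodule.cnf and the bytes of ${libdir}/ossl-modules/fips.so (the paths the recipe uses); option_differences() on the build-time and target files gives the same picture as the diff above, without the MAC lines getting in the way.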

* Re: [OE-core] [PATCH] openssl: add fips support
  2025-05-09 13:17       ` Yi Zhao
@ 2025-05-09 13:44         ` Alexander Kanavin
  2025-05-09 14:04           ` Yi Zhao
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander Kanavin @ 2025-05-09 13:44 UTC (permalink / raw)
  To: Yi Zhao; +Cc: openembedded-core

On Fri, 9 May 2025 at 15:17, Yi Zhao <yi.zhao@windriver.com> wrote:
> The original file is generated by util/mk-fipsmodule-cnf.pl during build.

Thanks. It's a little odd that this script is not using 'openssl
fipsinstall', but rather seems to be writing out a hardcoded config:
https://github.com/openssl/openssl/blob/master/util/mk-fipsmodule-cnf.pl

Otherwise looks fine -  you can send a v2 with the information
provided in responses to questions added to the commit message.

Alex



* Re: [OE-core] [PATCH] openssl: add fips support
  2025-05-09 13:44         ` Alexander Kanavin
@ 2025-05-09 14:04           ` Yi Zhao
  0 siblings, 0 replies; 7+ messages in thread
From: Yi Zhao @ 2025-05-09 14:04 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: openembedded-core


On 5/9/25 21:44, Alexander Kanavin wrote:
> On Fri, 9 May 2025 at 15:17, Yi Zhao <yi.zhao@windriver.com> wrote:
>> The original file is generated by util/mk-fipsmodule-cnf.pl during build.
> Thanks. It's a little odd that this script is not using 'openssl
> fipsinstall', but rather seems to be writing out a hardcoded config:
> https://github.com/openssl/openssl/blob/master/util/mk-fipsmodule-cnf.pl
>
> Otherwise looks fine -  you can send a v2 with the information
> provided in responses to questions added to the commit message.

Thanks, I will send V2.


//Yi


>
> Alex


