From: Yi Zhao <yi.zhao@windriver.com>
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] openssl: add fips support
Date: Fri, 9 May 2025 19:24:49 +0800 [thread overview]
Message-ID: <b7826686-6580-41ea-bc93-89a28798d7fd@windriver.com> (raw)
In-Reply-To: <CANNYZj8+SvOzz7D0a_sEi81vhi3up699eYoJ1pgBsW0xMHuhog@mail.gmail.com>
On 5/9/25 17:56, Alexander Kanavin wrote:
> On Fri, 9 May 2025 at 11:38, Yi Zhao via lists.openembedded.org
> <yi.zhao=eng.windriver.com@lists.openembedded.org> wrote:
>> * Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
>> config file fipsmodule.cnf is created on target.
>> + # Generate fipsmodule.cnf on first boot
>> + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
>> + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
>> + fi
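Review bot: the `rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf` carries no comment saying why the file upstream installs is discarded; add one stating that its module-mac is bound to the exact fips.so binary and that the package's postinst regenerates it on the target, so the reason lives in the recipe and not only in this thread.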
>> +pkg_postinst_ontarget:${PN}-ossl-module-fips () {
>> + if test -f ${libdir}/ossl-modules/fips.so; then
>> + ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
>> + fi
>> +}
>> +
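Review bot: the `test -f ${libdir}/ossl-modules/fips.so` guard makes the postinst succeed silently when the module is missing, although this package exists to ship that module; either drop the guard so a missing fips.so fails the postinst, or log the reason before returning. The script also invokes `${bindir}/openssl` on the target, so ${PN}-ossl-module-fips needs a runtime dependency on whichever package provides that binary, otherwise first boot can run the postinst before the tool is present.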
> This needs to be better explained:
>
> - why is the standard fipsmodule.cnf deleted in do_install? If
> upstream installs it, then why can't we simply use it?
>
> - why re-generation of that file has to happen on target? Can we use
> native openssl instead? Or run target openssl with qemu usermode?
The "openssl fipsinstall" command will do the following things:
1. Runs the FIPS module self tests on target
2. Generates the config file fipsmodule.cnf containing information about
the module such as the calculated MAC of the FIPS module and the MAC of
the value of the self-test status
We should not use the same fipsmodule.cnf on different machines. So it
will be generated on the target.
//Yi
>
> Alex
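To make the explanation above concrete, the following is an added example (not code from the OE-core patch or from OpenSSL) showing what `openssl fipsinstall` writes into fipsmodule.cnf and why that file is bound to one specific fips.so. It assumes OpenSSL's default build-time FIPSKEY for the integrity HMAC (a build can configure a different key), mirrors the [fips_sect] layout of OpenSSL 3.0 (newer versions add further check options), and uses constructed byte strings in place of real fips.so builds.

```python
"""
Added example, not part of the OE-core patch or of OpenSSL itself.

Shows why a fipsmodule.cnf generated on one machine must not be reused on
another: module-mac is an HMAC-SHA256 over the exact bytes of fips.so, and
install-mac is an HMAC over the recorded self-test status string.

Assumptions (labelled as such):
  * DEFAULT_FIPSKEY is OpenSSL's default build-time FIPSKEY; a build may
    configure a different key, in which case this value must be changed.
  * The [fips_sect] layout mirrors what `openssl fipsinstall -out` writes in
    OpenSSL 3.0; later versions add more "-check" options.
  * MODULE_TARGET_A / MODULE_TARGET_B are constructed sample bytes standing
    in for two different fips.so builds; they are not real modules.
"""
import hashlib
import hmac

DEFAULT_FIPSKEY = bytes.fromhex(
    "f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813"
)
INSTALL_STATUS = b"INSTALL_SELF_TEST_KATS_RUN"


def fips_mac(data: bytes, key: bytes = DEFAULT_FIPSKEY) -> str:
    """HMAC-SHA256 over data, rendered the way fipsinstall prints it: AA:BB:..."""
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return ":".join(f"{b:02X}" for b in digest)


def generate_fipsmodule_cnf(module_bytes: bytes, key: bytes = DEFAULT_FIPSKEY) -> str:
    """Build the [fips_sect] block that `openssl fipsinstall -out` produces."""
    return "\n".join([
        "[fips_sect]",
        "activate = 1",
        "conditional-errors = 1",
        "security-checks = 1",
        f"module-mac = {fips_mac(module_bytes, key)}",
        f"install-mac = {fips_mac(INSTALL_STATUS, key)}",
        f"install-status = {INSTALL_STATUS.decode()}",
        "install-version = 1",
        "",
    ])


def parse_fips_sect(cnf_text: str) -> dict:
    """Minimal parser for the key = value lines of the [fips_sect] section."""
    values = {}
    in_sect = False
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_sect = line == "[fips_sect]"
            continue
        if in_sect and "=" in line:
            k, _, v = line.partition("=")
            values[k.strip()] = v.strip()
    return values


def verify_fipsmodule_cnf(cnf_text: str, module_bytes: bytes,
                          key: bytes = DEFAULT_FIPSKEY) -> bool:
    """
    The check the FIPS provider makes at load time: module-mac in the .cnf
    must equal the HMAC of the module actually on disk, and install-mac must
    match the recorded install-status. A .cnf copied from a machine whose
    fips.so differs by even one byte fails the first comparison.
    """
    v = parse_fips_sect(cnf_text)
    ok_module = hmac.compare_digest(v.get("module-mac", ""),
                                    fips_mac(module_bytes, key))
    ok_install = hmac.compare_digest(v.get("install-mac", ""),
                                     fips_mac(v.get("install-status", "").encode(), key))
    return ok_module and ok_install


# Constructed stand-ins for two differently built fips.so files (not real ELF).
MODULE_TARGET_A = b"\x7fELF fips.so built for machine A (constructed sample)\n"
MODULE_TARGET_B = b"\x7fELF fips.so built for machine B (constructed sample)\n"

if __name__ == "__main__":
    cnf_a = generate_fipsmodule_cnf(MODULE_TARGET_A)
    print(cnf_a)
    print("cnf from A checked against module A:", verify_fipsmodule_cnf(cnf_a, MODULE_TARGET_A))
    print("cnf from A checked against module B:", verify_fipsmodule_cnf(cnf_a, MODULE_TARGET_B))
```

The second verify call is the case the patch guards against: the .cnf that matched machine A's module is rejected for machine B's, which is why the file is regenerated on the target rather than shipped from the build host.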
Thread overview: 7+ messages
2025-05-09 9:37 [PATCH] openssl: add fips support Yi Zhao
2025-05-09 9:56 ` [OE-core] " Alexander Kanavin
2025-05-09 11:24 ` Yi Zhao [this message]
2025-05-09 12:35 ` Alexander Kanavin
2025-05-09 13:17 ` Yi Zhao
2025-05-09 13:44 ` Alexander Kanavin
2025-05-09 14:04 ` Yi Zhao