* [OE-core] [PATCH v2] gnutls: Added fips support option.
From: Lei Maohui @ 2022-05-06 3:37 UTC (permalink / raw)
To: openembedded-core; +Cc: Lei Maohui
- Added fips option.
- Fixed a cross compile bug when enable fips.
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
---
...r-cross-compile-when-enable-fips.Usi.patch | 28 +++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 18 ++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch
diff --git a/meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch b/meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch
new file mode 100644
index 0000000000..0eeebb9b5e
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch
@@ -0,0 +1,28 @@
+From 755494234d71063ef1db6470d780a558ddfd1c56 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Fri, 6 May 2022 10:51:39 +0900
+Subject: [PATCH] Fix build bug for cross-compile when enable fips.Using binary
+ from gnutls-native instead of target.
+
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ lib/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index c3d7b6e..0f099f4 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -207,7 +207,7 @@ hmac_files = .libs/.$(gnutls_so).hmac
+ all-local: $(hmac_files)
+
+ .libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
+- $(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
++ $(AM_V_GEN) fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
+
+ CLEANFILES = $(hmac_files)
+ endif
+--
+2.25.1
+
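Review bot: In the lib/Makefile.am rule for .libs/.$(gnutls_so).hmac, the command now resolves fipshmac through PATH while the prerequisite list on the rule line still names the in-tree fipshmac, so the target binary is still built and then never used. The .hmac file is the value the FIPS integrity self-check compares the library against, so which binary generates it should be explicit rather than whatever PATH yields; consider a make variable (for example FIPSHMAC, defaulting to $(builddir)/fipshmac) that the recipe overrides. That form could also go upstream instead of carrying Upstream-Status: Inappropriate. The Subject line needs a space after "fips.", and the file name inherits the truncated "fips.Usi".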
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index b34eb7f5f0..5882e980e7 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
DEPENDS = "nettle gmp virtual/libiconv libunistring"
+DEPENDS:append:class-target = " gnutls-native"
+DEPENDS:append:class-nativesdk = " gnutls-native"
DEPENDS:append:libc-musl = " argp-standalone"
SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
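Review bot: The two DEPENDS:append lines pull gnutls-native into every target and nativesdk build, including builds where the fips PACKAGECONFIG is off and fipshmac is never invoked. Tie the dependency to the option, for example through the third (build dependency) field of PACKAGECONFIG[fips], while making sure the native variant does not end up depending on itself.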
@@ -22,6 +24,12 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
file://arm_eabi.patch \
"
+SRC_URI:append:class-target = "\
+ file://0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch \
+ "
+SRC_URI:append:class-nativesdk = "\
+ file://0001-Fix-build-bug-for-cross-compile-when-enable-fips.Usi.patch \
+ "
SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
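Review bot: The Makefile.am patch is appended to SRC_URI for class-target and class-nativesdk whether or not fips is enabled, with the same value written out twice. Since the patched rule only matters when fips is on, say so in a comment above these lines (or make the append follow the option), and rename the file so it does not carry the truncated "fips.Usi" from the subject line.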
@@ -36,6 +44,7 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"
EXTRA_OECONF = " \
--enable-doc \
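Review bot: PACKAGECONFIG[fips] is added with no comment on how it is meant to be enabled. The do_install:append:class-native block later in this patch installs fipshmac only when fips is in the native PACKAGECONFIG, so a target build with fips on silently requires gnutls-native to have fips on as well; document that next to this line, or make the recipe enforce it.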
@@ -59,6 +68,15 @@ do_configure:prepend() {
done
}
+do_install:append:class-native() {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+ install -d ${D}${base_prefix}/bin
+ install -d ${D}${base_prefix}/bin/.libs
+ install -m 0755 ${B}/lib/fipshmac ${D}${base_prefix}/bin/
+ install -m 0755 ${B}/lib/.libs/fipshmac ${D}/${base_prefix}/bin/.libs/
+ fi
+}
+
PACKAGES =+ "${PN}-openssl ${PN}-xx"
FILES:${PN}-dev += "${bindir}/gnutls-cli-debug"
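Review bot: In do_install:append:class-native, the last install line writes to ${D}/${base_prefix}/bin/.libs/ while the three lines above it use ${D}${base_prefix}; make the paths consistent. Installing into ${base_prefix}/bin rather than ${bindir} needs a comment or a change. The block also ships both ${B}/lib/fipshmac and ${B}/lib/.libs/fipshmac: if the first is the libtool wrapper script it will point back into the build directory, and installing only the real binary would be cleaner.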
--
2.25.1
* Re: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: Alexander Kanavin @ 2022-05-06 6:30 UTC (permalink / raw)
To: leimaohui; +Cc: OE-core
On Fri, 6 May 2022 at 05:38, leimaohui <leimaohui@fujitsu.com> wrote:
> +DEPENDS:append:class-target = " gnutls-native"
> +DEPENDS:append:class-nativesdk = " gnutls-native"
> +PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"
I think the unconditional DEPENDS lines can be avoided if you use:
PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"
Alex
* RE: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: leimaohui @ 2022-05-07 2:30 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: OE-core
Hi, Alex
> I think the unconditional DEPENDS lines can be avoided if you use:
> PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"
But because gnutls-native also needs to enable fips, a circular dependency error will occur this way.
---------------------------------------------
ERROR: 288 unbuildable tasks were found.################################ | ETA: 0:00:00
These are usually caused by circular dependencies and any circular dependency chains found will be printed below. Increase the debug level to see a list of unbuildable tasks.
Identifying dependency loops (this may take a short while)...
......
---------------------------------------------
Best regards
Lei
* Re: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: Alexander Kanavin @ 2022-05-07 7:36 UTC (permalink / raw)
To: leimaohui; +Cc: OE-core
On Sat, 7 May 2022 at 04:31, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> > I think the unconditional DEPENDS lines can be avoided if you use:
> But because gnutls-native also needs to enable fips, a circular dependency error will occur this way.
> ---------------------------------------------
> ERROR: 288 unbuildable tasks were found.################################ | ETA: 0:00:00
> These are usually caused by circular dependencies and any circular dependency chains found will be printed below. Increase the debug level to see a list of unbuildable tasks.
>
> Identifying dependency loops (this may take a short while)...
Perhaps there could be
PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"
PACKAGECONFIG[fips-native] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"
You can have different sets of packageconfig options for -native and target.
Alex
* RE: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: leimaohui @ 2022-05-09 1:30 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: OE-core
Hi, Alex
> PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"
> PACKAGECONFIG[fips-native] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"
I'm sorry that this way doesn’t work, because PACKAGECONFIG[fips-native] means PACKAGECONFIG is set for fips-native not for fips.
And I don't find any existing recipes that config PACKAGECONFIG[xxx] for native or target separately.
I wonder if you can tell me any recipe for reference.
Thank you.
Best regards
Lei
* Re: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: Alexander Kanavin @ 2022-05-09 8:44 UTC (permalink / raw)
To: leimaohui; +Cc: OE-core
On Mon, 9 May 2022 at 03:30, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> > PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode,gnutls-native"
> > PACKAGECONFIG[fips-native] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode"
>
> I'm sorry that this way doesn’t work, because PACKAGECONFIG[fips-native] means PACKAGECONFIG is set for fips-native not for fips.
> And I don't find any existing recipes that config PACKAGECONFIG[xxx] for native or target separately.
> I wonder if you can tell me any recipe for reference.
> Thank you.
You can issue this in poky/meta and plenty of examples will come up:
[ak@fedora meta]$ grep -ir PACKAGECONFIG *|grep class-native
Alex
* RE: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: leimaohui @ 2022-05-10 0:54 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: OE-core
Hi Alex
> You can issue this in poky/meta and plenty of examples will come up:
> [ak@fedora meta]$ grep -ir PACKAGECONFIG *|grep class-native
I'm afraid I'm not quite with you. I searched poky with the following command and there is no example of how to config PACKAGECONFIG[xxx] for target or native separately.
The results are all about how to config PACKAGECONFIG for target or native.
----------------------------------------
$ grep -ir PACKAGECONFIG *|grep class-native
meta/recipes-support/libcap/libcap_2.64.bb:PACKAGECONFIG:class-native ??= ""
meta/recipes-support/vim/vim_8.2.bb:PACKAGECONFIG:class-native = ""
meta/recipes-support/sqlite/sqlite3.inc:PACKAGECONFIG:class-native ?= "fts4 fts5 rtree dyn_ext"
......
----------------------------------------
But I think you mean not PACKAGECONFIG but PACKAGECONFIG[fips]. For example, in libcap_2.64.bb file:
$ cat meta/recipes-support/libcap/libcap_2.64.bb
......
PACKAGECONFIG ??= "libidn ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} " //not here
......
PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode" //Your comment means modify here
.......
Did I misunderstand?
Best regards
Lei
* Re: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: Alexander Kanavin @ 2022-05-11 5:39 UTC (permalink / raw)
To: leimaohui; +Cc: OE-core
On Tue, 10 May 2022 at 02:54, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> I'm afraid I'm not quite with you. I searched poky with the following command and there is no example of how to config PACKAGECONFIG[xxx] for target or native separately.
> The results are all about how to config PACKAGECONFIG for target or native.
> ----------------------------------------
> $ grep -ir PACKAGECONFIG *|grep class-native
> meta/recipes-support/libcap/libcap_2.64.bb:PACKAGECONFIG:class-native ??= ""
> meta/recipes-support/vim/vim_8.2.bb:PACKAGECONFIG:class-native = ""
> meta/recipes-support/sqlite/sqlite3.inc:PACKAGECONFIG:class-native ?= "fts4 fts5 rtree dyn_ext"
> ......
> ----------------------------------------
>
> But I think you mean not PACKAGECONFIG but PACKAGECONFIG[fips]. For example, in libcap_2.64.bb file:
> $ cat meta/recipes-support/libcap/libcap_2.64.bb
> ......
> PACKAGECONFIG ??= "libidn ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} " //not here
> ......
> PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR},--disable-fips140-mode" //Your comment means modify here
> .......
>
> Did I misunderstand?
Sorry, it's always a bit confusing with PACKAGECONFIG, as the keyword
is used for two different purposes.
What I meant is something like this:
PACKAGECONFIG ??= "fips"
PACKAGECONFIG:class-native ??= "fips-native"
Alex
* RE: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: leimaohui @ 2022-05-11 8:15 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: OE-core
Hi, Alex
> PACKAGECONFIG ??= "fips"
> PACKAGECONFIG:class-native ??= "fips-native"
I got it. It seems an unusual method because there is no recipe using this way in .
In this way, it means that if a user wants to enable fips, the following PACKAGECONFIG should be added in the recipe.
PACKAGECONFIG:append:class-target = fips
PACKAGECONFIG:append:class-nativesdk = fips
PACKAGECONFIG:append:class-target = fips-native
So, I'll send a v3 patch in this way, is it ok?
Best regards
Lei
* Re: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: Alexander Kanavin @ 2022-05-11 11:08 UTC (permalink / raw)
To: leimaohui; +Cc: OE-core
On Wed, 11 May 2022 at 10:15, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> I got it. It seems an unusual method because there is no recipe using this way in .
> In this way, it means that if a user wants to enable fips, the following PACKAGECONFIG should be added in the recipe.
>
> PACKAGECONFIG:append:class-target = fips
> PACKAGECONFIG:append:class-nativesdk = fips
> PACKAGECONFIG:append:class-target = fips-native
Yes, this should be fine. You can add a comment in the recipe
explaining how to do it.
> So, I'll send a v3 patch in this way, is it ok?
Yes please. The real problem here is that gnutls upstream didn't
consider how fips build is supposed to work in cross-compilation,
so you should also file a ticket with them and hopefully discuss how
the problem can be properly solved.
There are two options:
- do what your patch does and use the needed binary from the host
system, subject to ./configure flag.
- build the needed binary twice, first for the host (using BUILD_CC),
then for the cross-target.
Alex
* RE: [OE-core] [PATCH v2] gnutls: Added fips support option.
From: leimaohui @ 2022-05-12 0:44 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: OE-core
Hi, Alex
> > So, I'll send a v3 patch in this way, is it ok?
>
> Yes please.
OK, I'll submit a V3 patch later.
> The real problem here is that gnutls upstream didn't consider how fips
> build is supposed to work in cross-compilation, so you should also file a ticket
> with them and hopefully discuss how the problem can be properly solved.
>
> There are two options:
> - do what your patch does and use the needed binary from the host system,
> subject to ./configure flag.
> - build the needed binary twice, first for the host (using BUILD_CC), then for the
> cross-target.
Thanks for your comment and I'll submit a question to gnutls upstream.
Best regards
Lei