* [PATCH 0/1] FIPS host support
@ 2022-03-01  1:37 Mark Hatle
  2022-03-01  1:37 ` [PATCH 1/1] insane.bbclass: Update insane.bbclass to work on FIPS enabled hosts Mark Hatle
  0 siblings, 1 reply; 2+ messages in thread
From: Mark Hatle @ 2022-03-01  1:37 UTC (permalink / raw)
  To: openembedded-core

The patch here, and one sent to bitbake-devel together enable basic support
for a FIPS-140 host system.

What was identified were a few users of md5, which is not allowed for any
security part of the system.  It can still be used to identify changes and
similar non-security activities.  (OE already uses sha256 for file
integrity.)

In addition to this, it's possible that a recipe may attempt to use md5
during the build process.  In oe-core, the only user is 'ovmf'.  At this
time I don't intend to provide a fix for ovmf, but everything else in core
works properly now.

Mark Hatle (1):
  insane.bbclass: Update insane.bbclass to work on FIPS enabled hosts

 meta/classes/insane.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.25.1




* [PATCH 1/1] insane.bbclass: Update insane.bbclass to work on FIPS enabled hosts
  2022-03-01  1:37 [PATCH 0/1] FIPS host support Mark Hatle
@ 2022-03-01  1:37 ` Mark Hatle
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Hatle @ 2022-03-01  1:37 UTC (permalink / raw)
  To: openembedded-core

hashlib.md5() is not permitted on a FIPS enabled host system.  This is due
to md5 not being an approved hash algorithm.

Instead use:
 hashlib.new('MD5', usedforsecurity=False)

This is allowed, as it's clear the hash is used for a non-security purpose.

Using an md5 to identify when a license has changed is permitted, as we're
not using it for file integrity.

Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
---
 meta/classes/insane.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 890e865a8f..29b9b3d466 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -549,7 +549,7 @@ python populate_lic_qa_checksum() {
                 import hashlib
                 lineno = 0
                 license = []
-                m = hashlib.md5()
+                m = hashlib.new('MD5', usedforsecurity=False)
                 for line in f:
                     lineno += 1
                     if (lineno >= beginline):
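Review bot: the usedforsecurity keyword on the '+' line is only honoured by stock CPython 3.9 and later; on older interpreters hashlib.new() accepts the extra keyword but hands only the algorithm name (and data) to the OpenSSL constructor, so on a FIPS host with an older Python the original failure persists with no error pointing at this line. Worth stating the minimum host Python this relies on in the commit message, and adding a one-line comment above the call (e.g. '# md5 here only detects license text changes, not integrity') so a later cleanup does not revert it to hashlib.md5().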
-- 
2.25.1
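The pattern the patch above relies on, written out as a small stand-alone example. This is added illustration, not code from the patch or from oe-core's insane.bbclass: the function names, the sample license text and the line-range slicing are my own paraphrase of what the hunk context shows (beginline/endline selection feeding an md5). It assumes a host Python where hashlib honours usedforsecurity (stock CPython 3.9 or later). Because the digest value is unchanged by the constructor switch, checksums recorded with hashlib.md5() earlier still compare equal.

```python
"""md5 as a change detector on a FIPS-enabled host (illustrative, not oe-core code)."""
import hashlib
from typing import List, Optional

# Constructed sample license file: line 1 is a header, line 2 the text of interest.
SAMPLE_LICENSE = "Copyright (c) Example\nabc"


def md5_for_change_detection():
    """Return an md5 object that FIPS-enabled OpenSSL will hand out.

    hashlib.md5() raises ValueError under FIPS; hashlib.new('md5',
    usedforsecurity=False) tells the library this digest protects nothing.
    Assumption: the interpreter is stock CPython 3.9+, which honours the flag.
    """
    return hashlib.new("md5", usedforsecurity=False)


def license_checksum(text: str, beginline: int = 1, endline: Optional[int] = None) -> str:
    """Hex md5 of lines beginline..endline (1-based, inclusive; endline=None means to EOF).

    The slicing mirrors the loop visible in the hunk context but is my own code.
    """
    selected: List[str] = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if lineno < beginline:
            continue
        if endline and lineno > endline:
            break
        selected.append(line)
    m = md5_for_change_detection()
    m.update("".join(selected).encode("utf-8"))
    return m.hexdigest()


def license_changed(expected_md5: str, text: str,
                    beginline: int = 1, endline: Optional[int] = None) -> bool:
    """True when the recorded checksum no longer matches the selected license lines."""
    return license_checksum(text, beginline, endline) != expected_md5.lower()


if __name__ == "__main__":
    # Line 2 alone is "abc", whose md5 is the well-known 900150983cd24fb0d6963f7d28e17f72.
    print(license_checksum(SAMPLE_LICENSE, beginline=2))
```

Running the module prints the digest of line 2 only; license_changed() is the shape of check a build would perform against a recorded checksum, and it compares case-insensitively so upper-case hex recorded by hand still matches.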



