* [PATCH 0/1] FIPS host support
@ 2022-03-01 1:37 Mark Hatle
From: Mark Hatle @ 2022-03-01 1:37 UTC
To: openembedded-core
The patch here, and one sent to bitbake-devel together enable basic support
for a FIPS-140 host system.
What was identified were a few users of md5, which is not allowed for any
security part of the system. It can still be used to identify changes and
similar non-security activities. (OE already uses sha256 for file
integrity.)
In addition to this, it's possible that a recipe may attempt to use md5
during the build process. In oe-core, the only user is 'ovmf'. At this
time I don't intend to provide a fix for ovmf, but everything else in core
works properly now.
Mark Hatle (1):
insane.bbclass: Update insane.bbclass to work on FIPS enabled hosts
meta/classes/insane.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.25.1
* [PATCH 1/1] insane.bbclass: Update insane.bbclass to work on FIPS enabled hosts
@ 2022-03-01 1:37 ` Mark Hatle
From: Mark Hatle @ 2022-03-01 1:37 UTC
To: openembedded-core
hashlib.md5() is not permitted on a FIPS enabled host system. This is due
to md5 not being an approved hash algorithm.
Instead use:
hashlib.new('MD5', usedforsecurity=False)
This is allowed, as it's clear the hash is used for a non-security purpose.
Using an md5 to identify when a license has changed is permitted, as we're
not using it for file integrity.
Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
---
meta/classes/insane.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 890e865a8f..29b9b3d466 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -549,7 +549,7 @@ python populate_lic_qa_checksum() {
import hashlib
lineno = 0
license = []
- m = hashlib.md5()
+ m = hashlib.new('MD5', usedforsecurity=False)
for line in f:
lineno += 1
if (lineno >= beginline):
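Review bot: the added line `m = hashlib.new('MD5', usedforsecurity=False)` has no comment at the call site saying why MD5 is acceptable here; the reasoning (the digest only identifies a changed license and is not used for file integrity) exists only in the commit message. A one-line comment above the call would keep a later reader from "fixing" it back to `hashlib.md5()` or treating it as a FIPS violation. Two smaller points on the same line: `hashlib.md5(usedforsecurity=False)` would keep the original call shape and make the diff easier to grep for, and the `usedforsecurity` keyword is documented in upstream hashlib from Python 3.9, while the patch does not say which minimum host Python it assumes, so that is worth stating in the commit message.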
--
2.25.1
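The change-detection use of MD5 described in the commit message above, as an added example that is not part of the original thread or of insane.bbclass. It assumes Python 3.9 or later (where hashlib accepts usedforsecurity); the function names, the endline parameter and the sample text are hypothetical.

```python
import hashlib

def md5_blocked_for_security():
    """True when the host refuses a plain hashlib.md5(), as a FIPS-enabled host does."""
    try:
        hashlib.md5()
    except ValueError:
        return True
    return False

def nonsecurity_md5(data=b""):
    """MD5 object declared as non-security use (change detection only)."""
    # Assumption: the host Python is 3.9+, so hashlib accepts usedforsecurity.
    return hashlib.new("md5", data, usedforsecurity=False)

def license_range_md5(text, beginline=1, endline=None):
    """Hex MD5 of lines beginline..endline (1-based, inclusive) of a license text."""
    m = nonsecurity_md5()
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if lineno < beginline:
            continue
        if endline is not None and lineno > endline:
            break
        m.update(line.encode("utf-8"))
    return m.hexdigest()

def license_changed(text, recorded_md5, beginline=1, endline=None):
    """Compare the current digest of the license range with a recorded one."""
    return license_range_md5(text, beginline, endline) != recorded_md5

# Constructed sample: a license header followed by code outside the checked range.
SAMPLE = (
    "// SPDX header (constructed)\n"
    "// Copyright (c) Example\n"
    "// Permission is granted to use this file.\n"
    "int main(void) { return 0; }\n"
)

if __name__ == "__main__":
    recorded = license_range_md5(SAMPLE, 1, 3)
    edited = SAMPLE.replace("granted", "denied")
    print("plain md5 blocked on this host:", md5_blocked_for_security())
    print("license unchanged:", not license_changed(SAMPLE, recorded, 1, 3))
    print("license edit detected:", license_changed(edited, recorded, 1, 3))
```

The digest here only flags that the license text differs from what was recorded; it is not an integrity check, which is the distinction the commit message relies on.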