* [OE-core] [PATCH] gnutls: Added fips support option.
@ 2022-04-28  7:33 Lei Maohui
  2022-04-28  8:11 ` Alexander Kanavin
  0 siblings, 1 reply; 6+ messages in thread
From: Lei Maohui @ 2022-04-28  7:33 UTC (permalink / raw)
  To: openembedded-core; +Cc: Lei Maohui

Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
---
 meta/recipes-support/gnutls/gnutls_3.7.4.bb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index b34eb7f..5a34805 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
                     file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
 DEPENDS = "nettle gmp virtual/libiconv libunistring"
+DEPENDS:append:class-target = " gnutls-native"
 DEPENDS:append:libc-musl = " argp-standalone"
 
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
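Review bot: The added DEPENDS:append:class-target = " gnutls-native" line is unconditional, so every target build of gnutls now depends on gnutls-native even when fips is not in PACKAGECONFIG. Make the dependency conditional on the option, for example with the same bb.utils.contains('PACKAGECONFIG', 'fips', ...) test the last hunk uses. The override also covers only class-target, so a nativesdk build gets no dependency on the native helper.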
@@ -36,6 +37,7 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[fips] = "--enable-fips140-mode,--disable-fips140-mode"
 
 EXTRA_OECONF = " \
     --enable-doc \
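Review bot: The new PACKAGECONFIG[fips] line has no comment, and the commit message is only a Signed-off-by, so nothing records what enabling fips requires at build time. Please add a short comment above the line, or a commit message body, explaining that the option needs fipshmac to run during the build and why the native helper set up by the other hunks is required. The third field is also empty, which leaves the build dependency to the unconditional DEPENDS line in the first hunk.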
@@ -59,6 +61,21 @@ do_configure:prepend() {
 	done
 }
 
+do_compile:prepend:class-target () {
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+          sed -i -e "s#\$(builddir)/fipshmac#${STAGING_DIR_NATIVE}${libdir}/fipshmac#g" ${B}/lib/Makefile
+        fi
+}
+
+do_install:append:class-native() {
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+          install -d ${D}${libdir}
+          install -d ${D}${libdir}/.libs
+          install -m 0755 ${B}/lib/fipshmac ${D}${libdir}/
+          install -m 0755 ${B}/lib/.libs/fipshmac ${D}${libdir}/.libs/
+        fi
+}
+
 PACKAGES =+ "${PN}-openssl ${PN}-xx"
 
 FILES:${PN}-dev += "${bindir}/gnutls-cli-debug"
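Review bot: In do_install:append:class-native the fips test reads the native recipe's PACKAGECONFIG, while the sed in do_compile:prepend:class-target reads the target's, so enabling fips for the target alone leaves lib/Makefile pointing at a ${STAGING_DIR_NATIVE}${libdir}/fipshmac that was never installed. Make the recipe enable the option for the native and target variants together, or fail early when the helper is missing. Installing both lib/fipshmac and lib/.libs/fipshmac copies the build-tree layout into ${libdir}; a single binary in ${bindir} would be found through PATH and would let a Makefile patch replace the sed on the generated file. The new function bodies are indented with spaces where the do_configure:prepend context line above uses a tab.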
-- 
1.8.3.1




* Re: [OE-core] [PATCH] gnutls: Added fips support option.
  2022-04-28  7:33 [OE-core] [PATCH] gnutls: Added fips support option Lei Maohui
@ 2022-04-28  8:11 ` Alexander Kanavin
  2022-04-29  4:51   ` leimaohui
  0 siblings, 1 reply; 6+ messages in thread
From: Alexander Kanavin @ 2022-04-28  8:11 UTC (permalink / raw)
  To: leimaohui; +Cc: OE-core

What do those do_compile/do_install tweaks do, and why are they
necessary? Please explain, it seems like there might be a better way
to do this.

Alex

On Thu, 28 Apr 2022 at 09:34, leimaohui <leimaohui@fujitsu.com> wrote:
>
> Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
> ---
>  meta/recipes-support/gnutls/gnutls_3.7.4.bb | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
> index b34eb7f..5a34805 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
> @@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
>                      file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
>
>  DEPENDS = "nettle gmp virtual/libiconv libunistring"
> +DEPENDS:append:class-target = " gnutls-native"
>  DEPENDS:append:libc-musl = " argp-standalone"
>
>  SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
> @@ -36,6 +37,7 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
>  PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
>  PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
>  PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
> +PACKAGECONFIG[fips] = "--enable-fips140-mode,--disable-fips140-mode"
>
>  EXTRA_OECONF = " \
>      --enable-doc \
> @@ -59,6 +61,21 @@ do_configure:prepend() {
>         done
>  }
>
> +do_compile:prepend:class-target () {
> +        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> +          sed -i -e "s#\$(builddir)/fipshmac#${STAGING_DIR_NATIVE}${libdir}/fipshmac#g" ${B}/lib/Makefile
> +        fi
> +}
> +
> +do_install:append:class-native() {
> +        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
> +          install -d ${D}${libdir}
> +          install -d ${D}${libdir}/.libs
> +          install -m 0755 ${B}/lib/fipshmac ${D}${libdir}/
> +          install -m 0755 ${B}/lib/.libs/fipshmac ${D}${libdir}/.libs/
> +        fi
> +}
> +
>  PACKAGES =+ "${PN}-openssl ${PN}-xx"
>
>  FILES:${PN}-dev += "${bindir}/gnutls-cli-debug"
> --
> 1.8.3.1



* RE: [OE-core] [PATCH] gnutls: Added fips support option.
  2022-04-28  8:11 ` Alexander Kanavin
@ 2022-04-29  4:51   ` leimaohui
  2022-04-29  7:05     ` Alexander Kanavin
  0 siblings, 1 reply; 6+ messages in thread
From: leimaohui @ 2022-04-29  4:51 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

Hi, Alex

> What do those do_compile/do_install tweaks do, and why are they necessary?
> Please explain, it seems like there might be a better way to do this.

Sorry, it seems that I should add an explanation to the commit message.
I found that if fips is enabled, a binary built for the target will be executed in the do_compile task. The log (MACHINE ?= "qemuarm64") is as follows:
------------------------------------------------------
| ./fipshmac .libs/libgnutls.so.30 > .libs/.libgnutls.so.30.hmac-t && mv .libs/.libgnutls.so.30.hmac-t .libs/.libgnutls.so.30.hmac
| libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so.30" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so.30")
| libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so")
| /lib/ld-linux-aarch64.so.1: No such file or directory

So, I tweaked do_compile/do_install to use fipshmac from native instead of target. If there is a better way, please tell me.
And if there are no questions, I'll send a v2 patch with an issue fixed for multilib.

Best regards
Lei Maohui






* Re: [OE-core] [PATCH] gnutls: Added fips support option.
  2022-04-29  4:51   ` leimaohui
@ 2022-04-29  7:05     ` Alexander Kanavin
  2022-05-05  4:19       ` leimaohui
  0 siblings, 1 reply; 6+ messages in thread
From: Alexander Kanavin @ 2022-04-29  7:05 UTC (permalink / raw)
  To: leimaohui; +Cc: OE-core

On Fri, 29 Apr 2022 at 06:51, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> Sorry, it seems that I should add an explanation to the commit message.
> I found that if fips is enabled, a binary built for the target will be executed in the do_compile task. The log (MACHINE ?= "qemuarm64") is as follows:
> ------------------------------------------------------
> | ./fipshmac .libs/libgnutls.so.30 > .libs/.libgnutls.so.30.hmac-t && mv .libs/.libgnutls.so.30.hmac-t .libs/.libgnutls.so.30.hmac
> | libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so.30" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so.30")
> | libtool: link: (cd ".libs" && rm -f "libgnutlsxx.so" && ln -s "libgnutlsxx.so.30.0.0" "libgnutlsxx.so")
> | /lib/ld-linux-aarch64.so.1: No such file or directory
>
> So, I tweaked do_compile/do_install to use fipshmac from native instead of target. If there is a better way, please tell me.
> And if there are no questions, I'll send a v2 patch with an issue fixed for multilib.

Can you please show the fragment in the Makefile where the target
binary is executed? It is better to make a real patch that changes it
to run a native binary, instead of changing it with sed. (sed patching
is problematic because it's not clear from the recipe what is being
done exactly, and what the original and the changed code look like).

Alex



* RE: [OE-core] [PATCH] gnutls: Added fips support option.
  2022-04-29  7:05     ` Alexander Kanavin
@ 2022-05-05  4:19       ` leimaohui
  2022-05-05  5:00         ` Alexander Kanavin
  0 siblings, 1 reply; 6+ messages in thread
From: leimaohui @ 2022-05-05  4:19 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

Hi, Alex

Sorry for the late reply because of my holiday.

> Can you please show the fragment in the Makefile where the target binary is
> executed? It is better to make a real patch that changes it to run a native binary,
> instead of changing it with sed. (sed patching is problematic because it's not clear
> from the recipe what is being done exactly, and what the original and the changed
> code look like).

Yes, at first I wanted to fix this issue with a patch, but I had no idea. The binary is just a file that exists in the build directory and it can't be found in "PATH".
So I had to install it into ${D} of native, then specify an absolute path of native by sed command for target and nativesdk.

The following is the part that executes the target/nativesdk (nativesdk also has the issue) binary.
$ cat tmp/work/core2-32-poky-linux/gnutls/3.7.4-r0/build/lib/Makefile
......
.libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
        $(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
......

Best regards
Lei





* Re: [OE-core] [PATCH] gnutls: Added fips support option.
  2022-05-05  4:19       ` leimaohui
@ 2022-05-05  5:00         ` Alexander Kanavin
  0 siblings, 0 replies; 6+ messages in thread
From: Alexander Kanavin @ 2022-05-05  5:00 UTC (permalink / raw)
  To: leimaohui; +Cc: OE-core

On Thu, 5 May 2022 at 06:19, leimaohui@fujitsu.com
<leimaohui@fujitsu.com> wrote:
> .libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
>         $(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@

If fipshmac from -native is installed into the sysroot-native, then
it will be in PATH, and then you can simply drop $(builddir)/ prefix
with a simple patch.

Alex

