diff --git a/classes/wolfssl-commercial.bbclass b/classes/wolfssl-commercial.bbclass index 6beab578..2df8047f 100644 --- a/classes/wolfssl-commercial.bbclass +++ b/classes/wolfssl-commercial.bbclass @@ -29,6 +29,7 @@ # Optional format variables: # COMMERCIAL_BUNDLE_FILE - Bundle filename including extension (defaults to .7z) # COMMERCIAL_BUNDLE_GCS_URI - gs:// path to the protected bundle +# COMMERCIAL_BUNDLE_SRC_DIR - Direct path to already-extracted source directory (skips fetch/extract) # Commercial bundles already ship generated configure scripts, so skip autoreconf AUTOTOOLS_AUTORECONF = "no" @@ -55,6 +56,12 @@ def get_commercial_bundle_archive(d): def get_commercial_src_uri(d): """Generate SRC_URI for commercial bundle if configured, dummy file otherwise""" + # Check for direct source directory first (skip fetch/extract) + src_dir = d.getVar('COMMERCIAL_BUNDLE_SRC_DIR') + if src_dir and src_dir.strip() and not src_dir.startswith('${'): + # Direct source directory - no fetch needed + return "" + bundle_archive = d.getVar('COMMERCIAL_BUNDLE_ARCHIVE') bundle_sha = d.getVar('COMMERCIAL_BUNDLE_SHA') gcs_uri = d.getVar('COMMERCIAL_BUNDLE_GCS_URI') 
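Review bot: In get_commercial_src_uri (classes/wolfssl-commercial.bbclass) the new early return fires whenever COMMERCIAL_BUNDLE_SRC_DIR is set and never looks at COMMERCIAL_BUNDLE_ENABLED, while the anonymous function added later in this commit only drops do_fetch/do_unpack when `enabled == "1"`. With the directory set and the bundle disabled, the function presumably hands back an empty string where the placeholder or archive URI used to be returned; gate it the same way, e.g. `if d.getVar('COMMERCIAL_BUNDLE_ENABLED') == "1" and src_dir and src_dir.strip() and not src_dir.startswith('${'):`. Returning "" also means COMMERCIAL_BUNDLE_SHA is never applied to this input, which deserves a comment such as `# NOTE: no checksum is verified for COMMERCIAL_BUNDLE_SRC_DIR; the caller vouches for the tree`. The `src_dir and src_dir.strip() and not src_dir.startswith('${')` test is repeated in four hunks of this file and would read better as one helper. The rest of the function lies outside the hunk.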
@@ -79,9 +86,18 @@ def get_commercial_src_uri(d): def get_commercial_source_dir(d): """Get source directory for commercial bundle if configured, WORKDIR otherwise""" - bundle_name = d.getVar('COMMERCIAL_BUNDLE_NAME') workdir = d.getVar('WORKDIR') - + bundle_name = d.getVar('COMMERCIAL_BUNDLE_NAME') + + # Check for direct source directory - return the copy location in WORKDIR + src_dir = d.getVar('COMMERCIAL_BUNDLE_SRC_DIR') + if src_dir and src_dir.strip() and not src_dir.startswith('${'): + # do_commercial_extract will copy to WORKDIR/bundle_name + if bundle_name and bundle_name.strip() and not bundle_name.startswith('${'): + return f'{workdir}/{bundle_name}' + # Fallback to workdir if bundle_name not set + return workdir + # Check if bundle_name is actually set (not empty, None, or unexpanded variable) if bundle_name and bundle_name.strip() and not bundle_name.startswith('${'): return f'{workdir}/{bundle_name}' @@ -90,7 +106,7 @@ def get_commercial_source_dir(d): def get_commercial_bbclassextend(d): """Return BBCLASSEXTEND variants only when commercial bundle is configured""" bundle_name = d.getVar('COMMERCIAL_BUNDLE_NAME') - + # Check if bundle_name is actually set (not empty, None, or unexpanded variable) if bundle_name and bundle_name.strip() and not bundle_name.startswith('${'): return 'native nativesdk' @@ -106,6 +122,7 @@ COMMERCIAL_BUNDLE_SHA ?= "" COMMERCIAL_BUNDLE_TARGET ?= "${WORKDIR}" COMMERCIAL_BUNDLE_PLACEHOLDER ?= "${WOLFSSL_LAYERDIR}/recipes-wolfssl/wolfssl/commercial/files/README.md" COMMERCIAL_BUNDLE_GCS_URI ?= "" +COMMERCIAL_BUNDLE_SRC_DIR ?= "" COMMERCIAL_BUNDLE_ARCHIVE = "${@get_commercial_bundle_archive(d)}" # Task to extract commercial bundle 
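Review bot: The added COMMERCIAL_BUNDLE_SRC_DIR branch in get_commercial_source_dir returns `f'{workdir}/{bundle_name}'` when the name is set and `workdir` otherwise, which is what the existing code below it already does according to the visible lines and the docstring, so the branch changes nothing and could be reduced to a comment. Its `return workdir` fallback also disagrees with do_commercial_extract, which always copies to `os.path.join(target_dir, bundle_name)`. That task builds the path from target_dir (apparently COMMERCIAL_BUNDLE_TARGET) rather than WORKDIR, so the two locations diverge if the target is overridden. The tail of the function is outside the hunk.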
@@ -114,8 +131,9 @@ python do_commercial_extract() { import bb import bb.process import bb.build - + enabled = d.getVar('COMMERCIAL_BUNDLE_ENABLED') + src_dir = d.getVar('COMMERCIAL_BUNDLE_SRC_DIR') bundle_dir = d.getVar('COMMERCIAL_BUNDLE_DIR') bundle_archive = d.getVar('COMMERCIAL_BUNDLE_ARCHIVE') bundle_pass = d.getVar('COMMERCIAL_BUNDLE_PASS') @@ -126,22 +144,40 @@ python do_commercial_extract() { bb.note("COMMERCIAL_BUNDLE_ENABLED=0; skipping commercial extraction (standard fetch/unpack will run).") return + # If direct source directory is provided, skip extraction + if src_dir and src_dir.strip() and not src_dir.startswith('${'): + bb.note(f"COMMERCIAL_BUNDLE_SRC_DIR={src_dir}; copying source directory to WORKDIR.") + + # Copy source directory to WORKDIR to avoid polluting the original + import shutil + bundle_name = d.getVar('COMMERCIAL_BUNDLE_NAME') + dest_dir = os.path.join(target_dir, bundle_name) + + if os.path.exists(dest_dir): + bb.note(f"Removing existing build directory: {dest_dir}") + shutil.rmtree(dest_dir) + + bb.note(f"Copying {src_dir} to {dest_dir}") + shutil.copytree(src_dir, dest_dir, symlinks=True) + bb.note("Source directory copied successfully") + return + if not bundle_dir: bb.fatal("COMMERCIAL_BUNDLE_DIR not set. Please set the directory containing the commercial bundle.") - + if not bundle_archive: bb.fatal("COMMERCIAL_BUNDLE_NAME/FILE not set. Please provide the bundle filename.") - + is_seven_zip = bundle_archive.endswith('.7z') is_tarball = bundle_archive.endswith('.tar.gz') or bundle_archive.endswith('.tgz') - + if is_seven_zip and not bundle_pass: bb.fatal("COMMERCIAL_BUNDLE_PASS not set. Please set bundle password for .7z archives.") if not is_seven_zip: bb.note("Non-7z commercial bundle detected; letting BitBake unpack the archive.") return - + bundle_path = os.path.join(bundle_dir, bundle_archive) if not os.path.exists(bundle_path): 
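Review bot: In do_commercial_extract the copy branch passes COMMERCIAL_BUNDLE_NAME to `os.path.join(target_dir, bundle_name)` unchecked: an unset name raises TypeError, and an empty one makes dest_dir equal to target_dir, so the `shutil.rmtree(dest_dir)` that follows removes the whole target directory (apparently WORKDIR by default). Validate the name, and that src_dir is an existing directory, before anything is deleted. `symlinks=True` keeps links as they are, so a link in the supplied tree that points outside it still resolves to a host path during the build; that deserves a comment or an explicit check. The task body starts and ends outside this hunk.

```python
    if src_dir and src_dir.strip() and not src_dir.startswith('${'):
        import shutil
        bundle_name = (d.getVar('COMMERCIAL_BUNDLE_NAME') or '').strip()
        if not bundle_name or bundle_name.startswith('${'):
            bb.fatal("COMMERCIAL_BUNDLE_NAME must be set when COMMERCIAL_BUNDLE_SRC_DIR is used.")
        if not os.path.isdir(src_dir):
            bb.fatal(f"COMMERCIAL_BUNDLE_SRC_DIR is not a directory: {src_dir}")
        dest_dir = os.path.join(target_dir, bundle_name)
        # … unchanged: remove existing dest_dir, copytree, return …
```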
@@ -168,9 +204,9 @@ python do_commercial_extract() { ret = os.system(f'cp -f "{bundle_path}" "{target_dir}"') if ret != 0: bb.fatal(f"Failed to copy bundle to {target_dir}") - + archive_in_target = os.path.join(target_dir, bundle_archive) - + if is_seven_zip: # Locate 7zip binary from native sysroot or host path = d.getVar('PATH') @@ -199,7 +235,17 @@ addtask commercial_extract after do_fetch before do_patch # Conditionally add p7zip-native dependency only when commercial bundle variables are set python __anonymous() { enabled = d.getVar('COMMERCIAL_BUNDLE_ENABLED') + src_dir = d.getVar('COMMERCIAL_BUNDLE_SRC_DIR') archive = d.getVar('COMMERCIAL_BUNDLE_ARCHIVE') + + # Skip p7zip and unpack tasks if using direct source directory + # But keep commercial_extract to copy the source + if enabled == "1" and src_dir and src_dir.strip() and not src_dir.startswith('${'): + bb.build.deltask('do_fetch', d) + bb.build.deltask('do_unpack', d) + # do_commercial_extract will copy the source directory + return + if enabled == "1" and archive and archive.endswith('.7z'): d.appendVar('DEPENDS', ' p7zip-native') d.appendVarFlag('do_commercial_extract', 'depends', ' p7zip-native:do_populate_sysroot') diff --git a/classes/wolfssl-compatibility.bbclass b/classes/wolfssl-compatibility.bbclass new file mode 100644 index 00000000..69c335ad --- /dev/null +++ b/classes/wolfssl-compatibility.bbclass 
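Review bot: Deleting do_fetch and do_unpack in the anonymous function of classes/wolfssl-commercial.bbclass leaves do_commercial_extract as the only step that brings in source, and nothing visible here ties that task to the contents of COMMERCIAL_BUNDLE_SRC_DIR. The task signature will follow the variable's value, but edits inside the directory will not trigger a fresh copy as far as this diff shows. For a bundle that is otherwise checksum-pinned this makes it hard to say which tree a given build used; consider `d.setVarFlag('do_commercial_extract', 'nostamp', '1')` in this branch, or log a digest of the copied tree. `addtask commercial_extract after do_fetch` still names the deleted task, so a comment confirming that ordering is intended would help.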
@@ -0,0 +1,118 @@
+# wolfSSL Yocto Compatibility Helper Class
+# Provides functions to work with both old (underscore) and new (colon) Yocto syntax
+
+def wolfssl_uses_colon_syntax(d):
+ """
+ Detect if this Yocto version uses colon syntax (Honister 3.4+ / LAYERVERSION_core >= 14).
+ Falls back to checking DISTRO_VERSION if LAYERVERSION_core unavailable.
+ """
+ try:
+ # Check OE-Core layer version (most reliable)
+ layer_version = d.getVar('LAYERVERSION_core') or d.getVar('LAYERVERSION_core', True)
+ if layer_version:
+ return int(layer_version) >= 14
+ except:
+ pass
+
+ # Fallback: check DISTRO_VERSION
+ try:
+ distro_version = d.getVar('DISTRO_VERSION') or d.getVar('DISTRO_VERSION', True)
+ if distro_version:
+ # Versions 2.x and 3.x before 3.4 use underscore
+ if distro_version.startswith('2.') or distro_version.startswith('3.0') or \
+ distro_version.startswith('3.1') or distro_version.startswith('3.2') or \
+ distro_version.startswith('3.3'):
+ return False
+ except:
+ pass
+
+ # Default to colon syntax for unknown/newer versions
+ return True
+
+def wolfssl_varAppend(d, base_var, package_name, value):
+ """
+ Appends a value to a package-specific variable, handling both old and new Yocto syntax.
+
+ Args:
+ d: BitBake data store
+ base_var: Base variable name (e.g., 'RDEPENDS', 'FILES', 'RRECOMMENDS')
+ package_name: Package name (e.g., '${PN}')
+ value: Value to append
+ """
+ import bb
+
+ package_name_expanded = d.expand(package_name)
+
+ if wolfssl_uses_colon_syntax(d):
+ var_name = base_var + ':' + package_name_expanded
+ else:
+ var_name = base_var + '_' + package_name_expanded
+
+ d.appendVar(var_name, value)
+
+def wolfssl_varSet(d, base_var, package_name, value):
+ """
+ Sets a package-specific variable, handling both old and new Yocto syntax.
+
+ Args:
+ d: BitBake data store
+ base_var: Base variable name (e.g., 'RDEPENDS', 'FILES', 'RRECOMMENDS')
+ package_name: Package name (e.g., '${PN}')
+ value: Value to set
+ """
+ import bb
+
+ package_name_expanded = d.expand(package_name)
+
+ if wolfssl_uses_colon_syntax(d):
+ var_name = base_var + ':' + package_name_expanded
+ else:
+ var_name = base_var + '_' + package_name_expanded
+
+ d.setVar(var_name, value)
+
+def wolfssl_varGet(d, base_var, package_name):
+ """
+ Gets a package-specific variable, handling both old and new Yocto syntax.
+
+ Args:
+ d: BitBake data store
+ base_var: Base variable name (e.g., 'RDEPENDS', 'FILES', 'RRECOMMENDS')
+ package_name: Package name (e.g., '${PN}')
+
+ Returns:
+ Variable value or None
+ """
+ import bb
+
+ package_name_expanded = d.expand(package_name)
+
+ if wolfssl_uses_colon_syntax(d):
+ var_name = base_var + ':' + package_name_expanded
+ else:
+ var_name = base_var + '_' + package_name_expanded
+
+ return d.getVar(var_name) or d.getVar(var_name, True)
+
+def wolfssl_varPrepend(d, var_name, value):
+ """
+ Prepends a value to a variable (for things like FILESEXTRAPATHS, PACKAGECONFIG).
+
+ Args:
+ d: BitBake data store
+ var_name: Variable name (e.g., 'FILESEXTRAPATHS', 'PACKAGECONFIG')
+ value: Value to prepend
+ """
+ d.prependVar(var_name, value)
+
+def wolfssl_varAppendNonOverride(d, var_name, value):
+ """
+ Appends a value to a variable (for things like PACKAGECONFIG, EXTRA_OECONF).
+
+ Args:
+ d: BitBake data store
+ var_name: Variable name (e.g., 'PACKAGECONFIG', 'EXTRA_OECONF')
+ value: Value to append
+ """
+ d.appendVar(var_name, value)
+
diff --git a/classes/wolfssl-fips-helper.bbclass b/classes/wolfssl-fips-helper.bbclass
index 1bd20dbb..1a64f2aa 100644
--- a/classes/wolfssl-fips-helper.bbclass
+++ b/classes/wolfssl-fips-helper.bbclass
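Review bot: Both `try` blocks in wolfssl_uses_colon_syntax (classes/wolfssl-compatibility.bbclass) end in a bare `except: pass`, which hides every failure, including a non-numeric LAYERVERSION_core, and silently falls through to the colon default; catch only what is expected, `except (TypeError, ValueError):`, and leave a `bb.debug` line so a wrong guess about the syntax can be traced. The `d.getVar(x) or d.getVar(x, True)` pairs need a comment or a simplification: on current BitBake the second argument is the expand flag, so the second call repeats the first, and on releases where expansion was off by default the first call most likely returns the unexpanded string and the fallback is reached only for empty values, so `d.getVar(x, True)` alone appears to cover both. `import bb` is unused in wolfssl_varAppend, wolfssl_varSet and wolfssl_varGet, and those three build the variable name with the same four lines, which one private helper would remove.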
@@ -11,10 +11,14 @@ # FIPS hash configuration WOLFSSL_FIPS_HASH_MODE ?= "auto" -WOLFSSL_FIPS_HASH_MODE:class-native = "manual" -WOLFSSL_FIPS_HASH_MODE:class-nativesdk = "manual" WOLFSSL_FIPS_PLACEHOLDER ?= "0000000000000000000000000000000000000000000000000000000000000000" +python __anonymous() { + # Set mode to manual for native/nativesdk builds + if bb.utils.contains('OVERRIDES', 'class-native', True, False, d) or bb.utils.contains('OVERRIDES', 'class-nativesdk', True, False, d): + d.setVar('WOLFSSL_FIPS_HASH_MODE', 'manual') +} + # This will be set by anonymous Python based on mode (manual: FIPS_HASH, auto: function call) WOLFSSL_GET_HASH_METHOD ?= "" @@ -25,16 +29,16 @@ WOLFSSL_FIPS_TEST_BINARY ?= "${B}/wolfcrypt/test/.libs/testwolfcrypt" # This function performs the actual hash retrieval and returns the value get_wolfssl_fips_hash() { local mode="${WOLFSSL_FIPS_HASH_MODE}" - + if [ "${mode}" != "auto" ]; then # Manual mode: return the configured hash echo "${FIPS_HASH}" return 0 fi - + # Auto mode: perform hash extraction bbnote "wolfSSL FIPS auto mode: extracting hash from test binary" - + # Build test binary if not already built (configure should have enabled --enable-crypttests) if [ ! -x "${WOLFSSL_FIPS_TEST_BINARY}" ]; then bbnote "Building wolfCrypt test binary for FIPS hash generation" @@ -43,7 +47,7 @@ get_wolfssl_fips_hash() { # Build everything needed for the test (redirect output to log files, not stdout) oe_runmake all 1>&2 fi - + # Capture and return the hash directly (only hash goes to stdout) local hash=$(wolfssl_fips_capture_hash) local rc=$? @@ -51,7 +55,7 @@ get_wolfssl_fips_hash() { bberror "Failed to capture FIPS hash (rc=${rc})" return 1 fi - + # Return only the hash to stdout (no other messages) echo "${hash}" return 0 
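Review bot: The new anonymous function in classes/wolfssl-fips-helper.bbclass tests `bb.utils.contains('OVERRIDES', 'class-native', True, False, d)`, but bb.utils.contains splits the variable on whitespace while OVERRIDES is a colon-separated list, so neither check can match as far as I can tell. Native and nativesdk builds would then keep WOLFSSL_FIPS_HASH_MODE at its "auto" default instead of "manual", which the removed override lines guaranteed. Test the class override directly, e.g. `if d.getVar('CLASSOVERRIDE') in ('class-native', 'class-nativesdk'):`, or split OVERRIDES on ':' first. The second anonymous function in this class reads the mode to decide whether to pull in qemu and the hash-capture task, so a comment stating that this block must run before it would help.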
@@ -78,13 +82,13 @@ wolfssl_fips_clean_config() { # Dynamic variable setup - handles dependencies, class inheritance, and task ordering python __anonymous () { import bb - + mode = d.getVar('WOLFSSL_FIPS_HASH_MODE') distro_version = d.getVar('DISTRO_VERSION') - + # Add clean function to do_configure (version-compatible based on DISTRO_VERSION) clean_command = 'wolfssl_fips_clean_config\n' - + if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): # For Dunfell (3.x) and earlier - use old style variable existing = d.getVar('do_configure_prepend') or '' @@ -92,19 +96,19 @@ python __anonymous () { else: # For Kirkstone (4.x) and later - use prefuncs d.appendVarFlag('do_configure', 'prefuncs', ' wolfssl_fips_clean_config') - + # Only set up for auto mode if mode == 'auto': # Inherit qemu class for cross-compilation support bb.parse.BBHandler.inherit('qemu', '', 0, d) - + # Add qemu-native dependency d.appendVar('DEPENDS', ' qemu-native') - + # Include crypttests configuration for auto mode include_file = d.expand('${WOLFSSL_LAYERDIR}/inc/wolfcrypttest/wolfssl-enable-wolfcrypttest.inc') bb.parse.handle(include_file, d, True) - + bb.build.addtask('do_wolfssl_fips_capture_hash', 'do_compile', 'do_configure', d) else: # Manual mode task @@ -122,7 +126,7 @@ wolfssl_fips_capture_hash() { # Use temporary file for output local temp_log=$(mktemp) - + # Determine if we need QEMU (cross-compile) or can run natively local run_cmd="" if [ "${BUILD_ARCH}" = "${TARGET_ARCH}" ]; then @@ -134,10 +138,10 @@ wolfssl_fips_capture_hash() { bbnote "Cross-compile detected - using QEMU wrapper" run_cmd="${WOLFSSL_QEMU_WRAPPER} ${WOLFSSL_FIPS_TEST_BINARY}" fi - + bbnote "Capturing wolfSSL FIPS hash from test binary" bbnote "Command: ${run_cmd}" - + set +e ${run_cmd} > ${temp_log} 2>&1 local rc=$? 
@@ -154,7 +158,7 @@ wolfssl_fips_capture_hash() { # Parse the hash from output local parsed=$(grep -E "hash = " "${temp_log}" | tail -n1 | awk -F'=' '{print $2}' | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]') - + # Debug: show output if parsing failed if [ -z "${parsed}" ]; then bberror "Failed to parse FIPS hash from test output" @@ -163,10 +167,10 @@ wolfssl_fips_capture_hash() { rm -f ${temp_log} return 1 fi - + rm -f ${temp_log} bbnote "wolfSSL FIPS hash extracted: ${parsed}" - + # Return the hash value echo "${parsed}" return 0 @@ -178,7 +182,7 @@ do_wolfssl_fips_capture_hash() { # Place a placeholder hash in fips_test.c before capturing PLACEHOLDER_HASH="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" bbnote "Setting placeholder hash in fips_test.c: ${PLACEHOLDER_HASH}" - + if [ -f "${S}/wolfcrypt/src/fips_test.c" ]; then cp ${S}/wolfcrypt/src/fips_test.c ${S}/wolfcrypt/src/fips_test.c.orig sed "s/^\".*\";/\"${PLACEHOLDER_HASH}\";/" ${S}/wolfcrypt/src/fips_test.c.orig > ${S}/wolfcrypt/src/fips_test.c @@ -186,7 +190,7 @@ do_wolfssl_fips_capture_hash() { rm -f ${B}/wolfcrypt/test/.libs/testwolfcrypt ${B}/wolfcrypt/test/testwolfcrypt touch ${S}/wolfcrypt/src/fips_test.c fi - + # Reconfigure to ensure placeholder is used do_configure 
@@ -201,29 +205,29 @@ do_wolfssl_fips_capture_hash() { bberror "Failed to capture wolfSSL FIPS hash (rc=${rc})" bbfatal "FIPS hash capture failed - cannot continue" fi - + # Display the captured hash bbplain "==========================================" bbplain "wolfSSL FIPS Hash (auto mode): ${CAPTURED_HASH}" bbplain "==========================================" - + # Update fips_test.c with the captured hash (same as official fips-hash.sh) if [ ! -f "${S}/wolfcrypt/src/fips_test.c" ]; then bbfatal "fips_test.c not found at ${S}/wolfcrypt/src/fips_test.c" fi - + # Create backup of original if it doesn't exist yet if [ ! -f "${S}/wolfcrypt/src/fips_test.c.bak" ]; then bbnote "Creating backup of original fips_test.c" cp ${S}/wolfcrypt/src/fips_test.c ${S}/wolfcrypt/src/fips_test.c.bak fi - + bbnote "Updating fips_test.c with captured hash" sed "s/^\".*\";/\"${CAPTURED_HASH}\";/" ${S}/wolfcrypt/src/fips_test.c > ${S}/wolfcrypt/src/fips_test.c.tmp mv ${S}/wolfcrypt/src/fips_test.c.tmp ${S}/wolfcrypt/src/fips_test.c - + bbnote "Updated fips_test.c with hash: ${CAPTURED_HASH}" - + # Run configure again do_configure } 
@@ -232,33 +236,33 @@ do_wolfssl_fips_capture_hash_manual() { # Manual mode: just use the configured FIPS_HASH value CAPTURED_HASH=${FIPS_HASH} - + if [ -z "${CAPTURED_HASH}" ]; then bbfatal "FIPS_HASH is not set in manual mode" fi - + # Display the configured hash bbplain "==========================================" bbplain "wolfSSL FIPS Hash (manual mode): ${CAPTURED_HASH}" bbplain "==========================================" - + # Update fips_test.c with the configured hash if [ ! -f "${S}/wolfcrypt/src/fips_test.c" ]; then bbfatal "fips_test.c not found at ${S}/wolfcrypt/src/fips_test.c" fi - + # Create backup of original if it doesn't exist yet if [ ! -f "${S}/wolfcrypt/src/fips_test.c.bak" ]; then bbnote "Creating backup of original fips_test.c" cp ${S}/wolfcrypt/src/fips_test.c ${S}/wolfcrypt/src/fips_test.c.bak fi - + bbnote "Updating fips_test.c with configured hash" sed "s/^\".*\";/\"${CAPTURED_HASH}\";/" ${S}/wolfcrypt/src/fips_test.c > ${S}/wolfcrypt/src/fips_test.c.tmp mv ${S}/wolfcrypt/src/fips_test.c.tmp ${S}/wolfcrypt/src/fips_test.c - + bbnote "Updated fips_test.c with hash: ${CAPTURED_HASH}" - + # Reconfigure to pick up the updated hash # Note: wolfssl_fips_clean_config will run automatically via prefuncs do_configure diff --git a/classes/wolfssl-helper.bbclass b/classes/wolfssl-helper.bbclass index 8200b9b4..e1b927d8 100644 --- a/classes/wolfssl-helper.bbclass +++ b/classes/wolfssl-helper.bbclass @@ -9,7 +9,7 @@ def wolfssl_conditional_require(d, package_name, inc_path): """ Conditionally include an .inc file if package is in IMAGE_INSTALL or WOLFSSL_FEATURES - + Args: d: BitBake datastore package_name: Name of the package to check for 
@@ -17,7 +17,7 @@ def wolfssl_conditional_require(d, package_name, inc_path): """ import os import bb.parse - + if bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \ bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d): # Get the meta-wolfssl layer directory from variable set in layer.conf @@ -33,7 +33,7 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file=None): WOLFSSL_FEATURES. Supports space-separated modes (e.g., "replace-default enable-tests") and a mapping of mode->inc_file so callers can configure multiple modes in a single invocation. - + Args: d: BitBake datastore package_name: Name of the package to check for (e.g., 'wolfprovider') @@ -41,10 +41,10 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file=None): inc-file paths. inc_file: Relative path from layer root to the .inc file (required when 'mode' is a single string) - + Returns: True if configuration was included, False otherwise - + Example: wolfssl_conditional_require_mode( d, @@ -52,7 +52,7 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file=None): mode='standalone', inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc' ) - + # Multiple modes in one call: wolfssl_conditional_require_mode( d, 
@@ -62,23 +62,23 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file=None): 'replace-default': 'inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc', } ) - + # Supports multiple modes in WOLFPROVIDER_MODE: # WOLFPROVIDER_MODE = "replace-default enable-tests" """ import os import bb.parse - + # Check if package is enabled if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \ bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)): bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping") return False - + # Build the mode variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_MODE') mode_var_name = f"{package_name.upper()}_MODE" current_mode_str = d.getVar(mode_var_name) or 'standalone' # Default to standalone - + # Support space-separated modes: split into list and check if expected mode is in the list current_modes = [m.strip() for m in current_mode_str.split() if m.strip()] @@ -89,18 +89,18 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file=None): if inc_file is None: bb.fatal(f"{package_name}: wolfssl_conditional_require_mode called without inc_file for mode '{mode}'") mode_map = {mode: inc_file} - + included_any = False - + layerdir = d.getVar('WOLFSSL_LAYERDIR') if not layerdir: bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured") - + for single_mode, single_inc in mode_map.items(): if single_mode not in current_modes: bb.debug(2, f"{package_name}: {mode_var_name}='{current_mode_str}' does not contain '{single_mode}' - skipping") continue - + bb.note(f"{package_name}: {mode_var_name}='{current_mode_str}' contains '{single_mode}' mode - including {single_inc}") full_inc_file = os.path.join(layerdir, single_inc) bb.parse.mark_dependency(d, full_inc_file) 
@@ -109,7 +109,7 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file=None): included_any = True except Exception as e: bb.fatal(f"Failed to include {full_inc_file}: {e}") - + return included_any 
@@ -118,51 +118,51 @@ def wolfssl_conditional_require_flag(d, flag_name, inc_file): Conditionally include an .inc file based solely on the current recipe's flags variable (derived from PN). Flags are separate from modes - use for opt-in features like tests, not OpenSSL configuration. - + Args: d: BitBake datastore flag_name: The flag to check for (e.g., 'enable-tests') inc_file: Relative path from layer root to the .inc file - + Returns: True if configuration was included, False otherwise - + Example: wolfssl_conditional_require_flag( d, flag_name='enable-tests', inc_file='inc/wolfprovider/wolfprovider-enable-test.inc' ) - + # Usage in local.conf: # WOLFPROVIDER_FLAGS = "enable-tests" # PN=wolfprovider -> WOLFPROVIDER_FLAGS """ import os import bb.parse - + package_name = d.getVar('PN') if not package_name: bb.fatal("wolfssl_conditional_require_flag called without PN set") - + # Build the flags variable name from the current package name (e.g., wolfprovider -> WOLFPROVIDER_FLAGS) flags_var_name = f"{package_name.upper()}_FLAGS" current_flags_str = d.getVar(flags_var_name) or '' - + # Support space-separated flags: split into list and check if expected flag is in the list current_flags = [f.strip() for f in current_flags_str.split() if f.strip()] - + # Check if expected flag is in the current flags list if flag_name not in current_flags: bb.debug(2, f"{package_name}: {flags_var_name}='{current_flags_str}' does not contain '{flag_name}' - skipping") return False - + # Flag found in list - include the configuration bb.note(f"{package_name}: {flags_var_name}='{current_flags_str}' contains '{flag_name}' flag - including {inc_file}") - + layerdir = d.getVar('WOLFSSL_LAYERDIR') if not layerdir: bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured") - + full_inc_file = os.path.join(layerdir, inc_file) bb.parse.mark_dependency(d, full_inc_file) try: 
@@ -179,7 +179,7 @@ python do_wolfssl_check_package() { package_name = d.getVar('PN') image_install = d.getVar('IMAGE_INSTALL') or '' wolfssl_features = d.getVar('WOLFSSL_FEATURES') or '' - + # Check if this package is in either IMAGE_INSTALL or WOLFSSL_FEATURES if package_name not in image_install and package_name not in wolfssl_features: bb.fatal("%s requires either:\n" \ diff --git a/conf/wolfssl-fips.conf.sample b/conf/wolfssl-fips.conf.sample index a3028ea5..2c34885b 100644 --- a/conf/wolfssl-fips.conf.sample +++ b/conf/wolfssl-fips.conf.sample @@ -15,6 +15,11 @@ PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" PREFERRED_PROVIDER_wolfssl = "wolfssl-fips" +# Optional: Use wolfSSL FIPS Linux kernel module +# Uncomment to use the FIPS-validated kernel module instead of the standard one +#PREFERRED_PROVIDER_virtual/wolfssl-linuxkm = "wolfssl-linuxkm-fips" +#PREFERRED_PROVIDER_wolfssl-linuxkm = "wolfssl-linuxkm-fips" + # FIPS hash mode: "auto" (QEMU-based extraction) or "manual" (use static FIPS_HASH) WOLFSSL_FIPS_HASH_MODE ?= "manual" diff --git a/inc/gnupg/gnupg-enable-libgcrypt-wolfssl.inc b/inc/gnupg/gnupg-enable-libgcrypt-wolfssl.inc deleted file mode 100644 index 43686199..00000000 --- a/inc/gnupg/gnupg-enable-libgcrypt-wolfssl.inc +++ /dev/null @@ -1,4 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/files:" - -SRC_URI += "file://gnupg-2.4.8-use-pkgconfig-for-libgcrypt.patch" - diff --git a/inc/gnutls/gnutls-enable-wolfssl.inc b/inc/gnutls/gnutls-enable-wolfssl.inc deleted file mode 100644 index 80a7224e..00000000 --- a/inc/gnutls/gnutls-enable-wolfssl.inc +++ /dev/null 
@@ -1,60 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/files:" - -# Override version and source for target builds only -PV:class-target = "3.8.11+git${SRCPV}" -LIC_FILES_CHKSUM:class-target = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464 \ - file://COPYING.LESSERv2;md5=4bf661c1e3793e55c8d1051bc5e0ae21" - -# Add gnutls-wolfssl specific dependencies -DEPENDS:append:class-target = " virtual/wolfssl libunistring gmp nettle libtasn1 p11-kit zlib \ - bison-native libtasn1-native gperf-native gtk-doc-native gettext-native \ - autoconf-native automake-native libtool-native" -RDEPENDS:${PN}:append:class-target = " wolfssl" - -# Use wolfSSL fork of gnutls -SRC_URI:class-target = "git://github.com/wolfSSL/gnutls.git;protocol=https;branch=gnutls-wolfssl-3.8.11 \ - file://0001-creating-hmac-file-should-be-excuted-in-target-envi.patch \ -" -SRCREV:class-target = "${AUTOREV}" -S:class-target = "${WORKDIR}/git" -B:class-target = "${S}" - -# Enable FIPS mode -PACKAGECONFIG:append:class-target = " fips" - -# Configure options for wolfSSL backend -EXTRA_OECONF:class-target = "\ - --disable-doc \ - --disable-manpages \ - --disable-gtk-doc \ - --disable-gost \ - --disable-dsa \ - --disable-full-test-suite \ - --disable-valgrind-tests \ - --disable-dependency-tracking \ - --enable-srp-authentication \ - --enable-fips140-mode \ -" - -TARGET_CFLAGS:append:class-target = " -DGNUTLS_WOLFSSL" - -# Create dummy files so base prepend doesn't fail -do_configure:prepend:class-target() { - touch ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 - touch ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e - touch ${WORKDIR}/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 -} - -do_configure:class-target() { - cd ${S} - if [ ! -f configure ]; then - bbnote "Running bootstrap..." - ./bootstrap - fi - bbnote "Running autoreconf..." - autoreconf -fvi - bbnote "Running configure..." - oe_runconf -} - -do_configure[network] = "1" 
diff --git a/inc/librelp/librelp-ptest.inc b/inc/librelp/librelp-ptest.inc deleted file mode 100644 index 93df8959..00000000 --- a/inc/librelp/librelp-ptest.inc +++ /dev/null @@ -1,2 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/files:" -SRC_URI:append:class-target = " file://librelp-ptest.patch" diff --git a/inc/curl/curl-enable-wolfprovider-fips.inc b/inc/scarthgap/curl/curl-enable-wolfprovider-fips.inc similarity index 91% rename from inc/curl/curl-enable-wolfprovider-fips.inc rename to inc/scarthgap/curl/curl-enable-wolfprovider-fips.inc index 4c889664..52f7a369 100644 --- a/inc/curl/curl-enable-wolfprovider-fips.inc +++ b/inc/scarthgap/curl/curl-enable-wolfprovider-fips.inc @@ -7,4 +7,5 @@ # By defining CURL_DISABLE_SHA512_256 at compile time, curl properly reports # the feature as unavailable and tests that require it are skipped rather than # failing. -CFLAGS:append = " -DCURL_DISABLE_SHA512_256" + +CFLAGS += " -DCURL_DISABLE_SHA512_256" diff --git a/inc/gnupg/files/gnupg-2.4.8-use-pkgconfig-for-libgcrypt.patch b/inc/scarthgap/gnupg/files/gnupg-2.4.8-use-pkgconfig-for-libgcrypt.patch similarity index 100% rename from inc/gnupg/files/gnupg-2.4.8-use-pkgconfig-for-libgcrypt.patch rename to inc/scarthgap/gnupg/files/gnupg-2.4.8-use-pkgconfig-for-libgcrypt.patch diff --git a/inc/scarthgap/gnupg/gnupg-enable-libgcrypt-wolfssl.inc b/inc/scarthgap/gnupg/gnupg-enable-libgcrypt-wolfssl.inc new file mode 100644 index 00000000..57d92d80 --- /dev/null +++ b/inc/scarthgap/gnupg/gnupg-enable-libgcrypt-wolfssl.inc @@ -0,0 +1,6 @@ +inherit wolfssl-compatibility + +python __anonymous() { + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${THISDIR}/files:') + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' file://gnupg-2.4.8-use-pkgconfig-for-libgcrypt.patch') +} 
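Review bot: `CFLAGS += " -DCURL_DISABLE_SHA512_256"` in inc/scarthgap/curl/curl-enable-wolfprovider-fips.inc is applied at the point where the include is parsed, unlike the `CFLAGS:append` it replaces, which was applied after all plain assignments. Any later `CFLAGS = ...` in the recipe or another include would drop the define without warning, and the SHA-512/256 tests would then fail instead of being skipped. If the aim is syntax that also parses on older releases, add a comment saying this include must be parsed last, or append from anonymous Python as the other includes in this commit do.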
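Review bot: `'${THISDIR}/files:'` is handed to wolfssl_varPrepend unexpanded in inc/scarthgap/gnupg/gnupg-enable-libgcrypt-wolfssl.inc, whereas the deleted file used `FILESEXTRAPATHS:prepend := ...` to expand it while the include was being parsed. Anonymous Python runs once parsing has finished, so THISDIR will most likely resolve to the directory of the recipe rather than this include, and the patch named in SRC_URI will not be found. Capture the directory at parse time, for example `WOLFSSL_GNUPG_INC_DIR := "${THISDIR}"`, and pass `'${WOLFSSL_GNUPG_INC_DIR}/files:'`. librelp-ptest.inc and gnutls-enable-wolfssl.inc in this commit use the same pattern.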
diff --git a/inc/gnutls/files/0001-creating-hmac-file-should-be-excuted-in-target-envi.patch b/inc/scarthgap/gnutls/files/0001-creating-hmac-file-should-be-excuted-in-target-envi.patch similarity index 100% rename from inc/gnutls/files/0001-creating-hmac-file-should-be-excuted-in-target-envi.patch rename to inc/scarthgap/gnutls/files/0001-creating-hmac-file-should-be-excuted-in-target-envi.patch diff --git a/inc/scarthgap/gnutls/gnutls-enable-wolfssl.inc b/inc/scarthgap/gnutls/gnutls-enable-wolfssl.inc new file mode 100644 index 00000000..3dcb0ecd --- /dev/null +++ b/inc/scarthgap/gnutls/gnutls-enable-wolfssl.inc 
@@ -0,0 +1,59 @@
+inherit wolfssl-compatibility
+
+# Override version and source for target builds only
+PV_class-target = "3.8.11+git${SRCPV}"
+LIC_FILES_CHKSUM_class-target = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464 \
+ file://COPYING.LESSERv2;md5=4bf661c1e3793e55c8d1051bc5e0ae21"
+
+S_class-target = "${WORKDIR}/git"
+B_class-target = "${S}"
+SRCREV_class-target = "${AUTOREV}"
+
+# Configure options for wolfSSL backend
+EXTRA_OECONF_class-target = "\
+ --disable-doc \
+ --disable-manpages \
+ --disable-gtk-doc \
+ --disable-gost \
+ --disable-dsa \
+ --disable-full-test-suite \
+ --disable-valgrind-tests \
+ --disable-dependency-tracking \
+ --enable-srp-authentication \
+ --enable-fips140-mode \
+"
+
+TARGET_CFLAGS_append_class-target = " -DGNUTLS_WOLFSSL"
+
+python __anonymous() {
+ if bb.data.inherits_class('target', d):
+ wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${THISDIR}/files:')
+ wolfssl_varAppendNonOverride(d, 'DEPENDS', ' virtual/wolfssl libunistring gmp nettle libtasn1 p11-kit zlib bison-native libtasn1-native gperf-native gtk-doc-native gettext-native autoconf-native automake-native libtool-native')
+ wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl')
+ wolfssl_varAppendNonOverride(d, 'PACKAGECONFIG', ' fips')
+ wolfssl_varAppendNonOverride(d, 'SRC_URI', ' git://github.com/wolfSSL/gnutls.git;protocol=https;branch=gnutls-wolfssl-3.8.11 file://0001-creating-hmac-file-should-be-excuted-in-target-envi.patch')
+}
+
+# Create dummy files so base prepend doesn't fail
+do_configure_create_dummy_files() {
+ touch ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34
+ touch ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e
+ touch ${WORKDIR}/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
+}
+
+addtask do_configure_create_dummy_files after do_unpack before do_configure
+do_configure_create_dummy_files[class-target] = ""
+
+do_configure_class-target() {
+ cd ${S}
+ if [ ! -f configure ]; then
+ bbnote "Running bootstrap..."
+ ./bootstrap
+ fi
+ bbnote "Running autoreconf..."
+ autoreconf -fvi
+ bbnote "Running configure..."
+ oe_runconf
+}
+
+do_configure[network] = "1"
diff --git a/inc/libgcrypt/files/wc_ptest-fixes.patch b/inc/scarthgap/libgcrypt/files/wc_ptest-fixes.patch
similarity index 100%
rename from inc/libgcrypt/files/wc_ptest-fixes.patch
rename to inc/scarthgap/libgcrypt/files/wc_ptest-fixes.patch
diff --git a/inc/libgcrypt/libgcrypt-enable-wolfssl.inc b/inc/scarthgap/libgcrypt/libgcrypt-enable-wolfssl.inc
similarity index 50%
rename from inc/libgcrypt/libgcrypt-enable-wolfssl.inc
rename to inc/scarthgap/libgcrypt/libgcrypt-enable-wolfssl.inc
index ddb1f654..454eea73 100644
--- a/inc/libgcrypt/libgcrypt-enable-wolfssl.inc
+++ b/inc/scarthgap/libgcrypt/libgcrypt-enable-wolfssl.inc
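Review bot: `bb.data.inherits_class('target', d)` in inc/scarthgap/gnutls/gnutls-enable-wolfssl.inc looks for an inherited class named target, but class-target is an override rather than a bbclass, so the guarded block (wolfSSL dependencies, the fips PACKAGECONFIG, the fork's SRC_URI) probably never runs; compare `d.getVar('CLASSOVERRIDE') == 'class-target'` instead. The same guard appears in the libgcrypt and librelp includes of this commit. The underscore forms (`PV_class-target`, `TARGET_CFLAGS_append_class-target`, `do_configure_class-target`) are not treated as overrides on colon-syntax releases, which is what a directory named scarthgap implies, and `do_configure_create_dummy_files[class-target] = ""` only sets a flag that nothing visible reads. `SRCREV_class-target = "${AUTOREV}"` together with `do_configure[network] = "1"` builds whatever the branch head is at build time; for a FIPS-mode TLS library, pin SRCREV to a reviewed commit.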
@@ -3,42 +3,41 @@ # This include file configures libgcrypt to use wolfSSL/wolfCrypt as the crypto backend. # Only applied when wolfssl-fips is the active provider. +inherit wolfssl-compatibility + # Override to use custom git repo and version - TARGET ONLY # Set your desired version -PV:class-target = "1.11.0" +PV_class-target = "1.11.0" # Update license checksums for version 1.11.0 -LIC_FILES_CHKSUM:class-target = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ +LIC_FILES_CHKSUM_class-target = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c \ file://LICENSES;md5=034b4e369944ad4b52a68368f1cf98b8 \ " -# Override source to use wolfSSL-enabled git repo -SRC_URI:class-target = "git://github.com/wolfSSL/libgcrypt-wolfssl.git;protocol=https;branch=libgcrypt-1.11.0-wolfCrypt \ - file://run-ptest \ - file://wc_ptest-fixes.patch \ - " - -# Set to specific commit hash or use "${AUTOREV}" for latest -SRCREV:class-target = "${AUTOREV}" - # Source directory for git checkouts -S:class-target = "${WORKDIR}/git" +S_class-target = "${WORKDIR}/git" +SRCREV_class-target = "${AUTOREV}" -# Add patch directory to file search path -# Patches are in files/ subdirectory relative to this .inc file -FILESEXTRAPATHS:prepend:class-target := "${WOLFSSL_LAYERDIR}/inc/libgcrypt/files:" +python __anonymous() { + if bb.data.inherits_class('target', d): + # Override source to use wolfSSL-enabled git repo + d.setVar('SRC_URI', 'git://github.com/wolfSSL/libgcrypt-wolfssl.git;protocol=https;branch=libgcrypt-1.11.0-wolfCrypt file://run-ptest file://wc_ptest-fixes.patch') -# Add wolfssl as dependency -DEPENDS:append:class-target = " virtual/wolfssl" -RDEPENDS:${PN}:append:class-target = " wolfssl" + # Add patch directory to file search path + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${WOLFSSL_LAYERDIR}/inc/libgcrypt/files:') -# Add wolfSSL FIPS configuration flag -EXTRA_OECONF:append:class-target = " --enable-wolfssl-fips 
--with-wolfssl=${STAGING_EXECPREFIXDIR} --disable-jent-support --disable-doc" + # Add wolfssl as dependency + wolfssl_varAppendNonOverride(d, 'DEPENDS', ' virtual/wolfssl') + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') + + # Add wolfSSL FIPS configuration flag + wolfssl_varAppendNonOverride(d, 'EXTRA_OECONF', ' --enable-wolfssl-fips --with-wolfssl=${STAGING_EXECPREFIXDIR} --disable-jent-support --disable-doc') +} # In FIPS mode, some tests are excluded - install only tests that were actually built -do_install_ptest:class-target() { +do_install_ptest_class-target() { cd ${B}/tests oe_runmake testdrv-build testdrv for f in testdrv $(srcdir=${S}/tests ./testdrv-build --files | sort | uniq); do @@ -51,4 +50,3 @@ do_install_ptest:class-target() { install -m 0755 ${WORKDIR}/run-ptest ${D}${PTEST_PATH} fi } - diff --git a/inc/librelp/files/librelp-ptest.patch b/inc/scarthgap/librelp/files/librelp-ptest.patch similarity index 100% rename from inc/librelp/files/librelp-ptest.patch rename to inc/scarthgap/librelp/files/librelp-ptest.patch diff --git a/inc/scarthgap/librelp/librelp-ptest.inc b/inc/scarthgap/librelp/librelp-ptest.inc new file mode 100644 index 00000000..af09f3c5 --- /dev/null +++ b/inc/scarthgap/librelp/librelp-ptest.inc @@ -0,0 +1,7 @@ +inherit wolfssl-compatibility + +python __anonymous() { + if bb.data.inherits_class('target', d): + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${THISDIR}/files:') + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' file://librelp-ptest.patch') +} diff --git a/inc/scarthgap/libssh/files/enable-fips-mode.patch b/inc/scarthgap/libssh/files/enable-fips-mode.patch new file mode 100644 index 00000000..52aa1695 --- /dev/null +++ b/inc/scarthgap/libssh/files/enable-fips-mode.patch 
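Review bot: The `FILESEXTRAPATHS` prepend in the new anonymous function still names `${WOLFSSL_LAYERDIR}/inc/libgcrypt/files:`, but this commit renames `wc_ptest-fixes.patch` and this include into `inc/scarthgap/libgcrypt/`, so the `file://wc_ptest-fixes.patch` entry set a few lines above will presumably no longer resolve. Point the search path at the new location: `wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${WOLFSSL_LAYERDIR}/inc/scarthgap/libgcrypt/files:')`. Separately, the move from `PV:class-target` to `PV_class-target` in a directory named after scarthgap deserves a comment saying how `wolfssl-compatibility` makes the underscore form take effect, since BitBake releases using the colon syntax do not treat it as an override.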
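Review bot: `'${THISDIR}/files:'` is handed to `wolfssl_varPrepend` unexpanded from inside an anonymous function, so it is expanded later than the immediate `:=` form used before (see the removed `FILESEXTRAPATHS:prepend := "${THISDIR}/files:"` in nettle.inc), and `THISDIR` may by then point at the recipe's directory rather than this include's. If the helper does not expand it in the include's context, `file://librelp-ptest.patch` is not found, or a same-named file from another directory could be picked up instead. An explicit path removes the ambiguity: `wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${WOLFSSL_LAYERDIR}/inc/scarthgap/librelp/files:')`, as the openssh include in this commit already does. The gnutls, libssh, nettle and rsyslog includes use the same `${THISDIR}` pattern.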
@@ -0,0 +1,30 @@ +From: WolfSSL +Date: Tue, 17 Dec 2024 00:00:00 +0000 +Subject: [PATCH] Enable FIPS mode for libssh with libgcrypt backend + +Hardcode ssh_fips_mode() to return true to enable FIPS mode in libssh +when using the libgcrypt backend. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: WolfSSL +--- + include/libssh/libgcrypt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/libssh/libgcrypt.h b/include/libssh/libgcrypt.h +index 1234567..abcdefg 100644 +--- a/include/libssh/libgcrypt.h ++++ b/include/libssh/libgcrypt.h +@@ -115,7 +115,7 @@ ssh_string ssh_sexp_extract_mpi(const gcry_sexp_t sexp, + enum gcry_mpi_format informat, + enum gcry_mpi_format outformat); + +-#define ssh_fips_mode() false ++#define ssh_fips_mode() true + + #ifdef __cplusplus + } +-- +2.34.1 + diff --git a/inc/scarthgap/libssh/libssh-enable-libgcrypt-wolfssl.inc b/inc/scarthgap/libssh/libssh-enable-libgcrypt-wolfssl.inc new file mode 100644 index 00000000..a0088df6 --- /dev/null +++ b/inc/scarthgap/libssh/libssh-enable-libgcrypt-wolfssl.inc @@ -0,0 +1,9 @@ +# Disable chacha20-poly1305 in libssh when using libgcrypt-wolfssl backend +# wolfSSL-backed libgcrypt does not support chacha20 cipher in FIPS mode + +inherit wolfssl-compatibility + +python __anonymous() { + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${THISDIR}/files:') + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' file://enable-fips-mode.patch') +} diff --git a/inc/nettle/files/run-ptest b/inc/scarthgap/nettle/files/run-ptest similarity index 100% rename from inc/nettle/files/run-ptest rename to inc/scarthgap/nettle/files/run-ptest diff --git a/inc/nettle/nettle.inc b/inc/scarthgap/nettle/nettle.inc similarity index 84% rename from inc/nettle/nettle.inc rename to inc/scarthgap/nettle/nettle.inc index bc044e7e..561aa805 100644 --- a/inc/nettle/nettle.inc +++ b/inc/scarthgap/nettle/nettle.inc 
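Review bot: Hardcoding `ssh_fips_mode()` to `true` makes libssh report FIPS mode whether or not the libgcrypt/wolfCrypt backend is actually operating in FIPS mode, so a misconfigured or non-FIPS backend would go unnoticed at this layer. Tying the macro to the backend state keeps the two in agreement, for example `#define ssh_fips_mode() (gcry_fips_mode_active() != 0)`, assuming the wolfSSL-backed libgcrypt implements that query. If the constant is intentional, the patch description should state that the backend's FIPS status is verified elsewhere.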
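Review bot: The header comment of libssh-enable-libgcrypt-wolfssl.inc describes disabling chacha20-poly1305, but the only thing the include does is add `enable-fips-mode.patch`, which switches libssh into FIPS mode as a whole. I would document the mechanism and its wider effect, e.g. `# Force libssh into FIPS mode (enable-fips-mode.patch hardcodes ssh_fips_mode() to true); this also removes chacha20-poly1305, which the wolfSSL-backed libgcrypt does not support in FIPS mode`. Unlike the other includes in this commit, the anonymous function here has no target guard, so the patch presumably applies to every class variant of the recipe; a one-line comment saying whether that is intended would help.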
@@ -1,4 +1,4 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/files:" +inherit wolfssl-compatibility PV = "3.10" SUMMARY = "A low level cryptographic library" @@ -31,8 +31,15 @@ EXTRA_AUTORECONF += "--exclude=aclocal" EXTRA_OECONF = "--disable-openssl" -EXTRA_OECONF:append:armv7a = "${@bb.utils.contains("TUNE_FEATURES","neon",""," --disable-arm-neon --disable-fat",d)}" -EXTRA_OECONF:append:armv7ve = "${@bb.utils.contains("TUNE_FEATURES","neon",""," --disable-arm-neon --disable-fat",d)}" +python __anonymous() { + # Handle ARM NEON settings + if bb.utils.contains('TUNE_FEATURES', 'neon', False, True, d): + if d.getVar('TARGET_ARCH') in ['armv7a', 'armv7ve']: + wolfssl_varAppendNonOverride(d, 'EXTRA_OECONF', ' --disable-arm-neon --disable-fat') + + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${THISDIR}/files:') + wolfssl_varAppend(d, 'RDEPENDS', '${PN}-ptest', ' ${PN}-bin') +} do_compile_ptest() { oe_runmake -C testsuite @@ -57,6 +64,4 @@ do_install_ptest() { sed -i -e 's|../examples/|./|g' ${D}${PTEST_PATH}/testsuite/*-test } -RDEPENDS:${PN}-ptest += "${PN}-bin" - BBCLASSEXTEND = "native nativesdk" diff --git a/inc/scarthgap/rsyslog/files/rsyslog-libgcrypt-wolfssl-fips.conf b/inc/scarthgap/rsyslog/files/rsyslog-libgcrypt-wolfssl-fips.conf new file mode 100644 index 00000000..4541e8a3 --- /dev/null +++ b/inc/scarthgap/rsyslog/files/rsyslog-libgcrypt-wolfssl-fips.conf 
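Review bot: The NEON handling in the new anonymous function compares `TARGET_ARCH` with `armv7a` and `armv7ve`, but the removed lines keyed on the `armv7a`/`armv7ve` overrides, and `TARGET_ARCH` on 32-bit ARM machines is normally `arm`, so ` --disable-arm-neon --disable-fat` would never be appended. Testing the overrides keeps the old behaviour: `if {'armv7a', 'armv7ve'} & set((d.getVar('OVERRIDES') or '').split(':')):`. Without the flags, a non-NEON ARMv7 target may be built with the fat/NEON code paths that the previous recipe deliberately switched off.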
@@ -0,0 +1,32 @@
+# FIPS-compliant encryption configuration for rsyslog
+# This configuration enforces FIPS 140-2/140-3 approved ciphers
+
+# Load encryption support module
+$ModLoad lmcry_gcry
+
+# Global encryption defaults (FIPS-compliant)
+# Use AES256 with CBC mode for maximum security
+global(
+ defaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
+ defaultNetstreamDriverCertFile="/etc/rsyslog.d/cert.pem"
+ defaultNetstreamDriverKeyFile="/etc/rsyslog.d/key.pem"
+)
+
+# Example: Encrypted log file with FIPS-approved cipher
+# Uncomment and configure as needed:
+#
+# action(type="omfile"
+# file="/var/log/encrypted.log"
+# cry.provider="gcry"
+# cry.algo="AES256"
+# cry.mode="CBC"
+# cry.keyfile="/etc/rsyslog.d/encryption.key"
+# )
+#
+# FIPS-Approved Encryption Options:
+# cry.algo: AES128, AES192, AES256
+# cry.mode: CBC, CTR
+#
+# Non-FIPS algorithms (DO NOT USE in FIPS mode):
+# 3DES, BLOWFISH, DES, CAST5, ARCFOUR, TWOFISH, SERPENT
+
diff --git a/inc/scarthgap/rsyslog/rsyslog-enable-fips-crypto.inc b/inc/scarthgap/rsyslog/rsyslog-enable-fips-crypto.inc
new file mode 100644
index 00000000..6ec338c6
--- /dev/null
+++ b/inc/scarthgap/rsyslog/rsyslog-enable-fips-crypto.inc
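Review bot: The header claims this file "enforces FIPS 140-2/140-3 approved ciphers", yet the only active directives are `$ModLoad lmcry_gcry` and three netstream driver file paths; every `cry.*` setting is commented out, so nothing here selects or restricts a cipher. The comment `# Use AES256 with CBC mode for maximum security` also sits above the `global()` block, which configures TLS certificate files rather than log encryption. I would reword the header to `# Example FIPS-oriented settings for rsyslog; log-file encryption is only active once an action sets cry.provider, cry.algo and cry.mode` and move the AES comment next to the commented action. The file refers to `/etc/rsyslog.d/key.pem` and `/etc/rsyslog.d/encryption.key`, which the include that installs this config does not ship, so a comment that they must be provisioned separately with owner-only permissions would be useful.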
@@ -0,0 +1,21 @@ +# Enable FIPS-compliant encryption configuration for rsyslog +# This keeps libgcrypt for log file encryption while using wolfSSL for TLS/SSL + +inherit wolfssl-compatibility + +SRC_URI += "file://rsyslog-libgcrypt-wolfssl-fips.conf" + +python __anonymous() { + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${THISDIR}/files:') + wolfssl_varAppendNonOverride(d, 'PACKAGECONFIG', ' libgcrypt') + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${sysconfdir}/rsyslog.d/rsyslog-libgcrypt-wolfssl-fips.conf') +} + +# Install FIPS crypto configuration +do_install_rsyslog_fips_config() { + install -d ${D}${sysconfdir}/rsyslog.d + install -m 0644 ${WORKDIR}/rsyslog-libgcrypt-wolfssl-fips.conf ${D}${sysconfdir}/rsyslog.d/ +} + +addtask do_install_rsyslog_fips_config after do_install before do_package +do_install_rsyslog_fips_config[fakeroot] = "1" diff --git a/inc/wolf-py-tests/wolfcrypt-py-enable-tests.inc b/inc/wolf-py-tests/wolfcrypt-py-enable-tests.inc index 3eba064a..6c6ca4a3 100644 --- a/inc/wolf-py-tests/wolfcrypt-py-enable-tests.inc +++ b/inc/wolf-py-tests/wolfcrypt-py-enable-tests.inc @@ -3,12 +3,13 @@ # This include file configures wolfcrypt-py to install its test directory # to the target system for running Python binding tests. +inherit wolfssl-compatibility + WOLFCRYPT_PY_TEST_DIR = "${S}" WOLFCRYPT_PY_DIR = "/home/root/wolf-py-tests/wolfcrypt-py-test" WOLFCRYPT_PY_TEST_TARGET_DIR = "${D}${WOLFCRYPT_PY_DIR}" python () { - distro_version = d.getVar('DISTRO_VERSION', True) wolfcrypt_py_test_dir = d.getVar('WOLFCRYPT_PY_TEST_DIR', True) wolfcrypt_py_test_target_dir = d.getVar('WOLFCRYPT_PY_TEST_TARGET_DIR', True) 
@@ -17,20 +18,14 @@ python () { d.appendVar('do_install', installDirCmd) d.appendVar('do_install', cpWolfcryptPyTestCmd) +} - pn = d.getVar('PN', True) - wolfcrypt_py_dir = d.getVar('WOLFCRYPT_PY_DIR', True) - - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfcrypt_py_dir + '/*' - d.setVar(files_var_name, new_files) +python __anonymous() { + pn = d.getVar('PN') or d.getVar('PN', True) + wolfcrypt_py_dir = d.getVar('WOLFCRYPT_PY_DIR') or d.getVar('WOLFCRYPT_PY_DIR', True) + + wolfssl_varAppend(d, 'FILES', pn, ' ' + wolfcrypt_py_dir + '/*') } # Python Specific option export PYTHONDONTWRITEBYTECODE = "1" - diff --git a/inc/wolf-py-tests/wolfssl-enable-wolf-py-tests.inc b/inc/wolf-py-tests/wolfssl-enable-wolf-py-tests.inc index f58a21b9..c4387e76 100644 --- a/inc/wolf-py-tests/wolfssl-enable-wolf-py-tests.inc +++ b/inc/wolf-py-tests/wolfssl-enable-wolf-py-tests.inc @@ -1,5 +1,8 @@ # Configuration to enable wolf-py-tests support in wolfssl # Python tests may need specific features enabled + +inherit wolfssl-compatibility + EXTRA_OECONF += "--enable-shared" WOLFSSL_PY_TEST_CERTS_DIR = "/home/root/wolf-py-tests/certs" @@ -8,7 +11,6 @@ WOLFSSL_PY_CERTS_INSTALL_DIR = "${D}${WOLFSSL_PY_TEST_CERTS_DIR}" WOLFSSL_PY_CERTS_SOURCE_DIR = "${S}${WOLFSSL_PY_CERTS_DIR}" python () { - distro_version = d.getVar('DISTRO_VERSION', True) wolfssl_py_certs_install_dir = d.getVar('WOLFSSL_PY_CERTS_INSTALL_DIR', True) wolfssl_py_certs_source_dir = d.getVar('WOLFSSL_PY_CERTS_SOURCE_DIR', True) 
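Review bot: `d.getVar('PN') or d.getVar('PN', True)` in the new anonymous function performs the same lookup twice and reads as if the second call were a compatibility fallback. As far as I can tell it cannot act as one: where `expand` defaults to true both calls are identical, and where it does not, the first call would already have returned an unexpanded (truthy) value or raised. Using one form consistently with the `python ()` block above is clearer: `pn = d.getVar('PN', True)` and `wolfcrypt_py_dir = d.getVar('WOLFCRYPT_PY_DIR', True)`. The same construct is added in wolfssl-enable-wolf-py-tests.inc and wolfssl-py-enable-tests.inc.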
@@ -21,16 +23,11 @@ python () { d.appendVar('do_install', installDir) d.appendVar('do_install', cpDer) d.appendVar('do_install', cpPem) +} - pn = d.getVar('PN', True) - wolfssl_py_test_certs_dir = d.getVar('WOLFSSL_PY_TEST_CERTS_DIR', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn +python __anonymous() { + pn = d.getVar('PN') or d.getVar('PN', True) + wolfssl_py_test_certs_dir = d.getVar('WOLFSSL_PY_TEST_CERTS_DIR') or d.getVar('WOLFSSL_PY_TEST_CERTS_DIR', True) - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfssl_py_test_certs_dir + '/*' - d.setVar(files_var_name, new_files) + wolfssl_varAppend(d, 'FILES', pn, ' ' + wolfssl_py_test_certs_dir + '/*') } - diff --git a/inc/wolf-py-tests/wolfssl-py-enable-tests.inc b/inc/wolf-py-tests/wolfssl-py-enable-tests.inc index eada0c89..f0cac116 100644 --- a/inc/wolf-py-tests/wolfssl-py-enable-tests.inc +++ b/inc/wolf-py-tests/wolfssl-py-enable-tests.inc @@ -3,12 +3,13 @@ # This include file configures wolfssl-py to install its test directory # to the target system for running Python binding tests. +inherit wolfssl-compatibility + WOLFSSL_PY_TEST_DIR = "${S}" WOLFSSL_PY_DIR = "/home/root/wolf-py-tests/wolfssl-py-test" WOLFSSL_PY_TEST_TARGET_DIR = "${D}${WOLFSSL_PY_DIR}" python () { - distro_version = d.getVar('DISTRO_VERSION', True) wolfssl_py_test_dir = d.getVar('WOLFSSL_PY_TEST_DIR', True) wolfssl_py_test_target_dir = d.getVar('WOLFSSL_PY_TEST_TARGET_DIR', True) 
@@ -17,21 +18,14 @@ python () { d.appendVar('do_install', installDir) d.appendVar('do_install', cpWolfsslPyTest) +} - # Append to FILES:${PN} within the Python function - pn = d.getVar('PN', True) - wolfssl_py_dir = d.getVar('WOLFSSL_PY_DIR', True) - - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfssl_py_dir + '/*' - d.setVar(files_var_name, new_files) +python __anonymous() { + pn = d.getVar('PN') or d.getVar('PN', True) + wolfssl_py_dir = d.getVar('WOLFSSL_PY_DIR') or d.getVar('WOLFSSL_PY_DIR', True) + + wolfssl_varAppend(d, 'FILES', pn, ' ' + wolfssl_py_dir + '/*') } # Python Specific option export PYTHONDONTWRITEBYTECODE = "1" - diff --git a/inc/wolfcryptbenchmark/wolfssl-enable-wolfcryptbenchmark.inc b/inc/wolfcryptbenchmark/wolfssl-enable-wolfcryptbenchmark.inc index de8c7334..9fce1a8d 100644 --- a/inc/wolfcryptbenchmark/wolfssl-enable-wolfcryptbenchmark.inc +++ b/inc/wolfcryptbenchmark/wolfssl-enable-wolfcryptbenchmark.inc @@ -1,13 +1,10 @@ # Configuration to enable wolfcryptbenchmark support in wolfssl -EXTRA_OECONF += "--enable-crypttests" -python () { - files_var = 'FILES:' + d.getVar('PN') - d.appendVar(files_var, ' ${bindir}/wolfcryptbenchmark') -} +inherit wolfssl-compatibility + +EXTRA_OECONF += "--enable-crypttests" -do_install:append() { - bbnote "Installing wolfCrypt Benchmarks" +do_install_wolfcryptbenchmark() { if [ ! -x "${B}/wolfcrypt/benchmark/.libs/benchmark" ]; then bbwarn "wolfCrypt benchmark binary missing at ${B}/wolfcrypt/benchmark/.libs/benchmark" return 
@@ -16,4 +13,11 @@ do_install:append() { install -Dm0755 "${B}/wolfcrypt/benchmark/.libs/benchmark" "${D}${bindir}/wolfcryptbenchmark" } +addtask do_install_wolfcryptbenchmark after do_install before do_package +do_install_wolfcryptbenchmark[fakeroot] = "1" + +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${bindir}/wolfcryptbenchmark') +} + TARGET_CFLAGS += "-DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256 -DBENCH_EMBEDDED" diff --git a/inc/wolfcrypttest/wolfssl-enable-wolfcrypttest.inc b/inc/wolfcrypttest/wolfssl-enable-wolfcrypttest.inc index efd6f147..5b5285e9 100644 --- a/inc/wolfcrypttest/wolfssl-enable-wolfcrypttest.inc +++ b/inc/wolfcrypttest/wolfssl-enable-wolfcrypttest.inc @@ -1,13 +1,10 @@ # Configuration to enable wolfcrypttest support in wolfssl -EXTRA_OECONF += "--enable-crypttests" -python () { - files_var = 'FILES:' + d.getVar('PN') - d.appendVar(files_var, ' ${bindir}/wolfcrypttest') -} +inherit wolfssl-compatibility + +EXTRA_OECONF += "--enable-crypttests" -do_install:append() { - bbnote "Installing wolfCrypt Tests" +do_install_wolfcrypttest() { if [ ! -x "${B}/wolfcrypt/test/.libs/testwolfcrypt" ]; then bbwarn "wolfCrypt test binary missing at ${B}/wolfcrypt/test/.libs/testwolfcrypt" return @@ -16,4 +13,12 @@ do_install:append() { install -Dm0755 "${B}/wolfcrypt/test/.libs/testwolfcrypt" "${D}${bindir}/wolfcrypttest" } +addtask do_install_wolfcrypttest after do_install before do_package +do_install_wolfcrypttest[fakeroot] = "1" + +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${bindir}/wolfcrypttest') +} + TARGET_CFLAGS += "-DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256 -DWOLFSSL_RSA_KEY_CHECK -DNO_WRITE_TEMP_FILES" + diff --git a/inc/wolfprovider/openssh/openssh-enable-wolfprovider.inc b/inc/wolfprovider/openssh/openssh-enable-wolfprovider.inc index b4d64295..75314013 100644 --- a/inc/wolfprovider/openssh/openssh-enable-wolfprovider.inc +++ b/inc/wolfprovider/openssh/openssh-enable-wolfprovider.inc 
@@ -1,20 +1,23 @@ # OpenSSH wolfProvider FIPS mode configuration # Include this file for standard wolfProvider integration as a provider plugin -# Bring in the openssh patch from the OSP repository (target only) -SRC_URI:append:class-target = " \ - git://github.com/wolfSSL/osp.git;protocol=https;branch=master;name=osp;destsuffix=git/osp \ -" +inherit wolfssl-compatibility # Track the revision for the OSP auxiliary repo fetch SRCREV_osp = "${AUTOREV}" -# Ensure BitBake can locate the updated run-ptest script in this include's files directory -FILESEXTRAPATHS:prepend := "${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssh/files:" -SRC_URI:append:class-target = " file://run-ptest" +python __anonymous() { + if bb.data.inherits_class('target', d): + # Bring in the openssh patch from the OSP repository + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' git://github.com/wolfSSL/osp.git;protocol=https;branch=master;name=osp;destsuffix=git/osp') + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' file://run-ptest') + + # Ensure BitBake can locate the updated run-ptest script in this include's files directory + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssh/files:') +} # Apply the patch for the correct version of OpenSSH -python do_patch:append:class-target () { +python do_patch_openssh_wolfprov() { import os, subprocess # Only run this when FIPS is enabled if not bb.utils.contains('IMAGE_FEATURES', 'fips', True, False, d): @@ -36,3 +39,6 @@ python do_patch:append:class-target () { except Exception as e: bb.warn(f"{patch_path}: Error applying patch: {e}") } + +addtask do_patch_openssh_wolfprov after do_patch before do_configure +do_patch_openssh_wolfprov[class-target] = "" diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc index c311017a..69cd275a 100644 --- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc 
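Review bot: The `osp` repository is fetched from `branch=master` with `SRCREV_osp = "${AUTOREV}"`, and the comments here say the OpenSSH patch comes from that checkout, so the code patched into the SSH daemon changes whenever that branch moves and no two builds are guaranteed to match. Pin the revision and bump it deliberately: `SRCREV_osp = "<full commit hash of the reviewed osp revision>"`. The gnutls and libgcrypt includes in this commit set `SRCREV_class-target = "${AUTOREV}"` in the same way, and the wolfProvider entry in openssl-enable-wolfprovider-replace-default.inc uses `rev=v1.1.0`, a tag rather than a commit hash; they deserve the same pinning.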
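Review bot: `do_patch_openssh_wolfprov[class-target] = ""` sets a varflag called `class-target`, which BitBake does not interpret as far as I know, so unless `wolfssl-compatibility` acts on it the new task is registered for native and nativesdk variants as well, where the removed `do_patch:append:class-target` ran for target only. An early return at the top of the function makes the restriction explicit: `if d.getVar('CLASSOVERRIDE') != 'class-target': return`. The function body starts outside this hunk. The same flag is used for the new tasks in the gnutls include and in both openssl wolfProvider includes.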
+++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc @@ -2,18 +2,26 @@ # This file is included when wolfProvider is configured to replace OpenSSL's default crypto provider # It should be included from the image recipe when replace-default mode is desired +inherit wolfssl-compatibility + # Build OpenSSL as plain, non-FIPS OpenSSL # wolfProvider will provide FIPS functionality using wolfSSL FIPS -PACKAGECONFIG:class-target = "" -EXTRA_OECONF:append:class-target = " no-fips shared " +python __anonymous() { + # Only apply to class-target + if bb.data.inherits_class('target', d): + d.setVar('PACKAGECONFIG', '') + wolfssl_varAppendNonOverride(d, 'EXTRA_OECONF', ' no-fips shared ') + wolfssl_varAppend(d, 'RDEPENDS', 'libcrypto3', ' wolfprovider') + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' git://github.com/wolfSSL/wolfProvider.git;protocol=https;nobranch=1;rev=v1.1.0;destsuffix=git/wolfProvider') +} # OpenSSL target-only tweaks for replace-default mode -do_configure:prepend:class-target () { +do_configure_version_metadata() { set -eu # Be explicit about where we are - echo "TARGET do_configure prepend: S='${S}', B='${B}'" + echo "TARGET do_configure: S='${S}', B='${B}'" vfile="${S}/VERSION.dat" @@ -30,11 +38,13 @@ do_configure:prepend:class-target () { if echo "${IMAGE_FEATURES}" | grep -qw "fips"; then sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/' $vfile fi - } +addtask do_configure_version_metadata after do_unpack before do_configure +do_configure_version_metadata[class-target] = "" + # Override do_configure to filter enable-fips from the actual configure command -do_configure:append:class-target () { +do_configure_filter_fips() { # The base do_configure uses ${PACKAGECONFIG_CONFARGS} which still has enable-fips # We need to regenerate it without enable-fips # Re-run configure with enable-fips explicitly removed 
@@ -63,15 +73,10 @@ do_configure:append:class-target () { fi } -# Ensure provider is present on TARGET runtime (doesn't touch -native/-nativesdk) -RDEPENDS:libcrypto3:append:class-target = " wolfprovider" - -# Bring in the replace-default patch (target only) -SRC_URI:append:class-target = " \ - git://github.com/wolfSSL/wolfProvider.git;protocol=https;nobranch=1;rev=v1.1.0;destsuffix=git/wolfProvider \ -" +addtask do_configure_filter_fips after do_configure before do_compile +do_configure_filter_fips[class-target] = "" -python do_patch:append:class-target () { +python do_patch_replace_default() { import os, subprocess s = d.getVar("S") patch_path = os.path.join(d.getVar("WORKDIR"), "git/wolfProvider/patches/openssl3-replace-default.patch") @@ -79,7 +84,7 @@ python do_patch:append:class-target () { # Try to apply patch; if it fails with "already applied", log it and continue try: # First check with --dry-run to see if patch can be applied - result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], + result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], capture_output=True, text=True, check=False) if result.returncode == 0: bb.note("REPLACE-DEFAULT MODE: Patch can be applied, applying now...") @@ -89,7 +94,7 @@ python do_patch:append:class-target () { bb.debug(1, f"Patch check output: {result.stderr}") except Exception as e: bb.warn(f"REPLACE-DEFAULT MODE: Error applying patch: {e}") - + # Export ossl_provider_* symbols by patching libcrypto.num # This is required for replace-default unit tests to link libcrypto_num = os.path.join(s, "util", "libcrypto.num") @@ -99,7 +104,7 @@ python do_patch:append:class-target () { # Read the file to find the last symbol number and version with open(libcrypto_num, 'r') as f: lines = f.readlines() - + # Find the last symbol number and version last_num = 0 last_version = "3.0.0" 
@@ -114,14 +119,14 @@ python do_patch:append:class-target () { last_version = parts[2] except ValueError: pass - + # Check if symbols are already added with open(libcrypto_num, 'r') as f: content = f.read() if 'ossl_provider_new' in content: bb.note("REPLACE-DEFAULT MODE: ossl_provider_* symbols already in libcrypto.num") return - + # Append the 6 provider symbols symbols_to_add = [ ("ossl_provider_new", last_num + 1), @@ -131,12 +136,12 @@ python do_patch:append:class-target () { ("ossl_provider_free", last_num + 5), ("ossl_default_provider_init", last_num + 6), ] - + with open(libcrypto_num, 'a') as f: for symbol_name, symbol_num in symbols_to_add: # Format: symbol_name NUM VERSION EXIST::FUNCTION: f.write(f"{symbol_name:<40} {symbol_num}\t{last_version}\tEXIST::FUNCTION:\n") - + bb.note(f"REPLACE-DEFAULT MODE: Added {len(symbols_to_add)} provider symbols to libcrypto.num") except Exception as e: bb.warn(f"REPLACE-DEFAULT MODE: Error patching libcrypto.num: {e}") @@ -144,10 +149,13 @@ python do_patch:append:class-target () { bb.warn(f"REPLACE-DEFAULT MODE: libcrypto.num not found at {libcrypto_num}") } +addtask do_patch_replace_default after do_patch before do_configure +do_patch_replace_default[class-target] = "" + # Disable internal keymgmt tests under wolfprovider FIPS mode which # fails on the FACTOR3 and EXPONENT3 and COEFFICIENT2 parameters which # are not supported by wolfProvider. -python do_patch:append:class-target () { +python do_patch_disable_keymgmt_tests() { import os, subprocess # Only run this when FIPS is enabled if not bb.utils.contains('IMAGE_FEATURES', 'fips', True, False, d): 
@@ -164,7 +172,7 @@ python do_patch:append:class-target () { # Try to apply the patch; if it fails with "already applied", log it and continue try: - result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], + result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], capture_output=True, text=True, check=False) if result.returncode == 0: bb.note("openssl-disable-internal-keymgmt-tests.patch can be applied, applying now...") @@ -176,7 +184,13 @@ python do_patch:append:class-target () { bb.warn(f"openssl-disable-internal-keymgmt-tests.patch: Error applying patch: {e}") } -do_install:append() { +addtask do_patch_disable_keymgmt_tests after do_patch_replace_default before do_configure +do_patch_disable_keymgmt_tests[class-target] = "" + +do_install_replace_default_config() { install -d ${D}${sysconfdir}/openssl echo "1" > ${D}${sysconfdir}/openssl/replace-default-enabled } + +addtask do_install_replace_default_config after do_install before do_package +do_install_replace_default_config[fakeroot] = "1" diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc index 0e272336..c78f7a0f 100644 --- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc 
@@ -1,17 +1,22 @@ # OpenSSL standalone wolfProvider mode configuration # Include this file for standard wolfProvider integration as a provider plugin +inherit wolfssl-compatibility + EXTRA_OECONF += " no-fips shared " -do_install:append() { +do_install_wolfprovider_config() { install -d ${D}${sysconfdir}/openssl echo "0" > ${D}${sysconfdir}/openssl/replace-default-enabled } +addtask do_install_wolfprovider_config after do_install before do_package +do_install_wolfprovider_config[fakeroot] = "1" + # Disable internal keymgmt tests under wolfprovider FIPS mode which # fails on the FACTOR3 and EXPONENT3 and COEFFICIENT2 parameters which # are not supported by wolfProvider. -python do_patch:append:class-target () { +python do_patch_disable_keymgmt_tests() { import os, subprocess # Only run this when FIPS is enabled if not bb.utils.contains('IMAGE_FEATURES', 'fips', True, False, d): @@ -28,7 +33,7 @@ python do_patch:append:class-target () { # Try to apply the patch; if it fails with "already applied", log it and continue try: - result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], + result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], capture_output=True, text=True, check=False) if result.returncode == 0: bb.note("openssl-disable-internal-keymgmt-tests.patch can be applied, applying now...") @@ -40,3 +45,5 @@ python do_patch:append:class-target () { bb.warn(f"openssl-disable-internal-keymgmt-tests.patch: Error applying patch: {e}") } +addtask do_patch_disable_keymgmt_tests after do_patch before do_configure +do_patch_disable_keymgmt_tests[class-target] = "" diff --git a/inc/wolfprovider/wolfprovider-enable-replace-default-unittest.inc b/inc/wolfprovider/wolfprovider-enable-replace-default-unittest.inc index ec0536b4..a6ebbc8e 100644 --- a/inc/wolfprovider/wolfprovider-enable-replace-default-unittest.inc +++ b/inc/wolfprovider/wolfprovider-enable-replace-default-unittest.inc 
@@ -1,5 +1,7 @@ # Enable replace default unit tests with wolfProvider +inherit wolfssl-compatibility + # Also export as environment variable for configure script compatibility export WOLFPROV_REPLACE_DEFAULT = "1" export WOLFPROV_REPLACE_DEFAULT_TESTING = "1" @@ -7,8 +9,8 @@ export WOLFPROV_REPLACE_DEFAULT_TESTING = "1" # Enable unit tests that use internal OpenSSL provider functions # These functions (ossl_provider_new, ossl_provider_activate, etc.) are only available # when OpenSSL is patched with the replace-default patch -CPPFLAGS:append = " -DWOLFPROV_REPLACE_DEFAULT" -CPPFLAGS:append = " -DWOLFPROV_REPLACE_DEFAULT_UNIT_TEST" -CPPFLAGS:append = " -DWOLFPROV_QUICKTEST" - - +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'CPPFLAGS', ' -DWOLFPROV_REPLACE_DEFAULT') + wolfssl_varAppendNonOverride(d, 'CPPFLAGS', ' -DWOLFPROV_REPLACE_DEFAULT_UNIT_TEST') + wolfssl_varAppendNonOverride(d, 'CPPFLAGS', ' -DWOLFPROV_QUICKTEST') +} diff --git a/inc/wolfprovider/wolfprovider-enable-unittest.inc b/inc/wolfprovider/wolfprovider-enable-unittest.inc index 114f3010..8499aec8 100644 --- a/inc/wolfprovider/wolfprovider-enable-unittest.inc +++ b/inc/wolfprovider/wolfprovider-enable-unittest.inc 
@@ -1,19 +1,19 @@ # Configuration to enable wolfProvider unit tests # Modeled exactly after wolfcrypttest approach - simple and clean +inherit wolfssl-compatibility + # Set FILESEXTRAPATHS and SRC_URI early using Python to ensure correct evaluation order python __anonymous() { layerdir = d.getVar('WOLFSSL_LAYERDIR') if not layerdir: bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured") - + # Set FILESEXTRAPATHS first, then SRC_URI - filespath = layerdir + "/recipes-examples/wolfprovider/wolfprovidertest/files:" - existing_paths = d.getVar('FILESEXTRAPATHS') or '' - d.setVar('FILESEXTRAPATHS', filespath + existing_paths) - + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', layerdir + '/recipes-examples/wolfprovider/wolfprovidertest/files:') + # Add SRC_URI entry - d.appendVar('SRC_URI', ' file://wolfprovidertest.sh') + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' file://wolfprovidertest.sh') } # Unit test directory and binary names @@ -26,8 +26,8 @@ WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs" # Override CERTS_DIR to point to the installed location instead of build directory # First undefine CERTS_DIR (in case autotools defined it), then redefine it -CFLAGS:append = ' -UCERTS_DIR -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' -CXXFLAGS:append = ' -UCERTS_DIR -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' +CFLAGS += ' -UCERTS_DIR -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' +CXXFLAGS += ' -UCERTS_DIR -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' # Simple installation using Python function, exactly like wolfcrypttest python () { 
@@ -41,16 +41,16 @@ python () { bbnote = 'bbnote "Installing wolfProvider Tests"\n' installDir = 'install -m 0755 -d "%s"\n' % (install_dir) - + # Try multiple locations for the test binary (exactly like wolfcrypttest) cpTest = 'if [ -f "%s/%s" ]; then cp "%s/%s" "%s/%s"; ' % (test_dir, test_bin, test_dir, test_bin, install_dir, test_yocto) cpTest += 'elif [ -f "${B}/test/%s" ]; then cp "${B}/test/%s" "%s/%s"; ' % (test_bin, test_bin, install_dir, test_yocto) cpTest += 'elif [ -f "${B}/%s" ]; then cp "${B}/%s" "%s/%s"; fi\n' % (test_bin, test_bin, install_dir, test_yocto) - + # Install wrapper script installScript = 'cp "${WORKDIR}/wolfprovidertest.sh" "%s/wolfprovidertest"\n' % (install_dir) installScript += 'chmod 755 "%s/wolfprovidertest"\n' % (install_dir) - + # Install certificates installCerts = 'bbnote "Installing wolfProvider Certificates"\n' installCerts += 'install -m 0755 -d "%s"\n' % (certs_install_dir) 
@@ -66,29 +66,28 @@ python () { # Append test files and library files to FILES using Python python __anonymous() { pn = d.getVar('PN') - - # Get existing FILES value (set by autotools class and base recipe) - existing_files = d.getVar('FILES:' + pn) or '' - - # Append our test files (don't re-add library files - they're in base recipe FILES) + + # Get existing FILES value using compatibility function + existing_files = wolfssl_varGet(d, 'FILES', pn) or '' + + # Append our test files new_files = existing_files + ' ' + ' '.join([ '${bindir}/wolfprovidertest', '${bindir}/unit.test', '${datadir}/wolfprovider-test/certs/*' ]) - - # Set the combined value (this avoids the "replaces original key" warning) - d.setVar('FILES:' + pn, new_files) - + + # Set using compatibility function + wolfssl_varSet(d, 'FILES', pn, new_files) + # Same approach for RDEPENDS - existing_rdepends = d.getVar('RDEPENDS:' + pn) or '' + existing_rdepends = wolfssl_varGet(d, 'RDEPENDS', pn) or '' new_rdepends = existing_rdepends + ' bash wolfproviderenv' - d.setVar('RDEPENDS:' + pn, new_rdepends) - + wolfssl_varSet(d, 'RDEPENDS', pn, new_rdepends) + # Same approach for INSANE_SKIP - existing_skip = d.getVar('INSANE_SKIP:' + pn) or '' + existing_skip = wolfssl_varGet(d, 'INSANE_SKIP', pn) or '' new_skip = existing_skip + ' dev-so build-deps' - d.setVar('INSANE_SKIP:' + pn, new_skip) + wolfssl_varSet(d, 'INSANE_SKIP', pn, new_skip) } - diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc index e7eb34ff..8e1a620b 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc 
@@ -1,6 +1,8 @@ # Configuration to enable wolfprovider FIPS support in wolfssl # To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF +inherit wolfssl-compatibility + EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist" TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA" @@ -8,15 +10,20 @@ TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA" WOLFSSL_ISFIPS = "1" # commercial bundle missing stamp-h.in required by automake with 5.2.1 -do_configure:prepend() { +do_create_stamp_h() { if [ ! -f ${S}/stamp-h.in ]; then touch ${S}/stamp-h.in fi } -do_install:append() { +addtask do_create_stamp_h after do_unpack before do_configure + + +do_install_wolfprovider_fips() { install -d ${D}${sysconfdir}/wolfssl echo "1" > ${D}${sysconfdir}/wolfssl/fips-enabled } +addtask do_install_wolfprovider_fips after do_install before do_package +do_install_wolfprovider_fips[fakeroot] = "1" diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc index f857e98f..12555553 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc 
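Review bot: `do_create_stamp_h` in the second hunk of wolfssl-enable-wolfprovider-fips.inc does the same work as `do_configure_create_stamph`, which this commit also adds to both wolfssl-fips.bbappend files (wolfprovider-image-minimal and wolfprovider-replace-default-image-minimal). Those bbappends require this .inc, so a wolfssl-fips build gets two tasks that touch `${S}/stamp-h.in`. They are ordered differently (`after do_unpack` here, `after do_patch` there) and have no ordering between them, so the one defined here can run while do_patch is still working in `${S}`. I would keep a single definition in this .inc, ordered as `addtask do_create_stamp_h after do_patch before do_configure`, and drop the copies from the two FIPS bbappends.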
@@ -1,15 +1,19 @@ # Configuration to enable wolfprovider support in wolfssl # To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF +inherit wolfssl-compatibility + EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha" TARGET_CFLAGS += " -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM" # Use a marker file to signal we are a non-FIPS build WOLFSSL_ISFIPS = "0" -do_install:append() { +do_install_wolfprovider() { install -d ${D}${sysconfdir}/wolfssl echo "0" > ${D}${sysconfdir}/wolfssl/fips-enabled } +addtask do_install_wolfprovider after do_install before do_package +do_install_wolfprovider[fakeroot] = "1" diff --git a/recipes-core/images/gnutls-image-minimal/gnutls_%.bbappend b/recipes-core/images/gnutls-image-minimal/gnutls_%.bbappend index 16519a8b..8dd1ccf6 100644 --- a/recipes-core/images/gnutls-image-minimal/gnutls_%.bbappend +++ b/recipes-core/images/gnutls-image-minimal/gnutls_%.bbappend @@ -6,9 +6,12 @@ inherit wolfssl-osp-support python __anonymous() { + yocto_version = d.getVar('LAYERSERIES_CORENAMES') or '' + inc_path = f'inc/{yocto_version}/gnutls/gnutls-enable-wolfssl.inc' + wolfssl_osp_include_if_provider( d, - inc_file='inc/gnutls/gnutls-enable-wolfssl.inc', + inc_file=inc_path, allowed_providers=['wolfssl-fips'] ) } diff --git a/recipes-core/images/gnutls-image-minimal/nettle_%.bbappend b/recipes-core/images/gnutls-image-minimal/nettle_%.bbappend index fd625ee7..4c98aace 100644 --- a/recipes-core/images/gnutls-image-minimal/nettle_%.bbappend +++ b/recipes-core/images/gnutls-image-minimal/nettle_%.bbappend @@ -3,4 +3,4 @@ # the latest release of gnutls. # -require ${WOLFSSL_LAYERDIR}/inc/nettle/nettle.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/nettle/nettle.inc 
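Review bot: `inc_path` in the gnutls_%.bbappend hunk is built from `LAYERSERIES_CORENAMES` without checking the value: the `or ''` fallback yields `inc//gnutls/gnutls-enable-wolfssl.inc`, and a value holding more than one series name yields a path with a space in it. What `wolfssl_osp_include_if_provider` does with a path that does not exist is not visible here; if it skips the include, gnutls would build without the wolfSSL FIPS configuration and nothing would report it. I would fail the parse instead, with `if len(yocto_version.split()) != 1: bb.fatal("Cannot select inc/SERIES/: LAYERSERIES_CORENAMES = '%s'" % yocto_version)` placed before `inc_path` is built. The same three lines are added to the gnupg, libgcrypt and both curl bbappends later in this diff; the plain `require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/...` lines already stop the build at parse time when the file is missing.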
diff --git a/recipes-core/images/libgcrypt-image-minimal/gnupg_%.bbappend b/recipes-core/images/libgcrypt-image-minimal/gnupg_%.bbappend index 815e0b81..7f238cdb 100644 --- a/recipes-core/images/libgcrypt-image-minimal/gnupg_%.bbappend +++ b/recipes-core/images/libgcrypt-image-minimal/gnupg_%.bbappend @@ -6,9 +6,12 @@ inherit wolfssl-osp-support python __anonymous() { + yocto_version = d.getVar('LAYERSERIES_CORENAMES') or '' + inc_path = f'inc/{yocto_version}/gnupg/gnupg-enable-libgcrypt-wolfssl.inc' + wolfssl_osp_include_if_provider( d, - inc_file='inc/gnupg/gnupg-enable-libgcrypt-wolfssl.inc', + inc_file=inc_path, allowed_providers=['wolfssl-fips'] ) } diff --git a/recipes-core/images/libgcrypt-image-minimal/libgcrypt_%.bbappend b/recipes-core/images/libgcrypt-image-minimal/libgcrypt_%.bbappend index e2045902..de109a84 100644 --- a/recipes-core/images/libgcrypt-image-minimal/libgcrypt_%.bbappend +++ b/recipes-core/images/libgcrypt-image-minimal/libgcrypt_%.bbappend @@ -6,9 +6,12 @@ inherit wolfssl-osp-support python __anonymous() { + yocto_version = d.getVar('LAYERSERIES_CORENAMES') or '' + inc_path = f'inc/{yocto_version}/libgcrypt/libgcrypt-enable-wolfssl.inc' + wolfssl_osp_include_if_provider( d, - inc_file='inc/libgcrypt/libgcrypt-enable-wolfssl.inc', + inc_file=inc_path, allowed_providers=['wolfssl-fips'] ) } diff --git a/recipes-core/images/libgcrypt-image-minimal/libssh_%.bbappend b/recipes-core/images/libgcrypt-image-minimal/libssh_%.bbappend new file mode 100644 index 00000000..152a659e --- /dev/null +++ b/recipes-core/images/libgcrypt-image-minimal/libssh_%.bbappend @@ -0,0 +1 @@ +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/libssh/libssh-enable-libgcrypt-wolfssl.inc diff --git a/recipes-core/images/libgcrypt-image-minimal/rsyslog_%.bbappend b/recipes-core/images/libgcrypt-image-minimal/rsyslog_%.bbappend new file mode 100644 index 00000000..378d04b6 --- /dev/null +++ b/recipes-core/images/libgcrypt-image-minimal/rsyslog_%.bbappend 
@@ -0,0 +1,2 @@ +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/rsyslog/rsyslog-enable-fips-crypto.inc + diff --git a/recipes-core/images/wolfclu-combined-image-minimal/wolfclu-combined-image-minimal.bb b/recipes-core/images/wolfclu-combined-image-minimal/wolfclu-combined-image-minimal.bb index a5877bb6..a2499f93 100644 --- a/recipes-core/images/wolfclu-combined-image-minimal/wolfclu-combined-image-minimal.bb +++ b/recipes-core/images/wolfclu-combined-image-minimal/wolfclu-combined-image-minimal.bb @@ -3,11 +3,12 @@ DESCRIPTION = "A combined demonstration image including wolfclu, wolfssl-py, and require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb -IMAGE_INSTALL:append = " \ - wolfclu \ - wolfssl-py wolfcrypt-py wolf-py-tests python3 python3-cffi python3-pytest \ - ca-certificates \ -" +inherit wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfclu wolfssl-py wolfcrypt-py wolf-py-tests python3 python3-cffi python3-pytest ca-certificates') + wolfssl_varAppendNonOverride(d, 'ROOTFS_POSTPROCESS_COMMAND', ' setup_dns_config; ') +} IMAGE_FEATURES += "package-management" @@ -48,6 +49,3 @@ EOF chmod 755 ${IMAGE_ROOTFS}/etc/init.d/dns-config ln -sf ../init.d/dns-config ${IMAGE_ROOTFS}/etc/rcS.d/S99dns-config } - -ROOTFS_POSTPROCESS_COMMAND:append = " setup_dns_config; " - diff --git a/recipes-core/images/wolfclu-image-minimal/wolfclu-image-minimal.bb b/recipes-core/images/wolfclu-image-minimal/wolfclu-image-minimal.bb index 1c1aeffb..18d6afc2 100644 --- a/recipes-core/images/wolfclu-image-minimal/wolfclu-image-minimal.bb +++ b/recipes-core/images/wolfclu-image-minimal/wolfclu-image-minimal.bb 
@@ -1,9 +1,10 @@ SUMMARY = "Minimal image with wolfSSL, test utilities, and wolfCLU" DESCRIPTION = "A minimal Linux image that includes wolfSSL library, test/benchmark utilities, and wolfCLU command-line utility" -# Add wolfCLU configured with wolfSSL support -# The wolfssl_%.bbappend in this directory configures wolfSSL with --enable-wolfclu -IMAGE_INSTALL:append = " wolfclu" +inherit wolfssl-compatibility -require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfclu') +} +require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/curl_%.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/curl_%.bbappend index 4b029867..40c66bfe 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/curl_%.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/curl_%.bbappend @@ -5,9 +5,12 @@ inherit wolfssl-osp-support python __anonymous() { + yocto_version = d.getVar('LAYERSERIES_CORENAMES') or '' + inc_path = f'inc/{yocto_version}/curl/curl-enable-wolfprovider-fips.inc' + wolfssl_osp_include_if_provider( d, - inc_file='inc/curl/curl-enable-wolfprovider-fips.inc', + inc_file=inc_path, allowed_providers=['wolfssl-fips'] ) } diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/librelp_%.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/librelp_%.bbappend index afc7301a..dde3c5f4 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/librelp_%.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/librelp_%.bbappend @@ -1 +1 @@ -require ${WOLFSSL_LAYERDIR}/inc/librelp/librelp-ptest.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/librelp/librelp-ptest.inc 
diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb index 709ce9b0..61897bf7 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb +++ b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb @@ -1,24 +1,10 @@ SUMMARY = "Minimal image with wolfSSL, test utilities, and wolfProvider" DESCRIPTION = "A minimal Linux image that includes wolfSSL library, test/benchmark utilities, and wolfProvider for OpenSSL 3.x integration" -# Add wolfProvider packages with OpenSSL 3.x support -# The wolfssl_%.bbappend in this directory configures wolfSSL with wolfProvider features -IMAGE_INSTALL:append = " \ - wolfssl \ - wolfprovider \ - openssl \ - openssl-bin \ -" +inherit wolfssl-compatibility -# Add test utilities which are not strictly necessary for the image -IMAGE_INSTALL:append = " \ - openssl-ptest \ - wolfprovidertest \ - wolfprovidercmd \ - wolfproviderenv \ - bash \ -" +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfssl wolfprovider openssl openssl-bin openssl-ptest wolfprovidertest wolfprovidercmd wolfproviderenv bash') +} require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb - - diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider_%.bbappend index 6dcd1606..ae2cd52f 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider_%.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfprovider_%.bbappend 
@@ -4,6 +4,9 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc # Enable unit tests for wolfprovider require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfprovider-enable-unittest.inc -# Enable quick test mode for standalone mode -CPPFLAGS:append = " -DWOLFPROV_QUICKTEST" +inherit wolfssl-compatibility +# Enable quick test mode for standalone mode +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'CPPFLAGS', ' -DWOLFPROV_QUICKTEST') +} diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl-fips.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl-fips.bbappend index 9855e6d7..84b72d8e 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl-fips.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl-fips.bbappend @@ -6,10 +6,10 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc # Fix for commercial bundle missing stamp-h.in required by automake -do_configure:prepend() { +do_configure_create_stamph() { if [ ! -f ${S}/stamp-h.in ]; then touch ${S}/stamp-h.in fi } - +addtask do_configure_create_stamph after do_patch before do_configure diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl_%.bbappend index ef3e6225..bc1fbc67 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl_%.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-image-minimal/wolfssl_%.bbappend @@ -6,10 +6,10 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc # Fix for commercial bundle missing stamp-h.in required by automake -do_configure:prepend() { +do_configure_create_stamph() { if [ ! -f ${S}/stamp-h.in ]; then touch ${S}/stamp-h.in fi } - +addtask do_configure_create_stamph after do_patch before do_configure 
diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/curl_%.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/curl_%.bbappend index 4b029867..40c66bfe 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/curl_%.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/curl_%.bbappend @@ -5,9 +5,12 @@ inherit wolfssl-osp-support python __anonymous() { + yocto_version = d.getVar('LAYERSERIES_CORENAMES') or '' + inc_path = f'inc/{yocto_version}/curl/curl-enable-wolfprovider-fips.inc' + wolfssl_osp_include_if_provider( d, - inc_file='inc/curl/curl-enable-wolfprovider-fips.inc', + inc_file=inc_path, allowed_providers=['wolfssl-fips'] ) } diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/librelp_%.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/librelp_%.bbappend index afc7301a..dde3c5f4 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/librelp_%.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/librelp_%.bbappend @@ -1 +1 @@ -require ${WOLFSSL_LAYERDIR}/inc/librelp/librelp-ptest.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/librelp/librelp-ptest.inc diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb index c0de6c80..a3045f6c 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb 
+++ b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb @@ -1,24 +1,10 @@ SUMMARY = "Minimal image with wolfSSL, test utilities, and wolfProvider in replace-default mode" DESCRIPTION = "A minimal Linux image that includes wolfSSL library, and wolfProvider configured to replace OpenSSL's default provider" -# Add wolfProvider packages with OpenSSL 3.x support in replace-default mode -# The openssl_%.bbappend in this directory configures OpenSSL with replace-default mode -# Unit tests are disabled in replace-default mode for now until we have a way to correctly run them -IMAGE_INSTALL:append = " \ - wolfssl \ - wolfprovider \ - openssl \ - openssl-bin \ -" +inherit wolfssl-compatibility -# Add test utilities which are not strictly necessary for the image -IMAGE_INSTALL:append = " \ - openssl-ptest \ - wolfprovidertest \ - wolfprovidercmd \ - wolfproviderenv \ - bash \ -" +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfssl wolfprovider openssl openssl-bin openssl-ptest wolfprovidertest wolfprovidercmd wolfproviderenv bash') +} require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb - diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl-fips.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl-fips.bbappend index 9855e6d7..84b72d8e 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl-fips.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl-fips.bbappend 
@@ -6,10 +6,10 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc # Fix for commercial bundle missing stamp-h.in required by automake -do_configure:prepend() { +do_configure_create_stamph() { if [ ! -f ${S}/stamp-h.in ]; then touch ${S}/stamp-h.in fi } - +addtask do_configure_create_stamph after do_patch before do_configure diff --git a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend index ef3e6225..bc1fbc67 100644 --- a/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend +++ b/recipes-core/images/wolfprovider-images/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend @@ -6,10 +6,10 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc # Fix for commercial bundle missing stamp-h.in required by automake -do_configure:prepend() { +do_configure_create_stamph() { if [ ! -f ${S}/stamp-h.in ]; then touch ${S}/stamp-h.in fi } - +addtask do_configure_create_stamph after do_patch before do_configure diff --git a/recipes-core/images/wolfssl-combined-image-minimal/wolfssl-combined-image-minimal.bb b/recipes-core/images/wolfssl-combined-image-minimal/wolfssl-combined-image-minimal.bb index c71011bf..7fe691bb 100644 --- a/recipes-core/images/wolfssl-combined-image-minimal/wolfssl-combined-image-minimal.bb +++ b/recipes-core/images/wolfssl-combined-image-minimal/wolfssl-combined-image-minimal.bb 
@@ -3,33 +3,28 @@ DESCRIPTION = "A combined demonstration image including wolfssh, wolfmqtt, wolfp require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb -IMAGE_INSTALL:append = " \ - wolfssh \ - wolfmqtt \ - wolfprovider wolfprovidertest openssl openssl-bin \ - wolftpm-wrap-test tpm2-tools tpm2-tss libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim \ - bash \ -" +inherit wolfssl-compatibility -IMAGE_FEATURES += "package-management" +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfssh wolfmqtt wolfprovider wolfprovidertest openssl openssl-bin wolftpm-wrap-test tpm2-tools tpm2-tss libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim bash') + wolfssl_varAppendNonOverride(d, 'DISTRO_FEATURES', ' security tpm tpm2') + wolfssl_varAppendNonOverride(d, 'MACHINE_FEATURES', ' tpm tpm2') + wolfssl_varAppendNonOverride(d, 'KERNEL_FEATURES', ' features/tpm/tpm.scc') +} -# TPM support -DISTRO_FEATURES:append = " security tpm tpm2" -MACHINE_FEATURES:append = " tpm tpm2" -KERNEL_FEATURES:append = " features/tpm/tpm.scc" +IMAGE_FEATURES += "package-management" # Validate TPM features are enabled python __anonymous() { distro_features = d.getVar('DISTRO_FEATURES') or '' if 'tpm' not in distro_features or 'tpm2' not in distro_features or 'security' not in distro_features: bb.fatal("TPM support requires 'DISTRO_FEATURES += \"security tpm tpm2\"' in local.conf") - + machine_features = d.getVar('MACHINE_FEATURES') or '' if 'tpm' not in machine_features or 'tpm2' not in machine_features: bb.fatal("TPM support requires 'MACHINE_FEATURES += \"tpm tpm2\"' in local.conf") - + kernel_features = d.getVar('KERNEL_FEATURES') or '' if 'features/tpm/tpm.scc' not in kernel_features: bb.fatal("TPM support requires 'KERNEL_FEATURES += \"features/tpm/tpm.scc\"' in local.conf") } - 
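Review bot: The TPM validation function at the end of this hunk cannot fail, because the anonymous function added above it appends `security tpm tpm2`, `tpm tpm2` and `features/tpm/tpm.scc` to this recipe's own copy of the three variables before the checks read them (assuming the two functions run in file order). A value set from an image recipe is also local to that recipe's datastore, so the kernel and TPM recipes do not see it, and the image can pass this check while the features are missing where they matter. I would drop the three `wolfssl_varAppendNonOverride` calls for `DISTRO_FEATURES`, `MACHINE_FEATURES` and `KERNEL_FEATURES` and let the existing `bb.fatal` messages send the user to local.conf, which is what they already say. The checks are also substring tests, so `'tpm' not in distro_features` is satisfied by `tpm2` alone; testing against `distro_features.split()` would make each one exact.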
diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/README.md b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/README.md index 37506c38..0c6b40e0 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/README.md +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/README.md 
@@ -1,111 +1,251 @@ -# fips-image-minimal +# FIPS Image Minimal - Comprehensive FIPS Demonstration Image -Minimal demo image showcasing FIPS integration with libgcrypt, gnutls, and wolfProvider. All components use wolfSSL FIPS as their cryptographic backend. +This image demonstrates a complete FIPS-validated Linux system using wolfSSL FIPS 140-3 certified cryptography across multiple layers: -## Configuration +- **User-space libraries**: libgcrypt and gnutls backed by wolfSSL FIPS +- **OpenSSL replacement**: wolfProvider in replace-default mode +- **Kernel module**: wolfSSL FIPS kernel module loaded via initramfs (optional) -In `build/conf/local.conf`: +## Features + +- wolfSSL FIPS 140-3 validated cryptography +- libgcrypt with wolfSSL backend +- GnuTLS with wolfSSL backend +- wolfProvider (OpenSSL 3.x provider) in replace-default mode +- OpenSSH, curl, and other applications using FIPS crypto +- Optional: wolfSSL FIPS kernel module loaded before rootfs mount +- Comprehensive test suite with ptest support + +## Requirements + +### Mandatory Configuration + +Add to your `local.conf`: ```bitbake +# Enable FIPS image WOLFSSL_DEMOS = "fips-image-minimal" + +# Include FIPS configuration require /path/to/meta-wolfssl/conf/wolfssl-fips.conf ``` -Build: +### Optional: Early Kernel Module Loading + +To load the wolfSSL FIPS kernel module in initramfs (before rootfs mounts), add to `local.conf`: + +```bitbake +# FIPS initramfs configuration +INITRAMFS_IMAGE = "fips-initramfs" +INITRAMFS_IMAGE_BUNDLE = "1" +``` + +**Why in local.conf?** +- The kernel must see `INITRAMFS_IMAGE` at its build time +- Setting it only in the image recipe doesn't work because the kernel builds before the image +- This ensures the kernel bundles the initramfs with the wolfSSL FIPS kernel module + +**When is this needed?** +- Systems requiring crypto operations before rootfs mount +- Early boot security requirements +- Kernel-space crypto dependencies on wolfSSL +- FIPS compliance requirements for 
kernel crypto + +## FIPS Configuration + +Your `wolfssl-fips.conf` should include: + +```bitbake +# wolfSSL FIPS providers (user-space) +PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" +PREFERRED_PROVIDER_wolfssl = "wolfssl-fips" + +# wolfSSL FIPS kernel module (optional, for initramfs) +PREFERRED_PROVIDER_virtual/wolfssl-linuxkm = "wolfssl-linuxkm-fips" +PREFERRED_PROVIDER_wolfssl-linuxkm = "wolfssl-linuxkm-fips" + +# FIPS bundle details +WOLFSSL_VERSION = "x.x.x" +WOLFSSL_SRC = "wolfssl-x.x.x-commercial-fips-linux" +# ... (see conf/wolfssl-fips.conf.sample for full configuration) +``` + +## Building + +### Standard Build (No Initramfs) ```bash +cd /path/to/poky +source oe-init-build-env bitbake fips-image-minimal ``` -Run in QEMU: +### With Initramfs (Kernel Module in Early Boot) ```bash -runqemu fips-image-minimal nographic +cd /path/to/poky +source oe-init-build-env + +# First build: Build initramfs and kernel with it bundled +bitbake fips-initramfs +bitbake virtual/kernel -c cleansstate +bitbake fips-image-minimal + +# Subsequent builds: Just rebuild the image +bitbake fips-image-minimal ``` -## Testing +**Note**: Only rebuild the kernel (`cleansstate`) when: +- First time enabling initramfs +- Changing `INITRAMFS_IMAGE` setting +- Updating the kernel module in `fips-initramfs` + +## Running in QEMU -### 1. Testing libgcrypt +Use the provided script: -libgcrypt is a cryptographic library that provides low-level cryptographic primitives. In this image, it's configured to use wolfSSL FIPS as its backend. +```bash +source oe-init-build-env +./run-fips-qemu.sh [MACHINE] +``` -**How the testing works:** +Supported machines: +- `qemux86-64` (default) +- `qemuarm64` +- `qemuarm` -The libgcrypt package includes a ptest suite that exercises all cryptographic functions. When you run the tests, they call libgcrypt's API, which internally uses the wolfSSL FIPS backend. 
The tests verify that all cryptographic algorithms work correctly, key generation produces valid keys, encryption/decryption operations succeed, hash functions produce correct outputs, and digital signatures can be created and verified. +## Verification -**Run libgcrypt tests:** +### Check User-Space FIPS ```bash -ptest-runner libgcrypt +# On target system +openssl version +wolfssl-fips-check +libgcrypt-config --version +gnutls-cli --version ``` -**Expected Output:** +### Check Kernel Module (if using initramfs) -``` -START: ptest-runner -BEGIN: /usr/lib/libgcrypt/ptest -PASS: basic -PASS: mpitests -PASS: t-mpi-bit -PASS: curves -PASS: fips186-dsa -... -END: /usr/lib/libgcrypt/ptest -STOP: ptest-runner +```bash +# On target system +lsmod | grep wolfssl +dmesg | grep wolfssl ``` -All tests should pass, confirming that libgcrypt is correctly using the wolfSSL FIPS backend. +The kernel module should show as loaded early in `dmesg` output, before the rootfs mount message. -**Verify library linking:** +### Run Test Suites ```bash -ldd /usr/lib/libgcrypt.so.20 -readelf -d /usr/lib/libgcrypt.so.20 | grep NEEDED +# libgcrypt tests +ptest-runner libgcrypt + +# GnuTLS tests +ptest-runner gnutls + +# wolfProvider tests +wolfprovidertest ``` -You should see `libwolfssl` in the dependency list. +## Package Contents -**Library locations:** -- Main library: `/usr/lib/libgcrypt.so.20` -- Development library: `/usr/lib/libgcrypt.so` (symlink) +The image includes: -### 2. Testing gnutls +**Core FIPS Libraries:** +- `wolfssl-fips` - FIPS 140-3 validated crypto library +- `libgcrypt` - With wolfSSL backend +- `gnutls` - With wolfSSL backend +- `wolfprovider` - OpenSSL 3.x provider (replace-default mode) -gnutls is a TLS/SSL library that implements secure communication protocols. In this image, it's configured to use wolfSSL FIPS as its cryptographic backend through the `wolfssl-gnutls-wrapper`, which intercepts gnutls cryptographic calls and routes them to wolfSSL. 
+**Applications:** +- `openssh` - SSH client/server +- `curl` - HTTP client with FIPS crypto +- `openssl-bin` - OpenSSL command-line tools -**How the testing works:** +**Testing Tools:** +- `ptest-runner` - Run package tests +- `wolfprovidercmd` - wolfProvider command-line tests +- `wolfproviderenv` - Environment setup/verification +- Various ptest packages for validation -The gnutls test suite in `/opt/wolfssl-gnutls-wrapper/tests/` performs various TLS/SSL operations including TLS handshake establishment, certificate validation, cipher suite negotiation, data encryption/decryption over TLS connections, and key exchange operations. When these tests run, gnutls makes cryptographic calls that are intercepted by the wrapper and forwarded to wolfSSL FIPS. The wrapper logs all cryptographic operations, allowing you to see exactly when and how wolfSSL is being used. +**Optional (with initramfs):** +- `wolfssl-linuxkm-fips` - Kernel module loaded via initramfs -**Run gnutls tests:** +## Architecture -**Note:** The RAM needs to be increased for tests to pass. Ensure QEMU has sufficient memory allocated. +### Without Initramfs +``` +┌─────────────────────────────────────┐ +│ Applications (SSH, curl, etc.) │ +├─────────────────────────────────────┤ +│ OpenSSL API (wolfProvider) │ +│ GnuTLS API │ +│ libgcrypt API │ +├─────────────────────────────────────┤ +│ wolfSSL FIPS (User-space) │ +└─────────────────────────────────────┘ +``` -```bash -cd /opt/wolfssl-gnutls-wrapper/tests/ -make run_fips +### With Initramfs +``` +Boot Sequence: + 1. Kernel starts + 2. Initramfs mounts + 3. wolfssl-linuxkm-fips loads ← FIPS module in kernel + 4. Root filesystem mounts + 5. Applications start with user-space wolfSSL FIPS + +┌─────────────────────────────────────┐ +│ Applications (SSH, curl, etc.) 
│ +├─────────────────────────────────────┤ +│ OpenSSL API (wolfProvider) │ +│ GnuTLS API │ +│ libgcrypt API │ +├─────────────────────────────────────┤ +│ wolfSSL FIPS (User-space) │ +└─────────────────────────────────────┘ +┌─────────────────────────────────────┐ +│ wolfSSL FIPS (Kernel-space) │ +│ libwolfssl.ko │ +└─────────────────────────────────────┘ ``` -**Expected Output:** +## Troubleshooting -The test suite will run various TLS/SSL operations and print ✔️/❌ for each test, followed by a summary. All tests should pass, confirming that gnutls is correctly using the wolfSSL FIPS backend. You'll see wrapper log messages showing cryptographic operations being routed to wolfSSL. +### Initramfs Not Loading -**Verify library linking:** +**Symptom**: Kernel boots directly to rootfs, no initramfs messages in dmesg -The main gnutls library doesn't directly link to wolfSSL. Instead, the wrapper library links to both gnutls and wolfSSL: +**Solution**: +1. Check `INITRAMFS_IMAGE` is set in `local.conf` (not just image recipe) +2. Rebuild kernel: `bitbake virtual/kernel -c cleansstate && bitbake fips-image-minimal` +3. Verify initramfs exists: `ls tmp/deploy/images/*/fips-initramfs*.cpio*` -```bash -ldd /opt/wolfssl-gnutls-wrapper/lib/libgnutls-wolfssl-wrapper.so -``` +### Kernel Module Not Loading + +**Symptom**: `lsmod | grep wolfssl` shows nothing + +**Solution**: +1. Check initramfs was built: `bitbake fips-initramfs -e | grep PACKAGE_INSTALL` +2. Verify module is in initramfs: Extract and check the .cpio.gz file +3. Check kernel messages: `dmesg | grep -i wolf` + +### FIPS Validation Errors -You should see both `libgnutls.so.30` and `libwolfssl.so.44` in the dependency list, confirming the wrapper links to both libraries. 
+**Symptom**: FIPS self-tests fail or crypto operations fail -**Library locations:** -- Main gnutls library: `/usr/lib/libgnutls.so.30` -- Development library: `/usr/lib/libgnutls.so` (symlink) -- Wrapper library: `/opt/wolfssl-gnutls-wrapper/lib/libgnutls-wolfssl-wrapper.so` -- Additional gnutls libraries: `/usr/lib/libgnutls-openssl.so.27`, `/usr/lib/libgnutls-dane.so.0` +**Solution**: +1. Verify FIPS hash is correct in `wolfssl-fips.conf` +2. Check license file matches bundle +3. Ensure `WOLFSSL_SRC_DIRECTORY` or bundle extraction is correct +4. Rebuild everything: `bitbake wolfssl-fips -c cleansstate && bitbake fips-image-minimal` -### 3. Testing wolfProvider +## See Also -**TODO:** Add testing instructions for wolfProvider. +- `recipes-core/images/wolfssl-linux-fips-images/fips-initramfs.bb` - Initramfs recipe +- `conf/wolfssl-fips.conf.sample` - FIPS configuration template +- `recipes-wolfssl/wolfssl/README-fips.md` - wolfSSL FIPS recipe documentation +- `recipes-wolfssl/wolfssl/README-linuxkm.md` - Kernel module documentation +- `classes/wolfssl-initramfs.bbclass` - Initramfs integration helpers diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/curl_%.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/curl_%.bbappend index f78bac1a..a9a6b6db 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/curl_%.bbappend +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/curl_%.bbappend @@ -1,3 +1,3 @@ # Conditionally configure curl with wolfProvider support -require ${WOLFSSL_LAYERDIR}/inc/curl/curl-enable-wolfprovider-fips.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/curl/curl-enable-wolfprovider-fips.inc diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-image-minimal.bb b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-image-minimal.bb index c4976b48..e58cb504 100644 
--- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-image-minimal.bb +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-image-minimal.bb @@ -1,6 +1,8 @@ SUMMARY = "Minimal FIPS image with libgcrypt, gnutls, and wolfProvider (replace-default mode)" DESCRIPTION = "A minimal Linux image that includes libgcrypt, gnutls, and wolfProvider all configured to use wolfSSL FIPS as the crypto backend. wolfProvider is configured in replace-default mode. This image requires wolfSSL FIPS and does not require wolfssl-image-minimal." +inherit wolfssl-compatibility + # Validate that wolfssl-fips is the provider # Just to be sure that the user has set the correct provider python __anonymous() { @@ -12,36 +14,9 @@ python __anonymous() { if wolfssl_provider != 'wolfssl-fips': bb.fatal("fips-image-minimal requires PREFERRED_PROVIDER_wolfssl = 'wolfssl-fips'. Current value: '%s'. Please set 'require conf/wolfssl-fips.conf' in local.conf" % wolfssl_provider) -} -# Add packages with wolfSSL FIPS backend support -# Includes all testing applications from libgcrypt, gnutls, and wolfProvider demo images -IMAGE_INSTALL:append = " \ - wolfssl \ - libgcrypt \ - libgcrypt-ptest \ - gnutls \ - gnutls-dev \ - gnutls-bin \ - gnutls-fips \ - wolfssl-gnutls-wrapper \ - wolfssl-gnutls-wrapper-dev \ - wolfprovider \ - openssl \ - openssl-bin \ - openssh \ - wolfprovidercmd \ - wolfproviderenv \ - pkgconfig \ - ptest-runner \ - bash \ - make \ - glibc-utils \ - binutils \ - ldd \ - curl \ - librelp-ptest \ -" + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfssl libgcrypt libgcrypt-ptest gnutls gnutls-dev gnutls-bin gnutls-fips wolfssl-gnutls-wrapper wolfssl-gnutls-wrapper-dev wolfprovider openssl openssl-bin openssh wolfprovidercmd wolfproviderenv pkgconfig ptest-runner bash make glibc-utils binutils ldd curl librelp-ptest') +} require recipes-core/images/core-image-minimal.bb 
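Review bot: The `IMAGE_INSTALL` argument in the `@@ -12,36 +14,9 @@` hunk of fips-image-minimal.bb is one long string of package names; it replaces a one-per-line list and drops the comment saying these are the FIPS-backed packages plus their test applications. A later change that adds or removes a single package will show up as a rewrite of the whole line, which is hard to review for an image whose package set is the point. I would keep one name per line by passing `' ' + ' '.join([...])` with the list laid out vertically, the way the FILES list is built in the `@@ -66,29 +66,28 @@` hunk earlier in this diff, and restore the comment above the call. The same applies to the wolfclu-combined, wolfprovider, wolfprovider-replace-default and wolfssl-combined image recipes in this commit.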
@@ -49,3 +24,10 @@ require recipes-core/images/core-image-minimal.bb # Set in local.conf: # WOLFSSL_DEMOS = "fips-image-minimal" # require conf/wolfssl-fips.conf +# +# For early kernel module loading (initramfs), also add to local.conf: +# INITRAMFS_IMAGE = "fips-initramfs" +# INITRAMFS_IMAGE_BUNDLE = "1" +# +# Note: INITRAMFS_IMAGE must be set in local.conf (not here) because +# the kernel needs to see it at build time, not just the image. diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-initramfs.bb b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-initramfs.bb new file mode 100644 index 00000000..6359d245 --- /dev/null +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-initramfs.bb @@ -0,0 +1,32 @@ +SUMMARY = "Minimal initramfs with wolfSSL FIPS kernel module" +DESCRIPTION = "An initramfs image that loads the wolfSSL FIPS kernel module early in the boot process, before the root filesystem is mounted." + +LICENSE = "MIT" + +# Include wolfssl-linuxkm (will use -fips version if PREFERRED_PROVIDER is set) +PACKAGE_INSTALL = "initramfs-framework-base initramfs-module-udev initramfs-module-setup-live wolfssl-linuxkm busybox udev base-passwd ${ROOTFS_BOOTSTRAP_INSTALL}" + +# Set the image fstypes to cpio.gz (required for kernel bundling) +IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" + +# Don't allow the initramfs to contain a kernel +PACKAGE_EXCLUDE = "kernel-image-*" + +IMAGE_NAME_SUFFIX ?= "" +IMAGE_LINGUAS = "" + +# Do not pollute the initrd image with rootfs features +IMAGE_FEATURES = "" + +IMAGE_ROOTFS_SIZE = "8192" +IMAGE_ROOTFS_EXTRA_SPACE = "0" + +# Inherit core-image for basic image functionality +inherit core-image + +# Inherit wolfssl-initramfs helpers +inherit wolfssl-initramfs + +# Use the bbclass methods as documented +ROOTFS_POSTPROCESS_COMMAND += "wolfssl_initramfs_run_depmod; " +ROOTFS_POSTPROCESS_COMMAND += "wolfssl_initramfs_inject_after_loadmodules; " 
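Review bot: Nothing in fips-initramfs.bb enforces that the FIPS build of the kernel module is what gets installed. The comment above `PACKAGE_INSTALL` says wolfssl-linuxkm is the FIPS variant only "if PREFERRED_PROVIDER is set", so a misconfigured build would still produce an image named fips-initramfs that loads the non-FIPS module. fips-image-minimal.bb stops with `bb.fatal` when the provider is not `wolfssl-fips`, and the initramfs recipe should carry an equivalent check. The sketch below reuses the variable named in that recipe's error message; if the kernel module is selected through a different provider variable, test that one instead.

```bitbake
python __anonymous() {
    # Refuse to build a "FIPS" initramfs around the non-FIPS module.
    # Adjust the variable if wolfssl-linuxkm is selected by another PREFERRED_PROVIDER_* setting.
    provider = d.getVar('PREFERRED_PROVIDER_wolfssl') or ''
    if provider != 'wolfssl-fips':
        bb.fatal("fips-initramfs requires PREFERRED_PROVIDER_wolfssl = 'wolfssl-fips'. Current value: '%s'" % provider)
}
```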
diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnupg_%.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnupg_%.bbappend index 80b91deb..328c849d 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnupg_%.bbappend +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnupg_%.bbappend @@ -3,5 +3,5 @@ # This bbappend is needed when using gnupg with libgcrypt to use wolfSSL backend # when wolfssl-fips is the preferred provider. -require ${WOLFSSL_LAYERDIR}/inc/gnupg/gnupg-enable-libgcrypt-wolfssl.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/gnupg/gnupg-enable-libgcrypt-wolfssl.inc diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnutls_%.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnutls_%.bbappend index 3d37046e..ce487bc8 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnutls_%.bbappend +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/gnutls_%.bbappend @@ -3,5 +3,5 @@ # This bbappend directly configures gnutls to use wolfSSL backend # when wolfssl-fips is the preferred provider. -require ${WOLFSSL_LAYERDIR}/inc/gnutls/gnutls-enable-wolfssl.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/gnutls/gnutls-enable-wolfssl.inc diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/libgcrypt_%.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/libgcrypt_%.bbappend index 8160da26..764e622d 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/libgcrypt_%.bbappend +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/libgcrypt_%.bbappend 
@@ -3,5 +3,5 @@ # This bbappend directly configures libgcrypt to use wolfSSL backend # when wolfssl-fips is the preferred provider. -require ${WOLFSSL_LAYERDIR}/inc/libgcrypt/libgcrypt-enable-wolfssl.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/libgcrypt/libgcrypt-enable-wolfssl.inc diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/librelp_%.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/librelp_%.bbappend index afc7301a..dde3c5f4 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/librelp_%.bbappend +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/librelp_%.bbappend @@ -1 +1 @@ -require ${WOLFSSL_LAYERDIR}/inc/librelp/librelp-ptest.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/librelp/librelp-ptest.inc diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/linux-yocto_%.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/linux-yocto_%.bbappend new file mode 100644 index 00000000..a62446de --- /dev/null +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/linux-yocto_%.bbappend @@ -0,0 +1,10 @@ +# Apply wolfSSL kernel randomness patches for FIPS DRBG integration +# This adds callback hooks to drivers/char/random.c and include/linux/random.h +# allowing the wolfSSL kernel module (libwolfssl.ko) to register its FIPS-certified +# DRBG implementation with the kernel. +# +# See: meta-wolfssl/recipes-wolfssl/wolfssl/README-linuxkm-randomness-patch.md + +inherit wolfssl-kernel-random +WOLFSSL_KERNEL_RANDOM_PATCH = "6.12" + diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/nettle_%.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/nettle_%.bbappend index fd625ee7..4c98aace 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/nettle_%.bbappend 
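Review bot: linux-yocto_%.bbappend applies to every linux-yocto version, yet `WOLFSSL_KERNEL_RANDOM_PATCH = "6.12"` pins the randomness patch to a single kernel series. The hunk does not show how wolfssl-kernel-random reacts to a mismatch; if it skips or mis-applies the patch, the image would boot without the wolfSSL DRBG registered while still being labelled FIPS. Either narrow the file name to the matching series (for example `linux-yocto_6.12%.bbappend`) or have the class fail the build on any other version, and say so in the header comment: `# Only valid for linux-yocto 6.12.x; the build must fail on any other kernel version`.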
+++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/nettle_%.bbappend @@ -3,4 +3,4 @@ # the latest release of gnutls. # -require ${WOLFSSL_LAYERDIR}/inc/nettle/nettle.inc +require ${WOLFSSL_LAYERDIR}/inc/${LAYERSERIES_CORENAMES}/nettle/nettle.inc diff --git a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/wolfssl-fips.bbappend b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/wolfssl-fips.bbappend index e96e9553..e5d28d36 100644 --- a/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/wolfssl-fips.bbappend +++ b/recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/wolfssl-fips.bbappend @@ -7,9 +7,10 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfssl-fips/wolfssl-enable-gnutls.inc require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc # Fix for commercial bundle missing stamp-h.in required by automake -do_configure:prepend() { +do_configure_create_stamph() { if [ ! -f ${S}/stamp-h.in ]; then touch ${S}/stamp-h.in fi } +addtask do_configure_create_stamph after do_patch before do_configure diff --git a/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb b/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb index 222f6e55..c5983ab6 100644 --- a/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb +++ b/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb 
@@ -1,8 +1,10 @@ SUMMARY = "Minimal image with wolfSSL and test utilities" DESCRIPTION = "A minimal Linux image that includes wolfSSL library with test/benchmark utilities" -# Add wolfSSL configured with test/benchmark support -# The wolfssl_%.bbappend in this directory configures wolfSSL with --enable-crypttests -IMAGE_INSTALL:append = " wolfcrypttest wolfcryptbenchmark" +inherit wolfssl-compatibility -require recipes-core/images/core-image-minimal.bb \ No newline at end of file +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfcrypttest wolfcryptbenchmark') +} + +require recipes-core/images/core-image-minimal.bb diff --git a/recipes-core/images/wolfssl-py-image-minimal/wolfssl-py-image-minimal.bb b/recipes-core/images/wolfssl-py-image-minimal/wolfssl-py-image-minimal.bb index e9c6d55a..a5cf4d4e 100644 --- a/recipes-core/images/wolfssl-py-image-minimal/wolfssl-py-image-minimal.bb +++ b/recipes-core/images/wolfssl-py-image-minimal/wolfssl-py-image-minimal.bb @@ -1,17 +1,10 @@ SUMMARY = "Minimal image with wolfSSL, test utilities, and Python bindings" DESCRIPTION = "A minimal Linux image that includes wolfSSL library, test/benchmark utilities, and Python bindings (wolfssl-py and wolfcrypt-py) with testing support" -# Add Python packages with wolfSSL support and testing requirements -# The wolfssl_%.bbappend in this directory configures wolfSSL with Python features -IMAGE_INSTALL:append = " \ - wolfssl \ - wolfssl-py \ - wolfcrypt-py \ - wolf-py-tests \ - python3 \ - python3-cffi \ - python3-pytest \ -" +inherit wolfssl-compatibility -require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolfssl wolfssl-py wolfcrypt-py wolf-py-tests python3 python3-cffi python3-pytest') +} +require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb 
diff --git a/recipes-core/images/wolftpm-image-minimal/wolftpm-image-minimal.bb b/recipes-core/images/wolftpm-image-minimal/wolftpm-image-minimal.bb index 19243846..74a52c72 100644 --- a/recipes-core/images/wolftpm-image-minimal/wolftpm-image-minimal.bb +++ b/recipes-core/images/wolftpm-image-minimal/wolftpm-image-minimal.bb @@ -1,6 +1,8 @@ SUMMARY = "Minimal image with wolfSSL, test utilities, and wolfTPM" DESCRIPTION = "A minimal Linux image that includes wolfSSL library, test/benchmark utilities, and wolfTPM with TPM 2.0 support" +inherit wolfssl-compatibility + # Validate TPM configuration python __anonymous() { """ 
@@ -9,46 +11,34 @@ python __anonymous() { distro_features = d.getVar('DISTRO_FEATURES') or '' machine_features = d.getVar('MACHINE_FEATURES') or '' kernel_features = d.getVar('KERNEL_FEATURES') or '' - + errors = [] - + # Check DISTRO_FEATURES if 'security' not in distro_features or 'tpm' not in distro_features or 'tpm2' not in distro_features: errors.append("DISTRO_FEATURES must contain 'security tpm tpm2'") errors.append(" Add to local.conf: DISTRO_FEATURES:append = \" security tpm tpm2\"") - + # Check MACHINE_FEATURES if 'tpm' not in machine_features or 'tpm2' not in machine_features: errors.append("MACHINE_FEATURES must contain 'tpm tpm2'") errors.append(" Add to local.conf: MACHINE_FEATURES:append = \" tpm tpm2\"") - + # Check KERNEL_FEATURES if 'features/tpm/tpm.scc' not in kernel_features: errors.append("KERNEL_FEATURES must contain 'features/tpm/tpm.scc'") errors.append(" Add to local.conf: KERNEL_FEATURES:append = \" features/tpm/tpm.scc\"") - + # Report errors if errors: error_msg = "\n%s requires TPM support to be properly configured in local.conf:\n\n" % d.getVar('PN') error_msg += "\n".join([" - " + e for e in errors]) error_msg += "\n\nThese settings MUST be in local.conf, not in the image recipe.\n" bb.fatal(error_msg) -} -# Add wolfTPM wrap test configured with wolfSSL support -# wolfTPM will be pulled in automatically via RDEPENDS -# The wolfssl_%.bbappend in this directory configures wolfSSL with --enable-certgen, etc. -IMAGE_INSTALL:append = " \ - wolftpm-wrap-test \ - tpm2-tools \ - tpm2-tss \ - libtss2 \ - libtss2-mu \ - libtss2-tcti-device \ - libtss2-tcti-mssim \ -" + wolfssl_varAppendNonOverride(d, 'IMAGE_INSTALL', ' wolftpm-wrap-test tpm2-tools tpm2-tss libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim') +} # Enable security and TPM features require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb - 
diff --git a/recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb b/recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb index 37c908c4..f39d1e71 100644 --- a/recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb +++ b/recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb @@ -9,7 +9,12 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://benchmark.c;beginline=1;endline=20;md5=6a14f1f3bfbb40d2c3b7d0f3a1f98ffc" S = "${WORKDIR}/git/wolfcrypt/benchmark" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolfssl" + +inherit wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') +} SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=59f4fa568615396fbf381b073b220d1e8d61e4c2" 
@@ -21,27 +26,15 @@ WOLFCRYPT_BENCHMARK_INSTALL_DIR = "${D}${WOLFCRYPT_BENCHMARK_DIR}" WOLFCRYPT_BENCHMARK_README = "README.txt" WOLFCRYPT_BENCHMARK_README_DIR = "${WOLFCRYPT_BENCHMARK_INSTALL_DIR}/${WOLFCRYPT_BENCHMARK_README}" -python () { - distro_version = d.getVar('DISTRO_VERSION', True) - wolfcrypt_benchmark_dir = d.getVar('WOLFCRYPT_BENCHMARK_DIR', True) - wolfcrypt_benchmark_install_dir = d.getVar('WOLFCRYPT_BENCHMARK_INSTALL_DIR', True) - wolfcrypt_benchmark_readme_dir = d.getVar('WOLFCRYPT_BENCHMARK_README_DIR', True) - - bbnote = 'bbnote "Installing dummy file for wolfCrypt benchmark example"\n' - installDir = 'install -m 0755 -d "%s"\n' % wolfcrypt_benchmark_install_dir - makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolfcrypt_benchmark_readme_dir - - d.appendVar('do_install', bbnote) - d.appendVar('do_install', installDir) - d.appendVar('do_install', makeDummy) - - pn = d.getVar('PN', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfcrypt_benchmark_dir + '/*' - d.setVar(files_var_name, new_files) +do_install_wolfcryptbenchmark_dummy() { + bbnote "Installing dummy file for wolfCrypt benchmark example" + install -m 0755 -d "${WOLFCRYPT_BENCHMARK_INSTALL_DIR}" + echo "This is a dummy package" > "${WOLFCRYPT_BENCHMARK_README_DIR}" +} + +addtask do_install_wolfcryptbenchmark_dummy after do_install before do_package +do_install_wolfcryptbenchmark_dummy[fakeroot] = "1" + +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${WOLFCRYPT_BENCHMARK_DIR}/*') } diff --git a/recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb b/recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb index 051ddecf..4095e386 100644 --- a/recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb 
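Review bot: `do_install_wolfcryptbenchmark_dummy` writes into `${D}` from a separate task ordered only `after do_install before do_package`. It is therefore not ordered against the other tasks that read `${D}` once do_install finishes (do_populate_sysroot, as far as I can tell), so the staged contents can depend on scheduling. Running it inside do_install keeps a single writer for `${D}` and still avoids override syntax: use `do_install[postfuncs] += "do_install_wolfcryptbenchmark_dummy"` in place of the `addtask` and `[fakeroot]` lines. The same construct is added in wolfcrypttest.bb, wolfprovidertest.bb, wolf-py-tests_5.6.0.bb and wolftpm-wrap-test.bb.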
+++ b/recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb @@ -9,7 +9,12 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://test.c;beginline=1;endline=20;md5=928770bfaa2d2704ecffeb131cc7bfd8" S = "${WORKDIR}/git/wolfcrypt/test" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolfssl" + +inherit wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') +} SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=59f4fa568615396fbf381b073b220d1e8d61e4c2" 
@@ -22,28 +27,15 @@ WOLFCRYPT_TEST_INSTALL_DIR = "${D}${WOLFCRYPT_TEST_DIR}" WOLFCRYPT_TEST_README = "README.txt" WOLFCRYPT_TEST_README_DIR = "${WOLFCRYPT_TEST_INSTALL_DIR}/${WOLFCRYPT_TEST_README}" -python () { - distro_version = d.getVar('DISTRO_VERSION', True) - wolfcrypt_test_dir = d.getVar('WOLFCRYPT_TEST_DIR', True) - wolfcrypt_test_install_dir = d.getVar('WOLFCRYPT_TEST_INSTALL_DIR', True) - wolfcrypt_test_readme_dir = d.getVar('WOLFCRYPT_TEST_README_DIR', True) - - bbnote = 'bbnote "Installing dummy file for wolfCrypt test example"\n' - installDir = 'install -m 0755 -d "%s"\n' % wolfcrypt_test_install_dir - makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolfcrypt_test_readme_dir - - d.appendVar('do_install', bbnote) - d.appendVar('do_install', installDir) - d.appendVar('do_install', makeDummy) - - pn = d.getVar('PN', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfcrypt_test_dir + '/*' - d.setVar(files_var_name, new_files) +do_install_wolfcrypttest_dummy() { + bbnote "Installing dummy file for wolfCrypt test example" + install -m 0755 -d "${WOLFCRYPT_TEST_INSTALL_DIR}" + echo "This is a dummy package" > "${WOLFCRYPT_TEST_README_DIR}" } +addtask do_install_wolfcrypttest_dummy after do_install before do_package +do_install_wolfcrypttest_dummy[fakeroot] = "1" + +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${WOLFCRYPT_TEST_DIR}/*') +} diff --git a/recipes-examples/wolfengine/wolfenginetest/wolfenginetest.bb b/recipes-examples/wolfengine/wolfenginetest/wolfenginetest.bb index 7f4eab79..0075470d 100644 --- a/recipes-examples/wolfengine/wolfenginetest/wolfenginetest.bb +++ b/recipes-examples/wolfengine/wolfenginetest/wolfenginetest.bb 
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "" DEPENDS = "openssl pkgconfig-native virtual/wolfssl wolfengine" PROVIDES += "wolfenginetest" +inherit pkgconfig wolfssl-compatibility + WOLFENGINE_TEST = "${bindir}/wolfenginetest" WOLFENGINE_ENV = "${bindir}/wolfenginetest" @@ -17,8 +19,6 @@ SRC_URI = "file://wolfenginetest.c \ S = "${WORKDIR}" -inherit pkgconfig - do_compile() { ${CC} ${WORKDIR}/wolfenginetest.c -o wolfenginetest \ ${CFLAGS} ${LDFLAGS} $(pkg-config --cflags --libs openssl) -ldl -lwolfssl -lwolfengine @@ -28,29 +28,10 @@ do_install() { install -d ${D}${bindir} install -m 0755 ${WORKDIR}/wolfenginetest ${D}${bindir}/wolfenginetest install -m 0755 ${WORKDIR}/wolfengineenv.sh ${D}${bindir}/wolfengineenv - -} - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - wolfengine_test = d.getVar('WOLFENGINE_TEST', True) - wolfengine_env = d.getVar('WOLFENGINE_ENV', True) - pn = d.getVar('PN', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfengine_test + ' ' + wolfengine_env - d.setVar(files_var_name, new_files) - - rdepends_var_name = 'RDEPENDS_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'RDEPENDS:' + pn - - current_rdepends = d.getVar(rdepends_var_name, True) or "" - new_rdepends = current_rdepends + " bash" - d.setVar(rdepends_var_name, new_rdepends) +} +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${WOLFENGINE_TEST} ${WOLFENGINE_ENV}') + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' bash') } diff --git a/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb index 6dc14846..997dbd39 100644 --- a/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb 
+++ b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb @@ -8,7 +8,12 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" DEPENDS = "openssl virtual/wolfssl wolfprovider" -RDEPENDS:${PN} = "bash openssl wolfprovider" + +inherit wolfssl-compatibility + +python __anonymous() { + wolfssl_varSet(d, 'RDEPENDS', '${PN}', 'bash openssl wolfprovider') +} SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a \ file://wolfprovidercmd.sh" @@ -48,12 +53,6 @@ do_install() { install -m 0755 ${WORKDIR}/wolfprovidercmd.sh ${D}${bindir}/wolfprovidercmd } -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - pn = d.getVar('PN', True) - - files_var_name = 'FILES_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'FILES:' + pn - - wolfprov_cmd_test_dir = d.getVar('WOLFPROV_CMD_TEST_DIR', True) - d.setVar(files_var_name, wolfprov_cmd_test_dir + '/* ${bindir}/wolfprovidercmd') +python __anonymous() { + wolfssl_varSet(d, 'FILES', '${PN}', '${WOLFPROV_CMD_TEST_DIR}/* ${bindir}/wolfprovidercmd') } diff --git a/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb index 572d2b26..f879c57a 100644 --- a/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb +++ b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb @@ -7,7 +7,12 @@ LIC_FILES_CHKSUM = "" DEPENDS = "openssl pkgconfig-native virtual/wolfssl wolfprovider" PROVIDES += "wolfproviderenv" -RPROVIDES_${PN} = "wolfproviderenv" + +inherit pkgconfig wolfssl-compatibility + +python __anonymous() { + wolfssl_varSet(d, 'RPROVIDES', '${PN}', 'wolfproviderenv') +} SRC_URI = "file://wolfproviderenv.c \ file://wolfproviderenv.sh \ 
@@ -34,16 +39,7 @@ do_install() { install -m 0755 ${WORKDIR}/wolfproviderenv.sh ${D}${bindir}/wolfproviderenv } -FILES_${PN} = "${bindir}/wolfproviderverify ${bindir}/wolfproviderenv" - -# Dynamic RDEPENDS adjustment for bash -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - pn = d.getVar('PN', True) - - rdepends_var_name = 'RDEPENDS_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'RDEPENDS:' + pn - - current_rdepends = d.getVar(rdepends_var_name, True) or "" - new_rdepends = current_rdepends + " bash" - d.setVar(rdepends_var_name, new_rdepends) +python __anonymous() { + wolfssl_varSet(d, 'FILES', '${PN}', '${bindir}/wolfproviderverify ${bindir}/wolfproviderenv') + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' bash') } diff --git a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb index c55b0f62..ed17f9e3 100644 --- a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb +++ b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb @@ -8,6 +8,8 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-3.0-only;md5=c79ff39f19dfec6d293b95dea7b07891" DEPENDS += "wolfprovider" +inherit wolfssl-compatibility + do_configure[noexec] = "1" do_compile[noexec] = "1" 
@@ -16,27 +18,15 @@ WOLFPROVIDER_TEST_INSTALL_DIR = "${D}${WOLFPROVIDER_TEST_DIR}" WOLFPROVIDER_TEST_README = "README.txt" WOLFPROVIDER_TEST_README_DIR = "${WOLFPROVIDER_TEST_INSTALL_DIR}/${WOLFPROVIDER_TEST_README}" -python () { - distro_version = d.getVar('DISTRO_VERSION', True) - wolfprovider_test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True) - wolfprovider_test_install_dir = d.getVar('WOLFPROVIDER_TEST_INSTALL_DIR', True) - wolfprovider_test_readme_dir = d.getVar('WOLFPROVIDER_TEST_README_DIR', True) - - bbnote = 'bbnote "Installing dummy file for wolfProvider test example"\n' - installDir = 'install -m 0755 -d "%s"\n' % wolfprovider_test_install_dir - makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolfprovider_test_readme_dir +do_install_wolfprovidertest_dummy() { + bbnote "Installing dummy file for wolfProvider test example" + install -m 0755 -d "${WOLFPROVIDER_TEST_INSTALL_DIR}" + echo "This is a dummy package" > "${WOLFPROVIDER_TEST_README_DIR}" +} - d.appendVar('do_install', bbnote) - d.appendVar('do_install', installDir) - d.appendVar('do_install', makeDummy) +addtask do_install_wolfprovidertest_dummy after do_install before do_package +do_install_wolfprovidertest_dummy[fakeroot] = "1" - pn = d.getVar('PN', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfprovider_test_dir + '/*' - d.setVar(files_var_name, new_files) +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${WOLFPROVIDER_TEST_DIR}/*') } diff --git a/recipes-examples/wolfssl-py/wolf-py-tests/wolf-py-tests_5.6.0.bb b/recipes-examples/wolfssl-py/wolf-py-tests/wolf-py-tests_5.6.0.bb index cc91cc14..58a2d460 100644 --- a/recipes-examples/wolfssl-py/wolf-py-tests/wolf-py-tests_5.6.0.bb +++ b/recipes-examples/wolfssl-py/wolf-py-tests/wolf-py-tests_5.6.0.bb 
@@ -15,7 +15,9 @@ SRC_URI = "git://github.com/wolfSSL/wolfssl-py.git;nobranch=1;protocol=https;rev DEPENDS += " wolfssl-py \ wolfcrypt-py \ - " + " + +inherit wolfssl-compatibility S = "${WORKDIR}/git" @@ -27,27 +29,15 @@ WOLFCRYPT_TEST_PY_INSTALL_DIR = "${D}${WOLFCRYPT_TEST_PY_DIR}" WOLFCRYPT_TEST_PY_README = "README.txt" WOLFCRYPT_TEST_PY_README_DIR = "${WOLFCRYPT_TEST_PY_INSTALL_DIR}/${WOLFCRYPT_TEST_PY_README}" -python () { - distro_version = d.getVar('DISTRO_VERSION', True) - wolfcrypt_test_py_dir = d.getVar('WOLFCRYPT_TEST_PY_DIR', True) - wolfcrypt_test_py_install_dir = d.getVar('WOLFCRYPT_TEST_PY_INSTALL_DIR', True) - wolfcrypt_test_py_readme_dir = d.getVar('WOLFCRYPT_TEST_PY_README_DIR', True) - - bbnote = 'bbnote "Installing dummy file for wolfCrypt test example"\n' - installDir = 'install -m 0755 -d "%s"\n' % wolfcrypt_test_py_install_dir - makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolfcrypt_test_py_readme_dir - - d.appendVar('do_install', bbnote) - d.appendVar('do_install', installDir) - d.appendVar('do_install', makeDummy) - - pn = d.getVar('PN', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wolfcrypt_test_py_dir + '/*' - d.setVar(files_var_name, new_files) +do_install_wolf_py_tests_dummy() { + bbnote "Installing dummy file for wolfCrypt test example" + install -m 0755 -d "${WOLFCRYPT_TEST_PY_INSTALL_DIR}" + echo "This is a dummy package" > "${WOLFCRYPT_TEST_PY_README_DIR}" +} + +addtask do_install_wolf_py_tests_dummy after do_install before do_package +do_install_wolf_py_tests_dummy[fakeroot] = "1" + +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${WOLFCRYPT_TEST_PY_DIR}/*') } 
diff --git a/recipes-examples/wolftpm/wolftpm-wrap-test.bb b/recipes-examples/wolftpm/wolftpm-wrap-test.bb index d341200b..b9ca98fd 100644 --- a/recipes-examples/wolftpm/wolftpm-wrap-test.bb +++ b/recipes-examples/wolftpm/wolftpm-wrap-test.bb @@ -10,7 +10,12 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolftpm wolfssl" + +inherit wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolftpm wolfssl') +} SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=bcf2647ebcf76e76a75cefc46f7187d213eb1fcd" 
@@ -22,27 +27,15 @@ WOLFTPM_EXAMPLES_INSTALL_DIR = "${D}${WOLFTPM_EXAMPLES_DIR}" WOLFTPM_EXAMPLES_README = "README.txt" WOLFTPM_EXAMPLES_README_DIR = "${WOLFTPM_EXAMPLES_INSTALL_DIR}/${WOLFTPM_EXAMPLES_README}" -python () { - distro_version = d.getVar('DISTRO_VERSION', True) - wofltpm_examples_dir = d.getVar('WOLFTPM_EXAMPLES_DIR', True) - wolftpm_examples_install_dir = d.getVar('WOLFTPM_EXAMPLES_INSTALL_DIR', True) - wolftpm_examples_readme_dir = d.getVar('WOLFTPM_EXAMPLES_README_DIR', True) - - bbnote = 'bbnote "Installing dummy file for wolfTPM test example"\n' - installDir = 'install -m 0755 -d "%s"\n' % wolftpm_examples_install_dir - makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolftpm_examples_readme_dir - - d.appendVar('do_install', bbnote) - d.appendVar('do_install', installDir) - d.appendVar('do_install', makeDummy) - - pn = d.getVar('PN', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - files_var_name = 'FILES_' + pn - else: - files_var_name = 'FILES:' + pn - - current_files = d.getVar(files_var_name, True) or "" - new_files = current_files + ' ' + wofltpm_examples_dir + '/*' - d.setVar(files_var_name, new_files) +do_install_wolftpm_dummy() { + bbnote "Installing dummy file for wolfTPM test example" + install -m 0755 -d "${WOLFTPM_EXAMPLES_INSTALL_DIR}" + echo "This is a dummy package" > "${WOLFTPM_EXAMPLES_README_DIR}" +} + +addtask do_install_wolftpm_dummy after do_install before do_package +do_install_wolftpm_dummy[fakeroot] = "1" + +python __anonymous() { + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${WOLFTPM_EXAMPLES_DIR}/*') } diff --git a/recipes-extended/rsyslog/files/rsyslog-fips-crypto.conf b/recipes-extended/rsyslog/files/rsyslog-fips-crypto.conf new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/recipes-extended/rsyslog/files/rsyslog-fips-crypto.conf @@ -0,0 +1 @@ + 
diff --git a/recipes-support/curl/kirkstone/curl_7.82.0.bbappend b/recipes-support/curl/kirkstone/curl_7.82.0.bbappend index 9fbc2d28..aab81635 100644 --- a/recipes-support/curl/kirkstone/curl_7.82.0.bbappend +++ b/recipes-support/curl/kirkstone/curl_7.82.0.bbappend @@ -1,15 +1,19 @@ -PACKAGECONFIG:remove:class-target = "openssl" -DEPENDS:class-target += "virtual/wolfssl" -EXTRA_OECONF:class-target += "--with-wolfssl=${STAGING_DIR_HOST}${prefix} \ +inherit wolfssl-compatibility + +PACKAGECONFIG_remove_class-target = "openssl" +DEPENDS_class-target += "virtual/wolfssl" +EXTRA_OECONF_class-target += "--with-wolfssl=${STAGING_DIR_HOST}${prefix} \ --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ " -CPPFLAGS:class-target += "-I${STAGING_DIR_HOST}${prefix}/include/wolfssl" +CPPFLAGS_class-target += "-I${STAGING_DIR_HOST}${prefix}/include/wolfssl" # Uncomment the line below if you're targeting FIPS compliance. NTLM uses MD5, # which isn't a FIPS-approved algorithm. -# EXTRA_OECONF:class-target += "--disable-ntlm" - -# Add the directory where the patch is located to the search path -FILESEXTRAPATHS:prepend := "${THISDIR}/../patches:" +# EXTRA_OECONF_class-target += "--disable-ntlm" -SRC_URI += "file://wolfssl-m4-options-fix.patch" \ No newline at end of file +python __anonymous() { + if bb.data.inherits_class('target', d): + # Add the directory where the patch is located to the search path + wolfssl_varPrepend(d, 'FILESEXTRAPATHS', '${THISDIR}/../patches:') + wolfssl_varAppendNonOverride(d, 'SRC_URI', ' file://wolfssl-m4-options-fix.patch') +} diff --git a/recipes-support/gnutls/wolfssl-gnutls-wrapper_git.bb b/recipes-support/gnutls/wolfssl-gnutls-wrapper_git.bb index 61e136ca..34c72679 100644 --- a/recipes-support/gnutls/wolfssl-gnutls-wrapper_git.bb +++ b/recipes-support/gnutls/wolfssl-gnutls-wrapper_git.bb 
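Review bot: `bb.data.inherits_class('target', d)` tests for a bbclass named `target`, and OE-core has none (`class-target` is an override, not a class). Unless this layer ships such a class, the branch never runs and `wolfssl-m4-options-fix.patch` is silently dropped from `SRC_URI`, together with the `FILESEXTRAPATHS` entry. If the intent is "not native or nativesdk", write `if not (bb.data.inherits_class('native', d) or bb.data.inherits_class('nativesdk', d)):`. Separately, the file sits under `kirkstone/` but now uses underscore overrides. A kirkstone-era bitbake rejects `PACKAGECONFIG_remove_class-target` as old override syntax and would treat `DEPENDS_class-target` and `EXTRA_OECONF_class-target` as plain variables with no effect, so the wolfSSL backend settings would not reach curl. Please confirm which bitbake versions are meant to parse this file.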
@@ -9,7 +9,12 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171d PV = "1.0+git${SRCPV}" DEPENDS = "virtual/wolfssl gnutls" -RDEPENDS:${PN} += "wolfssl gnutls bash" + +inherit pkgconfig wolfssl-compatibility + +python __anonymous() { + wolfssl_varSet(d, 'RDEPENDS', '${PN}', 'wolfssl gnutls bash') +} SRC_URI = "git://github.com/wolfssl/gnutls-wolfssl.git;protocol=https;branch=main;destsuffix=git" SRCREV = "${AUTOREV}" @@ -27,19 +32,10 @@ EXTRA_OEMAKE = " \ 'WOLFSSL_INSTALL=${STAGING_DIR_TARGET}${prefix}' \ " -CFLAGS:append = " \ - -I${STAGING_INCDIR} \ - -DENABLE_WOLFSSL \ - -fPIC \ -" - -LDFLAGS:append = " \ - -L${STAGING_LIBDIR} \ - -Wl,-rpath,${libdir} \ - -Wl,-rpath,${WOLFSSL_GNUTLS_PREFIX}/lib \ - -Wl,--no-as-needed \ - -Wl,-z,now \ -" +python __anonymous() { + wolfssl_varAppendNonOverride(d, 'CFLAGS', ' -I${STAGING_INCDIR} -DENABLE_WOLFSSL -fPIC') + wolfssl_varAppendNonOverride(d, 'LDFLAGS', ' -L${STAGING_LIBDIR} -Wl,-rpath,${libdir} -Wl,-rpath,${WOLFSSL_GNUTLS_PREFIX}/lib -Wl,--no-as-needed -Wl,-z,now') +} do_compile() { bbnote "Building wolfSSL-GnuTLS wrapper..." @@ -67,7 +63,7 @@ do_compile() { all } -do_install:class-target() { +do_install() { # Install to /usr/lib/gnutls install -d ${D}${libdir} if [ -f ${S}/libgnutls-wolfssl-wrapper.so ]; then 
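Review bot: `SRCREV = "${AUTOREV}"` with `branch=main` means every build of wolfssl-gnutls-wrapper fetches whatever is at the head of that branch, so the crypto shim that ends up in the FIPS image is neither reproducible nor tied to a reviewed revision. The other recipes touched by this commit pin a commit hash in `SRC_URI`; do the same here, e.g. `SRCREV = "<reviewed-commit-sha>"`. Also, the old line was `RDEPENDS:${PN} += ...` while the replacement calls `wolfssl_varSet`. If that helper assigns rather than appends, runtime dependencies added elsewhere are lost, and `wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl gnutls bash')` would match the other conversions in this commit.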
@@ -155,18 +151,11 @@ EOF ln -sf ${WOLFSSL_GNUTLS_PREFIX}/tests/run-tests.sh ${D}${bindir}/gnutls-wolfssl-tests } -FILES:${PN}:class-target = "\ - ${libdir}/*.so \ - /opt/wolfssl-gnutls-wrapper/lib/*.so \ - ${WOLFSSL_GNUTLS_PREFIX}/tests/* \ - ${bindir}/gnutls-wolfssl-tests \ -" - -FILES:${PN}-dev:class-target = "\ - ${includedir}/* \ - ${libdir}/pkgconfig/* \ -" +python __anonymous() { + wolfssl_varSet(d, 'FILES', '${PN}', '${libdir}/*.so /opt/wolfssl-gnutls-wrapper/lib/*.so ${WOLFSSL_GNUTLS_PREFIX}/tests/* ${bindir}/gnutls-wolfssl-tests') + wolfssl_varSet(d, 'FILES', '${PN}-dev', '${includedir}/* ${libdir}/pkgconfig/*') + wolfssl_varAppend(d, 'INSANE_SKIP', '${PN}', ' dev-so ldflags') +} -INSANE_SKIP:${PN}:class-target += "dev-so ldflags" -SOLIBS:class-target = ".so" -FILES_SOLIBSDEV:class-target = "" +SOLIBS = ".so" +FILES_SOLIBSDEV = "" diff --git a/recipes-wolfssl/wolfclu/commercial/wolfclu_%.bbappend b/recipes-wolfssl/wolfclu/commercial/wolfclu_%.bbappend index 59bc3a76..b7191051 100644 --- a/recipes-wolfssl/wolfclu/commercial/wolfclu_%.bbappend +++ b/recipes-wolfssl/wolfclu/commercial/wolfclu_%.bbappend @@ -1,6 +1,6 @@ BBFILE_PRIORITY='2' COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" -LICENSE="Proprietary" +LICENSE="Proprietary" LIC_FILES_CHKSUM="file://${WOLFCLU_LICENSE};md5=${WOLFCLU_LICENSE_MD5}" SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLFCLU_SRC}.7z" @@ -8,6 +8,8 @@ SRC_URI[sha256sum]="${WOLFCLU_SRC_SHA}" DEPENDS += "p7zip-native" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFCLU_SRC}" do_unpack[depends] += "p7zip-native:do_populate_sysroot" 
@@ -17,14 +19,9 @@ do_unpack() { 7za x "${WORKDIR}/${WOLFCLU_SRC}.7z" -p"${WOLFCLU_SRC_PASS}" -o"${WORKDIR}" -aoa } - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure diff --git a/recipes-wolfssl/wolfclu/wolfclu_0.1.8.bb b/recipes-wolfssl/wolfclu/wolfclu_0.1.8.bb index f9c15655..077f13f0 100644 --- a/recipes-wolfssl/wolfclu/wolfclu_0.1.8.bb +++ b/recipes-wolfssl/wolfclu/wolfclu_0.1.8.bb @@ -11,13 +11,16 @@ PROVIDES += "wolfclu" RPROVIDES_${PN} = "wolfclu" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolfssl" SRC_URI = "git://github.com/wolfssl/wolfclu.git;nobranch=1;protocol=https;rev=439a801afb3b9050af7906479300afb29f7b72ff" S = "${WORKDIR}/git" -inherit autotools pkgconfig wolfssl-helper +inherit autotools pkgconfig wolfssl-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') +} EXTRA_OECONF = "--with-wolfssl=${STAGING_EXECPREFIXDIR}" diff --git a/recipes-wolfssl/wolfcrypt-py/wolfcrypt-py_5.8.2.bb b/recipes-wolfssl/wolfcrypt-py/wolfcrypt-py_5.8.2.bb index d8e7d29e..3ec5ded7 100644 --- a/recipes-wolfssl/wolfcrypt-py/wolfcrypt-py_5.8.2.bb +++ b/recipes-wolfssl/wolfcrypt-py/wolfcrypt-py_5.8.2.bb 
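Review bot: `echo -e` in the new `do_configure_disable_autogen` task is not portable: BitBake runs shell tasks under /bin/sh, and where that is dash the `-e` is printed as text, so the stub's first line becomes `-e #!/bin/sh` instead of a shebang. Use `printf '#!/bin/sh\nexit 0\n' > ${S}/autogen.sh` instead. The same task body is repeated in the wolfengine, wolfmqtt, wolfpkcs11, wolfprovider, wolfssh, wolftpm and wolfssl (commercial and fips-ready) bbappends. The stub used to be written inside do_configure and is now ordered only `after do_unpack`, so it can run alongside do_patch; `after do_patch` would keep the old ordering.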
@@ -1,6 +1,6 @@ SUMMARY = "wolfCrypt Python, a.k.a. wolfcrypt is a Python module that \ encapsulates wolfSSL's wolfCrypt API." - + DESCRIPTION = "wolfCrypt is a lightweight, portable, C-language-based crypto \ library targeted at IoT, embedded, and RTOS environments \ primarily because of its size, speed, and feature set. It works \ @@ -29,12 +29,11 @@ DEPENDS += " virtual/wolfssl \ python3 \ " -RDEPENDS:${PN} += " wolfssl \ - python3 \ - python3-cffi \ - " +inherit setuptools3 wolfssl-compatibility -inherit setuptools3 +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl python3 python3-cffi') +} S = "${WORKDIR}/git" diff --git a/recipes-wolfssl/wolfengine/commercial/wolfengine_%.bbappend b/recipes-wolfssl/wolfengine/commercial/wolfengine_%.bbappend index 6f705525..52a4905f 100644 --- a/recipes-wolfssl/wolfengine/commercial/wolfengine_%.bbappend +++ b/recipes-wolfssl/wolfengine/commercial/wolfengine_%.bbappend @@ -1,6 +1,6 @@ BBFILE_PRIORITY='2' COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" -LICENSE="Proprietary" +LICENSE="Proprietary" LIC_FILES_CHKSUM="file://${WOLFENGINE_LICENSE};md5=${WOLFENGINE_LICENSE_MD5}" SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLFENGINE_SRC}.7z" @@ -8,6 +8,8 @@ SRC_URI[sha256sum]="${WOLFENGINE_SRC_SHA}" DEPENDS += "p7zip-native" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFENGINE_SRC}" do_unpack[depends] += "p7zip-native:do_populate_sysroot" 
@@ -17,14 +19,9 @@ do_unpack() { 7za x "${WORKDIR}/${WOLFENGINE_SRC}.7z" -p"${WOLFENGINE_SRC_PASS}" -o"${WORKDIR}" -aoa } - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure diff --git a/recipes-wolfssl/wolfengine/wolfengine_1.4.0.bb b/recipes-wolfssl/wolfengine/wolfengine_1.4.0.bb index 22bc62d7..18cfd353 100644 --- a/recipes-wolfssl/wolfengine/wolfengine_1.4.0.bb +++ b/recipes-wolfssl/wolfengine/wolfengine_1.4.0.bb @@ -18,9 +18,11 @@ DEPENDS += " virtual/wolfssl \ openssl \ " -RDEPENDS:${PN} += "wolfssl openssl" +inherit autotools pkgconfig wolfssl-helper wolfssl-compatibility -inherit autotools pkgconfig wolfssl-helper +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl openssl') +} CFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." CXXFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." diff --git a/recipes-wolfssl/wolfmqtt/commercial/wolfmqtt_%.bbappend b/recipes-wolfssl/wolfmqtt/commercial/wolfmqtt_%.bbappend index 0d9b57dc..6ef8f98a 100644 --- a/recipes-wolfssl/wolfmqtt/commercial/wolfmqtt_%.bbappend +++ b/recipes-wolfssl/wolfmqtt/commercial/wolfmqtt_%.bbappend @@ -1,6 +1,6 @@ BBFILE_PRIORITY='2' COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" -LICENSE="Proprietary" +LICENSE="Proprietary" LIC_FILES_CHKSUM="file://${WOLFMQTT_LICENSE};md5=${WOLFMQTT_LICENSE_MD5}" SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLFMQTT_SRC}.7z" 
@@ -8,6 +8,8 @@ SRC_URI[sha256sum]="${WOLFMQTT_SRC_SHA}" DEPENDS += "p7zip-native" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFMQTT_SRC}" do_unpack[depends] += "p7zip-native:do_populate_sysroot" @@ -17,14 +19,9 @@ do_unpack() { 7za x "${WORKDIR}/${WOLFMQTT_SRC}.7z" -p"${WOLFMQTT_SRC_PASS}" -o"${WORKDIR}" -aoa } - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure diff --git a/recipes-wolfssl/wolfmqtt/wolfmqtt_1.20.0.bb b/recipes-wolfssl/wolfmqtt/wolfmqtt_1.20.0.bb index 86641c3c..2bbc88cc 100644 --- a/recipes-wolfssl/wolfmqtt/wolfmqtt_1.20.0.bb +++ b/recipes-wolfssl/wolfmqtt/wolfmqtt_1.20.0.bb @@ -11,14 +11,17 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolfssl" SRC_URI = "git://github.com/wolfssl/wolfMQTT.git;nobranch=1;protocol=https;rev=320ed37633f896cf2485c9c5f8bed3400ae8b4d5" S = "${WORKDIR}/git" -inherit autotools pkgconfig wolfssl-helper +inherit autotools pkgconfig wolfssl-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') +} EXTRA_OECONF = "--with-libwolfssl-prefix=${STAGING_EXECPREFIXDIR}" 
@@ -27,5 +30,5 @@ export CFLAGS += ' -g0 -O2 -ffile-prefix-map=${WORKDIR}=.' export CXXFLAGS += ' -g0 -O2 -ffile-prefix-map=${WORKDIR}=.' export LDFLAGS += ' -Wl,--build-id=none' -# Ensure consistent locale +# Ensure consistent locale export LC_ALL = "C" \ No newline at end of file diff --git a/recipes-wolfssl/wolfpkcs11/commercial/wolfpkcs11_%.bbappend b/recipes-wolfssl/wolfpkcs11/commercial/wolfpkcs11_%.bbappend index 050b2d39..407e7e3c 100644 --- a/recipes-wolfssl/wolfpkcs11/commercial/wolfpkcs11_%.bbappend +++ b/recipes-wolfssl/wolfpkcs11/commercial/wolfpkcs11_%.bbappend @@ -1,6 +1,6 @@ BBFILE_PRIORITY='2' COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" -LICENSE="Proprietary" +LICENSE="Proprietary" LIC_FILES_CHKSUM="file://${WOLFPKCS11_LICENSE};md5=${WOLFPKCS11_LICENSE_MD5}" SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLFPKCS11_SRC}.7z" @@ -8,6 +8,8 @@ SRC_URI[sha256sum]="${WOLFPKCS11_SRC_SHA}" DEPENDS += "p7zip-native" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFPKCS11_SRC}" do_unpack[depends] += "p7zip-native:do_populate_sysroot" @@ -17,14 +19,9 @@ do_unpack() { 7za x "${WORKDIR}/${WOLFPKCS11_SRC}.7z" -p"${WOLFPKCS11_SRC_PASS}" -o"${WORKDIR}" -aoa } - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure diff --git a/recipes-wolfssl/wolfpkcs11/wolfpkcs11_2.0.0.bb b/recipes-wolfssl/wolfpkcs11/wolfpkcs11_2.0.0.bb index 8bc5d20b..96a8dc0e 100644 
--- a/recipes-wolfssl/wolfpkcs11/wolfpkcs11_2.0.0.bb +++ b/recipes-wolfssl/wolfpkcs11/wolfpkcs11_2.0.0.bb @@ -7,13 +7,16 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://gpl-3.0.txt;md5=d32239bcb673463ab874e80d47fae504" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolfssl" SRC_URI = "git://github.com/wolfSSL/wolfPKCS11.git;nobranch=1;protocol=https;rev=6b76537e4cc5bea0358b7059fda26d1872584be4" S = "${WORKDIR}/git" -inherit autotools pkgconfig wolfssl-helper +inherit autotools pkgconfig wolfssl-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') +} export CFLAGS += ' -I${STAGING_INCDIR} -L${STAGING_LIBDIR}' diff --git a/recipes-wolfssl/wolfprovider/commercial/wolfprovider_%.bbappend b/recipes-wolfssl/wolfprovider/commercial/wolfprovider_%.bbappend index d1ac873a..ee2be3e9 100644 --- a/recipes-wolfssl/wolfprovider/commercial/wolfprovider_%.bbappend +++ b/recipes-wolfssl/wolfprovider/commercial/wolfprovider_%.bbappend @@ -1,6 +1,6 @@ BBFILE_PRIORITY='2' COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" -LICENSE="Proprietary" +LICENSE="Proprietary" LIC_FILES_CHKSUM="file://${WOLFPROVIDER_LICENSE};md5=${WOLFPROVIDER_LICENSE_MD5}" SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLFPROVIDER_SRC}.7z" @@ -8,6 +8,8 @@ SRC_URI[sha256sum]="${WOLFPROVIDER_SRC_SHA}" DEPENDS += "p7zip-native" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFPROVIDER_SRC}" do_unpack[depends] += "p7zip-native:do_populate_sysroot" 
@@ -17,14 +19,9 @@ do_unpack() { 7za x "${WORKDIR}/${WOLFPROVIDER_SRC}.7z" -p"${WOLFPROVIDER_SRC_PASS}" -o"${WORKDIR}" -aoa } - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index 5e5bd493..5fb08808 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb +++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb @@ -16,9 +16,15 @@ DEPENDS += " virtual/wolfssl \ openssl \ " -RDEPENDS:${PN} += "wolfssl openssl" - -inherit autotools pkgconfig wolfssl-helper +inherit autotools pkgconfig wolfssl-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl openssl') + wolfssl_varSet(d, 'FILES', '${PN}-dev', '${includedir} ${libdir}/pkgconfig/*.pc') + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${libdir}/libwolfprov.so ${libdir}/ssl-3/modules/libwolfprov.so ${libdir}/ossl-modules/libwolfprov.so') + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${sysconfdir}/ssl/openssl.cnf.d/wolfprovider*.conf') + wolfssl_varAppend(d, 'INSANE_SKIP', '${PN}', ' dev-so') +} S = "${WORKDIR}/git" @@ -29,7 +35,7 @@ install_provider_module() { echo "libwolfprov.so.0.0.0 not found in ${D}${libdir}/" >&2 exit 1 fi - + # Create the OpenSSL module directory symlink install -d ${D}${libdir}/ssl-3/modules if [ ! -e ${D}${libdir}/ssl-3/modules/libwolfprov.so ]; then 
@@ -50,22 +56,12 @@ install_provider_module() { do_install[postfuncs] += "install_provider_module" -CFLAGS:append = " -I${S}/include" -CXXFLAGS:append = " -I${S}/include" -CPPFLAGS:append = " -I${S}/include" +CFLAGS += " -I${S}/include" +CXXFLAGS += " -I${S}/include" +CPPFLAGS += " -I${S}/include" EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}" # Keep unversioned .so in the runtime package FILES_SOLIBSDEV = "" -# Explicitly list what goes to -dev instead (headers, pc) -FILES:${PN}-dev = "${includedir} ${libdir}/pkgconfig/*.pc" - -# Ensure the symlink is assigned to runtime -FILES:${PN} += "${libdir}/libwolfprov.so ${libdir}/ssl-3/modules/libwolfprov.so ${libdir}/ossl-modules/libwolfprov.so" -FILES:${PN} += "${sysconfdir}/ssl/openssl.cnf.d/wolfprovider*.conf" - -# Shipping an unversioned .so in runtime: suppress QA warning -INSANE_SKIP:${PN} += "dev-so" - diff --git a/recipes-wolfssl/wolfssh/commercial/wolfssh_%.bbappend b/recipes-wolfssl/wolfssh/commercial/wolfssh_%.bbappend index 23bebf83..df2084fd 100644 --- a/recipes-wolfssl/wolfssh/commercial/wolfssh_%.bbappend +++ b/recipes-wolfssl/wolfssh/commercial/wolfssh_%.bbappend @@ -1,6 +1,6 @@ BBFILE_PRIORITY='2' COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" -LICENSE="Proprietary" +LICENSE="Proprietary" LIC_FILES_CHKSUM="file://${WOLFSSH_LICENSE};md5=${WOLFSSH_LICENSE_MD5}" SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLFSSH_SRC}.7z" @@ -8,6 +8,8 @@ SRC_URI[sha256sum]="${WOLFSSH_SRC_SHA}" DEPENDS += "p7zip-native" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFSSH_SRC}" do_unpack[depends] += "p7zip-native:do_populate_sysroot" 
@@ -17,14 +19,9 @@ do_unpack() { 7za x "${WORKDIR}/${WOLFSSH_SRC}.7z" -p"${WOLFSSH_SRC_PASS}" -o"${WORKDIR}" -aoa } - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure diff --git a/recipes-wolfssl/wolfssh/wolfssh_1.4.21.bb b/recipes-wolfssl/wolfssh/wolfssh_1.4.21.bb index 31fa7055..e1ba1eac 100644 --- a/recipes-wolfssl/wolfssh/wolfssh_1.4.21.bb +++ b/recipes-wolfssl/wolfssh/wolfssh_1.4.21.bb @@ -10,13 +10,16 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://LICENSING;md5=2c2d0ee3db6ceba278dd43212ed03733" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolfssl" SRC_URI = "git://github.com/wolfssl/wolfssh.git;nobranch=1;protocol=https;rev=c10896cae99ecf2b5c1ae170d0eb001f18008809" S = "${WORKDIR}/git" -inherit autotools pkgconfig wolfssl-helper +inherit autotools pkgconfig wolfssl-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') +} EXTRA_OECONF = "--with-wolfssl=${STAGING_EXECPREFIXDIR}" @@ -25,5 +28,5 @@ export CFLAGS += ' -g0 -O2 -ffile-prefix-map=${WORKDIR}=.' export CXXFLAGS += ' -g0 -O2 -ffile-prefix-map=${WORKDIR}=.' export LDFLAGS += ' -Wl,--build-id=none' -# Ensure consistent locale +# Ensure consistent locale export LC_ALL = "C" \ No newline at end of file diff --git a/recipes-wolfssl/wolfssl/README-linuxkm.md b/recipes-wolfssl/wolfssl/README-linuxkm.md index 25d8bd2a..9d388654 100644 --- a/recipes-wolfssl/wolfssl/README-linuxkm.md 
+++ b/recipes-wolfssl/wolfssl/README-linuxkm.md @@ -51,8 +51,25 @@ inherit wolfssl-initramfs PACKAGE_INSTALL:append = " wolfssl-linuxkm" ``` -For FIPS: +**Automatic FIPS Selection:** +If you have configured `wolfssl-fips.conf` with: +```bitbake +# Use wolfSSL FIPS Linux kernel module (FIPS-validated kernel module) +PREFERRED_PROVIDER_virtual/wolfssl-linuxkm = "wolfssl-linuxkm-fips" +PREFERRED_PROVIDER_wolfssl-linuxkm = "wolfssl-linuxkm-fips" +``` + +**Note:** Both lines are required: +- `virtual/wolfssl-linuxkm` - Controls build-time dependencies +- `wolfssl-linuxkm` - Controls runtime package installation + +Then `wolfssl-linuxkm` will automatically resolve to the FIPS-validated version (`wolfssl-linuxkm-fips`). +No code changes needed - the virtual provider system handles the switch automatically. + +**Manual FIPS Selection (alternative):** + +You can also explicitly specify the FIPS version: ```bitbake PACKAGE_INSTALL:append = " wolfssl-linuxkm-fips" ``` diff --git a/recipes-wolfssl/wolfssl/commercial/wolfssl_%.bbappend b/recipes-wolfssl/wolfssl/commercial/wolfssl_%.bbappend index a5fcbbd7..4f4f116a 100644 --- a/recipes-wolfssl/wolfssl/commercial/wolfssl_%.bbappend +++ b/recipes-wolfssl/wolfssl/commercial/wolfssl_%.bbappend 
@@ -22,14 +22,13 @@ COMMERCIAL_BUNDLE_GCS_TOOL = "${@d.getVar('WOLFSSL_BUNDLE_GCS_TOOL') or 'auto'}" SRC_URI = "${@get_commercial_src_uri(d)}" S = "${@get_commercial_source_dir(d)}" -inherit wolfssl-commercial +inherit wolfssl-commercial wolfssl-compatibility # Ensure autogen.sh never runs for commercial bundles -python() { - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - distro_version = d.getVar('DISTRO_VERSION', True) - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - d.appendVar('do_configure_prepend', autogen_create) - else: - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure + diff --git a/recipes-wolfssl/wolfssl/fips-ready/wolfssl_%.bbappend b/recipes-wolfssl/wolfssl/fips-ready/wolfssl_%.bbappend index 1c7f1a43..5417944a 100644 --- a/recipes-wolfssl/wolfssl/fips-ready/wolfssl_%.bbappend +++ b/recipes-wolfssl/wolfssl/fips-ready/wolfssl_%.bbappend 
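Review bot: In this bbappend the source tree comes from the wolfssl-commercial class rather than from do_unpack alone, so ordering `do_configure_disable_autogen` only `after do_unpack` does not guarantee that `${S}` exists when the stub is written. The ordering of the class's extract task (`do_commercial_extract`) is defined outside this hunk, so this is inferred. If that task runs after do_unpack, the new task can fail on a missing directory or have its autogen.sh overwritten by the extraction. `addtask do_configure_disable_autogen after do_commercial_extract before do_configure` would restore what the old do_configure prepend guaranteed.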
@@ -6,18 +6,16 @@ FIPSREADY_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" SRC_URI = "file://${FIPSREADY_CONFIG_DIR}/files/${WOLFSSL_SRC}.zip" SRC_URI[sha256sum] = "${WOLFSSL_SRC_SHA}" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFSSL_SRC}" -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } +addtask do_configure_disable_autogen after do_unpack before do_configure + TARGET_CFLAGS += "-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=${FIPS_HASH} -DFP_MAX_BITS=16384" EXTRA_OECONF += "--enable-fips=ready " diff --git a/recipes-wolfssl/wolfssl/wolfssl-fips.bb b/recipes-wolfssl/wolfssl/wolfssl-fips.bb index c306abe5..2e264a6b 100644 --- a/recipes-wolfssl/wolfssl/wolfssl-fips.bb +++ b/recipes-wolfssl/wolfssl/wolfssl-fips.bb @@ -19,7 +19,12 @@ DEPENDS += "util-linux-native" # - virtual/wolfssl (build-time interface for switching implementations) # At runtime, the wolfssl-fips package provides wolfssl to satisfy package dependencies PROVIDES += "wolfssl-fips virtual/wolfssl" -RPROVIDES:${PN} += "wolfssl" + +inherit autotools pkgconfig wolfssl-helper wolfssl-commercial wolfssl-fips-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RPROVIDES', '${PN}', ' wolfssl') +} # Lower preference so regular wolfssl is default # Users must explicitly set PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" 
@@ -37,13 +42,15 @@ DEFAULT_PREFERENCE = "-1" # Commercial bundle configuration # Users can set WOLFSSL_SRC_DIR in local.conf to specify bundle location +# Users can set WOLFSSL_SRC_DIRECTORY in local.conf to point directly to extracted source WOLFSSL_SRC_DIR ?= "${@os.path.dirname(d.getVar('FILE', True))}/commercial/files" +WOLFSSL_SRC_DIRECTORY ?= "" WOLFSSL_BUNDLE_FILE ?= "" WOLFSSL_BUNDLE_GCS_URI ?= "" WOLFSSL_BUNDLE_GCS_TOOL ?= "" -# Enable commercial bundle extraction only when WOLFSSL_SRC is configured -COMMERCIAL_BUNDLE_ENABLED ?= "${@'1' if d.getVar('WOLFSSL_SRC') else '0'}" +# Enable commercial bundle extraction only when WOLFSSL_SRC or WOLFSSL_SRC_DIRECTORY is configured +COMMERCIAL_BUNDLE_ENABLED ?= "${@'1' if (d.getVar('WOLFSSL_SRC') or d.getVar('WOLFSSL_SRC_DIRECTORY')) else '0'}" # Map to commercial class variables COMMERCIAL_BUNDLE_DIR = "${WOLFSSL_SRC_DIR}" @@ -54,6 +61,7 @@ COMMERCIAL_BUNDLE_SHA = "${WOLFSSL_SRC_SHA}" COMMERCIAL_BUNDLE_TARGET = "${WORKDIR}" COMMERCIAL_BUNDLE_GCS_URI = "${WOLFSSL_BUNDLE_GCS_URI}" COMMERCIAL_BUNDLE_GCS_TOOL = "${@d.getVar('WOLFSSL_BUNDLE_GCS_TOOL') or 'auto'}" +COMMERCIAL_BUNDLE_SRC_DIR = "${WOLFSSL_SRC_DIRECTORY}" # Use helper functions from wolfssl-commercial.bbclass for conditional configuration SRC_URI = "${@get_commercial_src_uri(d)}" @@ -62,8 +70,6 @@ S = "${@get_commercial_source_dir(d)}" # Optional: switch to GCS/tarball flow (gs:// URI) when set require ${WOLFSSL_LAYERDIR}/inc/wolfssl-fips/wolfssl-commercial-gcs.inc -inherit autotools pkgconfig wolfssl-helper wolfssl-commercial wolfssl-fips-helper - # Skip the package check for wolfssl-fips itself (it's the base library) deltask do_wolfssl_check_package diff --git a/recipes-wolfssl/wolfssl/wolfssl-linuxkm-fips.bb b/recipes-wolfssl/wolfssl/wolfssl-linuxkm-fips.bb index edc1c08c..a5d6ca38 100644 --- a/recipes-wolfssl/wolfssl/wolfssl-linuxkm-fips.bb +++ b/recipes-wolfssl/wolfssl/wolfssl-linuxkm-fips.bb 
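Review bot: The comment introducing `WOLFSSL_SRC_DIRECTORY` should say that this path skips source verification: with it set, `get_commercial_src_uri` returns an empty SRC_URI, so nothing is fetched and `WOLFSSL_SRC_SHA` is never compared against anything. For a FIPS recipe that belongs next to the variable, e.g. `# NOTE: bypasses the fetcher; WOLFSSL_SRC_SHA is not checked, verify the directory contents out of band`. The same variable and comment are added in wolfssl-linuxkm-fips.bb. Whether the extract task performs any check of its own is not visible in this diff.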
@@ -1,25 +1,55 @@ -SUMMARY = "wolfSSL Linux kernel module (libwolfssl.ko)" -DESCRIPTION = "Out-of-tree Linux kernel module for wolfSSL/wolfCrypt" +SUMMARY = "wolfSSL FIPS Linux kernel module (libwolfssl.ko)" +DESCRIPTION = "Out-of-tree Linux kernel module for wolfSSL/wolfCrypt with FIPS 140-3 validation" LICENSE = "CLOSED" -LIC_FILES_CHKSUM = "file://WolfSSL_LicenseAgmt_JAN-2024.pdf;md5=9b56a02d020e92a4bd49d0914e7d7db8" +WOLFSSL_LICENSE ?= "WolfSSL_LicenseAgmt_JAN-2024.pdf" +WOLFSSL_LICENSE_MD5 ?= "9b56a02d020e92a4bd49d0914e7d7db8" +LIC_FILES_CHKSUM = "file://${WOLFSSL_LICENSE};md5=${WOLFSSL_LICENSE_MD5}" DEPENDS += "virtual/kernel openssl-native" +# This recipe provides: +# - wolfssl-linuxkm-fips (automatic from recipe name) +# - virtual/wolfssl-linuxkm (build-time interface for switching implementations) +# At runtime, the wolfssl-linuxkm-fips package provides wolfssl-linuxkm to satisfy package dependencies +PROVIDES += "wolfssl-linuxkm-fips virtual/wolfssl-linuxkm" + +# Build for target kernel +inherit module-base wolfssl-helper autotools wolfssl-commercial wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RPROVIDES', '${PN}', ' wolfssl-linuxkm') + wolfssl_varAppend(d, 'FILES', '${PN}', ' ${nonarch_base_libdir}/modules/${KERNEL_VERSION}/extra/libwolfssl.ko') + wolfssl_varAppend(d, 'FILES', '${PN}-dbg', ' ${nonarch_base_libdir}/modules/${KERNEL_VERSION}/extra/.debug') + wolfssl_varAppend(d, 'INSANE_SKIP', '${PN}', ' buildpaths debug-files') + wolfssl_varAppend(d, 'INSANE_SKIP', '${PN}-dbg', ' buildpaths') +} + +# Lower preference so regular wolfssl-linuxkm is default +# Users must explicitly set PREFERRED_PROVIDER_virtual/wolfssl-linuxkm = "wolfssl-linuxkm-fips" +DEFAULT_PREFERENCE = "-1" + # Use the same commercial FIPS bundle as user-mode wolfssl # These come from wolfssl-fips.conf (WOLFSSL_SRC, WOLFSSL_SRC_PASS, WOLFSSL_SRC_SHA) # Users can set WOLFSSL_SRC_DIR in local.conf to specify bundle location +# Users can set WOLFSSL_SRC_DIRECTORY 
in local.conf to point directly to extracted source WOLFSSL_SRC_DIR ?= "${@os.path.dirname(d.getVar('FILE', True))}/commercial/files" +WOLFSSL_SRC_DIRECTORY ?= "" -# Enable commercial bundle extraction only when WOLFSSL_SRC is configured +# Enable commercial bundle extraction only when WOLFSSL_SRC or WOLFSSL_SRC_DIRECTORY is configured # Set BEFORE inherit so it overrides the class default -COMMERCIAL_BUNDLE_ENABLED ?= "${@'1' if d.getVar('WOLFSSL_SRC') else '0'}" +COMMERCIAL_BUNDLE_ENABLED ?= "${@'1' if (d.getVar('WOLFSSL_SRC') or d.getVar('WOLFSSL_SRC_DIRECTORY')) else '0'}" COMMERCIAL_BUNDLE_DIR = "${WOLFSSL_SRC_DIR}" COMMERCIAL_BUNDLE_NAME = "${WOLFSSL_SRC}" COMMERCIAL_BUNDLE_PASS = "${WOLFSSL_SRC_PASS}" COMMERCIAL_BUNDLE_SHA = "${WOLFSSL_SRC_SHA}" COMMERCIAL_BUNDLE_TARGET = "${WORKDIR}" +COMMERCIAL_BUNDLE_SRC_DIR = "${WOLFSSL_SRC_DIRECTORY}" -# Build for target kernel -inherit module-base wolfssl-helper autotools wolfssl-commercial +# Kernel module FIPS hash configuration +# WOLFSSL_FIPS_HASH_MODE_LINUXKM controls whether to use manual hash or kernel's auto-generation +# - "manual": Use FIPS_HASH_LINUXKM from config +# - "auto": Let kernel module build system handle it (extract from error on first build) +WOLFSSL_FIPS_HASH_MODE_LINUXKM ?= "manual" +FIPS_HASH_LINUXKM ?= "" # Skip the package check for wolfssl itself (it's the base library) deltask do_wolfssl_check_package @@ -37,8 +67,6 @@ DEPENDS += "binutils-cross-${TARGET_ARCH}" # Make sure we package the .ko PACKAGES = "${PN} ${PN}-dbg" -FILES:${PN} += "${nonarch_base_libdir}/modules/${KERNEL_VERSION}/extra/libwolfssl.ko" -FILES:${PN}-dbg += "${nonarch_base_libdir}/modules/${KERNEL_VERSION}/extra/.debug" # Tie package arch to machine PACKAGE_ARCH = "${MACHINE_ARCH}" 
@@ -58,12 +86,29 @@ EXTRA_OECONF = " \ --enable-crypttests \ " +python __anonymous() { + # Pass FIPS hash as compile-time define (same approach as userspace wolfssl-fips) + if d.getVar('WOLFSSL_FIPS_HASH_MODE_LINUXKM') == 'manual' and d.getVar('FIPS_HASH_LINUXKM'): + hash_val = d.getVar('FIPS_HASH_LINUXKM') + wolfssl_varAppendNonOverride(d, 'EXTRA_OEMAKE', ' KERNEL_EXTRA_CFLAGS="-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=' + hash_val + '"') +} + +do_configure_fips_hash_check() { + if [ "${WOLFSSL_FIPS_HASH_MODE_LINUXKM}" = "manual" ]; then + if [ -n "${FIPS_HASH_LINUXKM}" ]; then + bbnote "Kernel module manual FIPS mode - hash: ${FIPS_HASH_LINUXKM}" + else + bbwarn "WOLFSSL_FIPS_HASH_MODE_LINUXKM=manual but FIPS_HASH_LINUXKM is not set" + fi + else + bbnote "Kernel module auto FIPS mode - hash will be determined by build" + fi +} + +addtask do_configure_fips_hash_check after do_patch before do_configure + do_install() { install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/extra install -m 0644 ${S}/linuxkm/libwolfssl.ko \ ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/extra/ } - -# Skip package QA warnings for kernel modules -INSANE_SKIP:${PN} += "buildpaths debug-files" -INSANE_SKIP:${PN}-dbg += "buildpaths" \ No newline at end of file diff --git a/recipes-wolfssl/wolfssl/wolfssl-linuxkm.bb b/recipes-wolfssl/wolfssl/wolfssl-linuxkm.bb index 0eef8bd8..140a06d1 100644 --- a/recipes-wolfssl/wolfssl/wolfssl-linuxkm.bb +++ b/recipes-wolfssl/wolfssl/wolfssl-linuxkm.bb 
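Review bot: `FIPS_HASH_LINUXKM` is concatenated into `EXTRA_OEMAKE` inside a quoted `KERNEL_EXTRA_CFLAGS="..."` with no check on its content, so a value containing a quote or whitespace changes the make command line rather than just the define. Validate it as a hex string before appending and stop with a clear error otherwise. In the same hunk, `do_configure_fips_hash_check` only calls `bbwarn` when manual mode has no hash, so the build carries on without the define; `bbfatal` there would surface the misconfiguration before the module is built, if that is the intent.

```bitbake
python __anonymous() {
    import re
    hash_val = (d.getVar('FIPS_HASH_LINUXKM') or '').strip()
    if d.getVar('WOLFSSL_FIPS_HASH_MODE_LINUXKM') == 'manual' and hash_val:
        # Only hex digits may reach the make command line
        if not re.fullmatch(r'[0-9A-Fa-f]+', hash_val):
            bb.fatal("FIPS_HASH_LINUXKM must be a hex string")
        # … unchanged: wolfssl_varAppendNonOverride(d, 'EXTRA_OEMAKE', …) …
}
```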
@@ -4,8 +4,19 @@ LICENSE = "GPL-3.0-only" DEPENDS += "virtual/kernel openssl-native" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" +# This recipe provides: +# - wolfssl-linuxkm (automatic from recipe name) +# - virtual/wolfssl-linuxkm (build-time interface for switching implementations) +PROVIDES += "wolfssl-linuxkm virtual/wolfssl-linuxkm" + # Build for target kernel -inherit module-base autotools wolfssl-helper +inherit module-base autotools wolfssl-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varSet(d, 'RDEPENDS', '${PN}', '') + wolfssl_varSet(d, 'FILES', '${PN}', '${nonarch_base_libdir}/modules ${sysconfdir}/modules-load.d') + wolfssl_varAppend(d, 'INSANE_SKIP', '${PN}', ' buildpaths debug-files') +} # Skip the package check for wolfssl itself (it's the base library) deltask do_wolfssl_check_package @@ -45,20 +56,12 @@ do_install() { } # Remove debug directory if present -do_install:append() { +do_install_linuxkm_autoload() { install -d ${D}/etc/modules-load.d echo "libwolfssl" > ${D}/etc/modules-load.d/wolfssl.conf } -RDEPENDS:${PN} = "" - -# Provide alias so both names work -RPROVIDES:${PN} = "kernel-module-libwolfssl" +addtask do_install_linuxkm_autoload after do_install before do_package +do_install_linuxkm_autoload[fakeroot] = "1" INHIBIT_PACKAGE_DEBUG_SPLIT = "1" - -FILES:${PN} = "${nonarch_base_libdir}/modules \ - ${sysconfdir}/modules-load.d" - -# Skip package QA warnings for kernel modules -INSANE_SKIP:${PN} += "buildpaths debug-files" diff --git a/recipes-wolfssl/wolftpm/commercial/wolftpm_%.bbappend b/recipes-wolfssl/wolftpm/commercial/wolftpm_%.bbappend index 3e052be6..9e696ff3 100644 --- a/recipes-wolfssl/wolftpm/commercial/wolftpm_%.bbappend +++ b/recipes-wolfssl/wolftpm/commercial/wolftpm_%.bbappend 
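Review bot: The `kernel-module-libwolfssl` runtime alias is dropped in the second hunk and not re-created in the new `__anonymous` block, which sets only RDEPENDS, FILES and INSANE_SKIP, so anything that still installs or RDEPENDS on that name will no longer resolve. If the removal is not intended, add `wolfssl_varSet(d, 'RPROVIDES', '${PN}', 'kernel-module-libwolfssl')` to the block. The new `do_install_linuxkm_autoload` task also writes to `${D}/etc/modules-load.d` while FILES uses `${sysconfdir}/modules-load.d`; using `${D}${sysconfdir}` in the task keeps the two in step. The retained comment `# Remove debug directory if present` does not describe this task.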
@@ -1,6 +1,6 @@ BBFILE_PRIORITY='2' COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}" -LICENSE="Proprietary" +LICENSE="Proprietary" LIC_FILES_CHKSUM="file://${WOLFTPM_LICENSE};md5=${WOLFTPM_LICENSE_MD5}" SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLFTPM_SRC}.7z" @@ -8,6 +8,8 @@ SRC_URI[sha256sum]="${WOLFTPM_SRC_SHA}" DEPENDS += "p7zip-native" +inherit wolfssl-compatibility + S = "${WORKDIR}/${WOLFTPM_SRC}" do_unpack[depends] += "p7zip-native:do_populate_sysroot" @@ -17,14 +19,9 @@ do_unpack() { 7za x "${WORKDIR}/${WOLFTPM_SRC}.7z" -p"${WOLFTPM_SRC_PASS}" -o"${WORKDIR}" -aoa } - -python() { - distro_version = d.getVar('DISTRO_VERSION', True) - autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh' - if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): - # For Dunfell and earlier - d.appendVar('do_configure_prepend', autogen_create) - else: - # For Kirkstone and later - d.appendVar('do_configure:prepend', autogen_create) +do_configure_disable_autogen() { + echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh + chmod +x ${S}/autogen.sh } + +addtask do_configure_disable_autogen after do_unpack before do_configure diff --git a/recipes-wolfssl/wolftpm/wolftpm_3.9.2.bb b/recipes-wolfssl/wolftpm/wolftpm_3.9.2.bb index d5887c3f..e34cf3fa 100644 --- a/recipes-wolfssl/wolftpm/wolftpm_3.9.2.bb +++ b/recipes-wolfssl/wolftpm/wolftpm_3.9.2.bb 
@@ -11,13 +11,16 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504" DEPENDS += "virtual/wolfssl" -RDEPENDS:${PN} += "wolfssl" SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=75938ca2b0810aba6ed21c5184e7a45d28003522" S = "${WORKDIR}/git" -inherit autotools pkgconfig wolfssl-helper +inherit autotools pkgconfig wolfssl-helper wolfssl-compatibility + +python __anonymous() { + wolfssl_varAppend(d, 'RDEPENDS', '${PN}', ' wolfssl') +} EXTRA_OECONF = "--with-wolfcrypt=${STAGING_EXECPREFIXDIR}" @@ -26,5 +29,5 @@ export CFLAGS += ' -g0 -O2 -ffile-prefix-map=${WORKDIR}=.' export CXXFLAGS += ' -g0 -O2 -ffile-prefix-map=${WORKDIR}=.' export LDFLAGS += ' -Wl,--build-id=none' -# Ensure consistent locale +# Ensure consistent locale export LC_ALL = "C" \ No newline at end of file