On Tue, Jan 12, 2010, jim.r...@sncorp.com wrote:

> I'm trying to build openssl-fips-1.2 for an Arm XSCALE 255 running a 
> debian-based linux filesystem. Build system is an x86-Knoppix machine. 
> 
> I've applied the openssl-fips-1.2.crossbuild.patch as advised in the User 
> Manual and Security Policy. 
> 
> After setting $CROSS_COMPILE and $HOSTCC as needed, I am running into a 
> problem during the build where fipsld is trying to generate a signature. 
> 
> Here's the error:
> make[2]: Entering directory `/hda1/softw-local/uadmas/openssl/openssl-build/openssl-fips-1.2'
> fips/fipsld: line 121: fips/../fips/fips_premain_dso: cannot execute binary file
> 
> 
> 
> The following section of openssl-fips-1.2/fips/fipsld was patched when I 
> applied the openssl-fips-1.2.crossbuild.patch:
> 
>     # generate signature...
> !   if [ -z "${FIPS_SIG}" ]; then
> !       SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`
> !   else
> !       SIG=`"${FIPS_SIG}" -dso "${TARGET}"`
> !   fi
> 
> Now I'm pretty sure that fips_premain_dso is the wrong path because it is 
> built for the ARM target. I'm having trouble figuring out what $FIPS_SIG 
> should be set to? Do I build an x86 version of fips_premain_dso and point 
> $FIPS_SIG to it? 
> 

During a normal build (i.e. not cross compiling) OpenSSL would initially run
the executable or run fips_dso against a shared library. This would output the
signature to standard output and that signature would be used to relink the
target.

When cross compiling this can't be done because you need to run an executable
on the target system to get the signature. So fips_dso is correct but it just
can't be run on the host.

You have two options here.

One is to write a script that copies the files to the target system, executes
them and then returns the signature. The script should be set in the
environment variable FIPS_SIG and usage is:

$FIPS_SIG -dso target_share_library
$FIPS_SIG -exe target_executable

Since that process will vary from one system to another we can't write a
general solution for OpenSSL.

The other is to download the "incore" script from:

http://www.openssl.org/docs/fips/incore.gz

This attempts to do everything on the host system. It should work but during
testing the offset value did need changing sometimes. If you get signature
errors on the target system that's the most likely cause.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
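
The first option in the reply above (a FIPS_SIG script that copies the files to the target, runs them there and returns the signature) could look like the following. This is an added example, not part of the original message or of OpenSSL. It assumes ssh/scp access to the board, that the signature is printed as a bare hex string, and the hypothetical variables FIPS_TARGET_HOST, FIPS_REMOTE_DIR and FIPS_PREMAIN_DSO.

```shell
#!/bin/sh
# Added example: FIPS_SIG wrapper that obtains the signature from the target.
# Assumed (not from the thread): the FIPS_TARGET_HOST, FIPS_REMOTE_DIR and
# FIPS_PREMAIN_DSO variables, and ssh/scp access to the target board.

FIPS_TARGET_HOST="${FIPS_TARGET_HOST:-root@target.example}"   # placeholder host
FIPS_REMOTE_DIR="${FIPS_REMOTE_DIR:-/tmp/fips_sig}"
FIPS_PREMAIN_DSO="${FIPS_PREMAIN_DSO:-fips/fips_premain_dso}"  # ARM build of the helper

fips_sig() {
    mode="$1"; file="$2"
    [ -n "$file" ] || { echo "usage: fips_sig -dso|-exe file" >&2; return 2; }
    name=$(basename "$file")
    # Refuse names that would need quoting in the remote shell.
    case "$name" in
        *[!A-Za-z0-9._+-]*) echo "fips_sig: unsafe file name: $name" >&2; return 2 ;;
    esac
    case "$mode" in
        -dso) files="$FIPS_PREMAIN_DSO $file"      # helper plus the shared library
              run="./fips_premain_dso ./$name" ;;
        -exe) files="$file"                        # the executable prints its own signature
              run="./$name" ;;
        *)    echo "fips_sig: unknown mode: $mode" >&2; return 2 ;;
    esac
    ssh "$FIPS_TARGET_HOST" "mkdir -p '$FIPS_REMOTE_DIR'" || return 1
    # $files is split on purpose (one or two paths without spaces).
    scp -q $files "$FIPS_TARGET_HOST:$FIPS_REMOTE_DIR/" || return 1
    sig=$(ssh "$FIPS_TARGET_HOST" "cd '$FIPS_REMOTE_DIR' && $run") || return 1
    # fipsld embeds whatever this prints, so accept only a bare hex string
    # (assumption) and reject login banners, loader errors and empty output.
    case "$sig" in
        ''|*[!0-9a-fA-F]*) echo "fips_sig: unexpected output from target" >&2; return 1 ;;
    esac
    printf '%s\n' "$sig"
}

# Act as the FIPS_SIG program when invoked with arguments.
if [ "$#" -gt 0 ]; then fips_sig "$@"; fi
```

Save it as an executable file, point FIPS_SIG at its full path, and keep the CROSS_COMPILE and HOSTCC settings already in use for the build.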
