On 9/16/19 9:34 PM, Hongxu Jia wrote: > Signed-off-by: Hongxu Jia <hongxu....@windriver.com> > --- > README.build | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/README.build b/README.build > index 9735028..bc8fcf3 100644 > --- a/README.build > +++ b/README.build > @@ -245,3 +245,39 @@ Note this sample command is functionally equivalent to: > $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm fips_hmac.c > HMAC-SHA1(fips_hmac.c)= ae25ad68d9a8cc04075100563a437fa37829afcc > > +=============== > +FAQ > +=============== > +1. How to support fips on 32bit arm (such as MACHINE = qemuarm)? > +Set env MACHINE='arm' before Building the FIPS Object Module > +(Building Steps 3), which affects fips config not to add option > +`-march=armv7-a' to avoid failure on gcc8: > +[snip] > +|`cc1: error: -mfloat-abi=hard: selected processor lacks an FPU' > +[snip] > + > +2. How to support fips on aarch64 (such as MACHINE = qemuarm64)? > +For aarch64, FIPS 140-2 module only support android, wrapper gcc > +at Building the FIPS Object Module(Building Steps 3) to define > +macro FIPS_REF_POINT_IS_CROSS_COMPILER_AWARE to simulate what > +android did. Provide a way to add bbappend to wrapper gcc: > +mkdir -p recipes-devtools/gcc > +cat << ENDOF > recipes-devtools/gcc/gcc_9.%.bbappend > +do_install_append_aarch64() { > + create_cmdline_wrapper \${D}/\${bindir}/gcc > -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE > +} > + > +FILES_\${PN}-symlinks += "\${bindir}/gcc.real" > +ENDOF
I'm not sure the above wrapper is really allowed by the FIPS 140-2 User Guide. However, if it were, the instructions should be different. Something like:

cat > gcc-wrapper.sh << 'EOF'
#!/bin/sh
# Define the macro on every invocation, then forward the caller's arguments.
gcc -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE "$@"
EOF
chmod +x gcc-wrapper.sh
export CC='gcc-wrapper.sh'

I've not tried this though. I'll give this a try and see if this will work. We will document it with a caveat about being unclear if it's allowed.

--Mark

> +3. How to support fips on 32bit x86? (Such as MACHINE = qemux86, > +or lib32-image on qemux86-64) > +Set env MACHINE='i686' before Building the FIPS Object Module > +(Building Steps 3) which affect fips config not to add option > +`-m 64' on lib32-image which workaround the following failure > +[snip] > +|/usr/include/bits/long-double.h:44:10: fatal error: > +bits/long-double-64.h: No such file or directory > +| 44 | #include <bits/long-double-64.h> > +[snip] > +
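Review bot: In FAQ 2 the bbappend wraps `\${D}/\${bindir}/gcc` itself, so `-DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE` is passed on every compile done with that gcc on aarch64, not only during Building Steps 3. Consider scoping the define to the FIPS Object Module build alone, and have the FAQ text say whether the FIPS 140-2 User Guide permits this, because the answer currently reads as a supported configuration. In FAQ 1 and FAQ 3 the name MACHINE is used in two senses: the question gives `MACHINE = qemuarm` / `MACHINE = qemux86`, while the answer says to set env `MACHINE='arm'` / `MACHINE='i686'`. A sentence stating that the environment variable is only for the fips config run in Building Steps 3, and that it should be unset afterwards, would avoid readers changing the wrong setting.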