On 10/13/19 5:22 AM, Mark Hatle wrote:
The original goal of this work was to enable a FIPS-140-2 OpenSSL module.  Why
is NSS part of this?

Is something inside of the OpenSSL patches requesting NSS support, or is this a
different -- but related request?

No, there is no relation between OpenSSL and NSS. But when the kernel is booted with FIPS enabled (boot parameter `fips=1`), NSS also switches into FIPS mode and triggers the issue.

It seems all of them are part of a FIPS system: FIPS covers both the kernel and userspace,

and FIPS 140-2 is also part of it.

//Hongxu

--Mark

On 10/12/19 3:17 AM, Hongxu Jia wrote:
Add `export NSS_FORCE_FIPS=1` to force-enable FIPS, and apply the same
macro limitation to the FIPS-enabled test; currently we are not ready
to support NSS FIPS.

...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.

$rpm -h
|error: Failed to initialize NSS library
...

Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
---
  .../nss/nss/0001-conditionally-enable-fips.patch   | 93 ++++++++++++++++++++++
  recipes-support/nss/nss_3.%.bbappend               |  4 +
  recipes-support/nss/nss_fips.inc                   |  4 +
  3 files changed, 101 insertions(+)
  create mode 100644 
recipes-support/nss/nss/0001-conditionally-enable-fips.patch
  create mode 100644 recipes-support/nss/nss_3.%.bbappend
  create mode 100644 recipes-support/nss/nss_fips.inc

diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch 
b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
new file mode 100644
index 0000000..d11db91
--- /dev/null
+++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
@@ -0,0 +1,93 @@
+From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu....@windriver.com>
+Date: Sat, 12 Oct 2019 10:49:28 +0800
+Subject: [PATCH] conditionally enable fips
+
+Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
+macro limitaition to fips enable test, currently we are not ready
+to support nss fips
+
+...
+$ certutil -N -d sql:. --empty-password
+|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
+module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
+with the token or slot.
+
+$rpm -h
+|error: Failed to initialize NSS library
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
+---
+ nss/coreconf/config.mk       | 2 ++
+ nss/lib/freebl/nsslowhash.c  | 2 +-
+ nss/lib/pk11wrap/pk11util.c  | 2 +-
+ nss/lib/sysinit/nsssysinit.c | 4 ++++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 60a0841..dcca87f 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -179,6 +179,8 @@ endif
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+ DEFINES += -DNSS_NO_INIT_SUPPORT
++else
++DEFINES += -DNSS_FORCE_FIPS
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
+index 22f9781..baf71c3 100644
+--- a/nss/lib/freebl/nsslowhash.c
++++ b/nss/lib/freebl/nsslowhash.c
+@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
+ static int
+ nsslow_GetFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+     FILE *f;
+     char d;
+     size_t size;
+diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
+index 502c4d0..cd86270 100644
+--- a/nss/lib/pk11wrap/pk11util.c
++++ b/nss/lib/pk11wrap/pk11util.c
+@@ -98,7 +98,7 @@ SECMOD_Shutdown()
+ int
+ secmod_GetSystemFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+     FILE *f;
+     char d;
+     size_t size;
+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
+index bd0fac2..5c09e8d 100644
+--- a/nss/lib/sysinit/nsssysinit.c
++++ b/nss/lib/sysinit/nsssysinit.c
+@@ -168,6 +168,7 @@ getFIPSEnv(void)
+ static PRBool
+ getFIPSMode(void)
+ {
++#ifdef NSS_FORCE_FIPS
+     FILE *f;
+     char d;
+     size_t size;
+@@ -186,6 +187,9 @@ getFIPSMode(void)
+     if (d != '1')
+         return PR_FALSE;
+     return PR_TRUE;
++#else
++    return PR_FALSE;
++#endif
+ }
+
+ #define NSS_DEFAULT_FLAGS "flags=readonly"
+--
+2.7.4
+
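Review bot: With NSS_FORCE_FIPS undefined, the three changed detectors (`nsslow_GetFIPSEnabled`, `secmod_GetSystemFIPSEnabled`, `getFIPSMode`) no longer consult `/proc/sys/crypto/fips_enabled`, so NSS silently stays in non-FIPS mode on a host whose kernel reports `fips=1`, and nothing at the point of decision records or explains that. Because the bbappend in this series pulls the patch in only when OPENSSL_FIPS_ENABLED is '1', the images that are supposed to be FIPS are exactly the ones whose NSS ignores the kernel flag; the patch header should say outright that NSS consumers (rpm, certutil, anything linking libnss) are not covered by the image's FIPS claim, rather than only "currently we are not ready". The macro is also overloaded: judging by the comment at the top of the config.mk hunk, upstream NSS_FORCE_FIPS already decides whether NSS_NO_INIT_SUPPORT (skipping the startup self-tests) is defined, and reusing it to gate system-FIPS detection couples two unrelated decisions; a dedicated define such as `NSS_DISABLE_SYSTEM_FIPS_DETECTION`, with `/* Kernel FIPS mode is deliberately ignored: NSS FIPS is not yet supported in this layer. */` at each of the three `#if` sites, would keep the intent reviewable. The bodies of all three functions continue outside the changed lines, so the behaviour of their remaining `#else` paths is not visible here.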
diff --git a/recipes-support/nss/nss_3.%.bbappend 
b/recipes-support/nss/nss_3.%.bbappend
new file mode 100644
index 0000000..9608ca3
--- /dev/null
+++ b/recipes-support/nss/nss_3.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 
'nss_fips.inc'}"
+
+require ${FIPSINC}
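Review bot: The naming reads inverted and deserves a comment: `FIPSINC`/`nss_fips.inc` is pulled in precisely when OPENSSL_FIPS_ENABLED is '1', yet the included patch turns NSS's system-FIPS detection off, so a reader will assume this enables NSS FIPS. A comment above the assignment such as `# FIPS images only: NSS FIPS mode is not supported yet, so patch NSS to ignore the kernel's fips=1 instead of failing to initialise (certutil, rpm).` would prevent that misreading and make the security trade-off explicit. The `FIPSINC_class-target` assignment also appears to have been wrapped by the mailer, since the hunk header counts four added lines; the inline Python must stay on one line in the committed file.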
diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
new file mode 100644
index 0000000..b183f55
--- /dev/null
+++ b/recipes-support/nss/nss_fips.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
+SRC_URI += " \
+    file://0001-conditionally-enable-fips.patch \
+"

