Reputation: 1520
How to create a FIPS-capable OpenSSL in a Bitbake recipe?
Main Question
I need to create a FIPS-capable OpenSSL for my project. The OpenSSL FIPS object module is successfully cross-compiled and installed for my target platform. I can't seem to get the FIPS-capable library to point to it for its own compilation phase.
Does anyone know the appropriate flags to add to the openssl_%.bbappend?
Extra Info
I've tried many things at this point - many different flags with many different error output. I'm not certain what's related to my specific environment versus what could be considered a generic error, so I'll add info here if it becomes relevant / requested.
My openssl version is 1.0.2d and my FIPS version is 2.0.14.
Upvotes: 0
Views: 1494
Answers (1)
Reputation: 21
If you plan to use the OpenSSL FIPS Module certificate, you MUST follow the steps listed in the user's guide -exactly-.
This is difficult to do within a recipe. When I've done this, I've always built an SDK and then used the SDK to cross compile the module and OpenSSL program (following the steps in the user's guide -exactly-.)
The I created a patch (bbappend or new recipe) that simply takes the binaries that I previous built and packages them up for others to use.
If you are planning on getting your own certificate, then a lot of this is not necessary. However, the user's guide steps should still be used as a reference for all of the arguments.
Start with section 4.2 in the user's guide...
Upvotes: 2
Related Questions
- FIPS Capable OpenSSL cross-compiled: incore fingerprint issue
- Building OpenSSL FIPS for arm64
- How to dynamically use FIPS and non-FIPS openssl library based on flags?
- Building OpenSSL with FIPS on Mac OSX 10.11
- Consuming FIPS validated OpenSSL runtime
- FIPS Capable OpenSSL and `make depend`
- Compiling openssl-fips on Solaris10 x86
- OpenSSL 1.0.1e failed in FIPS mode
- No fips and --with-fipsdir arguments in OpenSSL 1.0.0l configure script
- How to use DRBG from OpenSSL FIPS Object module v2.0