WolfSSL
/
meta-wolfssl
mirror of https://github.com/wolfSSL/meta-wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Adding in FIPS Ready, and commerical recipes 

Updating wolfssl products and adding in a wolftpm patch until release happens
pull/81/head
night1rider 2024-03-22 12:29:27 -06:00
parent 3deb64f24e
commit 5cdc3ebe05
32 changed files with 4591 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@ -64,7 +64,7 @@ After installing your build's Yocto/OpenEmbedded components:
2. Once the 'meta-wolfssl' layer has been added to your BBLAYERS collection,
you have two options
1. If you want to directly add wolfssl recipes to your image recipe
1. If you want to directly add wolfSSL recipes to your image recipe
proceed to step 3.
@ -93,7 +93,7 @@ After installing your build's Yocto/OpenEmbedded components:
recipes.
You should make sure to comment out recipes you don't want to use to
avoid uneeded --enable-options in your wolfssl version. wolfssl is
avoid uneeded --enable-options in your wolfSSL version. wolfSSL is
uncommented by default.
Once the recipes that need to be compiled are uncommented,
@ -267,8 +267,8 @@ or by deleting the recipe directory.
Wolfssl-py and Wolfcrypt-py Installation Requirements
-----------------------------------------------------
To use the python wrapper for wolfssl and wolfcrypt in a yocto build it will
require python3, python3-cffi and wolfssl are built on the target system.
To use the python wrapper for wolfSSL and wolfcrypt in a yocto build it will
require python3, python3-cffi and wolfSSL are built on the target system.
If you are using older version of yocto (2.x) or (3.x), you will need to download
and add the meta-oe and meta-python recipes from openembedded's [meta-openembedded](https://github.com/openembedded/meta-openembedded) to the image.
@ -308,8 +308,8 @@ Testing Wolfssl-py and Wolfcrypt-py
-----------------------------------
To test the python wrapper for wolfssl and wolfcrypt in a yocto build it will
require python3, python3-pytest, python3-cffi and wolfssl are built on the target system.
To test the python wrapper for wolfSSL and wolfcrypt in a yocto build it will
require python3, python3-pytest, python3-cffi and wolfSSL are built on the target system.
It will be necassary then to make sure at minimum that the IMAGE_INSTALL:append
looks as follows:
@ -359,6 +359,16 @@ to add a DNS server to /etc/resolv.conf like such with root perms
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
```
FIPS-READY
----------
For building FIPS-Ready for wolfSSL view the instruction in this [README](recipes-wolfssl/wolfssl/fips-ready/README.md)
Commercial/FIPS Bundles
-----------------------
For building FIPS and/or commercial bundles of wolfSSL products view the instructions in this [README](recipes-wolfssl/wolfssl/commercial/README.md).
To gain access to these bundles contact support@wolfssl.com to get a qoute.
Maintenance
-----------

38
conf/layer.conf
View File

@ -123,8 +123,42 @@ BBFILE_COLLECTIONS += "wolfssl"
BBFILE_PATTERN_wolfssl := "^${LAYERDIR}/"
BBFILE_PRIORITY_wolfssl = "5"
# BitBake user manual: "You must control all spacing when you use the override
# syntax." Thus, we need a leading space below.
BBFILES += "${@bb.utils.contains('WOLFSSL_TYPE', \
'fips', \
'${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/fips/*.bbappend', \
'', d)}"
BBFILES += "${@bb.utils.contains('WOLFSSL_TYPE', \
'fips-ready', \
'${LAYERDIR}/recipes-wolfssl/wolfssl/fips-ready/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/*.bbappend', \
'', d)}"
BBFILES += "${@bb.utils.contains('WOLFSSL_TYPE', \
'commercial', \
'${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/commercial/*.bbappend', \
'', d)}"
BBFILES += "${@bb.utils.contains('WOLFSSH_TYPE', \
'commercial', \
'${LAYERDIR}/recipes-wolfssl/wolfssh/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssh/commercial/commercial/*.bbappend', \
'', d)}"
BBFILES += "${@bb.utils.contains('WOLFMQTT_TYPE', \
'commerical', \
'${LAYERDIR}/recipes-wolfssl/wolfmqtt/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfmqtt/commercial/commercial/*.bbappend', \
'', d)}"
BBFILES += "${@bb.utils.contains('WOLFCLU_TYPE', \
'commercial', \
'${LAYERDIR}/recipes-wolfssl/wolfclu/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfclu/commercial/commercial/*.bbappend', \
'', d)}"
BBFILES += "${@bb.utils.contains('WOLFTPM_TYPE', \
'commercial', \
'${LAYERDIR}/recipes-wolfssl/wolftpm/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolftpm/commercial/commercial/*.bbappend', \
'', d)}"
# Versions of OpenEmbedded-Core which layer has been tested against
LAYERSERIES_COMPAT_wolfssl = "sumo thud warrior zeus hardknott gatesgarth dunfell kirkstone nanbield"

2
recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb
View File

@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://benchmark.c;beginline=1;endline=20;md5=aca0c406899b74
S = "${WORKDIR}/git/wolfcrypt/benchmark"
DEPENDS += "wolfssl"
SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=66596ad9e1d7efa8479656872cf09c9c1870a02e"
SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=8970ff4c34034dbb3594943d11f8c9d4c5512bd5"
do_configure[noexec] = "1"
do_compile[noexec] = "1"

2
recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb
View File

@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://test.c;beginline=1;endline=20;md5=61d63fb8b820bae4d85
S = "${WORKDIR}/git/wolfcrypt/test"
DEPENDS += "wolfssl"
SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=66596ad9e1d7efa8479656872cf09c9c1870a02e"
SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=8970ff4c34034dbb3594943d11f8c9d4c5512bd5"
do_configure[noexec] = "1"

14
recipes-wolfssl/wolfclu/commercial/commercial-details/wolfclu_%.bbappend 100644
View File

@ -0,0 +1,14 @@
#Adjust these as needed
WOLFCLU_VERSION=""
WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
WOLF_SRC=""
WOLF_SRC_SHA=""
WOLF_SRC_PASS=""
#Do not adjust these variables
PR = "commercial"
PV = "${WOLFCLU_VERSION}"
BBFILE_PRIORITY='1'

12
recipes-wolfssl/wolfclu/commercial/files/README.md 100644
View File

@ -0,0 +1,12 @@
# Directory for Commerical wolfCLU 7Zip Archives
## Overview
This directory is designated for storing commercially licensed 7Zip archives of wolfCLU.
## Contact Information
For questions regarding obtaining a licensed version of wolfCLU,
please contact wolfSSL Inc. directly at:
Email: support@wolfssl.com

30
recipes-wolfssl/wolfclu/commercial/wolfclu_%.bbappend 100644
View File

@ -0,0 +1,30 @@
BBFILE_PRIORITY='2'
COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
LICENSE="Proprietary"
LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
DEPENDS += "p7zip-native"
S = "${WORKDIR}/${WOLF_SRC}"
do_unpack[depends] += "p7zip-native:do_populate_sysroot"
do_unpack() {
cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
}
python() {
distro_version = d.getVar('DISTRO_VERSION', True)
autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
# For Dunfell and earlier
d.appendVar('do_configure_prepend', autogen_create)
else:
# For Kirkstone and later
d.appendVar('do_configure:prepend', autogen_create)
}

2
recipes-wolfssl/wolfcrypt-py/wolfcrypt-py_5.6.0.bb → recipes-wolfssl/wolfcrypt-py/wolfcrypt-py_5.6.6.bb
View File

@ -13,7 +13,7 @@ SECTION = "libs"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSING.rst;md5=e4abd0c56c3f6dc95a7a7eed4c77414b"
SRC_URI = "git://github.com/wolfSSL/wolfcrypt-py.git;nobranch=1;protocol=https;rev=1c242652a799190b55cc20964135297357e00b67"
SRC_URI = "git://github.com/wolfSSL/wolfcrypt-py.git;nobranch=1;protocol=https;rev=b74b0687a856237bc1b83b596c5c9a6991129d1b"
DEPENDS += " wolfssl \

14
recipes-wolfssl/wolfmqtt/commercial/commercial-details/wolfmqtt_%.bbappend 100644
View File

@ -0,0 +1,14 @@
#Adjust these as needed
WOLFMQTT_VERSION=""
WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
WOLF_SRC=""
WOLF_SRC_SHA=""
WOLF_SRC_PASS=""
#Do not adjust these variables
PR = "commercial"
PV = "${WOLFMQTT_VERSION}"
BBFILE_PRIORITY='1'

12
recipes-wolfssl/wolfmqtt/commercial/files/README.md 100644
View File

@ -0,0 +1,12 @@
# Directory for Commerical wolfMQTT 7Zip Archives
## Overview
This directory is designated for storing commercially licensed 7Zip archives of wolfMQTT.
## Contact Information
For questions regarding obtaining a licensed version of wolfMQTT,
please contact wolfSSL Inc. directly at:
Email: support@wolfssl.com

30
recipes-wolfssl/wolfmqtt/commercial/wolfmqtt_%.bbappend 100644
View File

@ -0,0 +1,30 @@
BBFILE_PRIORITY='2'
COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
LICENSE="Proprietary"
LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
DEPENDS += "p7zip-native"
S = "${WORKDIR}/${WOLF_SRC}"
do_unpack[depends] += "p7zip-native:do_populate_sysroot"
do_unpack() {
cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
}
python() {
distro_version = d.getVar('DISTRO_VERSION', True)
autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
# For Dunfell and earlier
d.appendVar('do_configure_prepend', autogen_create)
else:
# For Kirkstone and later
d.appendVar('do_configure:prepend', autogen_create)
}

2
recipes-wolfssl/wolfmqtt/wolfmqtt_1.18.0.bb → recipes-wolfssl/wolfmqtt/wolfmqtt_1.19.0.bb
View File

@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2"
DEPENDS += "wolfssl"
SRC_URI = "git://github.com/wolfssl/wolfMQTT.git;nobranch=1;protocol=https;rev=91b01f4be412fff883374168aa4da2bd00d2968c"
SRC_URI = "git://github.com/wolfssl/wolfMQTT.git;nobranch=1;protocol=https;rev=06a781272f4e774909c03479adc4f8c455812304"
S = "${WORKDIR}/git"

14
recipes-wolfssl/wolfssh/commercial/commercial-details/wolfssh_%.bbappend 100644
View File

@ -0,0 +1,14 @@
#Adjust these as needed
WOLFSSH_VERSION=""
WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
WOLF_SRC=""
WOLF_SRC_SHA=""
WOLF_SRC_PASS=""
#Do not adjust these variables
PR = "commercial"
PV = "${WOLFSSH_VERSION}"
BBFILE_PRIORITY='1'

12
recipes-wolfssl/wolfssh/commercial/files/README.md 100644
View File

@ -0,0 +1,12 @@
# Directory for Commerical wolfSSH 7Zip Archives
## Overview
This directory is designated for storing commercially licensed 7Zip archives of wolfSSH.
## Contact Information
For questions regarding obtaining a licensed version of wolfSSH,
please contact wolfSSL Inc. directly at:
Email: support@wolfssl.com

30
recipes-wolfssl/wolfssh/commercial/wolfssh_%.bbappend 100644
View File

@ -0,0 +1,30 @@
BBFILE_PRIORITY='2'
COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
LICENSE="Proprietary"
LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
DEPENDS += "p7zip-native"
S = "${WORKDIR}/${WOLF_SRC}"
do_unpack[depends] += "p7zip-native:do_populate_sysroot"
do_unpack() {
cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
}
python() {
distro_version = d.getVar('DISTRO_VERSION', True)
autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
# For Dunfell and earlier
d.appendVar('do_configure_prepend', autogen_create)
else:
# For Kirkstone and later
d.appendVar('do_configure:prepend', autogen_create)
}

2
recipes-wolfssl/wolfssl-py/wolfssl-py_5.6.0.bb → recipes-wolfssl/wolfssl-py/wolfssl-py_5.6.6.bb
View File

@ -11,7 +11,7 @@ SECTION = "libs"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSING.rst;md5=e4abd0c56c3f6dc95a7a7eed4c77414b"
SRC_URI = "git://github.com/wolfSSL/wolfssl-py.git;nobranch=1;protocol=https;rev=0a8a76c6d426289d9019e10d02db9a5af051fba8"
SRC_URI = "git://github.com/wolfSSL/wolfssl-py.git;nobranch=1;protocol=https;rev=6ba654c216d2c2b967d8babaf72673f12c7bd73f"
DEPENDS += " wolfssl \

105
recipes-wolfssl/wolfssl/commercial/README.md 100644
View File

@ -0,0 +1,105 @@
# Yocto wolfssl FIPS and Commerical Setup Instructions
## Prerequisites
- Yocto environment is set up and ready.
## Steps
1. **Clone the meta-wolfssl Repository**
```bash
git clone https://github.com/wolfSSL/meta-wolfssl.git
```
2. **Add meta-wolfssl to Yocto's bblayers.conf**
Add the path to meta-wolfssl in the `bblayers.conf` file, typically found under `poky/build/conf/`:
```bash
BBLAYERS ?= " \
...
/path/to/yocto/poky/meta-wolfssl \
...
"
```
3. **Update the IMAGE_INSTALL and WOLFSSL_TYPE Variable**
Add `wolfssl` and `wolfcrypttest` to the `IMAGE_INSTALL` then add `fips` or `commerical` to the `WOLFSSL_TYPE` variables in your recipe or `poky/conf/local.conf`. If using `poky/conf/local.conf`, append as follows:
```
IMAGE_INSTALL:append = " wolfssl wolfcrypttest "
WOLFSSL_TYPE = "fips"
```
If using other products with their commercial varient, make sure to set those variables to the `commerical` type:
```
WOLFTPM_TYPE = "commercial"
WOLFSSH_TYPE = "commercial"
WOLFMQTT_TYPE = "commercial"
WOLFCLU_TYPE = "commercial"
```
4. **Move the Downloaded FIPS/Commerical Bundle**
Move or copy the downloaded `wolfssl-x.x.x-*.7z` file to the appropriate directory within the meta-wolfssl repository:
```
cp /path/to/wolfssl-x.x.x-*.7z /path/to/meta-wolfssl/recipes-wolfssl/wolfssl/commerical/files
```
Each product that has commerical support has their own respective directory structures to place their bundles.
5. **Edit *-details/wolfssl_%.bbappend**
Using a test editor update the file `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/commercial/*-details/wolfssl_%.bbappend`
Update the variables:
`WOLFSSL_VERSION = "x.x.x"`: x.x.x should be the version of the fips/commercial bundle you downloaded.
`WOLF_SRC_SHA = "<SHA_HASH>"`: `<SHA_HASH>` This is the sha hash given when you received the bundle.
`WOLF_SRC_PASS = "<PASSWORD>"`: `<PASSWORD>` This is the password given to unarchive the bundle.
`WOLF_SRC = "<BUNDLE_NAME>"`: `<BUNDLE_NAME>` This is the name of the bundle you wish to use without the .7z extension.
6. **Clean and Build wolfssl and wolfcrypttest**
Ensure any artifacts from old builds are cleaned up, and then build `wolfssl` and `wolfcrypttest` with no errors:
```bash
bitbake -c cleanall wolfssl
bitbake -c cleanall wolfcrypttest
bitbake wolfssl
bitbake wolfcrypttest
```
7. **Compile Your Image**
Perform a bitbake on your image recipe, for example: `bitbake core-image-minimal`.
8. **Extract the Hash Value**
Skip to Step:10 if you are using the commercial bundle of wolfssl
After compiling the image, extract the hash through QEMU or by loading the image on hardware. Use `runqemu nographic` for testing with QEMU.
Once you are inside the qemu image and logged in use the command `wolfcrypttest`. This should produce the following error:
```
in my Fips callback, ok = 0, err = -203
message = In Core Integrity check FIPS error
hash = <HASH_VALUE>
In core integrity hash check failure, copy above hash
into verifyCore[] in fips_test.c and rebuild
RANDOM test failed!
error L=15305 code=-197 (FIPS mode not allowed error)
[fiducial line numbers: 7943 25060 37640 49885]
Exiting main with return code: -1
```
Copy or write down the resulting `<HASH_VALUE>`, then exit the qemu image
9. **Edit the .bbappend File**
Open `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/commercial/fips-details/wolfssl_%.bbappend` file in a text editor and update the `<FIPS_HASH>` variable with the copied `<HASH_VALUE>`.
`FIPS_HASH="<HASH_VALUE>"`
10. **Rebuild and Test**
Perform bitbake on wolfssl and wolfcrypttest again to ensure they compile correctly. Rebuild your image and test with QEMU as before. The command `wolfcrypttest` should result in no errors.

14
recipes-wolfssl/wolfssl/commercial/commercial-details/wolfssl_%.bbappend 100644
View File

@ -0,0 +1,14 @@
#Adjust these as needed
WOLFSSL_VERSION=""
WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
WOLF_SRC=""
WOLF_SRC_SHA=""
WOLF_SRC_PASS=""
#Do not adjust these variables
PR = "commercial"
PV = "${WOLFSSL_VERSION}"
BBFILE_PRIORITY='1'

12
recipes-wolfssl/wolfssl/commercial/files/README.md 100644
View File

@ -0,0 +1,12 @@
# Directory for Commerical wolfSSL 7Zip Archives
## Overview
This directory is designated for storing commercially licensed 7Zip archives of wolfSSL.
## Contact Information
For questions regarding obtaining a licensed version of wolfSSL,
please contact wolfSSL Inc. directly at:
Email: support@wolfssl.com

19
recipes-wolfssl/wolfssl/commercial/fips-details/wolfssl_%.bbappend 100644
View File

@ -0,0 +1,19 @@
#Adjust these as needed
WOLFSSL_VERSION=""
WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
WOLF_SRC=""
WOLF_SRC_SHA=""
WOLF_SRC_PASS=""
FIPS_HASH="FFBB0434EB0EF2860CBAF6CB29F8F39B4432439EFD2A24C7D6442CBA8E06A4CC"
#Do not adjust these variables
PR = "commercial.fips"
PV = "${WOLFSSL_VERSION}"
BBFILE_PRIORITY='1'
TARGET_CFLAGS += "-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=${FIPS_HASH} -DFP_MAX_BITS=16384"
EXTRA_OECONF += "--enable-fips=v5 "

30
recipes-wolfssl/wolfssl/commercial/wolfssl_%.bbappend 100644
View File

@ -0,0 +1,30 @@
BBFILE_PRIORITY='2'
COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
LICENSE="Proprietary"
LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
DEPENDS += "p7zip-native"
S = "${WORKDIR}/${WOLF_SRC}"
do_unpack[depends] += "p7zip-native:do_populate_sysroot"
do_unpack() {
cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
}
python() {
distro_version = d.getVar('DISTRO_VERSION', True)
autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
# For Dunfell and earlier
d.appendVar('do_configure_prepend', autogen_create)
else:
# For Kirkstone and later
d.appendVar('do_configure:prepend', autogen_create)
}

95
recipes-wolfssl/wolfssl/fips-ready/README.md 100644
View File

@ -0,0 +1,95 @@
# Yocto wolfSSL FIPS Ready Setup Instructions
## Prerequisites
- Yocto environment is set up and ready.
## Steps
1. **Clone the meta-wolfssl Repository**
```bash
git clone https://github.com/wolfSSL/meta-wolfssl.git
```
2. **Add meta-wolfssl to Yocto's bblayers.conf**
Add the path to meta-wolfssl in the `bblayers.conf` file, typically found under `poky/build/conf/`:
```bash
BBLAYERS ?= " \
...
/path/to/yocto/poky/meta-wolfssl \
...
"
```
3. **Update the IMAGE_INSTALL and WOLFSSL_TYPE Variable**
Add `wolfssl` and `wolfcrypttest` to the `IMAGE_INSTALL` then add `fips-ready` to the `WOLFSSL_TYPE` variables in your recipe or `poky/conf/local.conf`. If using `poky/conf/local.conf`, append as follows:
```bash
IMAGE_INSTALL:append = " wolfssl wolfcrypttest "
WOLFSSL_TYPE = "fips-ready"
```
4. **Download the FIPS-Ready Package**
Download the FIPS-ready package from wolfSSL's [download page](https://www.wolfssl.com/download/). The file to download is `wolfssl-x.x.x-gplv3-fips-ready.zip`.
5. **Move the Downloaded FIPS-Ready Bundle**
Move or copy the downloaded `wolfssl-x.x.x-gplv3-fips-ready.zip` file to the appropriate directory within the meta-wolfssl repository:
```
cp /path/to/wolfssl-x.x.x-gplv3-fips-ready.zip /path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/files
```
6. **Edit fips-ready-details/wolfssl_%.bbappend**
Using a test editor update the file `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend`
Update the variables:
`WOLFSSL_VERSION = "x.x.x"`: x.x.x should be the version of the fips-ready bundle you downloaded.
`WOLF_SRC_SHA = "<SHA_HASH>"`: `<SHA_HASH>` should be the sha hash posted under the bundle on the wolfssl download page.
7. **Clean and Build wolfSSL and wolfcrypttest**
Ensure any artifacts from old builds are cleaned up, and then build `wolfssl` and `wolfcrypttest` with no errors:
```bash
bitbake -c cleanall wolfssl
bitbake -c cleanall wolfcrypttest
bitbake wolfssl
bitbake wolfcrypttest
```
8. **Compile Your Image**
Perform a bitbake on your image recipe, for example: `bitbake core-image-minimal`.
9. **Extract the Hash Value**
After compiling the image, extract the hash through QEMU or by loading the image on hardware. Use `runqemu nographic` for testing with QEMU.
Once you are inside the qemu image and logged in use the command `wolfcrypttest`. This should produce the following error:
```
in my Fips callback, ok = 0, err = -203
message = In Core Integrity check FIPS error
hash = <HASH_VALUE>
In core integrity hash check failure, copy above hash
into verifyCore[] in fips_test.c and rebuild
RANDOM test failed!
error L=15305 code=-197 (FIPS mode not allowed error)
[fiducial line numbers: 7943 25060 37640 49885]
Exiting main with return code: -1
```
Copy or write down the resulting `<HASH_VALUE>`, then exit the qemu image
10. **Edit the .bbappend File**
Open `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend` file in a text editor and update the `<FIPS_HASH>` variable with the copied `<HASH_VALUE>`.
`FIPS_HASH="<HASH_VALUE>"`
11. **Rebuild and Test**
Perform bitbake on wolfssl and wolfcrypttest again to ensure they compile correctly. Rebuild your image and test with QEMU as before. The command `wolfcrypttest` should result in no errors.

12
recipes-wolfssl/wolfssl/fips-ready/files/README.md 100644
View File

@ -0,0 +1,12 @@
# Directory for wolfSSL FIPS-Ready Bundles
## Overview
This directory is designated for placing the downloaded FIPS-Ready bundle from the wolfSSL [download page](https://www.wolfssl.com/download/).
## Contact Information
For questions regarding FIPS-Ready and FIPS versions of wolfSSL,
please contact wolfSSL Inc. directly at:
Email: support@wolfssl.com

13
recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend 100644
View File

@ -0,0 +1,13 @@
#Adjust these as needed
WOLFSSL_VERSION=""
WOLF_SRC="wolfssl-${WOLFSSL_VERSION}-gplv3-fips-ready"
WOLF_SRC_SHA=""
FIPS_HASH="FFBB0434EB0EF2860CBAF6CB29F8F39B4432439EFD2A24C7D6442CBA8E06A4CC"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
#Do not adjust these variables
PR = "fipsReady"
PV = "${WOLFSSL_VERSION}"
BBFILE_PRIORITY='1'

23
recipes-wolfssl/wolfssl/fips-ready/wolfssl_%.bbappend 100644
View File

@ -0,0 +1,23 @@
BBFILE_PRIORITY='2'
LICENSE = "GPL-3.0-only"
FIPSREADY_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
SRC_URI = "file://${FIPSREADY_CONFIG_DIR}/files/${WOLF_SRC}.zip"
SRC_URI[sha256sum] = "${WOLF_SRC_SHA}"
S = "${WORKDIR}/${WOLF_SRC}"
python() {
distro_version = d.getVar('DISTRO_VERSION', True)
autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
# For Dunfell and earlier
d.appendVar('do_configure_prepend', autogen_create)
else:
# For Kirkstone and later
d.appendVar('do_configure:prepend', autogen_create)
}
TARGET_CFLAGS += "-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=${FIPS_HASH} -DFP_MAX_BITS=16384"
EXTRA_OECONF += "--enable-fips=ready "

2
recipes-wolfssl/wolfssl/wolfssl_5.6.6.bb → recipes-wolfssl/wolfssl/wolfssl_5.7.0.bb
View File

@ -10,7 +10,7 @@ DEPENDS += "util-linux-native"
PROVIDES += "wolfssl"
RPROVIDES_${PN} = "wolfssl"
SRC_URI = "git://github.com/wolfssl/wolfssl.git;nobranch=1;protocol=https;rev=66596ad9e1d7efa8479656872cf09c9c1870a02e"
SRC_URI = "git://github.com/wolfssl/wolfssl.git;nobranch=1;protocol=https;rev=8970ff4c34034dbb3594943d11f8c9d4c5512bd5"
S = "${WORKDIR}/git"

14
recipes-wolfssl/wolftpm/commercial/commercial-details/wolftpm_%.bbappend 100644
View File

@ -0,0 +1,14 @@
#Adjust these as needed
WOLFTPM_VERSION=""
WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
WOLF_SRC=""
WOLF_SRC_SHA=""
WOLF_SRC_PASS=""
#Do not adjust these variables
PR = "commercial"
PV = "${WOLFTPM_VERSION}"
BBFILE_PRIORITY='1'

12
recipes-wolfssl/wolftpm/commercial/files/README.md 100644
View File

@ -0,0 +1,12 @@
# Directory for Commerical wolfTPM 7Zip Archives
## Overview
This directory is designated for storing commercially licensed 7Zip archives of wolfTPM.
## Contact Information
For questions regarding obtaining a licensed version of wolfTPM,
please contact wolfSSL Inc. directly at:
Email: support@wolfssl.com

30
recipes-wolfssl/wolftpm/commercial/wolftpm_%.bbappend 100644
View File

@ -0,0 +1,30 @@
BBFILE_PRIORITY='2'
COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
LICENSE="Proprietary"
LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
DEPENDS += "p7zip-native"
S = "${WORKDIR}/${WOLF_SRC}"
do_unpack[depends] += "p7zip-native:do_populate_sysroot"
do_unpack() {
cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
}
python() {
distro_version = d.getVar('DISTRO_VERSION', True)
autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
# For Dunfell and earlier
d.appendVar('do_configure_prepend', autogen_create)
else:
# For Kirkstone and later
d.appendVar('do_configure:prepend', autogen_create)
}

3910
recipes-wolfssl/wolftpm/files/wolftpm_3_1_0.patch 100644
View File

File diff suppressed because it is too large Load Diff

3
recipes-wolfssl/wolftpm/wolftpm_3.1.0.bb
View File

@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS += "wolfssl"
SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=e54734a3ab2507fbba378567d16aa3e27c54655b"
SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=e54734a3ab2507fbba378567d16aa3e27c54655b \
file://wolftpm_3_1_0.patch"
S = "${WORKDIR}/git"

89
update-version.sh
View File

@ -24,37 +24,84 @@ get_current() {
}
get_new() {
NEW=`curl -s https://api.github.com/repos/wolfssl/$1/releases/latest | grep -i $1- | grep name | grep -Eo -m 1 '[0-9]+.[0-9]+.[0-9]+'`
NEW=$(curl -s "https://api.github.com/repos/wolfssl/$1/releases/latest" | jq -r '.tag_name' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
}
update() {
if [ -z "$CURRENT" ] || [ -z "$NEW" ]; then
printf "Error: Current or new version is empty for %s. Skipping update.\n" "$1"
return
fi
if [ "$CURRENT" != "$NEW" ]; then
printf "updating from $CURRENT to $NEW\n"
printf "Updating from %s to %s for %s...\n" "$CURRENT" "$NEW" "$1"
TAG="v$NEW-stable"
if [ "$1" = "wolfmqtt" ] || [ "$1" == "wolftpm" ]; then
TAG="v$NEW"
fi
git clone -b $TAG git@github.com:wolfssl/$1 &> /dev/null
cd $1 &> /dev/null
REV=`git rev-list -n 1 $TAG`
cd ..
rm -rf $1
git mv ./recipes-wolfssl/$1/$1_$CURRENT.bb ./recipes-wolfssl/$1/$1_$NEW.bb &> /dev/null
sed -i "s/rev=.*/rev=$REV\"/" ./recipes-wolfssl/$1/$1_$NEW.bb
git add ./recipes-wolfssl/$1/$1_$NEW.bb &> /dev/null
# Clone the new version repository
if ! git clone -b "$TAG" "git@github.com:wolfssl/$1" &> /dev/null; then
printf "Error cloning %s. Skipping.\n" "$1"
return
fi
# Get the new revision
cd "$1" &> /dev/null
REV=$(git rev-list -n 1 "$TAG")
cd .. && rm -rf "$1"
# Check if the old .bb file exists before attempting to move
if [ ! -f "./recipes-wolfssl/$1/$1_$CURRENT.bb" ]; then
printf "Error: .bb file for %s with version %s not found. Skipping.\n" "$1" "$CURRENT"
return
fi
# Check if the new .bb file already exists
if [ -f "./recipes-wolfssl/$1/$1_$NEW.bb" ]; then
echo "New .bb file for version $NEW already exists. Deleting it to proceed with update."
# Delete the existing new .bb file
rm -f "./recipes-wolfssl/$1/$1_$NEW.bb"
fi
# Move the .bb file to the new version
git mv "./recipes-wolfssl/$1/$1_$CURRENT.bb" "./recipes-wolfssl/$1/$1_$NEW.bb" &> /dev/null
# Update the revision in the new .bb file
if [ -f "./recipes-wolfssl/$1/$1_$NEW.bb" ]; then
sed -i "s/rev=.*/rev=$REV\"/" "./recipes-wolfssl/$1/$1_$NEW.bb"
git add "./recipes-wolfssl/$1/$1_$NEW.bb" &> /dev/null
else
printf "Error updating .bb file for %s to version %s. File not found after move.\n" "$1" "$NEW"
return
fi
# Additional steps for wolfSSL
if [ "$1" = "wolfssl" ]; then
printf "\tUpdating wolfcrypt test and benchmark...\n"
sed -i "s/rev=.*/rev=$REV\"/" ./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb
git add ./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb &> /dev/null
sed -i "s/rev=.*/rev=$REV\"/" ./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb
git add ./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb &> /dev/null
# Update wolfcrypt test
if [ -f "./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb" ]; then
sed -i "s/rev=.*/rev=$REV\"/" "./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb"
git add "./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb" &> /dev/null
else
printf "Error: wolfcrypttest.bb file not found.\n"
fi
# Update wolfcrypt benchmark
if [ -f "./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb" ]; then
sed -i "s/rev=.*/rev=$REV\"/" "./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb"
git add "./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb" &> /dev/null
else
printf "Error: wolfcryptbenchmark.bb file not found.\n"
fi
fi
else
printf "version $CURRENT is the latest\n"
printf "Version %s is the latest for %s. No update needed.\n" "$CURRENT" "$1"
fi
}
printf "Checking version of wolfSSL to use..."
get_current "wolfssl"
get_new "wolfssl"
@ -80,6 +127,18 @@ get_current "wolfclu"
get_new "wolfclu"
update "wolfclu"
printf "Checking version of wolfssl-py to use..."
get_current "wolfssl-py"
get_new "wolfssl-py"
update "wolfssl-py"
printf "Checking version of wolfcrypt-py to use..."
get_current "wolfcrypt-py"
get_new "wolfcrypt-py"
update "wolfcrypt-py"
exit 0