Adding in FIPS Ready, and commerical recipes

Updating wolfssl products and adding in a wolftpm patch until release happens

README.md

@@ -64,7 +64,7 @@ After installing your build's Yocto/OpenEmbedded components:
 2.  Once the 'meta-wolfssl' layer has been added to your BBLAYERS collection,
     you have two options
    
-    1.  If you want to directly add wolfssl recipes to your image recipe 
+    1.  If you want to directly add wolfSSL recipes to your image recipe 
         proceed to step 3.
 
 
@@ -93,7 +93,7 @@ After installing your build's Yocto/OpenEmbedded components:
         recipes. 
         
         You should make sure to comment out recipes you don't want to use to 
-        avoid uneeded --enable-options in your wolfssl version. wolfssl is 
+        avoid uneeded --enable-options in your wolfSSL version. wolfSSL is 
         uncommented by default.
 
         Once the recipes that need to be compiled are uncommented,
@@ -267,8 +267,8 @@ or by deleting the recipe directory.
 Wolfssl-py and Wolfcrypt-py Installation Requirements
 -----------------------------------------------------
 
-To use the python wrapper for wolfssl and wolfcrypt in a yocto build it will
+To use the python wrapper for wolfSSL and wolfcrypt in a yocto build it will
-require python3, python3-cffi and wolfssl are built on the target system.
+require python3, python3-cffi and wolfSSL are built on the target system.
 
 If you are using older version of yocto (2.x) or (3.x), you will need to download 
 and add the meta-oe and meta-python recipes from openembedded's [meta-openembedded](https://github.com/openembedded/meta-openembedded) to the image.
@@ -308,8 +308,8 @@ Testing Wolfssl-py and Wolfcrypt-py
 -----------------------------------
 
 
-To test the python wrapper for wolfssl and wolfcrypt in a yocto build it will
+To test the python wrapper for wolfSSL and wolfcrypt in a yocto build it will
-require python3, python3-pytest, python3-cffi and wolfssl are built on the target system.
+require python3, python3-pytest, python3-cffi and wolfSSL are built on the target system.
 
 It will be necassary then to make sure at minimum that the IMAGE_INSTALL:append 
 looks as follows:
@@ -359,6 +359,16 @@ to add a DNS server to /etc/resolv.conf like such with root perms
 echo "nameserver 8.8.8.8" >> /etc/resolv.conf
 ```
 
+FIPS-READY
+----------
+For building FIPS-Ready for wolfSSL view the instruction in this [README](recipes-wolfssl/wolfssl/fips-ready/README.md)
+
+Commercial/FIPS Bundles
+-----------------------
+For building FIPS and/or commercial bundles of wolfSSL products view the instructions in this [README](recipes-wolfssl/wolfssl/commercial/README.md).
+
+To gain access to these bundles contact support@wolfssl.com to get a qoute.
+
 Maintenance
 -----------
 

conf/layer.conf

@@ -123,8 +123,42 @@ BBFILE_COLLECTIONS += "wolfssl"
 BBFILE_PATTERN_wolfssl := "^${LAYERDIR}/"
 BBFILE_PRIORITY_wolfssl = "5"
 
-# BitBake user manual: "You must control all spacing when you use the override
+BBFILES += "${@bb.utils.contains('WOLFSSL_TYPE', \
-# syntax." Thus, we need a leading space below.
+                                 'fips', \
+                                 '${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/fips/*.bbappend', \
+                                 '', d)}"
+
+BBFILES += "${@bb.utils.contains('WOLFSSL_TYPE', \
+                                 'fips-ready', \
+                                 '${LAYERDIR}/recipes-wolfssl/wolfssl/fips-ready/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/*.bbappend', \
+                                 '', d)}"
+
+BBFILES += "${@bb.utils.contains('WOLFSSL_TYPE', \
+                                 'commercial', \
+                                 '${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssl/commercial/commercial/*.bbappend', \
+                                 '', d)}"
+
+
+BBFILES += "${@bb.utils.contains('WOLFSSH_TYPE', \
+                                 'commercial', \
+                                 '${LAYERDIR}/recipes-wolfssl/wolfssh/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfssh/commercial/commercial/*.bbappend', \
+                                 '', d)}"
+
+BBFILES += "${@bb.utils.contains('WOLFMQTT_TYPE', \
+                                 'commerical', \
+                                 '${LAYERDIR}/recipes-wolfssl/wolfmqtt/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfmqtt/commercial/commercial/*.bbappend', \
+                                 '', d)}"
+
+BBFILES += "${@bb.utils.contains('WOLFCLU_TYPE', \
+                                 'commercial', \
+                                 '${LAYERDIR}/recipes-wolfssl/wolfclu/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolfclu/commercial/commercial/*.bbappend', \
+                                 '', d)}"
+
+BBFILES += "${@bb.utils.contains('WOLFTPM_TYPE', \
+                                 'commercial', \
+                                 '${LAYERDIR}/recipes-wolfssl/wolftpm/commercial/*.bbappend ${LAYERDIR}/recipes-wolfssl/wolftpm/commercial/commercial/*.bbappend', \
+                                 '', d)}"
+
 
 # Versions of OpenEmbedded-Core which layer has been tested against
 LAYERSERIES_COMPAT_wolfssl = "sumo thud warrior zeus hardknott gatesgarth dunfell kirkstone nanbield"

recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb

@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://benchmark.c;beginline=1;endline=20;md5=aca0c406899b74
 S = "${WORKDIR}/git/wolfcrypt/benchmark"
 DEPENDS += "wolfssl"
 
-SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=66596ad9e1d7efa8479656872cf09c9c1870a02e"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=8970ff4c34034dbb3594943d11f8c9d4c5512bd5"
 
 do_configure[noexec] = "1"
 do_compile[noexec] = "1"

recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb

@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://test.c;beginline=1;endline=20;md5=61d63fb8b820bae4d85
 S = "${WORKDIR}/git/wolfcrypt/test"
 DEPENDS += "wolfssl"
 
-SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=66596ad9e1d7efa8479656872cf09c9c1870a02e"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;nobranch=1;protocol=https;rev=8970ff4c34034dbb3594943d11f8c9d4c5512bd5"
 
 
 do_configure[noexec] = "1"

recipes-wolfssl/wolfclu/commercial/commercial-details/wolfclu_%.bbappend

@@ -0,0 +1,14 @@
+#Adjust these as needed
+WOLFCLU_VERSION=""
+
+WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
+WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
+WOLF_SRC=""
+WOLF_SRC_SHA=""
+WOLF_SRC_PASS=""
+
+#Do not adjust these variables
+PR = "commercial"
+PV = "${WOLFCLU_VERSION}"
+
+BBFILE_PRIORITY='1'

recipes-wolfssl/wolfclu/commercial/files/README.md

@@ -0,0 +1,12 @@
+# Directory for Commerical wolfCLU 7Zip Archives
+
+## Overview
+
+This directory is designated for storing commercially licensed 7Zip archives of wolfCLU.
+
+## Contact Information
+
+For questions regarding obtaining a licensed version of wolfCLU,
+please contact wolfSSL Inc. directly at:
+
+Email: support@wolfssl.com

recipes-wolfssl/wolfclu/commercial/wolfclu_%.bbappend

@@ -0,0 +1,30 @@
+BBFILE_PRIORITY='2'
+COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
+LICENSE="Proprietary"                                                           
+LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
+
+SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
+SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
+
+DEPENDS += "p7zip-native"
+
+S = "${WORKDIR}/${WOLF_SRC}"
+
+do_unpack[depends] += "p7zip-native:do_populate_sysroot"
+
+do_unpack() {
+    cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
+    7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
+}
+
+
+python() {
+    distro_version = d.getVar('DISTRO_VERSION', True)
+    autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
+    if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
+        # For Dunfell and earlier
+        d.appendVar('do_configure_prepend', autogen_create)
+    else:
+        # For Kirkstone and later
+        d.appendVar('do_configure:prepend', autogen_create)
+}

recipes-wolfssl/wolfcrypt-py/wolfcrypt-py_5.6.6.bb

@@ -13,7 +13,7 @@ SECTION = "libs"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSING.rst;md5=e4abd0c56c3f6dc95a7a7eed4c77414b"
 
-SRC_URI = "git://github.com/wolfSSL/wolfcrypt-py.git;nobranch=1;protocol=https;rev=1c242652a799190b55cc20964135297357e00b67"
+SRC_URI = "git://github.com/wolfSSL/wolfcrypt-py.git;nobranch=1;protocol=https;rev=b74b0687a856237bc1b83b596c5c9a6991129d1b"
 
 
 DEPENDS += " wolfssl \

recipes-wolfssl/wolfmqtt/commercial/commercial-details/wolfmqtt_%.bbappend

@@ -0,0 +1,14 @@
+#Adjust these as needed
+WOLFMQTT_VERSION=""
+
+WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
+WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
+WOLF_SRC=""
+WOLF_SRC_SHA=""
+WOLF_SRC_PASS=""
+
+#Do not adjust these variables
+PR = "commercial"
+PV = "${WOLFMQTT_VERSION}"
+
+BBFILE_PRIORITY='1'

recipes-wolfssl/wolfmqtt/commercial/files/README.md

@@ -0,0 +1,12 @@
+# Directory for Commerical wolfMQTT 7Zip Archives
+
+## Overview
+
+This directory is designated for storing commercially licensed 7Zip archives of wolfMQTT.
+
+## Contact Information
+
+For questions regarding obtaining a licensed version of wolfMQTT,
+please contact wolfSSL Inc. directly at:
+
+Email: support@wolfssl.com

recipes-wolfssl/wolfmqtt/commercial/wolfmqtt_%.bbappend

@@ -0,0 +1,30 @@
+BBFILE_PRIORITY='2'
+COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
+LICENSE="Proprietary"                                                           
+LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
+
+SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
+SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
+
+DEPENDS += "p7zip-native"
+
+S = "${WORKDIR}/${WOLF_SRC}"
+
+do_unpack[depends] += "p7zip-native:do_populate_sysroot"
+
+do_unpack() {
+    cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
+    7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
+}
+
+
+python() {
+    distro_version = d.getVar('DISTRO_VERSION', True)
+    autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
+    if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
+        # For Dunfell and earlier
+        d.appendVar('do_configure_prepend', autogen_create)
+    else:
+        # For Kirkstone and later
+        d.appendVar('do_configure:prepend', autogen_create)
+}

recipes-wolfssl/wolfmqtt/wolfmqtt_1.19.0.bb

@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2"
 
 DEPENDS += "wolfssl"
 
-SRC_URI = "git://github.com/wolfssl/wolfMQTT.git;nobranch=1;protocol=https;rev=91b01f4be412fff883374168aa4da2bd00d2968c"
+SRC_URI = "git://github.com/wolfssl/wolfMQTT.git;nobranch=1;protocol=https;rev=06a781272f4e774909c03479adc4f8c455812304"
 
 
 S = "${WORKDIR}/git"

recipes-wolfssl/wolfssh/commercial/commercial-details/wolfssh_%.bbappend

@@ -0,0 +1,14 @@
+#Adjust these as needed
+WOLFSSH_VERSION=""
+
+WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
+WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
+WOLF_SRC=""
+WOLF_SRC_SHA=""
+WOLF_SRC_PASS=""
+
+#Do not adjust these variables
+PR = "commercial"
+PV = "${WOLFSSH_VERSION}"
+
+BBFILE_PRIORITY='1'

recipes-wolfssl/wolfssh/commercial/files/README.md

@@ -0,0 +1,12 @@
+# Directory for Commerical wolfSSH 7Zip Archives
+
+## Overview
+
+This directory is designated for storing commercially licensed 7Zip archives of wolfSSH.
+
+## Contact Information
+
+For questions regarding obtaining a licensed version of wolfSSH,
+please contact wolfSSL Inc. directly at:
+
+Email: support@wolfssl.com

recipes-wolfssl/wolfssh/commercial/wolfssh_%.bbappend

@@ -0,0 +1,30 @@
+BBFILE_PRIORITY='2'
+COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
+LICENSE="Proprietary"                                                           
+LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
+
+SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
+SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
+
+DEPENDS += "p7zip-native"
+
+S = "${WORKDIR}/${WOLF_SRC}"
+
+do_unpack[depends] += "p7zip-native:do_populate_sysroot"
+
+do_unpack() {
+    cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
+    7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
+}
+
+
+python() {
+    distro_version = d.getVar('DISTRO_VERSION', True)
+    autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
+    if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
+        # For Dunfell and earlier
+        d.appendVar('do_configure_prepend', autogen_create)
+    else:
+        # For Kirkstone and later
+        d.appendVar('do_configure:prepend', autogen_create)
+}

recipes-wolfssl/wolfssl-py/wolfssl-py_5.6.6.bb

@@ -11,7 +11,7 @@ SECTION = "libs"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSING.rst;md5=e4abd0c56c3f6dc95a7a7eed4c77414b"
 
-SRC_URI = "git://github.com/wolfSSL/wolfssl-py.git;nobranch=1;protocol=https;rev=0a8a76c6d426289d9019e10d02db9a5af051fba8"
+SRC_URI = "git://github.com/wolfSSL/wolfssl-py.git;nobranch=1;protocol=https;rev=6ba654c216d2c2b967d8babaf72673f12c7bd73f"
 
 
 DEPENDS += " wolfssl \

recipes-wolfssl/wolfssl/commercial/README.md

@@ -0,0 +1,105 @@
+# Yocto wolfssl FIPS and Commerical Setup Instructions
+
+## Prerequisites
+
+- Yocto environment is set up and ready.
+
+## Steps
+
+1. **Clone the meta-wolfssl Repository**
+
+   ```bash
+   git clone https://github.com/wolfSSL/meta-wolfssl.git
+   ```
+
+2. **Add meta-wolfssl to Yocto's bblayers.conf**
+
+   Add the path to meta-wolfssl in the `bblayers.conf` file, typically found under `poky/build/conf/`:
+   ```bash
+   BBLAYERS ?= " \
+         ...
+         /path/to/yocto/poky/meta-wolfssl \
+         ...
+      "
+   ```
+
+3. **Update the IMAGE_INSTALL and WOLFSSL_TYPE Variable**
+
+   Add `wolfssl` and `wolfcrypttest` to the `IMAGE_INSTALL` then add `fips` or `commerical` to the `WOLFSSL_TYPE` variables in your recipe or `poky/conf/local.conf`. If using `poky/conf/local.conf`, append as follows:
+   ```
+   IMAGE_INSTALL:append = " wolfssl wolfcrypttest "
+   WOLFSSL_TYPE = "fips"
+   ```
+
+   If using other products with their commercial varient, make sure to set those variables to the `commerical` type:
+    ```
+    WOLFTPM_TYPE = "commercial"
+    WOLFSSH_TYPE = "commercial"
+    WOLFMQTT_TYPE = "commercial"
+    WOLFCLU_TYPE = "commercial"
+    ```
+
+4. **Move the Downloaded FIPS/Commerical Bundle**
+
+   Move or copy the downloaded `wolfssl-x.x.x-*.7z` file to the appropriate directory within the meta-wolfssl repository:
+   ```
+   cp /path/to/wolfssl-x.x.x-*.7z /path/to/meta-wolfssl/recipes-wolfssl/wolfssl/commerical/files
+   ```
+
+    Each product that has commerical support has their own respective directory structures to place their bundles.
+
+5. **Edit *-details/wolfssl_%.bbappend**
+
+    Using a test editor update the file `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/commercial/*-details/wolfssl_%.bbappend`
+    Update the variables:
+    `WOLFSSL_VERSION = "x.x.x"`: x.x.x should be the version of the fips/commercial bundle you downloaded. 
+    `WOLF_SRC_SHA = "<SHA_HASH>"`: `<SHA_HASH>` This is the sha hash given when you received the bundle.
+    `WOLF_SRC_PASS = "<PASSWORD>"`: `<PASSWORD>` This is the password given to unarchive the bundle.
+    `WOLF_SRC = "<BUNDLE_NAME>"`: `<BUNDLE_NAME>` This is the name of the bundle you wish to use without the .7z extension.  
+
+6. **Clean and Build wolfssl and wolfcrypttest**
+
+   Ensure any artifacts from old builds are cleaned up, and then build `wolfssl` and `wolfcrypttest` with no errors:
+   ```bash
+   bitbake -c cleanall wolfssl
+   bitbake -c cleanall wolfcrypttest
+   bitbake wolfssl
+   bitbake wolfcrypttest
+   ```
+
+7. **Compile Your Image**
+
+   Perform a bitbake on your image recipe, for example: `bitbake core-image-minimal`.
+
+8. **Extract the Hash Value**
+
+    Skip to Step:10 if you are using the commercial bundle of wolfssl
+
+    After compiling the image, extract the hash through QEMU or by loading the image on hardware. Use `runqemu nographic` for testing with QEMU.
+
+    Once you are inside the qemu image and logged in use the command `wolfcrypttest`. This should produce the following error:
+
+    ```
+    in my Fips callback, ok = 0, err = -203
+    message = In Core Integrity check FIPS error
+    hash = <HASH_VALUE>
+    In core integrity hash check failure, copy above hash
+    into verifyCore[] in fips_test.c and rebuild
+    RANDOM   test failed!
+    error L=15305 code=-197 (FIPS mode not allowed error)
+    [fiducial line numbers: 7943 25060 37640 49885]
+    Exiting main with return code: -1
+    ```
+
+    Copy or write down the resulting `<HASH_VALUE>`, then exit the qemu image
+
+9. **Edit the .bbappend File**
+
+    Open  `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/commercial/fips-details/wolfssl_%.bbappend` file in a text editor and update the `<FIPS_HASH>` variable with the copied `<HASH_VALUE>`.
+
+    `FIPS_HASH="<HASH_VALUE>"`
+
+10. **Rebuild and Test**
+
+    Perform bitbake on wolfssl and wolfcrypttest again to ensure they compile correctly. Rebuild your image and test with QEMU as before. The command `wolfcrypttest` should result in no errors.
+

recipes-wolfssl/wolfssl/commercial/commercial-details/wolfssl_%.bbappend

@@ -0,0 +1,14 @@
+#Adjust these as needed
+WOLFSSL_VERSION=""
+
+WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
+WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
+WOLF_SRC=""
+WOLF_SRC_SHA=""
+WOLF_SRC_PASS=""
+
+#Do not adjust these variables
+PR = "commercial"
+PV = "${WOLFSSL_VERSION}"
+
+BBFILE_PRIORITY='1'

recipes-wolfssl/wolfssl/commercial/files/README.md

@@ -0,0 +1,12 @@
+# Directory for Commerical wolfSSL 7Zip Archives
+
+## Overview
+
+This directory is designated for storing commercially licensed 7Zip archives of wolfSSL.
+
+## Contact Information
+
+For questions regarding obtaining a licensed version of wolfSSL,
+please contact wolfSSL Inc. directly at:
+
+Email: support@wolfssl.com

recipes-wolfssl/wolfssl/commercial/fips-details/wolfssl_%.bbappend

@@ -0,0 +1,19 @@
+#Adjust these as needed
+WOLFSSL_VERSION=""
+
+WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
+WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
+WOLF_SRC=""
+WOLF_SRC_SHA=""
+WOLF_SRC_PASS=""
+
+FIPS_HASH="FFBB0434EB0EF2860CBAF6CB29F8F39B4432439EFD2A24C7D6442CBA8E06A4CC"
+
+#Do not adjust these variables
+PR = "commercial.fips"
+PV = "${WOLFSSL_VERSION}"
+
+BBFILE_PRIORITY='1'
+
+TARGET_CFLAGS += "-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=${FIPS_HASH} -DFP_MAX_BITS=16384"
+EXTRA_OECONF += "--enable-fips=v5 "

recipes-wolfssl/wolfssl/commercial/wolfssl_%.bbappend

@@ -0,0 +1,30 @@
+BBFILE_PRIORITY='2'
+COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
+LICENSE="Proprietary"                                                           
+LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
+
+SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
+SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
+
+DEPENDS += "p7zip-native"
+
+S = "${WORKDIR}/${WOLF_SRC}"
+
+do_unpack[depends] += "p7zip-native:do_populate_sysroot"
+
+do_unpack() {
+    cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
+    7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
+}
+
+
+python() {
+    distro_version = d.getVar('DISTRO_VERSION', True)
+    autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
+    if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
+        # For Dunfell and earlier
+        d.appendVar('do_configure_prepend', autogen_create)
+    else:
+        # For Kirkstone and later
+        d.appendVar('do_configure:prepend', autogen_create)
+}

recipes-wolfssl/wolfssl/fips-ready/README.md

@@ -0,0 +1,95 @@
+# Yocto wolfSSL FIPS Ready Setup Instructions
+
+## Prerequisites
+
+- Yocto environment is set up and ready.
+
+## Steps
+
+1. **Clone the meta-wolfssl Repository**
+
+   ```bash
+   git clone https://github.com/wolfSSL/meta-wolfssl.git
+   ```
+
+2. **Add meta-wolfssl to Yocto's bblayers.conf**
+
+   Add the path to meta-wolfssl in the `bblayers.conf` file, typically found under `poky/build/conf/`:
+   ```bash
+   BBLAYERS ?= " \
+         ...
+         /path/to/yocto/poky/meta-wolfssl \
+         ...
+      "
+   ```
+
+3. **Update the IMAGE_INSTALL and WOLFSSL_TYPE Variable**
+
+   Add `wolfssl` and `wolfcrypttest` to the `IMAGE_INSTALL` then add `fips-ready` to the `WOLFSSL_TYPE` variables in your recipe or `poky/conf/local.conf`. If using `poky/conf/local.conf`, append as follows:
+   ```bash
+   IMAGE_INSTALL:append = " wolfssl wolfcrypttest "
+   WOLFSSL_TYPE = "fips-ready"
+   ```
+
+4. **Download the FIPS-Ready Package**
+
+   Download the FIPS-ready package from wolfSSL's [download page](https://www.wolfssl.com/download/). The file to download is `wolfssl-x.x.x-gplv3-fips-ready.zip`.
+
+5. **Move the Downloaded FIPS-Ready Bundle**
+
+   Move or copy the downloaded `wolfssl-x.x.x-gplv3-fips-ready.zip` file to the appropriate directory within the meta-wolfssl repository:
+   ```
+   cp /path/to/wolfssl-x.x.x-gplv3-fips-ready.zip /path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/files
+   ```
+
+6. **Edit fips-ready-details/wolfssl_%.bbappend**
+
+    Using a test editor update the file `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend`
+    Update the variables:
+    `WOLFSSL_VERSION = "x.x.x"`: x.x.x should be the version of the fips-ready bundle you downloaded. 
+    `WOLF_SRC_SHA = "<SHA_HASH>"`: `<SHA_HASH>` should be the sha hash posted under the bundle on the wolfssl download page.
+
+7. **Clean and Build wolfSSL and wolfcrypttest**
+
+   Ensure any artifacts from old builds are cleaned up, and then build `wolfssl` and `wolfcrypttest` with no errors:
+   ```bash
+   bitbake -c cleanall wolfssl
+   bitbake -c cleanall wolfcrypttest
+   bitbake wolfssl
+   bitbake wolfcrypttest
+   ```
+
+8. **Compile Your Image**
+
+   Perform a bitbake on your image recipe, for example: `bitbake core-image-minimal`.
+
+9. **Extract the Hash Value**
+
+    After compiling the image, extract the hash through QEMU or by loading the image on hardware. Use `runqemu nographic` for testing with QEMU.
+
+    Once you are inside the qemu image and logged in use the command `wolfcrypttest`. This should produce the following error:
+
+    ```
+    in my Fips callback, ok = 0, err = -203
+    message = In Core Integrity check FIPS error
+    hash = <HASH_VALUE>
+    In core integrity hash check failure, copy above hash
+    into verifyCore[] in fips_test.c and rebuild
+    RANDOM   test failed!
+    error L=15305 code=-197 (FIPS mode not allowed error)
+    [fiducial line numbers: 7943 25060 37640 49885]
+    Exiting main with return code: -1
+    ```
+
+    Copy or write down the resulting `<HASH_VALUE>`, then exit the qemu image
+
+10. **Edit the .bbappend File**
+
+    Open  `/path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend` file in a text editor and update the `<FIPS_HASH>` variable with the copied `<HASH_VALUE>`.
+
+    `FIPS_HASH="<HASH_VALUE>"`
+
+11. **Rebuild and Test**
+
+    Perform bitbake on wolfssl and wolfcrypttest again to ensure they compile correctly. Rebuild your image and test with QEMU as before. The command `wolfcrypttest` should result in no errors.
+

recipes-wolfssl/wolfssl/fips-ready/files/README.md

@@ -0,0 +1,12 @@
+# Directory for wolfSSL FIPS-Ready Bundles
+
+## Overview
+
+This directory is designated for placing the downloaded FIPS-Ready bundle from the wolfSSL [download page](https://www.wolfssl.com/download/).
+
+## Contact Information
+
+For questions regarding FIPS-Ready and FIPS versions of wolfSSL,
+please contact wolfSSL Inc. directly at:
+
+Email: support@wolfssl.com

recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend

@@ -0,0 +1,13 @@
+#Adjust these as needed
+WOLFSSL_VERSION=""
+
+WOLF_SRC="wolfssl-${WOLFSSL_VERSION}-gplv3-fips-ready"
+WOLF_SRC_SHA=""
+
+FIPS_HASH="FFBB0434EB0EF2860CBAF6CB29F8F39B4432439EFD2A24C7D6442CBA8E06A4CC"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+#Do not adjust these variables
+PR = "fipsReady"
+PV = "${WOLFSSL_VERSION}"
+
+BBFILE_PRIORITY='1'

recipes-wolfssl/wolfssl/fips-ready/wolfssl_%.bbappend

@@ -0,0 +1,23 @@
+BBFILE_PRIORITY='2'
+
+LICENSE = "GPL-3.0-only"
+FIPSREADY_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
+
+SRC_URI = "file://${FIPSREADY_CONFIG_DIR}/files/${WOLF_SRC}.zip"
+SRC_URI[sha256sum] = "${WOLF_SRC_SHA}"
+
+S = "${WORKDIR}/${WOLF_SRC}"
+
+python() {
+    distro_version = d.getVar('DISTRO_VERSION', True)
+    autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
+    if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
+        # For Dunfell and earlier
+        d.appendVar('do_configure_prepend', autogen_create)
+    else:
+        # For Kirkstone and later
+        d.appendVar('do_configure:prepend', autogen_create)
+}
+
+TARGET_CFLAGS += "-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=${FIPS_HASH} -DFP_MAX_BITS=16384"
+EXTRA_OECONF += "--enable-fips=ready "

recipes-wolfssl/wolfssl/wolfssl_5.7.0.bb

@@ -10,7 +10,7 @@ DEPENDS += "util-linux-native"
 PROVIDES += "wolfssl"
 RPROVIDES_${PN} = "wolfssl"
 
-SRC_URI = "git://github.com/wolfssl/wolfssl.git;nobranch=1;protocol=https;rev=66596ad9e1d7efa8479656872cf09c9c1870a02e"
+SRC_URI = "git://github.com/wolfssl/wolfssl.git;nobranch=1;protocol=https;rev=8970ff4c34034dbb3594943d11f8c9d4c5512bd5"
 
 S = "${WORKDIR}/git"
 

recipes-wolfssl/wolftpm/commercial/commercial-details/wolftpm_%.bbappend

@@ -0,0 +1,14 @@
+#Adjust these as needed
+WOLFTPM_VERSION=""
+
+WOLF_LICENSE="WolfSSL_LicenseAgmt_JAN-2022.pdf"
+WOLF_LICENSE_MD5="be28609dc681e98236c52428fadf04dd"
+WOLF_SRC=""
+WOLF_SRC_SHA=""
+WOLF_SRC_PASS=""
+
+#Do not adjust these variables
+PR = "commercial"
+PV = "${WOLFTPM_VERSION}"
+
+BBFILE_PRIORITY='1'

recipes-wolfssl/wolftpm/commercial/files/README.md

@@ -0,0 +1,12 @@
+# Directory for Commerical wolfTPM 7Zip Archives
+
+## Overview
+
+This directory is designated for storing commercially licensed 7Zip archives of wolfTPM.
+
+## Contact Information
+
+For questions regarding obtaining a licensed version of wolfTPM,
+please contact wolfSSL Inc. directly at:
+
+Email: support@wolfssl.com

recipes-wolfssl/wolftpm/commercial/wolftpm_%.bbappend

@@ -0,0 +1,30 @@
+BBFILE_PRIORITY='2'
+COMMERCIAL_CONFIG_DIR := "${@os.path.dirname(d.getVar('FILE', True))}"
+LICENSE="Proprietary"                                                           
+LIC_FILES_CHKSUM="file://${WOLF_LICENSE};md5=${WOLF_LICENSE_MD5}"
+
+SRC_URI="file://${COMMERCIAL_CONFIG_DIR}/files/${WOLF_SRC}.7z"
+SRC_URI[sha256sum]="${WOLF_SRC_SHA}"
+
+DEPENDS += "p7zip-native"
+
+S = "${WORKDIR}/${WOLF_SRC}"
+
+do_unpack[depends] += "p7zip-native:do_populate_sysroot"
+
+do_unpack() {
+    cp -f "${FILE_DIRNAME}/commercial/files/${WOLF_SRC}.7z" "${WORKDIR}"
+    7za x "${WORKDIR}/${WOLF_SRC}.7z" -p"${WOLF_SRC_PASS}" -o"${WORKDIR}" -aoa
+}
+
+
+python() {
+    distro_version = d.getVar('DISTRO_VERSION', True)
+    autogen_create = 'echo -e "#!/bin/sh\nexit 0" > ${S}/autogen.sh && chmod +x ${S}/autogen.sh'
+    if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')):
+        # For Dunfell and earlier
+        d.appendVar('do_configure_prepend', autogen_create)
+    else:
+        # For Kirkstone and later
+        d.appendVar('do_configure:prepend', autogen_create)
+}

recipes-wolfssl/wolftpm/wolftpm_3.1.0.bb

@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 DEPENDS += "wolfssl"
 
-SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=e54734a3ab2507fbba378567d16aa3e27c54655b"
+SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=e54734a3ab2507fbba378567d16aa3e27c54655b \
+           file://wolftpm_3_1_0.patch"
 
 S = "${WORKDIR}/git"
 

update-version.sh

@@ -24,37 +24,84 @@ get_current() {
 }
 
 get_new() {
-    NEW=`curl -s https://api.github.com/repos/wolfssl/$1/releases/latest | grep -i $1- | grep name | grep -Eo -m 1 '[0-9]+.[0-9]+.[0-9]+'`
+    NEW=$(curl -s "https://api.github.com/repos/wolfssl/$1/releases/latest" | jq -r '.tag_name' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
 }
 
+
 update() {
+    if [ -z "$CURRENT" ] || [ -z "$NEW" ]; then
+        printf "Error: Current or new version is empty for %s. Skipping update.\n" "$1"
+        return
+    fi
+
     if [ "$CURRENT" != "$NEW" ]; then
-        printf "updating from $CURRENT to $NEW\n"
+        printf "Updating from %s to %s for %s...\n" "$CURRENT" "$NEW" "$1"
         TAG="v$NEW-stable"
         if [ "$1" = "wolfmqtt" ] || [ "$1" == "wolftpm" ]; then
             TAG="v$NEW"
         fi
-        git clone -b $TAG git@github.com:wolfssl/$1 &> /dev/null
+
-        cd $1 &> /dev/null
+        # Clone the new version repository
-        REV=`git rev-list -n 1 $TAG`
+        if ! git clone -b "$TAG" "git@github.com:wolfssl/$1" &> /dev/null; then
-        cd ..
+            printf "Error cloning %s. Skipping.\n" "$1"
-        rm -rf $1
+            return
-        git mv ./recipes-wolfssl/$1/$1_$CURRENT.bb ./recipes-wolfssl/$1/$1_$NEW.bb &> /dev/null
+        fi
-        sed -i "s/rev=.*/rev=$REV\"/" ./recipes-wolfssl/$1/$1_$NEW.bb
+
-        git add ./recipes-wolfssl/$1/$1_$NEW.bb &> /dev/null
+        # Get the new revision
+        cd "$1" &> /dev/null
+        REV=$(git rev-list -n 1 "$TAG")
+        cd .. && rm -rf "$1"
+
+        # Check if the old .bb file exists before attempting to move
+        if [ ! -f "./recipes-wolfssl/$1/$1_$CURRENT.bb" ]; then
+            printf "Error: .bb file for %s with version %s not found. Skipping.\n" "$1" "$CURRENT"
+            return
+        fi
+
+        # Check if the new .bb file already exists
+        if [ -f "./recipes-wolfssl/$1/$1_$NEW.bb" ]; then
+            echo "New .bb file for version $NEW already exists. Deleting it to proceed with update."
+            # Delete the existing new .bb file
+            rm -f "./recipes-wolfssl/$1/$1_$NEW.bb"
+        fi
+
+        # Move the .bb file to the new version
+        git mv "./recipes-wolfssl/$1/$1_$CURRENT.bb" "./recipes-wolfssl/$1/$1_$NEW.bb" &> /dev/null
+
+        # Update the revision in the new .bb file
+        if [ -f "./recipes-wolfssl/$1/$1_$NEW.bb" ]; then
+            sed -i "s/rev=.*/rev=$REV\"/" "./recipes-wolfssl/$1/$1_$NEW.bb"
+            git add "./recipes-wolfssl/$1/$1_$NEW.bb" &> /dev/null
+        else
+            printf "Error updating .bb file for %s to version %s. File not found after move.\n" "$1" "$NEW"
+            return
+        fi
+
+        # Additional steps for wolfSSL
         if [ "$1" = "wolfssl" ]; then
             printf "\tUpdating wolfcrypt test and benchmark...\n"
-            sed -i "s/rev=.*/rev=$REV\"/" ./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb
+            # Update wolfcrypt test
-            git add ./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb &> /dev/null
+            if [ -f "./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb" ]; then
-            sed -i "s/rev=.*/rev=$REV\"/" ./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb
+                sed -i "s/rev=.*/rev=$REV\"/" "./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb"
-            git add ./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb &> /dev/null
+                git add "./recipes-examples/wolfcrypt/wolfcrypttest/wolfcrypttest.bb" &> /dev/null
+            else
+                printf "Error: wolfcrypttest.bb file not found.\n"
+            fi
+            # Update wolfcrypt benchmark
+            if [ -f "./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb" ]; then
+                sed -i "s/rev=.*/rev=$REV\"/" "./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb"
+                git add "./recipes-examples/wolfcrypt/wolfcryptbenchmark/wolfcryptbenchmark.bb" &> /dev/null
+            else
+                printf "Error: wolfcryptbenchmark.bb file not found.\n"
+            fi
         fi
     else
-        printf "version $CURRENT is the latest\n"
+        printf "Version %s is the latest for %s. No update needed.\n" "$CURRENT" "$1"
     fi
 }
 
 
+
 printf "Checking version of wolfSSL to use..."
 get_current "wolfssl"
 get_new "wolfssl"
@@ -80,6 +127,18 @@ get_current "wolfclu"
 get_new "wolfclu"
 update "wolfclu"
 
+printf "Checking version of wolfssl-py to use..."
+get_current "wolfssl-py"
+get_new "wolfssl-py"
+update "wolfssl-py"
+
+
+printf "Checking version of wolfcrypt-py to use..."
+get_current "wolfcrypt-py"
+get_new "wolfcrypt-py"
+update "wolfcrypt-py"
+
+
 
 
 exit 0