meta-digi-arm: remove old WolfSSL FIPS support

* Delete custom wolfssl_5.4.0-fips.bb recipe and README. * Removed WolfSSL dynamic layer registration. FIPS support is now managed through the external meta-wolfssl layer, making this implementation unnecessary in meta-digi. https://onedigi.atlassian.net/browse/DEL-9631 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
2025-06-03 18:23:06 +02:00 · 2025-06-03 18:23:06 +02:00 · 78a1e7864f
parent 93c6deb2d8
commit 78a1e7864f
3 changed files with 0 additions and 214 deletions
--- a/meta-digi-arm/conf/layer.conf
+++ b/meta-digi-arm/conf/layer.conf
@ -14,8 +14,6 @@ BBFILES_DYNAMIC += " \
    freescale-layer:${LAYERDIR}/dynamic-layers/freescale-layer/*/*/*.bbappend \
    stm-st-stm32mp:${LAYERDIR}/dynamic-layers/stm-st-stm32mp/*/*/*.bb \
    stm-st-stm32mp:${LAYERDIR}/dynamic-layers/stm-st-stm32mp/*/*/*.bbappend \
-    wolfssl:${LAYERDIR}/dynamic-layers/wolfssl/*/*/*.bb \
-    wolfssl:${LAYERDIR}/dynamic-layers/wolfssl/*/*/*.bbappend \
 "

 LAYERDEPENDS_digi-arm = "core"
--- a/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/README.fips
+++ b/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/README.fips
@ -1,139 +0,0 @@
-Digi Embedded Yocto FIPS-certified WolfSSL support
-==================================================
-
-WolfSSL is a lightweight SSL/TLS library written in C and targeted for
-embedded and resource-constrained environments.
-
-WolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt
-library has been FIPS 140-2 validated, with FIPS 140-3 validation currently
-in progress.
-
-For more information, visit:
-https://www.wolfssl.com/license/fips/
-
-DEY support
-----------
-Digi Embedded Yocto (DEY) supports building the FIPS validated version of
-WolfSSL. The source package is usually provided under a commercial license
-agreement by WolfSSL. DEY provides the recipes and configurations to build
-the recipe into your final image.
-
-Instructions
------------
-These instructions assume that DEY is properly installed and a project
-has already been created. For more info on those tasks, see the online
-documentation on the Digi Embedded Documentation portal:
-
-https://www.digi.com/resources/documentation/digidocs/embedded/index.html
-
-1. Add 'meta-wolfssl' layer to the project.
-
-  # cd <project-dir>
-  # bitbake-layers add-layer <DEY-installdir>/sources/meta-wolfssl
-
-2. Configure the project for building wolfssl FIPS bundle (1st build).
-
-  DEY added support for building the library from a password-protected
-  7z-compressed package, but any other package format supported by Yocto may
-  be used.
-
-  The build is controlled by variables configured in the project's
-  configuration file (<project-dir>/conf/local.conf).
-
-    * PREFERRED_VERSION_wolfssl: the version of the wolfssl recipe to build
-    * WOLFSSL_FIPS_PKG_PATH: absolute local path to the package
-    * WOLFSSL_FIPS_PKG_PASSWORD: package's unpack password (only for 7z compression)
-    * WOLFSSL_FIPS_CORE_HASH: in-core integrity hash (not available until
-      after a first run)
-
-  An example follows:
-
-    PREFERRED_VERSION_wolfssl = "5.4.0-fips"
-    WOLFSSL_FIPS_PKG_PATH = "/PATH/TO/wolfssl-5.4.0-commercial-fips-linuxv5.7z"
-    WOLFSSL_FIPS_PKG_PASSWORD = "xxxx"
-    #WOLFSSL_FIPS_CORE_HASH = ""
-
-  Note: Leave the variable WOLFSSL_FIPS_CORE_HASH commented. The `wolfcrypttest`
-  application provides the WolfSSL FIPS integrity hash value after the first run.
-
-3. Add the wolfCrypt test programs to the image.
-
-  In the project's configuration file:
-
-  IMAGE_INSTALL:append = " wolfssl wolfcrypttest wolfcryptbenchmark"
-
-4. Build and program the images in the device.
-
-  If you need more information on this topic, refer to the DEY online
-  documentation (link above).
-
-5. Compute the WolfSSL FIPS integrity hash.
-
-  In the device, run the `wolfcrypttest` test application. At this point,
-  it is expected that the application fails because the library has not been
-  built with the integrity hash.
-
-    root:~# wolfcrypttest
-    ------------------------------------------------------------------------------
-    wolfSSL version 5.4.0
-    ------------------------------------------------------------------------------
-    error    test passed!
-    MEMORY   test passed!
-    base64   test passed!
-    base16   test passed!
-    asn      test passed!
-    in my Fips callback, ok = 0, err = -203
-    message = In Core Integrity check FIPS error
-    hash = 9490AAFD1786A11115256841AA71F9B5313BAA244ACF1A07DD8BB8A893CBC5BC
-    In core integrity hash check failure, copy above hash
-    into verifyCore[] in fips_test.c and rebuild
-    RANDOM   test failed!
-    error = -7000
-    Exiting main with return code: -1
-
-6. Reconfigure the project and build the images again (2nd build).
-
-  Feed the FIPS integrity hash back into the build process with the
-  WOLFSSL_FIPS_CORE_HASH variable.
-
-  For example, the final configuration would be:
-
-    PREFERRED_VERSION_wolfssl = "5.4.0-fips"
-    WOLFSSL_FIPS_PKG_PATH = "/PATH/TO/wolfssl-5.4.0-commercial-fips-linuxv5.7z"
-    WOLFSSL_FIPS_PKG_PASSWORD = "xxxx"
-    WOLFSSL_FIPS_CORE_HASH = "9490AAFD1786A11115256841AA71F9B5313BAA244ACF1A07DD8BB8A893CBC5BC"
-
-    IMAGE_INSTALL:append = " wolfssl wolfcrypttest wolfcryptbenchmark"
-
-  Make sure you get rid of the old build objects and rebuild the images:
-
-    # bitbake -c cleansstate wolfssl wolfcrypttest wolfcryptbenchmark
-    # bitbake -c cleanall <image-recipe>
-
-7. Build and program the images in the device again.
-
-  Now the test application should complete just fine:
-
-    root:~# wolfcrypttest
-    ------------------------------------------------------------------------------
-    wolfSSL version 5.4.0
-    ------------------------------------------------------------------------------
-    error    test passed!
-    MEMORY   test passed!
-    base64   test passed!
-    base16   test passed!
-    asn      test passed!
-    RANDOM   test passed!
-    MD5      test passed!
-    SHA      test passed!
-    SHA-224  test passed!
-    ...
-    PKCS7authenveloped  test passed!
-    prime    test passed!
-    logging  test passed!
-    time test passed!
-    mutex    test passed!
-    memcb    test passed!
-    crypto callback test passed!
-    Test complete
-    Exiting main with return code: 0
--- a/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/wolfssl_5.4.0-fips.bb
+++ b/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/wolfssl_5.4.0-fips.bb
@ -1,73 +0,0 @@
-SUMMARY = "wolfSSL Lightweight Embedded SSL/TLS Library"
-DESCRIPTION = "wolfSSL is a lightweight SSL/TLS library written in C and \
-               optimized for embedded and RTOS environments. It can be up \
-               to 20 times smaller than OpenSSL while still supporting \
-               a full TLS client and server, up to TLS 1.3"
-HOMEPAGE = "https://www.wolfssl.com/products/wolfssl"
-BUGTRACKER = "https://github.com/wolfssl/wolfssl/issues"
-SECTION = "libs"
-LICENSE = "WolfSSL-Commercial"
-LICENSE_FLAGS = "commercial"
-LIC_FILES_CHKSUM = "file://WolfSSL_LicenseAgmt_JAN-2022.pdf;md5=be28609dc681e98236c52428fadf04dd"
-NO_GENERIC_LICENSE[WolfSSL-Commercial] = "WolfSSL_LicenseAgmt_JAN-2022.pdf"
-
-PROVIDES += "cyassl"
-RPROVIDES:${PN} = "cyassl"
-PROVIDES += "wolfssl"
-RPROVIDES:${PN} = "wolfssl"
-
-# To be configured in project's config file
-WOLFSSL_FIPS_PKG_NAME ?= "wolfssl-5.4.0-commercial-fips-linuxv5"
-WOLFSSL_FIPS_PKG_PASSWORD ?= ""
-WOLFSSL_FIPS_PKG_PATH ?= ""
-
-python() {
-    # The package is not publicly available, so provide a PREMIRROR to a local directory
-    # that can be configured in the project's local.conf file using WOLFSSL_FIPS_PKG_PATH
-    # variable.
-    wolfssl_fips_local_path = d.getVar('WOLFSSL_FIPS_PKG_PATH')
-    if wolfssl_fips_local_path:
-        premirrors = d.getVar('PREMIRRORS')
-        d.setVar('PREMIRRORS', "http:///not/exist/${WOLFSSL_FIPS_PKG_NAME}.7z file://%s \\n %s" % (wolfssl_fips_local_path, premirrors))
-
-    # Yocto does not support unpacking password protected packages, so configure the
-    # SRC_URI as unpack=false in that case.
-    d.setVar('WOLFSSL_FIPS_PKG_UNPACK', str(not d.getVar('WOLFSSL_FIPS_PKG_PASSWORD')))
-
-    # Aux variable to prevent running 7za archiver on a not-7z package
-    d.setVar('WOLFSSL_FIPS_PKG_IS_7Z', str(d.getVar('WOLFSSL_FIPS_PKG_PATH').endswith('.7z')))
-
-    # FIPS core integrity hash needs to be added back to build process
-    wolfssl_fips_core_hash = d.getVar('WOLFSSL_FIPS_CORE_HASH')
-    if wolfssl_fips_core_hash:
-        d.setVar('CFLAGS:append', " -DWOLFCRYPT_FIPS_CORE_HASH_VALUE=%s" % wolfssl_fips_core_hash)
-}
-
-SRC_URI = "http:///not/exist/${WOLFSSL_FIPS_PKG_NAME}.7z;unpack=${WOLFSSL_FIPS_PKG_UNPACK}"
-SRC_URI[sha256sum] = "0743e481e9e3ec2b7ba531c5821c44d55b313c0af04ded148caf4db7e0baa582"
-
-S = "${WORKDIR}/${WOLFSSL_FIPS_PKG_NAME}"
-
-inherit autotools
-
-do_unpack[depends] += "p7zip-native:do_populate_sysroot"
-do_unpack[postfuncs] += "${@oe.utils.vartrue('WOLFSSL_FIPS_PKG_UNPACK', '', 'unpack_7z_password_pkg', d)}"
-unpack_7z_password_pkg() {
-	if [ "${WOLFSSL_FIPS_PKG_IS_7Z}" = "True" ]; then
-		7za x -o${WORKDIR} -p${WOLFSSL_FIPS_PKG_PASSWORD} -y ${WORKDIR}/${WOLFSSL_FIPS_PKG_NAME}.7z 1>/dev/null
-	fi
-}
-
-# Enable FIPS support, the compatibility layer and some other useful options
-EXTRA_OECONF += " \
-    --enable-fips=v5 \
-    --enable-opensslextra \
-    --enable-postauth \
-    --enable-sha3 \
-    --enable-tls13 \
-    --enable-tlsx \
-"
-
-BBCLASSEXTEND += "native nativesdk"
-
-DEFAULT_PREFERENCE = "-1"