meta-digi-arm: remove old WolfSSL FIPS support

* Delete custom wolfssl_5.4.0-fips.bb recipe and README. * Removed WolfSSL dynamic layer registration. FIPS support is now managed through the external meta-wolfssl layer, making this implementation unnecessary in meta-digi. https://onedigi.atlassian.net/browse/DEL-9631 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
2025-06-03 18:23:06 +02:00 · 2025-06-03 18:23:06 +02:00 · 78a1e7864f
parent 93c6deb2d8
commit 78a1e7864f
3 changed files with 0 additions and 214 deletions
--- a/meta-digi-arm/conf/layer.conf
+++ b/meta-digi-arm/conf/layer.conf
@ -14,8 +14,6 @@ BBFILES_DYNAMIC += " \
    freescale-layer:${LAYERDIR}/dynamic-layers/freescale-layer/*/*/*.bbappend \
    stm-st-stm32mp:${LAYERDIR}/dynamic-layers/stm-st-stm32mp/*/*/*.bb \
    stm-st-stm32mp:${LAYERDIR}/dynamic-layers/stm-st-stm32mp/*/*/*.bbappend \
    wolfssl:${LAYERDIR}/dynamic-layers/wolfssl/*/*/*.bb \
    wolfssl:${LAYERDIR}/dynamic-layers/wolfssl/*/*/*.bbappend \
 "
 LAYERDEPENDS_digi-arm = "core"
--- a/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/README.fips
+++ b/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/README.fips
@ -1,139 +0,0 @@
 Digi Embedded Yocto FIPS-certified WolfSSL support
 ==================================================
 WolfSSL is a lightweight SSL/TLS library written in C and targeted for
 embedded and resource-constrained environments.
 WolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt
 library has been FIPS 140-2 validated, with FIPS 140-3 validation currently
 in progress.
 For more information, visit:
 https://www.wolfssl.com/license/fips/
 DEY support
 -----------
 Digi Embedded Yocto (DEY) supports building the FIPS validated version of
 WolfSSL. The source package is usually provided under a commercial license
 agreement by WolfSSL. DEY provides the recipes and configurations to build
 the recipe into your final image.
 Instructions
 ------------
 These instructions assume that DEY is properly installed and a project
 has already been created. For more info on those tasks, see the online
 documentation on the Digi Embedded Documentation portal:
 https://www.digi.com/resources/documentation/digidocs/embedded/index.html
 1. Add 'meta-wolfssl' layer to the project.
  # cd <project-dir>
  # bitbake-layers add-layer <DEY-installdir>/sources/meta-wolfssl
 2. Configure the project for building wolfssl FIPS bundle (1st build).
  DEY added support for building the library from a password-protected
  7z-compressed package, but any other package format supported by Yocto may
  be used.
  The build is controlled by variables configured in the project's
  configuration file (<project-dir>/conf/local.conf).
    * PREFERRED_VERSION_wolfssl: the version of the wolfssl recipe to build
    * WOLFSSL_FIPS_PKG_PATH: absolute local path to the package
    * WOLFSSL_FIPS_PKG_PASSWORD: package's unpack password (only for 7z compression)
    * WOLFSSL_FIPS_CORE_HASH: in-core integrity hash (not available until
      after a first run)
  An example follows:
    PREFERRED_VERSION_wolfssl = "5.4.0-fips"
    WOLFSSL_FIPS_PKG_PATH = "/PATH/TO/wolfssl-5.4.0-commercial-fips-linuxv5.7z"
    WOLFSSL_FIPS_PKG_PASSWORD = "xxxx"
    #WOLFSSL_FIPS_CORE_HASH = ""
  Note: Leave the variable WOLFSSL_FIPS_CORE_HASH commented. The `wolfcrypttest`
  application provides the WolfSSL FIPS integrity hash value after the first run.
 3. Add the wolfCrypt test programs to the image.
  In the project's configuration file:
  IMAGE_INSTALL:append = " wolfssl wolfcrypttest wolfcryptbenchmark"
 4. Build and program the images in the device.
  If you need more information on this topic, refer to the DEY online
  documentation (link above).
 5. Compute the WolfSSL FIPS integrity hash.
  In the device, run the `wolfcrypttest` test application. At this point,
  it is expected that the application fails because the library has not been
  built with the integrity hash.
    root:~# wolfcrypttest
    ------------------------------------------------------------------------------
    wolfSSL version 5.4.0
    ------------------------------------------------------------------------------
    error    test passed!
    MEMORY   test passed!
    base64   test passed!
    base16   test passed!
    asn      test passed!
    in my Fips callback, ok = 0, err = -203
    message = In Core Integrity check FIPS error
    hash = 9490AAFD1786A11115256841AA71F9B5313BAA244ACF1A07DD8BB8A893CBC5BC
    In core integrity hash check failure, copy above hash
    into verifyCore[] in fips_test.c and rebuild
    RANDOM   test failed!
    error = -7000
    Exiting main with return code: -1
 6. Reconfigure the project and build the images again (2nd build).
  Feed the FIPS integrity hash back into the build process with the
  WOLFSSL_FIPS_CORE_HASH variable.
  For example, the final configuration would be:
    PREFERRED_VERSION_wolfssl = "5.4.0-fips"
    WOLFSSL_FIPS_PKG_PATH = "/PATH/TO/wolfssl-5.4.0-commercial-fips-linuxv5.7z"
    WOLFSSL_FIPS_PKG_PASSWORD = "xxxx"
    WOLFSSL_FIPS_CORE_HASH = "9490AAFD1786A11115256841AA71F9B5313BAA244ACF1A07DD8BB8A893CBC5BC"
    IMAGE_INSTALL:append = " wolfssl wolfcrypttest wolfcryptbenchmark"
  Make sure you get rid of the old build objects and rebuild the images:
    # bitbake -c cleansstate wolfssl wolfcrypttest wolfcryptbenchmark
    # bitbake -c cleanall <image-recipe>
 7. Build and program the images in the device again.
  Now the test application should complete just fine:
    root:~# wolfcrypttest
    ------------------------------------------------------------------------------
    wolfSSL version 5.4.0
    ------------------------------------------------------------------------------
    error    test passed!
    MEMORY   test passed!
    base64   test passed!
    base16   test passed!
    asn      test passed!
    RANDOM   test passed!
    MD5      test passed!
    SHA      test passed!
    SHA-224  test passed!
    ...
    PKCS7authenveloped  test passed!
    prime    test passed!
    logging  test passed!
    time test passed!
    mutex    test passed!
    memcb    test passed!
    crypto callback test passed!
    Test complete
    Exiting main with return code: 0
--- a/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/wolfssl_5.4.0-fips.bb
+++ b/meta-digi-arm/dynamic-layers/wolfssl/recipes-wolfssl/wolfssl/wolfssl_5.4.0-fips.bb
@ -1,73 +0,0 @@
 SUMMARY = "wolfSSL Lightweight Embedded SSL/TLS Library"
 DESCRIPTION = "wolfSSL is a lightweight SSL/TLS library written in C and \
               optimized for embedded and RTOS environments. It can be up \
               to 20 times smaller than OpenSSL while still supporting \
               a full TLS client and server, up to TLS 1.3"
 HOMEPAGE = "https://www.wolfssl.com/products/wolfssl"
 BUGTRACKER = "https://github.com/wolfssl/wolfssl/issues"
 SECTION = "libs"
 LICENSE = "WolfSSL-Commercial"
 LICENSE_FLAGS = "commercial"
 LIC_FILES_CHKSUM = "file://WolfSSL_LicenseAgmt_JAN-2022.pdf;md5=be28609dc681e98236c52428fadf04dd"
 NO_GENERIC_LICENSE[WolfSSL-Commercial] = "WolfSSL_LicenseAgmt_JAN-2022.pdf"
 PROVIDES += "cyassl"
 RPROVIDES:${PN} = "cyassl"
 PROVIDES += "wolfssl"
 RPROVIDES:${PN} = "wolfssl"
 # To be configured in project's config file
 WOLFSSL_FIPS_PKG_NAME ?= "wolfssl-5.4.0-commercial-fips-linuxv5"
 WOLFSSL_FIPS_PKG_PASSWORD ?= ""
 WOLFSSL_FIPS_PKG_PATH ?= ""
 python() {
    # The package is not publicly available, so provide a PREMIRROR to a local directory
    # that can be configured in the project's local.conf file using WOLFSSL_FIPS_PKG_PATH
    # variable.
    wolfssl_fips_local_path = d.getVar('WOLFSSL_FIPS_PKG_PATH')
    if wolfssl_fips_local_path:
        premirrors = d.getVar('PREMIRRORS')
        d.setVar('PREMIRRORS', "http:///not/exist/${WOLFSSL_FIPS_PKG_NAME}.7z file://%s \\n %s" % (wolfssl_fips_local_path, premirrors))
    # Yocto does not support unpacking password protected packages, so configure the
    # SRC_URI as unpack=false in that case.
    d.setVar('WOLFSSL_FIPS_PKG_UNPACK', str(not d.getVar('WOLFSSL_FIPS_PKG_PASSWORD')))
    # Aux variable to prevent running 7za archiver on a not-7z package
    d.setVar('WOLFSSL_FIPS_PKG_IS_7Z', str(d.getVar('WOLFSSL_FIPS_PKG_PATH').endswith('.7z')))
    # FIPS core integrity hash needs to be added back to build process
    wolfssl_fips_core_hash = d.getVar('WOLFSSL_FIPS_CORE_HASH')
    if wolfssl_fips_core_hash:
        d.setVar('CFLAGS:append', " -DWOLFCRYPT_FIPS_CORE_HASH_VALUE=%s" % wolfssl_fips_core_hash)
 }
 SRC_URI = "http:///not/exist/${WOLFSSL_FIPS_PKG_NAME}.7z;unpack=${WOLFSSL_FIPS_PKG_UNPACK}"
 SRC_URI[sha256sum] = "0743e481e9e3ec2b7ba531c5821c44d55b313c0af04ded148caf4db7e0baa582"
 S = "${WORKDIR}/${WOLFSSL_FIPS_PKG_NAME}"
 inherit autotools
 do_unpack[depends] += "p7zip-native:do_populate_sysroot"
 do_unpack[postfuncs] += "${@oe.utils.vartrue('WOLFSSL_FIPS_PKG_UNPACK', '', 'unpack_7z_password_pkg', d)}"
 unpack_7z_password_pkg() {
 	if [ "${WOLFSSL_FIPS_PKG_IS_7Z}" = "True" ]; then
 		7za x -o${WORKDIR} -p${WOLFSSL_FIPS_PKG_PASSWORD} -y ${WORKDIR}/${WOLFSSL_FIPS_PKG_NAME}.7z 1>/dev/null
 	fi
 }
 # Enable FIPS support, the compatibility layer and some other useful options
 EXTRA_OECONF += " \
    --enable-fips=v5 \
    --enable-opensslextra \
    --enable-postauth \
    --enable-sha3 \
    --enable-tls13 \
    --enable-tlsx \
 "
 BBCLASSEXTEND += "native nativesdk"
 DEFAULT_PREFERENCE = "-1"