Skip to content

Latest commit

 

History

History
95 lines (65 loc) · 3.45 KB

README.md

File metadata and controls

95 lines (65 loc) · 3.45 KB

Yocto wolfSSL FIPS Ready Setup Instructions

Prerequisites

  • Yocto environment is set up and ready.

Steps

  1. Clone the meta-wolfssl Repository

    git clone https://github.com/wolfSSL/meta-wolfssl.git

  2. Add meta-wolfssl to Yocto's bblayers.conf

    Add the path to meta-wolfssl in the bblayers.conf file, typically found under poky/build/conf/:

    BBLAYERS ?= " \
      ...
      /path/to/yocto/poky/meta-wolfssl \
      ...
   "

  3. Update the IMAGE_INSTALL and WOLFSSL_TYPE Variable

    Add wolfssl and wolfcrypttest to the IMAGE_INSTALL then add fips-ready to the WOLFSSL_TYPE variables in your recipe or poky/conf/local.conf. If using poky/conf/local.conf, append as follows:

    IMAGE_INSTALL:append = " wolfssl wolfcrypttest "
WOLFSSL_TYPE = "fips-ready"

  4. Download the FIPS-Ready Package

    Download the FIPS-ready package from wolfSSL's download page. The file to download is wolfssl-x.x.x-gplv3-fips-ready.zip.

  5. Move the Downloaded FIPS-Ready Bundle

    Move or copy the downloaded wolfssl-x.x.x-gplv3-fips-ready.zip file to the appropriate directory within the meta-wolfssl repository:

    cp /path/to/wolfssl-x.x.x-gplv3-fips-ready.zip /path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/files

  6. Edit fips-ready-details/wolfssl_%.bbappend

    Using a test editor update the file /path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend Update the variables: WOLFSSL_VERSION = "x.x.x": x.x.x should be the version of the fips-ready bundle you downloaded. WOLF_SRC_SHA = "<SHA_HASH>": <SHA_HASH> should be the sha hash posted under the bundle on the wolfssl download page.

  7. Clean and Build wolfSSL and wolfcrypttest

    Ensure any artifacts from old builds are cleaned up, and then build wolfssl and wolfcrypttest with no errors:

    bitbake -c cleanall wolfssl
bitbake -c cleanall wolfcrypttest
bitbake wolfssl
bitbake wolfcrypttest

  8. Compile Your Image

    Perform a bitbake on your image recipe, for example: bitbake core-image-minimal.

  9. Extract the Hash Value

    After compiling the image, extract the hash through QEMU or by loading the image on hardware. Use runqemu nographic for testing with QEMU.

    Once you are inside the qemu image and logged in use the command wolfcrypttest. This should produce the following error:

    in my Fips callback, ok = 0, err = -203
message = In Core Integrity check FIPS error
hash = <HASH_VALUE>
In core integrity hash check failure, copy above hash
into verifyCore[] in fips_test.c and rebuild
RANDOM   test failed!
error L=15305 code=-197 (FIPS mode not allowed error)
[fiducial line numbers: 7943 25060 37640 49885]
Exiting main with return code: -1

    Copy or write down the resulting <HASH_VALUE>, then exit the qemu image

  10. Edit the .bbappend File

    Open /path/to/meta-wolfssl/recipes-wolfssl/wolfssl/fips-ready/fips-ready-details/wolfssl_%.bbappend file in a text editor and update the <FIPS_HASH> variable with the copied <HASH_VALUE>.

    FIPS_HASH="<HASH_VALUE>"

  11. Rebuild and Test

    Perform bitbake on wolfssl and wolfcrypttest again to ensure they compile correctly. Rebuild your image and test with QEMU as before. The command wolfcrypttest should result in no errors.