From 736f6980a42131b607cd267f1ce1ddb27dc5b399 Mon Sep 17 00:00:00 2001 From: Test User Date: Wed, 12 Nov 2025 09:39:52 -0800 Subject: [PATCH 01/19] Merged refactor and new test changes --- conf/layer.conf | 4 + .../wolfprovider-image-minimal.bb | 2 + .../wolfprovidercmd/files/wolfprovidercmd.sh | 57 +++++++++ .../wolfprovidercmd/wolfprovidercmd.bb | 59 +++++++++ .../files/wolfproviderenv.c} | 2 +- .../wolfproviderenv/files/wolfproviderenv.sh | 114 ++++++++++++++++++ .../wolfproviderenv/wolfproviderenv.bb | 43 +++++++ .../wolfprovidertest/files/wolfproviderenv.sh | 43 ------- .../files/wolfprovidertest.sh | 58 +++++++++ .../wolfprovidertest/wolfprovider_%.bbappend | 46 +++++++ .../wolfprovidertest/wolfprovidertest.bb | 70 ++++++----- .../wolfprovider/wolfprovider_1.1.0.bb | 34 +++++- 12 files changed, 448 insertions(+), 84 deletions(-) create mode 100644 recipes-examples/wolfprovider/wolfprovidercmd/files/wolfprovidercmd.sh create mode 100644 recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb rename recipes-examples/wolfprovider/{wolfprovidertest/files/wolfprovidertest.c => wolfproviderenv/files/wolfproviderenv.c} (99%) create mode 100644 recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh create mode 100644 recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb delete mode 100644 recipes-examples/wolfprovider/wolfprovidertest/files/wolfproviderenv.sh create mode 100644 recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.sh create mode 100644 recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend diff --git a/conf/layer.conf b/conf/layer.conf index 59ca3524..df6cdb90 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
@@ -35,6 +35,10 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \
 ${LAYERDIR}/recipes-examples/wolfssl-py/wolf-py-tests/*.bbappend \
 ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/*.bb \
 ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/*.bbappend \
+ ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidercmd/*.bb \
+ ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidercmd/*.bbappend \
+ ${LAYERDIR}/recipes-examples/wolfprovider/wolfproviderenv/*.bb \
+ ${LAYERDIR}/recipes-examples/wolfprovider/wolfproviderenv/*.bbappend \
 ${LAYERDIR}/recipes-examples/wolfengine/wolfenginetest/*.bb \
 ${LAYERDIR}/recipes-examples/wolfengine/wolfenginetest/*.bbappend"
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
index 8c4d1477..7d3fc3fd 100644
--- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
@@ -9,6 +9,8 @@ IMAGE_INSTALL:append = " \
 openssl \
 openssl-bin \
 wolfprovidertest \
+ wolfprovidercmd \
+ wolfproviderenv \
 bash \
 "
diff --git a/recipes-examples/wolfprovider/wolfprovidercmd/files/wolfprovidercmd.sh b/recipes-examples/wolfprovider/wolfprovidercmd/files/wolfprovidercmd.sh
new file mode 100644
index 00000000..f6627e0d
--- /dev/null
+++ b/recipes-examples/wolfprovider/wolfprovidercmd/files/wolfprovidercmd.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+echo "Setting up environment..."
+if [ -f /usr/bin/wolfproviderenv ]; then
+ source /usr/bin/wolfproviderenv
+ if [ $? -ne 0 ]; then
+ echo "✗ Failed to source environment setup!"
+ exit 1
+ fi
+else
+ echo "✗ wolfproviderenv not found!"
+ exit 1
+fi
+
+echo "=========================================="
+echo "wolfProvider Command-Line Tests"
+echo "=========================================="
+if [ -f /usr/share/wolfprovider-cmd-tests/scripts/cmd_test/do-cmd-tests.sh ]; then
+ echo "Running command-line test suite..."
+ echo ""
+
+ # Set environment for cmd tests - use system-wide installations
+ export WOLFSSL_ISFIPS=1 # openssl built without cfb which fips also is
+ export OPENSSL_BIN=$(which openssl)
+ export WOLFPROV_PATH=/usr/lib/ssl-3/modules
+ export WOLFPROV_CONFIG=/opt/wolfprovider-configs/wolfprovider.conf
+
+ # Set library paths for system-wide OpenSSL/wolfSSL
+ export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH
+ export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig:$PKG_CONFIG_PATH
+
+ # Prevent env-setup from trying to find build directories
+ export OPENSSL_DIR=/usr
+ export WOLFSSL_DIR=/usr
+
+ # Change to test directory and run
+ (
+ cd /usr/share/wolfprovider-cmd-tests/scripts/cmd_test
+ bash ./do-cmd-tests.sh
+ )
+ CMD_TEST_RESULT=$?
+
+ echo ""
+ echo "=========================================="
+ if [ $CMD_TEST_RESULT -eq 0 ]; then
+ echo "✓ Command-line tests PASSED!"
+ else
+ echo "✗ Command-line tests FAILED! (exit code: $CMD_TEST_RESULT)"
+ exit $CMD_TEST_RESULT
+ fi
+else
+ echo "Command-line test suite not found at
+ /usr/share/wolfprovider-cmd-tests/scripts/cmd_test/do-cmd-tests.sh"
+ exit 1
+fi
+
+echo "=========================================="
diff --git a/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb
new file mode 100644
index 00000000..36a2a926
--- /dev/null
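Review bot: `export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH` leaves a trailing empty entry whenever LD_LIBRARY_PATH was unset, and the dynamic loader treats an empty entry as the current directory, so every program the test suite spawns would also search its cwd for shared objects; the same construction appears in the wolfproviderenv.sh hunk of this patch and for PKG_CONFIG_PATH here. Expanding the old value only when it exists avoids that: `export LD_LIBRARY_PATH=/usr/lib:/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` and `export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}`. `export OPENSSL_BIN=$(which openssl)` is unquoted and `which` is not portable; `export OPENSSL_BIN="$(command -v openssl)"` is the usual form. The comment on `WOLFSSL_ISFIPS=1` (`openssl built without cfb which fips also is`) does not say why the flag is forced on a non-FIPS build; one sentence naming which cmd tests it is meant to skip would help the next reader.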
+++ b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb 
@@ -0,0 +1,59 @@ +SUMMARY = "wolfProvider Command-Line Test Suite" +DESCRIPTION = "Command-line test scripts for wolfProvider - tests hash, AES, RSA, ECC, and certificate operations" +HOMEPAGE = "https://github.com/wolfssl/wolfProvider" +BUGTRACKER = "https://github.com/wolfssl/wolfProvider/issues" +SECTION = "examples" + +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" + +DEPENDS = "openssl wolfssl wolfprovider" +RDEPENDS:${PN} = "bash openssl wolfprovider" + +SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a \ + file://wolfprovidercmd.sh" + + +S = "${WORKDIR}/git" + +do_configure[noexec] = "1" +do_compile[noexec] = "1" + +WOLFPROV_CMD_TEST_DIR = "${datadir}/wolfprovider-cmd-tests" +WOLFPROV_CMD_TEST_INSTALL_DIR = "${D}${WOLFPROV_CMD_TEST_DIR}" + +do_install() { + # Create directory structure that do-cmd-tests.sh expects + install -d ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test + + # Copy main cmd-test scripts to scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/do-cmd-tests.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/cmd-test-common.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/clean-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/hash-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/aes-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/rsa-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/ecc-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/req-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + + # Copy env setup script to scripts/ + install -m 0755 
${S}/scripts/env-setup ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/ + + # Copy provider configuration files to root of test dir + install -m 0644 ${S}/provider.conf ${WOLFPROV_CMD_TEST_INSTALL_DIR}/ + install -m 0644 ${S}/provider-fips.conf ${WOLFPROV_CMD_TEST_INSTALL_DIR}/ || true + + # Install wrapper script to bindir + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/wolfprovidercmd.sh ${D}${bindir}/wolfprovidercmd +} + +python() { + distro_version = d.getVar('DISTRO_VERSION', True) + pn = d.getVar('PN', True) + + files_var_name = 'FILES_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'FILES:' + pn + + wolfprov_cmd_test_dir = d.getVar('WOLFPROV_CMD_TEST_DIR', True) + d.setVar(files_var_name, wolfprov_cmd_test_dir + '/* ${bindir}/wolfprovidercmd') +} diff --git a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.c b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.c similarity index 99% rename from recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.c rename to recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.c index 882f745a..2b8d182f 100644 --- a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.c +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.c @@ -12,4 +12,4 @@ int main(void) { printf("Custom provider 'libwolfprov' loaded successfully.\n"); OSSL_PROVIDER_unload(prov); return 0; -} \ No newline at end of file +} diff --git a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh new file mode 100644 index 00000000..7da89acf --- /dev/null +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh 
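Review bot: In the anonymous `python()` block of wolfprovidercmd.bb, `distro_version.startswith(...)` raises AttributeError at parse time when DISTRO_VERSION is unset, while the rewritten wolfprovidertest.bb in this same patch guards it with `if distro_version and (...)`; the two should agree, e.g. `files_var_name = 'FILES_' + pn if (distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.'))) else 'FILES:' + pn`. `install -m 0644 ${S}/provider-fips.conf ... || true` hides a missing file silently; if the file is genuinely optional, `if [ -f ${S}/provider-fips.conf ]; then install ...; else bbnote "provider-fips.conf not present, skipping"; fi` makes the intent visible in the build log. The `# Copy env setup script` line is split across two physical lines here (`install -m 0755` / `${S}/scripts/env-setup`), which looks like an artefact of this view rather than the committed file — worth confirming against the actual file.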
@@ -0,0 +1,114 @@ +#!/bin/bash + +# This script can be both executed and sourced +# When sourced: Sets up environment variables for other scripts to use +# When executed: Also runs verification tests + +# Detect if wolfProvider is in replace-default mode +REPLACE_DEFAULT_MODE=0 + +# Method 1: Check build-time configuration file +if [ -f /etc/wolfprovider/replace-default-mode ]; then + MODE=$(cat /etc/wolfprovider/replace-default-mode) + if [ "$MODE" = "1" ]; then + REPLACE_DEFAULT_MODE=1 + echo "Detected replace-default mode (from config file)" + fi +else + # Method 2: Runtime detection by checking default provider + DEFAULT_PROVIDER=$(openssl list -providers 2>/dev/null | grep -A1 "^ default$" | grep "name:" | grep -i "wolfSSL Provider") + if [ -n "$DEFAULT_PROVIDER" ]; then + REPLACE_DEFAULT_MODE=1 + echo "Detected replace-default mode (runtime detection)" + fi +fi + +# Setup for libwolfprov.so +mkdir -p /usr/lib/ssl-3/modules +if [ ! -L /usr/lib/ssl-3/modules/libwolfprov.so ]; then + ln -s /usr/lib/libwolfprov.so.0.0.0 /usr/lib/ssl-3/modules/libwolfprov.so +fi + +# Environment variables +export OPENSSL_MODULES=/usr/lib/ssl-3/modules +export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH + +# Only create explicit provider config if NOT in replace-default mode +if [ "$REPLACE_DEFAULT_MODE" -eq 0 ]; then + # Configuration for wolfprovider + mkdir -p /opt/wolfprovider-configs + cat > /opt/wolfprovider-configs/wolfprovider.conf </dev/null || exit 1 + fi +else + # In explicit load mode, test explicit provider loading + if wolfproviderverify; then + echo "Passed!" + else + echo "Failed!" 
+ return 1 2>/dev/null || exit 1 + fi +fi + +# Test 2: Provider List +echo "" +echo "==========================================" +echo "Test 2: OpenSSL Provider List" +echo "==========================================" +openssl list -providers -verbose + +# Test 3: OpenSSL Version +echo "" +echo "==========================================" +echo "Test 3: OpenSSL Version" +echo "==========================================" +openssl version -a + +echo "" +echo "==========================================" +echo "Environment setup completed." +echo "==========================================" diff --git a/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb new file mode 100644 index 00000000..7ac38bbd --- /dev/null +++ b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb 
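Review bot: `mkdir -p /usr/lib/ssl-3/modules` and `ln -s /usr/lib/libwolfprov.so.0.0.0 /usr/lib/ssl-3/modules/libwolfprov.so` are unchecked; when the script is sourced by a non-root user both fail silently and the later `wolfproviderverify` failure is reported under an unrelated message. Since the script deliberately avoids `set -e` so it can be sourced, the pattern it already uses fits: `ln -s /usr/lib/libwolfprov.so.0.0.0 /usr/lib/ssl-3/modules/libwolfprov.so || { echo "✗ cannot create provider symlink"; return 1 2>/dev/null || exit 1; }`. The header comment says verification tests run only when executed, but in the visible lines Tests 1–3 run unconditionally; the middle of this hunk (the here-doc that writes wolfprovider.conf) is unreadable in this view, so if the sourced-vs-executed branch lives there, a comment marking where it begins would help. The runtime detection `openssl list -providers 2>/dev/null | grep -A1 "^ default$"` depends on the exact indentation of openssl's output; a comment noting the OpenSSL version it was written against would make a silent mis-detection easier to diagnose.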
@@ -0,0 +1,43 @@ +SUMMARY = "Test suite for wolfProvider OpenSSL provider" +DESCRIPTION = "Enviroment setup for wolfProvider OpenSSL provider" +HOMEPAGE = "https://www.wolfssl.com" +SECTION = "examples" +LICENSE = "CLOSED" +LIC_FILES_CHKSUM = "" + +DEPENDS = "openssl pkgconfig-native wolfssl wolfprovider" +PROVIDES += "wolfproviderenv" +RPROVIDES_${PN} = "wolfproviderenv" + +SRC_URI = "file://wolfproviderenv.c \ + file://wolfproviderenv.sh \ + " + +S = "${WORKDIR}" + +inherit pkgconfig + +do_compile() { + ${CC} ${WORKDIR}/wolfproviderenv.c -o wolfproviderverify \ + ${CFLAGS} ${LDFLAGS} $(pkg-config --cflags --libs openssl) -ldl -lwolfssl -lwolfprov +} + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/wolfproviderverify ${D}${bindir}/wolfproviderverify + install -m 0755 ${WORKDIR}/wolfproviderenv.sh ${D}${bindir}/wolfproviderenv +} + +FILES_${PN} += "${bindir}/wolfproviderverify ${bindir}/wolfproviderenv" + +# Dynamic RDEPENDS adjustment for bash +python() { + distro_version = d.getVar('DISTRO_VERSION', True) + pn = d.getVar('PN', True) + + rdepends_var_name = 'RDEPENDS_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'RDEPENDS:' + pn + + current_rdepends = d.getVar(rdepends_var_name, True) or "" + new_rdepends = current_rdepends + " bash" + d.setVar(rdepends_var_name, new_rdepends) +} diff --git a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfprovidertest/files/wolfproviderenv.sh deleted file mode 100644 index b0624029..00000000 --- a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfproviderenv.sh +++ /dev/null 
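Review bot: `SUMMARY = "Test suite for wolfProvider OpenSSL provider"` still describes the old package while DESCRIPTION (with a typo) says environment setup; suggest `SUMMARY = "Environment setup for wolfProvider OpenSSL provider"` and `DESCRIPTION = "Environment setup and verification helper for the wolfProvider OpenSSL provider"`. The anonymous python block selects `RDEPENDS_` versus `RDEPENDS:` by DISTRO_VERSION, yet `RPROVIDES_${PN}` and `FILES_${PN} +=` just above are hard-coded in the underscore form, so on releases where the block picks `:` those two assignments are either rejected by the parser or not the override they look like; either apply the same selection to FILES/RPROVIDES (as wolfprovidercmd.bb in this patch does for FILES) or drop the compatibility shim entirely. `distro_version.startswith` also needs the `if distro_version and ...` guard that wolfprovidertest.bb uses. LICENSE is `CLOSED` with an empty `LIC_FILES_CHKSUM` while the sibling recipes added in this patch declare GPL-3.0-only for code from the same upstream; worth confirming which is intended.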
@@ -1,43 +0,0 @@ -#!/bin/bash - -# Setup for libwolfprov.so -mkdir -p /usr/lib/ssl-3/modules -if [ ! -L /usr/lib/ssl-3/modules/libwolfprov.so ]; then - ln -s /usr/lib/libwolfprov.so.0.0.0 /usr/lib/ssl-3/modules/libwolfprov.so -fi - -# Environment variables -export OPENSSL_MODULES=/usr/lib/ssl-3/modules -export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH - -# Configuration for wolfprovider -mkdir -p /opt/wolfprovider-configs -cat > /opt/wolfprovider-configs/wolfprovider.conf </dev/null || true + + # Verify certificates are installed (CERTS_DIR is compiled to point here) + echo "Verifying test certificates..." + if [ -d /usr/share/wolfprovider-test/certs ]; then + echo "Certificates found at /usr/share/wolfprovider-test/certs:" + ls -la /usr/share/wolfprovider-test/certs/ + else + echo "Warning: Certificate directory not found at /usr/share/wolfprovider-test/certs" + fi + echo "" + + # Run the test from /tmp where .libs is available + # CERTS_DIR is compiled to point to /usr/share/wolfprovider-test/certs + ( + cd /tmp + echo "Running unit tests from: $(pwd)" + echo "Checking for .libs directory:" + ls -la .libs/ 2>/dev/null || echo "ERROR: .libs directory not found!" + echo "" + unit.test + ) + TEST_RESULT=$? + + echo "" + echo "==========================================" + if [ $TEST_RESULT -eq 0 ]; then + echo "✓ Unit tests PASSED!" + else + echo "✗ Unit tests FAILED! (exit code: $TEST_RESULT)" + exit $TEST_RESULT + fi +else + echo "Unit test binary not found at /usr/bin/unit.test" + exit 1 +fi + +echo "==========================================" diff --git a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend new file mode 100644 index 00000000..c59ac97e --- /dev/null +++ b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend 
@@ -0,0 +1,46 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" +SRC_URI += "file://wolfprovidertest.sh" + +# Override CERTS_DIR to point to the installed location instead of build directory +CFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' +CXXFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' + +WOLFPROVIDER_TEST_DIR = "${B}/test/.libs" +WOLFPROVIDER_TEST = "unit.test" +WOLFPROVIDER_TEST_BIN = "unit.test" +WOLFPROVIDER_INSTALL_DIR = "${D}${bindir}" +WOLFPROVIDER_CERTS_DIR = "${S}/certs" +WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs" + +python () { + wolfprovider_test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True) + wolfprovider_test = d.getVar('WOLFPROVIDER_TEST', True) + wolfprovider_test_bin = d.getVar('WOLFPROVIDER_TEST_BIN', True) + wolfprovider_install_dir = d.getVar('WOLFPROVIDER_INSTALL_DIR', True) + wolfprovider_certs_dir = d.getVar('WOLFPROVIDER_CERTS_DIR', True) + wolfprovider_certs_install_dir = d.getVar('WOLFPROVIDER_CERTS_INSTALL_DIR', True) + + bbnote = 'bbnote "Installing wolfProvider Tests"\n' + installDir = 'install -m 0755 -d "%s"\n' % (wolfprovider_install_dir) + # Install the binary as unit.test (its original name) + cpTest = 'if [ -f "%s/%s" ]; then cp "%s/%s" "%s/%s"; fi\n' % (wolfprovider_test_dir, wolfprovider_test, wolfprovider_test_dir, wolfprovider_test, wolfprovider_install_dir, wolfprovider_test_bin) + + bbnote = 'bbnote "Installing wolfProvider Certificates"\n' + installCertsDir = 'install -m 0755 -d "%s"\n' % (wolfprovider_certs_install_dir) + cpCerts = 'if [ -d "%s" ]; then cp -r %s/*.pem %s/ 2>/dev/null || true; fi\n' % (wolfprovider_certs_dir, wolfprovider_certs_dir, wolfprovider_certs_install_dir) + + d.appendVar('do_install', bbnote) + d.appendVar('do_install', installDir) + d.appendVar('do_install', cpTest) + d.appendVar('do_install', installCertsDir) + d.appendVar('do_install', cpCerts) +} + +do_install:append() { + # Install the wrapper script as 
wolfprovidertest + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/wolfprovidertest.sh ${D}${bindir}/wolfprovidertest +} + +FILES:${PN} += "${bindir}/wolfprovidertest ${bindir}/unit.test ${datadir}/wolfprovider-test/certs/*" +RDEPENDS:${PN} += "bash wolfproviderenv" diff --git a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb index 2e513e6f..d25cc620 100644 --- a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb +++ b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb 
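Review bot: In the anonymous python block `bbnote` is assigned twice and only the second value (`Installing wolfProvider Certificates`) reaches `d.appendVar('do_install', bbnote)`, so the "Installing wolfProvider Tests" message is never emitted and the one that is emitted precedes the binary copy rather than the certificate copy; use two names, e.g. `noteTests = ...` / `noteCerts = ...`, and append each just before its step. `cp -r %s/*.pem %s/ 2>/dev/null || true` swallows every failure, including a wrong `WOLFPROVIDER_CERTS_DIR`, which then only surfaces at runtime as the wrapper's "Certificate directory not found" warning; a `bbwarn` in an else branch keeps the build log honest. `CFLAGS:append` hard-codes `/usr/share/wolfprovider-test/certs` while the install side uses `${D}${datadir}/wolfprovider-test/certs`; using `${datadir}` in both keeps them in step. The wrapper this bbappend installs (wolfprovidertest.sh, earlier in this patch) runs `unit.test` from `/tmp` and checks for a `.libs/` there, but nothing in this bbappend installs one; if the binary really resolves the provider relative to its cwd, a world-writable directory is the wrong place for that lookup, and the expectation should be documented or removed.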
@@ -1,46 +1,44 @@ -SUMMARY = "Test program for custom OpenSSL provider 'libwolfprov'" -DESCRIPTION = "Compiles and runs a test program to verify the functionality of the custom OpenSSL provider libwolfprov." +SUMMARY = "wolfProvider Unit Test Application" +DESCRIPTION = "wolfProvider unit test application used to test provider functionality" HOMEPAGE = "https://www.wolfssl.com" -SECTION = "examples" -LICENSE = "CLOSED" -LIC_FILES_CHKSUM = "" +BUGTRACKER = "https://github.com/wolfssl/wolfprovider/issues" +SECTION = "x11/applications" -DEPENDS = "openssl pkgconfig-native virtual/wolfssl wolfprovider" -PROVIDES += "wolfprovidertest" -RPROVIDES_${PN} = "wolfprovidertest" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-3.0-only;md5=c79ff39f19dfec6d293b95dea7b07891" +DEPENDS += "wolfprovider" +do_configure[noexec] = "1" +do_compile[noexec] = "1" +do_fetch[noexec] = "1" +do_unpack[noexec] = "1" +do_patch[noexec] = "1" -SRC_URI = "file://wolfprovidertest.c \ - file://wolfproviderenv.sh \ - " +WOLFPROVIDER_TEST_DIR = "${datadir}/wolfprovider-test" +WOLFPROVIDER_TEST_INSTALL_DIR = "${D}${WOLFPROVIDER_TEST_DIR}" +WOLFPROVIDER_TEST_README = "README.txt" +WOLFPROVIDER_TEST_README_DIR = "${WOLFPROVIDER_TEST_INSTALL_DIR}/${WOLFPROVIDER_TEST_README}" -S = "${WORKDIR}" - -inherit pkgconfig - -do_compile() { - ${CC} ${WORKDIR}/wolfprovidertest.c -o wolfprovidertest \ - ${CFLAGS} ${LDFLAGS} $(pkg-config --cflags --libs openssl) -ldl -lwolfssl -lwolfprov -} +python () { + distro_version = d.getVar('DISTRO_VERSION', True) + wolfprovider_test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True) + wolfprovider_test_install_dir = d.getVar('WOLFPROVIDER_TEST_INSTALL_DIR', True) + wolfprovider_test_readme_dir = d.getVar('WOLFPROVIDER_TEST_README_DIR', True) -do_install() { - install -d ${D}${bindir} - install -m 0755 ${WORKDIR}/wolfprovidertest ${D}${bindir}/wolfprovidertest - install -m 0755 ${WORKDIR}/wolfproviderenv.sh 
${D}${bindir}/wolfproviderenv -} + bb.note("Installing dummy file for wolfProvider test example") + installDir = 'install -m 0755 -d "%s"\n' % wolfprovider_test_install_dir + makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolfprovider_test_readme_dir -FILES_${PN} += "${bindir}/wolfprovidertest \ - ${bindir}/wolfproviderenv \ - " + d.appendVar('do_install', installDir) + d.appendVar('do_install', makeDummy) -# Dynamic RDEPENDS adjustment for bash -python() { - distro_version = d.getVar('DISTRO_VERSION', True) pn = d.getVar('PN', True) - - rdepends_var_name = 'RDEPENDS_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'RDEPENDS:' + pn - - current_rdepends = d.getVar(rdepends_var_name, True) or "" - new_rdepends = current_rdepends + " bash" - d.setVar(rdepends_var_name, new_rdepends) + if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): + files_var_name = 'FILES_' + pn + else: + files_var_name = 'FILES:' + pn + + current_files = d.getVar(files_var_name, True) or "" + new_files = current_files + ' ' + wolfprovider_test_dir + '/*' + d.setVar(files_var_name, new_files) } diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index 90d4a65a..9999226c 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb +++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb @@ -1,5 +1,5 @@ -SUMMARY = "wolfProvider is a Proivder designed for Openssl 3.X.X" -DESCRIPTION = "wolfProvider is a library that can be used as an Provider in OpenSSL" +SUMMARY = "wolfProvider is a Provider designed for Openssl 3.X.X" +DESCRIPTION = "wolfProvider is a crypto backend interface for use as an OpenSSL Provider" HOMEPAGE = "https://github.com/wolfSSL/wolfProvider" BUGTRACKER = "https://github.com/wolfSSL/wolfProvider/issues" SECTION = "libs" 
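Review bot: `SECTION = "x11/applications"` replaces the previous `examples` for what the new body turns into a placeholder package that only writes README.txt; `SECTION = "examples"` matches the sibling recipes, and the new DESCRIPTION (`wolfProvider unit test application`) now overstates what this recipe ships, since the unit.test binary actually comes from the wolfprovider_%.bbappend added in this patch. A one-line comment at the top, e.g. `# Placeholder package: unit.test and the wolfprovidertest wrapper are installed by wolfprovider_%.bbappend in this directory`, would save the next reader the search. `bb.note(...)` inside the anonymous python block fires at every parse rather than at install time; if the message is meant for the build log, a `bbnote` inside the generated do_install string (as the bbappend does) is the usual place.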
@@ -10,7 +10,7 @@ DEPENDS += "util-linux-native"
 PROVIDES += "wolfprovider"
 RPROVIDES_${PN} = "wolfprovider"
-SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=f8f432408f2c6f446a9e5bd9330577d2c2e1ed4f"
+SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a"
 DEPENDS += " virtual/wolfssl \
 openssl \
@@ -22,7 +22,33 @@ inherit autotools pkgconfig wolfssl-helper
 S = "${WORKDIR}/git"
+# Pass replace-default mode to runtime
+do_install:append() {
+ install -d ${D}${sysconfdir}/wolfprovider
+ if [ "${WOLFPROVIDER_REPLACE_DEFAULT}" = "1" ]; then
+ echo "1" > ${D}${sysconfdir}/wolfprovider/replace-default-mode
+ else
+ echo "0" > ${D}${sysconfdir}/wolfprovider/replace-default-mode
+ fi
+
+ # Create symlink for unversioned .so
+ install -d ${D}${libdir}
+ ln -sf libwolfprov.so.0.0.0 ${D}${libdir}/libwolfprov.so
+}
+
 CFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=."
 CXXFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=."
 LDFLAGS += " -Wl,--build-id=none"
-EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}"
\ No newline at end of file
+EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}"
+
+# Keep unversioned .so in the runtime package
+FILES_SOLIBSDEV = ""
+
+# Explicitly list what goes to -dev instead (headers, pc)
+FILES:${PN}-dev = "${includedir} ${libdir}/pkgconfig/*.pc"
+
+# Ensure the symlink and config are assigned to runtime
+FILES:${PN} += "${libdir}/libwolfprov.so ${sysconfdir}/wolfprovider/replace-default-mode"
+
+# Shipping an unversioned .so in runtime: suppress QA warning
+INSANE_SKIP:${PN} += "dev-so"
\ No newline at end of file
From 9820e20fad9f269e99e55e3f21f99e81ba35cefe Mon Sep 17 00:00:00 2001
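Review bot: `do_install:append()` writes `replace-default-mode` from `${WOLFPROVIDER_REPLACE_DEFAULT}`, but nothing visible in these two patches sets that variable, and the new openssl-enable-wolfprovider-replace-default.inc in the second patch does not either, so the flag file reads `0` unless a local.conf or distro sets it; a default plus a comment would make the contract explicit: `# Set to "1" (e.g. in local.conf) when building with openssl-enable-wolfprovider-replace-default.inc` and `WOLFPROVIDER_REPLACE_DEFAULT ?= "0"`. The recipe now mixes old-style `RPROVIDES_${PN}` (context line) with `do_install:append`, `FILES:${PN}-dev` and `INSANE_SKIP:${PN}`, which means the dunfell-era `_`/`:` selection kept in wolfproviderenv.bb cannot help for this recipe anyway; settling on one syntax would be clearer. Clearing `FILES_SOLIBSDEV` and skipping the `dev-so` QA check moves the unversioned .so into the runtime package for every consumer of wolfprovider, not only the test images, and the comment should say so.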
From: Test User Date: Wed, 12 Nov 2025 14:41:48 -0800 Subject: [PATCH 02/19] Combine refactor changes and add replace default and fips modes --- conf/layer.conf | 3 +- ...sl-enable-wolfprovider-replace-default.inc | 49 +++++++++++++ .../openssl/openssl-enable-wolfprovider.inc | 3 + .../wolfssl-enable-wolfprovider-fips.inc | 5 ++ .../wolfssl-enable-wolfprovider.inc | 2 +- .../openssl_%.bbappend | 4 ++ .../wolfssl_%.bbappend | 5 +- recipes-wolfssl/wolfprovider/README.md | 71 ++++++++++++++----- .../wolfprovider/openssl_3.%.bbappend | 18 +++++ .../wolfprovider/wolfprovider_1.1.0.bb | 17 ++--- 10 files changed, 145 insertions(+), 32 deletions(-) create mode 100644 inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc create mode 100644 inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc diff --git a/conf/layer.conf b/conf/layer.conf index df6cdb90..1fdbface 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -80,7 +80,8 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \ BBFILE_COLLECTIONS += "wolfssl" BBFILE_PATTERN_wolfssl := "^${LAYERDIR}/" -BBFILE_PRIORITY_wolfssl = "5" +# When doing a build with replace default mode enabled, we need to prioritize the wolfssl layer +BBFILE_PRIORITY_wolfssl = "60" # Weak default preferred providers for wolf libraries # These can be overridden by local.conf or distro configurations diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc new file mode 100644 index 00000000..dfd9a322 --- /dev/null +++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc 
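Review bot: Raising `BBFILE_PRIORITY_wolfssl` from 5 to 60 makes this layer's recipes and bbappends win over every other layer (poky's openssl and wolfssl included) in every build that includes the layer, not only in the replace-default case the comment describes; the comment should state that, e.g. `# 60 so this layer's openssl/wolfssl bbappends and .inc files override poky and other layers; note this applies to every build using the layer, not only replace-default mode`. If the override is only wanted for replace-default builds, setting the priority from the consuming distro or local.conf is safer than a layer-wide default.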
@@ -0,0 +1,49 @@
+# OpenSSL wolfProvider REPLACE-DEFAULT mode configuration
+# This file is included when wolfProvider is configured to replace OpenSSL's default crypto provider
+# It should be included from the image recipe when replace-default mode is desired
+
+# Build OpenSSL as plain, non-FIPS OpenSSL
+# wolfProvider will provide FIPS functionality using wolfSSL FIPS
+PACKAGECONFIG:class-target:pn-openssl = ""
+EXTRA_OECONF:append:class-target = " no-fips"
+
+# OpenSSL target-only tweaks for replace-default mode
+do_configure:prepend:class-target () {
+ set -eu
+
+ # Be explicit about where we are
+ echo "TARGET do_configure prepend: S='${S}', B='${B}'"
+
+ vfile="${S}/VERSION.dat"
+
+ # Sanity check: VERSION.dat must exist at the top of the OpenSSL tree
+ if [ ! -f $vfile ]; then
+ echo "ERROR: $vfile not found in ${S}" >&2
+ exit 1
+ fi
+
+ echo "Injecting BUILD_METADATA into VERSION.dat (target only)"
+ sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/' $vfile
+
+ # Optional FIPS tag based on image features
+ if echo "${IMAGE_FEATURES}" | grep -qw "fips"; then
+ sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/' $vfile
+ fi
+}
+
+# Ensure provider is present on TARGET runtime (doesn't touch -native/-nativesdk)
+RDEPENDS:libcrypto3:append:class-target = " wolfprovider"
+
+# Bring in the replace-default patch (target only)
+SRC_URI:append:class-target = " \
+ git://github.com/wolfSSL/wolfProvider.git;protocol=https;nobranch=1;rev=v1.1.0;destsuffix=git/wolfProvider \
+"
+
+python do_patch:append:class-target () {
+ import os, subprocess
+ s = d.getVar("S")
+ patch_path = os.path.join(d.getVar("WORKDIR"), "git/wolfProvider/patches/openssl3-replace-default.patch")
+ bb.note("REPLACE-DEFAULT MODE: Applying replace-default patch")
+ subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path], check=True)
+}
+
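Review bot: `SRC_URI:append:class-target` pins the wolfProvider checkout that supplies the replace-default patch to `rev=v1.1.0`, a tag rather than a commit, while the wolfprovider recipe in the first patch pins a full commit hash; a tag can be moved, and because `do_patch:append` applies `openssl3-replace-default.patch` with a bare `subprocess.run(["patch", ...])` the patch never goes through bitbake's SRC_URI patch handling, so the OpenSSL source that ends up on the target is only as trustworthy as that tag. Pinning the same commit hash used elsewhere (`rev=<full commit hash>`) and, better, shipping the patch as a `file://` entry in SRC_URI so do_patch applies and tracks it, would close that gap. `if echo "${IMAGE_FEATURES}" | grep -qw "fips"` is evaluated inside the openssl recipe, where IMAGE_FEATURES is an image-recipe variable and is probably empty; if the FIPS tag is meant to follow the choice made in wolfssl_%.bbappend, a dedicated variable would be more reliable — please confirm. `$vfile` is unquoted in `[ ! -f $vfile ]` and both `sed -i ... $vfile` lines despite the `set -eu` above; quoting it costs nothing.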
diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
index 0e0c9e10..a46a4d8c 100644
--- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
+++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
@@ -1,2 +1,5 @@
+# OpenSSL standalone wolfProvider mode configuration
+# Include this file for standard wolfProvider integration as a provider plugin
+
 EXTRA_OECONF += " no-fips shared "
diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc
new file mode 100644
index 00000000..a8a76656
--- /dev/null
+++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc
@@ -0,0 +1,5 @@
+# Configuration to enable wolfprovider FIPS support in wolfssl
+
+EXTRA_OECONF += " --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 "
+TARGET_CFLAGS += " -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DRSA_MIN_SIZE=1024 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
+
diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
index addd53c0..40f84fc3 100644
--- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
+++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
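Review bot: The new wolfssl-enable-wolfprovider-fips.inc carries `-DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER`, while the companion hunk in wolfssl-enable-wolfprovider.inc removes the line that previously added those two flags only when `WOLFSSL_TYPE` was not `fips`/`fips-ready`; the net effect is that FIPS builds now get the flags and non-FIPS builds lose them, the inverse of the old behaviour. If that is deliberate, each file needs a comment saying why (`# PSS long salt / salt-length discovery: enabled for the FIPS build only because ...`); otherwise the flags belong back in the non-FIPS .inc. The two files also duplicate the full `EXTRA_OECONF` and `TARGET_CFLAGS` lists, so every future flag change has to be made twice; keeping the shared part in one .inc that the FIPS file `require`s before adding its extras would remove that.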
@@ -1,5 +1,5 @@
 # Configuration to enable wolfprovider support in wolfssl
+
 EXTRA_OECONF += " --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 "
 TARGET_CFLAGS += " -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DRSA_MIN_SIZE=1024"
-TARGET_CFLAGS += " ${@'-DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER' if d.getVar('WOLFSSL_TYPE') not in ("fips", "fips-ready") else ''}"
diff --git a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend
index dc8c1497..ee83200a 100644
--- a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend
+++ b/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend
@@ -1,6 +1,10 @@
 # Manual configuration for wolfprovider-image-minimal
 # Configure OpenSSL for wolfProvider support
+# WARNING: need to specify replace default or standalone mode not both
+# Uncomment this to use wolfProvider in standalone mode
 require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
+# Uncomment this to use wolfProvider in replace-default mode
+# require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend
index 0f460653..ad3471af 100644
--- a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend
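Review bot: In openssl_%.bbappend the mode is chosen by hand-editing which `require` line is commented out, and the WARNING comment is the only guard against both .inc files being active at once; wolfssl_%.bbappend in this patch uses the same pattern for FIPS. A variable-driven require removes the manual edit and the inconsistent state, something like `WOLFPROVIDER_MODE ?= "standalone"` followed by `require ${@'${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc' if d.getVar('WOLFPROVIDER_MODE') == 'replace-default' else '${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc'}`, and the same variable could drive the `replace-default-mode` flag that wolfprovider_1.1.0.bb in the first patch derives from WOLFPROVIDER_REPLACE_DEFAULT, so the two cannot drift apart.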
@@ -1,6 +1,9 @@
 # Manual configuration for wolfprovider-image-minimal
 # Enable wolfProvider support in wolfSSL
+# WARNING: need to specify non-FIPS or FIPS mode not both
+# Uncomment this to use wolfProvider non-FIPS
 require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
-
+# Uncomment this to use wolfProvider FIPS
+# require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc
diff --git a/recipes-wolfssl/wolfprovider/README.md b/recipes-wolfssl/wolfprovider/README.md
index 28528dbd..9435f661 100644
--- a/recipes-wolfssl/wolfprovider/README.md
+++ b/recipes-wolfssl/wolfprovider/README.md
@@ -36,44 +36,81 @@ The `wolfprovidertest` yocto package will provide two apps, `wolfproviderenv` an 3. **Add wolfprovider to your image**: - Modify your image recipe or `local.conf` file to include `wolfprovider`, `wolfssl`, `openssl`, `openssl-bin`, and `wolfprovidertest`. You will only need `openssl-bin` and `wolfprovidertest` if you want to use and test with our included example and conf file. + Enable the wolfprovider demo image in your `local.conf` file: + ```bitbake + WOLFSSL_DEMOS = "wolfprovider-image-minimal" + ``` +4. **Configure wolfProvider Mode (Optional)**: - For yocto kirkstone or newer: - ``` - IMAGE_INSTALL:append = "wolfprovider wolfssl openssl openssl-bin wolfprovidertest" - ``` + wolfProvider can operate in two modes: + + **Normal Mode (Default)**: wolfProvider acts as a supplementary provider alongside OpenSSL's default provider. No configuration needed. + + **Replace-Default Mode**: wolfProvider replaces OpenSSL's default provider by patching OpenSSL, making wolfSSL the primary crypto backend. + + To enable replace-default mode, simply uncomment the mode you want in the `.inc` files here `recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend` - For yocto dunfell or earlier: - ``` - IMAGE_INSTALL_append = "wolfprovider wolfssl openssl openssl-bin wolfprovidertest" + to rebuild with replace default we need to run a clean on the wolfprovider and openssl then rebuild: + + ```sh + bitbake -c cleanall openssl wolfprovider + bitbake wolfprovider-image-minimal ``` -4. **Build Your Image**: +5. **Build Your Image**: With the `meta-wolfssl` layer added and the necessary packages included in your image configuration, proceed to build your Yocto image as usual. ```sh - bitbake + bitbake wolfprovider-image-minimal ``` ### Testing wolfprovider -After building and deploying your image to the target device, you can test `wolfprovider` functionality through the `wolfproviderenv` script. 
+After building and deploying your image to the target device, you can test `wolfprovider` functionality with three test suites: -1. **Execute the wolfproviderenv Script**: - - `wolfproviderenv` is located in `/usr/bin`, so just execute the script upon entering into your terminal. +1. **Environment Setup and Verification**: ```sh wolfproviderenv ``` + + This sets up the environment and verifies wolfProvider is correctly installed and loaded. It automatically detects replace-default mode. + +2. **Unit Tests**: - The script performs necessary setup actions, executes `wolfprovidertest` to validate the integration, and lists available OpenSSL providers to confirm `wolfprovider` is active and correctly configured. + ```sh + wolfprovidertest + ``` + + Runs the comprehensive wolfProvider unit test suite from the upstream wolfProvider repository. Tests cover all cryptographic operations. -2. **Expected Output**: +3. **Command-Line Tests**: - Look for messages indicating a successful environment setup, execution of `wolfprovidertest` with a custom provider loaded successfully, and `libwolfprovider` listed among active OpenSSL providers. + ```sh + wolfprovidercmd + ``` + + Runs OpenSSL command-line tests including: + - Hash operations (SHA, MD5, etc.) + - AES encryption/decryption + - RSA operations + - ECC operations + - Certificate operations + +### Demo Image + +A demo image is provided to verify wolfProvider works: + +**wolfprovider-image-minimal**: Demonstrates wolfProvider with all test suites +```bash +# In local.conf +WOLFSSL_DEMOS = "wolfprovider-image-minimal" + +# Build +bitbake wolfprovider-image-minimal +``` ### Documentation and Support diff --git a/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend b/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend index c62bfaf4..4839773d 100644 --- a/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend +++ b/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend 
@@ -1,7 +1,25 @@ inherit wolfssl-helper python __anonymous() { + # standalone wolfssl_conditional_require(d, 'wolfprovider', 'inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc') + # replace default + wolfssl_conditional_require(d, 'wolfprovider', 'inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc') + + # non-FIPS mode + wolfssl_osp_conditional_include( + d, + feature_name='wolfprovider', + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc', + allowed_providers=['wolfssl'] + ) + # FIPS mode + wolfssl_osp_conditional_include( + d, + feature_name='wolfprovider', + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', + allowed_providers=['wolfssl-fips'] + ) } # OpenSSL is a dependency of wolfprovider, not a direct image package diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index 9999226c..d24b7733 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb +++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb @@ -22,16 +22,8 @@ inherit autotools pkgconfig wolfssl-helper S = "${WORKDIR}/git" -# Pass replace-default mode to runtime +# Core build configuration do_install:append() { - install -d ${D}${sysconfdir}/wolfprovider - if [ "${WOLFPROVIDER_REPLACE_DEFAULT}" = "1" ]; then - echo "1" > ${D}${sysconfdir}/wolfprovider/replace-default-mode - else - echo "0" > ${D}${sysconfdir}/wolfprovider/replace-default-mode - fi - - # Create symlink for unversioned .so install -d ${D}${libdir} ln -sf libwolfprov.so.0.0.0 ${D}${libdir}/libwolfprov.so } 
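Review bot: Both `wolfssl_conditional_require` calls in `__anonymous` are guarded by the same condition (the `wolfprovider` feature being enabled), so the standalone and replace-default inc files are pulled into the OpenSSL recipe together rather than one or the other, whichever mode the image-level bbappend in this series selects. The two `wolfssl_osp_conditional_include` calls additionally pull `inc/wolfprovider/wolfssl-enable-wolfprovider*.inc`, which set `EXTRA_OECONF` for the wolfssl recipe, into the openssl recipe, which looks like the wrong recipe for them. A mode variable that selects exactly one of the two OpenSSL inc files, and a wolfssl bbappend for the wolfSSL includes, would avoid configuring both modes at once.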
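Review bot: Dropping the `${sysconfdir}/wolfprovider/replace-default-mode` marker from `do_install:append` leaves the runtime script without a build-time record of the mode: the `wolfproviderenv.sh` hunks later in this series still test `/etc/wolfprovider/replace-default-mode` as "Method 1" and only then fall back to parsing `openssl list -providers`. Unless something outside this view re-creates that file, the file check is dead code and mode detection rests entirely on the runtime grep. Either restore the marker (now keyed on the mode variable) or remove the file check and its comment from the script so the two agree.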
@@ -47,8 +39,9 @@ FILES_SOLIBSDEV = "" # Explicitly list what goes to -dev instead (headers, pc) FILES:${PN}-dev = "${includedir} ${libdir}/pkgconfig/*.pc" -# Ensure the symlink and config are assigned to runtime -FILES:${PN} += "${libdir}/libwolfprov.so ${sysconfdir}/wolfprovider/replace-default-mode" +# Ensure the symlink is assigned to runtime +FILES:${PN} += "${libdir}/libwolfprov.so" # Shipping an unversioned .so in runtime: suppress QA warning -INSANE_SKIP:${PN} += "dev-so" \ No newline at end of file +INSANE_SKIP:${PN} += "dev-so" + From f4d7faefa00cdb7bc11d2983ce696ea4f1e3a9c6 Mon Sep 17 00:00:00 2001 From: Test User Date: Wed, 12 Nov 2025 18:06:57 -0800 Subject: [PATCH 03/19] Add working and tested fips, replace default, non-fips, non-replace-default work --- conf/layer.conf | 2 +- .../wolfssl-enable-wolfprovider-fips.inc | 15 +++++- .../wolfssl-enable-wolfprovider.inc | 15 +++++- .../wolfssl_%.bbappend | 1 + .../wolfprovidercmd/wolfprovidercmd.bb | 2 +- .../wolfproviderenv/files/wolfproviderenv.sh | 47 ++++++++++++++++++- .../wolfproviderenv/wolfproviderenv.bb | 2 +- recipes-wolfssl/wolfprovider/README.md | 11 +++++ .../wolfprovider/openssl_3.%.bbappend | 15 ------ .../wolfprovider/wolfprovider_1.1.0.bb | 9 +++- .../wolfprovider/wolfssl_%.bbappend | 17 ++++++- recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb | 14 +++--- 12 files changed, 119 insertions(+), 31 deletions(-) diff --git a/conf/layer.conf b/conf/layer.conf index 1fdbface..4d74ec27 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -81,7 +81,7 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \ BBFILE_COLLECTIONS += "wolfssl" BBFILE_PATTERN_wolfssl := "^${LAYERDIR}/" # When doing a build with replace default mode enabled, we need to prioritize the wolfssl layer -BBFILE_PRIORITY_wolfssl = "60" +BBFILE_PRIORITY_wolfssl = "5" # Weak default preferred providers for wolf libraries # These can be overridden by local.conf or distro configurations 
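Review bot: The comment kept above `BBFILE_PRIORITY_wolfssl` says the layer needs to be prioritized for replace-default builds, but the value drops from `"60"` to `"5"`; in BitBake a higher `BBFILE_PRIORITY` wins, so this lowers meta-wolfssl's precedence rather than raising it. If the intent is that other layers' recipes and bbappends take precedence over meta-wolfssl (which is what 5 does), the comment should say so, e.g. `# Low priority so distro/BSP layers override meta-wolfssl recipes and bbappends`; if the layer really must win conflicts, the value should go up, not down.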
diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc index a8a76656..0282ca7a 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc @@ -1,5 +1,16 @@ # Configuration to enable wolfprovider FIPS support in wolfssl -EXTRA_OECONF += " --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 " -TARGET_CFLAGS += " -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DRSA_MIN_SIZE=1024 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER" +EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist" +TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA" + +# Use a marker file to signal we are a FIPS build +WOLFSSL_ISFIPS = "1" + +do_install:append() { + install -d ${D}${sysconfdir}/wolfssl + echo "1" > ${D}${sysconfdir}/wolfssl/fips-enabled +} + +FILES:${PN} += "${sysconfdir}/wolfssl/fips-enabled" + diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc index 40f84fc3..d464317f 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc 
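Review bot: The `fips-enabled` marker written in `do_install:append` records only that wolfssl was configured with `--enable-fips=v5`; it says nothing about whether the FIPS module's integrity check passed on the target, yet `wolfproviderenv.sh` later in this series prints `Detected wolfSSL FIPS build` purely from this file. A comment next to the `echo` would stop the marker being read as a runtime attestation: `# Build-time marker only: records that wolfssl was configured with --enable-fips; not evidence that the FIPS module loaded or passed its self-test`. The `FILES:${PN}` line added here is removed again in a later patch, consistent with `${sysconfdir}` already being packaged by default.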
@@ -1,5 +1,16 @@ # Configuration to enable wolfprovider support in wolfssl -EXTRA_OECONF += " --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 " -TARGET_CFLAGS += " -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DRSA_MIN_SIZE=1024" +EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha" +TARGET_CFLAGS += " -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM" + +# Use a marker file to signal we are a non-FIPS build +WOLFSSL_ISFIPS = "0" + +do_install:append() { + install -d ${D}${sysconfdir}/wolfssl + echo "0" > ${D}${sysconfdir}/wolfssl/fips-enabled +} + +FILES:${PN} += "${sysconfdir}/wolfssl/fips-enabled" + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend index ad3471af..fdeef861 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend @@ -7,3 +7,4 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc # Uncomment this to use wolfProvider FIPS # require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc + diff --git a/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb index 36a2a926..1fd54ab3 100644 --- a/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb +++ b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb 
@@ -7,7 +7,7 @@ SECTION = "examples" LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" -DEPENDS = "openssl wolfssl wolfprovider" +DEPENDS = "openssl virtual/wolfssl wolfprovider" RDEPENDS:${PN} = "bash openssl wolfprovider" SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a \ diff --git a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh index 7da89acf..b3b36d88 100644 --- a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh 
@@ -33,11 +33,48 @@ fi export OPENSSL_MODULES=/usr/lib/ssl-3/modules export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH +# Detect if wolfSSL was built with FIPS support +WOLFSSL_FIPS_MODE=0 +if [ -f /etc/wolfssl/fips-enabled ]; then + FIPS_VALUE=$(cat /etc/wolfssl/fips-enabled) + if [ "$FIPS_VALUE" = "1" ]; then + WOLFSSL_FIPS_MODE=1 + echo "Detected wolfSSL FIPS build" + else + echo "Detected wolfSSL non-FIPS build" + fi +else + echo "WARNING: FIPS marker file not found, assuming non-FIPS build" + echo "Detected wolfSSL non-FIPS build" +fi + # Only create explicit provider config if NOT in replace-default mode if [ "$REPLACE_DEFAULT_MODE" -eq 0 ]; then # Configuration for wolfprovider mkdir -p /opt/wolfprovider-configs - cat > /opt/wolfprovider-configs/wolfprovider.conf < /opt/wolfprovider-configs/wolfprovider.conf < /opt/wolfprovider-configs/wolfprovider.conf < Date: Fri, 14 Nov 2025 17:52:37 -0800 Subject: [PATCH 04/19] Add FIPS replace default to layers and test all options --- ...sl-enable-wolfprovider-replace-default.inc | 16 +++++- .../wolfssl-enable-wolfprovider-fips.inc | 9 +++- .../wolfssl-enable-wolfprovider.inc | 2 - .../wolfproviderenv/files/wolfproviderenv.sh | 23 +++++--- recipes-wolfssl/wolfprovider/README.md | 52 +++++++++++++++++-- .../wolfprovider/wolfssl-fips_%.bbappend | 17 ++++++ .../wolfprovider/wolfssl_%.bbappend | 7 --- 7 files changed, 103 insertions(+), 23 deletions(-) create mode 100644 recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc index dfd9a322..6df4dda8 100644 --- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc 
@@ -43,7 +43,19 @@ python do_patch:append:class-target () { import os, subprocess s = d.getVar("S") patch_path = os.path.join(d.getVar("WORKDIR"), "git/wolfProvider/patches/openssl3-replace-default.patch") - bb.note("REPLACE-DEFAULT MODE: Applying replace-default patch") - subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path], check=True) + bb.note("REPLACE-DEFAULT MODE: Checking if patch needs to be applied") + # Try to apply patch; if it fails with "already applied", log it and continue + try: + # First check with --dry-run to see if patch can be applied + result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], + capture_output=True, text=True, check=False) + if result.returncode == 0: + bb.note("REPLACE-DEFAULT MODE: Patch can be applied, applying now...") + subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path], check=True) + else: + bb.note("REPLACE-DEFAULT MODE: Patch already applied or cannot apply, skipping") + bb.debug(1, f"Patch check output: {result.stderr}") + except Exception as e: + bb.warn(f"REPLACE-DEFAULT MODE: Error applying patch: {e}") } diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc index 0282ca7a..de109228 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc @@ -6,11 +6,16 @@ TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA" # Use a marker file to signal we are a FIPS build WOLFSSL_ISFIPS = "1" +# commercial bundle missing stamp-h.in required by automake with 5.2.1 +do_configure:prepend() { + if [ ! -f ${S}/stamp-h.in ]; then + touch ${S}/stamp-h.in + fi +} + do_install:append() { install -d ${D}${sysconfdir}/wolfssl echo "1" > ${D}${sysconfdir}/wolfssl/fips-enabled } -FILES:${PN} += "${sysconfdir}/wolfssl/fips-enabled" - 
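Review bot: The `except Exception` branch turns a failure to apply `openssl3-replace-default.patch` into a `bb.warn`, and the `else` branch treats any non-zero `--dry-run` as "already applied", so a build configured for replace-default mode can complete with an OpenSSL whose default provider was never replaced; the image then runs OpenSSL's own crypto while the mode (and in FIPS builds, the FIPS claim) says wolfSSL. Distinguish "already applied" from "does not apply" with a reverse dry-run and fail the build in the latter case, since those are the only two acceptable outcomes. The enclosing `do_patch:append` function starts outside the hunk.
```python
    # … unchanged: s / patch_path setup …
    bb.note("REPLACE-DEFAULT MODE: Checking if patch needs to be applied")
    forward = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"],
                             capture_output=True, text=True, check=False)
    if forward.returncode == 0:
        bb.note("REPLACE-DEFAULT MODE: applying replace-default patch")
        subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path], check=True)
    else:
        # A failed forward dry-run is only acceptable when the patch reverses
        # cleanly, i.e. it is already applied; anything else must fail the build.
        reverse = subprocess.run(["patch", "-d", s, "-R", "-p1", "-i", patch_path, "--dry-run"],
                                 capture_output=True, text=True, check=False)
        if reverse.returncode != 0:
            bb.fatal(f"REPLACE-DEFAULT MODE: patch neither applies nor is already applied:\n{forward.stderr}")
        bb.note("REPLACE-DEFAULT MODE: patch already applied, skipping")
```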
diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc index d464317f..fec45457 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc @@ -11,6 +11,4 @@ do_install:append() { echo "0" > ${D}${sysconfdir}/wolfssl/fips-enabled } -FILES:${PN} += "${sysconfdir}/wolfssl/fips-enabled" - diff --git a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh index b3b36d88..8e481bdc 100644 --- a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh @@ -4,8 +4,8 @@ # When sourced: Sets up environment variables for other scripts to use # When executed: Also runs verification tests -# Detect if wolfProvider is in replace-default mode REPLACE_DEFAULT_MODE=0 +WOLFSSL_FIPS_MODE=0 # Method 1: Check build-time configuration file if [ -f /etc/wolfprovider/replace-default-mode ]; then @@ -13,6 +13,8 @@ if [ -f /etc/wolfprovider/replace-default-mode ]; then if [ "$MODE" = "1" ]; then REPLACE_DEFAULT_MODE=1 echo "Detected replace-default mode (from config file)" + else + echo "Detected normal wolfprovider mode (from config file)" fi else # Method 2: Runtime detection by checking default provider @@ -20,6 +22,8 @@ else if [ -n "$DEFAULT_PROVIDER" ]; then REPLACE_DEFAULT_MODE=1 echo "Detected replace-default mode (runtime detection)" + else + echo "Detected normal wolfprovider mode (runtime detection)" fi fi 
@@ -33,19 +37,24 @@ fi export OPENSSL_MODULES=/usr/lib/ssl-3/modules export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH -# Detect if wolfSSL was built with FIPS support -WOLFSSL_FIPS_MODE=0 +# Method 1: Check build-time configuration file if [ -f /etc/wolfssl/fips-enabled ]; then FIPS_VALUE=$(cat /etc/wolfssl/fips-enabled) if [ "$FIPS_VALUE" = "1" ]; then WOLFSSL_FIPS_MODE=1 - echo "Detected wolfSSL FIPS build" + echo "Detected wolfSSL FIPS build (from config file)" else - echo "Detected wolfSSL non-FIPS build" + echo "Detected wolfSSL non-FIPS build (from config file)" fi else - echo "WARNING: FIPS marker file not found, assuming non-FIPS build" - echo "Detected wolfSSL non-FIPS build" + # Method 2: Runtime detection (Replace default and FIPS mode) + DEFAULT_PROVIDER=$(openssl list -providers 2>/dev/null | grep -A1 "^ default$" | grep "name:" | grep -i "wolfSSL Provider FIPS") + if [ -n "$DEFAULT_PROVIDER" ]; then + WOLFSSL_FIPS_MODE=1 + echo "Detected wolfSSL FIPS build (runtime detection)" + else + echo "Detected wolfSSL non-FIPS build (runtime detection)" + fi fi # Only create explicit provider config if NOT in replace-default mode diff --git a/recipes-wolfssl/wolfprovider/README.md b/recipes-wolfssl/wolfprovider/README.md index 56594db6..1a91a00a 100644 --- a/recipes-wolfssl/wolfprovider/README.md +++ b/recipes-wolfssl/wolfprovider/README.md 
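Review bot: The runtime fallback only inspects the provider listed under `default` (`grep -A1 "^ default$"`), so it can recognise a FIPS build only when wolfProvider has replaced OpenSSL's default provider; in standalone mode with the marker file missing, a FIPS wolfSSL is reported as `non-FIPS build (runtime detection)`, the opposite of what the message implies. At minimum the comment should state the limitation, `# Method 2: only meaningful in replace-default mode, where the default provider is wolfProvider; standalone builds without the marker are reported non-FIPS`, or the check should list providers with the wolfProvider module explicitly loaded so it sees the provider name in both modes. The enclosing script continues outside the hunk.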
@@ -49,7 +49,9 @@ The `wolfprovidertest` yocto package will provide two apps, `wolfproviderenv` an **Replace-Default Mode**: wolfProvider replaces OpenSSL's default provider by patching OpenSSL, making wolfSSL the primary crypto backend. - To enable replace-default mode, simply uncomment the mode you want in the `.inc` files here `recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend` + To enable and disable modes like FIPS, replace default, etc. for testing you can use these files: + `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend` + `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend` to rebuild with replace default we need to run a clean on the wolfprovider and openssl then rebuild: @@ -76,7 +78,7 @@ After building and deploying your image to the target device, you can test `wolf wolfproviderenv ``` - This sets up the environment and verifies wolfProvider is correctly installed and loaded. It automatically detects replace-default mode. + This sets up the environment and verifies wolfProvider is correctly installed and loaded. It automatically detects the mode you are in and does the neccesary things to prepare the env for testing. 2. **Unit Tests**: 
@@ -112,16 +114,60 @@ WOLFSSL_DEMOS = "wolfprovider-image-minimal" bitbake wolfprovider-image-minimal ``` +### Replace Default Mode + +Enable the wolfprovider demo image in your `local.conf` file: +```bitbake +WOLFSSL_DEMOS = "wolfprovider-image-minimal" +``` + +To enable replace default mode uncomment the following line in the `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend` file: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +``` + +Add `WOLFSSL_FEATURES = "wolfprovider"` to the local.conf file or include your bbappend directly to your image recipe. + +run the following commands to build the image: +```bash +bitbake -c cleansstate openssl +bitbake -c cleanall wolfprovider wolfprovider-image-minimal +bitbake wolfprovider-image-minimal +bitbake +``` +Note: Make sure to clean openssl if rebuilding openssl or wolfprovider or the image with replace default mode. + +once in qemu or target image verify with `openssl list -providers` that the default provider is `wolfSSL Provider` or just run `wolfproviderenv`. + ### FIPS Mode To build with fips refer to the `conf/wolfssl-fips.conf.sample` file. Once you have the fips bundle and have extracted the hash you can set the hash in the `conf/wolfssl-fips.conf` file. Then rebuild the image with the following command: + +Enable the wolfprovider demo image in your `local.conf` file so you can veridy FIPS with the wolfcrypttest: +```bitbake +WOLFSSL_DEMOS = "wolfprovider-image-minimal wolfssl-image-minimal" +``` + +To enable fips uncomment the following line in the `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend` file: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +``` + +Add `WOLFSSL_FEATURES = "wolfprovider"` to the local.conf file or include your bbappend directly to your image recipe. 
+ +run the following commands to build the image: ```bash +bitbake -c cleansstate openssl +bitbake wolfssl-fips bitbake -c cleanall wolfprovider wolfprovider-image-minimal wolfssl-image-minimal bitbake wolfprovider-image-minimal wolfssl-image-minimal +bitbake ``` Building with the wolfssl-image-minimal will build the wolfcrypttest which can be used to correctly update the fips hash value. -once you have ran the wolfcrypttest you can update the fips hash value in the `conf/wolfssl-fips.conf` file. Then rebuild the image again and verify FIPS by looking at the `wolfproviderenv` output. +once you have ran the wolfcrypttest you can update the fips hash value in the `conf/wolfssl-fips.conf` file. Then rebuild the image again and verify FIPS by looking at the `wolfproviderenv` output. Or simply add the `auto` HASH version in the wolfssl conf. + +once in qemu or target image run `wolfproviderenv` to load wolfprovider if replace default isnt enabled. ### Documentation and Support diff --git a/recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend b/recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend new file mode 100644 index 00000000..eab8a07d --- /dev/null +++ b/recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend @@ -0,0 +1,17 @@ +# Conditionally configure wolfssl FIPS with wolfprovider support +# This bbappend checks the WOLFSSL_FEATURES and IMAGE_INSTALL variables + +inherit wolfssl-helper +inherit wolfssl-osp-support +deltask do_wolfssl_check_package + +python __anonymous() { + # FIPS mode + wolfssl_osp_conditional_include( + d, + feature_name='wolfprovider', + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', + allowed_providers=['wolfssl-fips'] + ) +} + diff --git a/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend b/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend index 77a7db6f..78b76839 100644 --- a/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend +++ b/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend 
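Review bot: `deltask do_wolfssl_check_package` in the new `wolfssl-fips_%.bbappend` removes a task inherited from the helper class without a comment saying why the FIPS recipe must not run it, and nothing in this hunk shows the non-FIPS `wolfssl_%.bbappend` doing the same. A one-line why-comment above the `deltask` would prevent the next maintainer from restoring it: `# do_wolfssl_check_package is dropped for wolfssl-fips because <reason — TODO fill in>`.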
@@ -13,12 +13,5 @@ python __anonymous() { inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc', allowed_providers=['wolfssl'] ) - # FIPS mode - wolfssl_osp_conditional_include( - d, - feature_name='wolfprovider', - inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', - allowed_providers=['wolfssl-fips'] - ) } From 88f4d38a482ecf9b2121d81c74cba9c8608a59b5 Mon Sep 17 00:00:00 2001 From: Test User Date: Mon, 17 Nov 2025 14:05:29 -0800 Subject: [PATCH 05/19] Refactor bbappends to be more yocto like --- classes/wolfssl-helper.bbclass | 55 +++++++++++++++++++ .../openssl_%.bbappend | 36 +++++++++--- .../wolfssl_%.bbappend | 36 +++++++++--- recipes-wolfssl/wolfprovider/README.md | 15 +++-- .../wolfprovider/openssl_3.%.bbappend | 28 ++++++++-- .../wolfprovider/wolfssl-fips_%.bbappend | 17 ------ .../wolfprovider/wolfssl_%.bbappend | 25 +++++++-- 7 files changed, 162 insertions(+), 50 deletions(-) delete mode 100644 recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend diff --git a/classes/wolfssl-helper.bbclass b/classes/wolfssl-helper.bbclass index aca77da2..29bb15ee 100644 --- a/classes/wolfssl-helper.bbclass +++ b/classes/wolfssl-helper.bbclass 
@@ -26,6 +26,61 @@ def wolfssl_conditional_require(d, package_name, inc_path): bb.parse.mark_dependency(d, inc_file) bb.parse.handle(inc_file, d, True) + +def wolfssl_conditional_require_mode(d, package_name, mode, inc_file): + """ + Conditionally include an .inc file based on a mode variable and WOLFSSL_FEATURES. + + Args: + d: BitBake datastore + package_name: Name of the package to check for (e.g., 'wolfprovider') + mode: The expected mode (e.g., 'standalone' or 'replace-default') + inc_file: Relative path from layer root to the .inc file + + Returns: + True if configuration was included, False otherwise + + Example: + wolfssl_conditional_require_mode( + d, + package_name='wolfprovider', + mode='standalone', + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc' + ) + """ + import os + import bb.parse + + # Check if package is enabled + if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \ + bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)): + bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping") + return False + + # Build the mode variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_MODE') + mode_var_name = f"{package_name.upper()}_MODE" + current_mode = d.getVar(mode_var_name) or 'standalone' # Default to standalone + + # Check if current mode matches expected mode + if current_mode != mode: + bb.debug(2, f"{mode_var_name}='{current_mode}' does not match '{mode}' - skipping") + return False + + # Mode matches - include the configuration + bb.note(f"{package_name}: {mode_var_name}='{current_mode}' - including {inc_file}") + + layerdir = d.getVar('WOLFSSL_LAYERDIR') + if not layerdir: + bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured") + + full_inc_file = os.path.join(layerdir, inc_file) + bb.parse.mark_dependency(d, full_inc_file) + try: + bb.parse.handle(full_inc_file, d, True) + return True + except Exception as e: + 
bb.fatal(f"Failed to include {full_inc_file}: {e}") + python do_wolfssl_check_package() { """ Task to check if package is enabled via IMAGE_INSTALL or WOLFSSL_FEATURES diff --git a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend index ee83200a..911ce094 100644 --- a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend @@ -1,10 +1,30 @@ -# Manual configuration for wolfprovider-image-minimal -# Configure OpenSSL for wolfProvider support - -# WARNING: need to specify replace default or standalone mode not both -# Uncomment this to use wolfProvider in standalone mode -require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc -# Uncomment this to use wolfProvider in replace-default mode -# require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +# Configure OpenSSL support for wolfProvider +# +# This bbappend automatically configures OpenSSL based on: +# 1. 'wolfprovider' in WOLFSSL_FEATURES +# 2. WOLFPROVIDER_MODE setting (standalone or replace-default) +# +# Usage in local.conf: +# WOLFSSL_FEATURES = "wolfprovider" +# WOLFPROVIDER_MODE = "standalone" # or "replace-default" + +inherit wolfssl-helper + +python __anonymous() { + # Standalone mode + wolfssl_conditional_require_mode( + d, + package_name='wolfprovider', + mode='standalone', + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc' + ) + # Replace-default mode + wolfssl_conditional_require_mode( + d, + package_name='wolfprovider', + mode='replace-default', + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc' + ) +} diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend index fdeef861..69aa8025 100644 
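Review bot: `wolfssl_conditional_require_mode` accepts any value of the `<PACKAGE>_MODE` variable and only emits `bb.debug(2, …)` when it matches neither caller, so a misspelling such as `WOLFPROVIDER_MODE = "replace_default"` silently configures OpenSSL with no wolfProvider support at all and the build succeeds. Because callers invoke the helper once per known mode, an unrecognised value is a configuration error and should stop the parse: `if current_mode not in ('standalone', 'replace-default'): bb.fatal(f"{mode_var_name}='{current_mode}' is not a valid mode (standalone, replace-default)")`, or have callers pass the set of valid modes so the helper stays generic.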
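Review bot: The image-level `openssl_%.bbappend` now contains exactly the same two `wolfssl_conditional_require_mode` calls as `recipes-wolfssl/wolfprovider/openssl_3.%.bbappend` later in this series, and the image-level `wolfssl_%.bbappend` in the next hunk likewise repeats the two `wolfssl_osp_conditional_include` calls of `recipes-wolfssl/wolfprovider/wolfssl_%.bbappend`. If both bbappends are in `BBFILES`, each inc file is required twice: `EXTRA_OECONF +=` and `TARGET_CFLAGS +=` are appended twice, and the `do_patch:append` in the replace-default inc is appended twice, which would explain why that task needed the "already applied" handling added earlier in this series. Keep the mode selection in one place (the recipes-wolfssl bbappends) and reduce the image-level files to a comment pointing there, or have each inc set a marker variable and return early when it is already set.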
--- a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend @@ -1,10 +1,30 @@ -# Manual configuration for wolfprovider-image-minimal -# Enable wolfProvider support in wolfSSL - -# WARNING: need to specify non-FIPS or FIPS mode not both -# Uncomment this to use wolfProvider non-FIPS -require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc -# Uncomment this to use wolfProvider FIPS -# require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +# Configure wolfSSL for wolfProvider support in image +# +# This bbappend automatically configures wolfSSL based on: +# 1. 'wolfprovider' in WOLFSSL_FEATURES +# 2. PREFERRED_PROVIDER_virtual/wolfssl setting +# +# Usage in local.conf: +# WOLFSSL_FEATURES = "wolfprovider" +# PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl" # or "wolfssl-fips" + +inherit wolfssl-osp-support + +python __anonymous() { + # non-FIPS mode + wolfssl_osp_conditional_include( + d, + feature_name='wolfprovider', + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc', + allowed_providers=['wolfssl'] + ) + # FIPS mode + wolfssl_osp_conditional_include( + d, + feature_name='wolfprovider', + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', + allowed_providers=['wolfssl-fips'] + ) +} diff --git a/recipes-wolfssl/wolfprovider/README.md b/recipes-wolfssl/wolfprovider/README.md index 1a91a00a..659acad9 100644 --- a/recipes-wolfssl/wolfprovider/README.md +++ b/recipes-wolfssl/wolfprovider/README.md 
@@ -121,13 +121,12 @@ Enable the wolfprovider demo image in your `local.conf` file: WOLFSSL_DEMOS = "wolfprovider-image-minimal" ``` -To enable replace default mode uncomment the following line in the `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend` file: +To enable replace default mode add these to your `local.conf` file: ```bitbake -require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +WOLFSSL_FEATURES = "wolfprovider" +WOLFPROVIDER_MODE = "replace-default" ``` -Add `WOLFSSL_FEATURES = "wolfprovider"` to the local.conf file or include your bbappend directly to your image recipe. - run the following commands to build the image: ```bash bitbake -c cleansstate openssl @@ -136,6 +135,7 @@ bitbake wolfprovider-image-minimal bitbake ``` Note: Make sure to clean openssl if rebuilding openssl or wolfprovider or the image with replace default mode. +Note: If switching between normal and replace default mode you will need to `cleanll openssl` and rebuild the image again. once in qemu or target image verify with `openssl list -providers` that the default provider is `wolfSSL Provider` or just run `wolfproviderenv`. @@ -148,13 +148,12 @@ Enable the wolfprovider demo image in your `local.conf` file so you can veridy F WOLFSSL_DEMOS = "wolfprovider-image-minimal wolfssl-image-minimal" ``` -To enable fips uncomment the following line in the `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend` file: +To enable fips add these to your `local.conf` file: ```bitbake -require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +WOLFSSL_FEATURES = "wolfprovider" +require /path/to/meta-wolfssl/conf/wolfssl-fips.conf ``` -Add `WOLFSSL_FEATURES = "wolfprovider"` to the local.conf file or include your bbappend directly to your image recipe. - run the following commands to build the image: ```bash bitbake -c cleansstate openssl 
diff --git a/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend b/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend index 7a4b064d..32930d82 100644 --- a/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend +++ b/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend @@ -1,10 +1,30 @@ +# Conditionally configure openssl with wolfProvider support +# +# This bbappend automatically enables wolfProvider backend when: +# 1. 'wolfprovider' is in WOLFSSL_FEATURES (explicit intent) +# 2. AND WOLFPROVIDER_MODE specifies the desired mode +# +# Usage in local.conf: +# WOLFSSL_FEATURES = "wolfprovider" +# WOLFPROVIDER_MODE = "standalone" # or "replace-default" + inherit wolfssl-helper python __anonymous() { - # standalone - wolfssl_conditional_require(d, 'wolfprovider', 'inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc') - # replace default - wolfssl_conditional_require(d, 'wolfprovider', 'inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc') + # wolfProvider standalone mode (default) + wolfssl_conditional_require_mode( + d, + package_name='wolfprovider', + mode='standalone', + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc' + ) + # wolfProvider replace-default mode + wolfssl_conditional_require_mode( + d, + package_name='wolfprovider', + mode='replace-default', + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc' + ) } # OpenSSL is a dependency of wolfprovider, not a direct image package diff --git a/recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend b/recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend deleted file mode 100644 index eab8a07d..00000000 --- a/recipes-wolfssl/wolfprovider/wolfssl-fips_%.bbappend +++ /dev/null 
@@ -1,17 +0,0 @@ -# Conditionally configure wolfssl FIPS with wolfprovider support -# This bbappend checks the WOLFSSL_FEATURES and IMAGE_INSTALL variables - -inherit wolfssl-helper -inherit wolfssl-osp-support -deltask do_wolfssl_check_package - -python __anonymous() { - # FIPS mode - wolfssl_osp_conditional_include( - d, - feature_name='wolfprovider', - inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', - allowed_providers=['wolfssl-fips'] - ) -} - diff --git a/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend b/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend index 78b76839..c0cdfb85 100644 --- a/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend +++ b/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend @@ -1,17 +1,32 @@ -# Conditionally configure wolfssl with wolfprovider support -# This bbappend checks the WOLFSSL_FEATURES and IMAGE_INSTALL variables +# Configure wolfProvider FIPS support for wolfSSL +# +# This bbappend automatically configures wolfssl or wolfssl-fips with the features +# needed by wolfprovider when 'wolfprovider' is in WOLFSSL_FEATURES +# +# Usage in local.conf: +# WOLFSSL_FEATURES = "wolfprovider" +# require conf/wolfssl-fips.conf # If FIPS mode is enabled -inherit wolfssl-helper inherit wolfssl-osp-support -deltask do_wolfssl_check_package python __anonymous() { - # non-FIPS mode + # wolfProvider non-FIPS mode wolfssl_osp_conditional_include( d, feature_name='wolfprovider', inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc', allowed_providers=['wolfssl'] ) + # wolfProvider FIPS mode + wolfssl_osp_conditional_include( + d, + feature_name='wolfprovider', + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', + allowed_providers=['wolfssl-fips'] + ) } +# Disable package check since this is configuration for wolfssl itself +deltask do_wolfssl_check_package + + From dac219a7fc72c1f78fa019696f67d943cc5ecefd Mon Sep 17 00:00:00 2001 
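Review bot: Folding the FIPS branch into wolfssl_%.bbappend while deleting wolfssl-fips_%.bbappend likely means the `allowed_providers=['wolfssl-fips']` call never runs for the wolfssl-fips recipe, because a bbappend's `%` wildcard only stands in for the version part of the recipe filename and `wolfssl_%.bbappend` does not match `wolfssl-fips_5.8.2.bb`; commit 11 later on this page appears to add per-image `wolfssl-fips_%.bbappend` files, which points the same way. Either keep a `wolfssl-fips_%.bbappend` carrying the FIPS call or document in this file how the FIPS include is expected to reach that recipe. The new header `# Configure wolfProvider FIPS support for wolfSSL` is also narrower than the body, which handles both modes; `# Configure wolfssl (non-FIPS) or wolfssl-fips with the features wolfProvider needs` would match it. The usage line `require conf/wolfssl-fips.conf` uses a relative path while the README hunk above uses `/path/to/meta-wolfssl/conf/wolfssl-fips.conf`; one form should be used in both places.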
From: Aidan Garske Date: Tue, 18 Nov 2025 19:54:48 -0800 Subject: [PATCH 06/19] Add overide to openssl configure --- ...sl-enable-wolfprovider-replace-default.inc | 23 +++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc index 6df4dda8..3073372d 100644 --- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc @@ -4,8 +4,7 @@ # Build OpenSSL as plain, non-FIPS OpenSSL # wolfProvider will provide FIPS functionality using wolfSSL FIPS -PACKAGECONFIG:class-target:pn-openssl = "" -EXTRA_OECONF:append:class-target = " no-fips" +EXTRA_OECONF:append:class-target = " no-fips shared " # OpenSSL target-only tweaks for replace-default mode do_configure:prepend:class-target () { 
@@ -29,6 +28,25 @@ do_configure:prepend:class-target () { if echo "${IMAGE_FEATURES}" | grep -qw "fips"; then sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/' $vfile fi + +} + +# Override do_configure to filter enable-fips from the actual configure command +do_configure:append:class-target () { + # The base do_configure uses ${PACKAGECONFIG_CONFARGS} which still has enable-fips + # We need to regenerate it without enable-fips + # Re-run configure with enable-fips explicitly removed + if [ -f "${B}/configdata.pm" ] && grep -q "enable-fips" "${B}/configdata.pm" 2>/dev/null; then + bbwarn "REPLACE-DEFAULT MODE: FIPS detected in config, forcing reconfigure without FIPS" + cd "${B}" + # Get the target from the original config + target=$(grep "our \$config{target}" "${B}/configdata.pm" 2>/dev/null | sed "s/.*'\(.*\)'.*/\1/" || echo "linux-x86_64") + # Reconfigure without enable-fips + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + perl "${S}/Configure" no-fips shared ${EXTRA_OECONF} ${DEPRECATED_CRYPTO_FLAGS} \ + --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${libdir} "$target" + perl "${B}/configdata.pm" --dump + fi } # Ensure provider is present on TARGET runtime (doesn't touch -native/-nativesdk) @@ -59,3 +77,4 @@ python do_patch:append:class-target () { bb.warn(f"REPLACE-DEFAULT MODE: Error applying patch: {e}") } + From 665fc2ef4f4e9d2baa243ea49e66f54c353ee0e7 Mon Sep 17 00:00:00 2001 From: Aidan Garske Date: Wed, 19 Nov 2025 09:31:55 -0800 Subject: [PATCH 07/19] Address comment concerns --- recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb | 6 ++++-- recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb | 6 ------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index 6983e398..e280b7aa 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb 
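Review bot: In the new do_configure:append, `target=$(grep "our \$config{target}" ... | sed ... || echo "linux-x86_64")` only falls back when sed fails, not when grep matches nothing, so an unmatched configdata.pm hands Configure an empty target, and the hard-coded `linux-x86_64` fallback is wrong for any cross target anyway; I am also not sure configdata.pm contains a line of the form `our $config{target}` at all (the files I know declare `our %config = (...)`), which would make the empty-target path the one that actually runs. Whatever pattern is used, add `[ -n "$target" ] || bbfatal "REPLACE-DEFAULT MODE: could not determine configure target"` after the assignment, and make the directory change `cd "${B}" || bbfatal "cannot cd to ${B}"` so Configure never runs from the wrong tree. Re-running Configure by hand also passes only `no-fips shared ${EXTRA_OECONF} ${DEPRECATED_CRYPTO_FLAGS}` plus the three prefix options, so anything else the base do_configure supplied (presumably the remaining PACKAGECONFIG_CONFARGS) is silently dropped and the resulting OpenSSL can differ from the recipe's intended configuration in more than the FIPS flag; removing the PACKAGECONFIG entry that emits enable-fips, where the preceding hunk deleted `PACKAGECONFIG:class-target:pn-openssl = ""`, would be a narrower fix than a second configure pass. The do_configure:prepend at the top of this hunk starts outside it.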
+++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb @@ -22,8 +22,8 @@ inherit autotools pkgconfig wolfssl-helper S = "${WORKDIR}/git" -# Core build configuration -do_install:append() { +# Install symlinks after main installation +do_install_symlinks() { install -d ${D}${libdir} ln -sf libwolfprov.so.0.0.0 ${D}${libdir}/libwolfprov.so @@ -32,6 +32,8 @@ do_install:append() { ln -sf ../../libwolfprov.so.0.0.0 ${D}${libdir}/ssl-3/modules/libwolfprov.so } +addtask install_symlinks after do_install before do_package + CFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." CXXFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." LDFLAGS += " -Wl,--build-id=none" diff --git a/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb b/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb index 1081ba04..264243b7 100644 --- a/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb +++ b/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb @@ -65,9 +65,3 @@ EXTRA_OECONF += " \ --enable-reproducible-build \ " -# CRITICAL: Do not strip FIPS libraries! -# Stripping modifies the binary and breaks FIPS integrity verification -# The embedded hash must match the deployed binary exactly -INHIBIT_PACKAGE_STRIP = "1" -INHIBIT_SYSROOT_STRIP = "1" - From 4fddcd3f803dcd3b3deb3c3a7e8133bdb365d871 Mon Sep 17 00:00:00 2001 From: Aidan Garske Date: Wed, 19 Nov 2025 10:51:30 -0800 Subject: [PATCH 08/19] Only do neccesary simlinks --- .../wolfprovider/wolfprovider_1.1.0.bb | 31 ++++++++++++++----- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index e280b7aa..f813cad4 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb +++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb 
@@ -22,17 +22,32 @@ inherit autotools pkgconfig wolfssl-helper S = "${WORKDIR}/git" -# Install symlinks after main installation -do_install_symlinks() { - install -d ${D}${libdir} - ln -sf libwolfprov.so.0.0.0 ${D}${libdir}/libwolfprov.so +# Install provider module symlink (autotools already creates libwolfprov.so symlinks) +# Use Python function to avoid pseudo inode tracking issues with shell symlink creation +python install_provider_module() { + import os + libdir = d.getVar('libdir') + destdir = d.getVar('D') - # Install provider module in OpenSSL's module directory - install -d ${D}${libdir}/ssl-3/modules - ln -sf ../../libwolfprov.so.0.0.0 ${D}${libdir}/ssl-3/modules/libwolfprov.so + # Construct paths properly: libdir is absolute like /usr/lib, D is absolute like /path/to/image + # Strip leading / from libdir for proper join + libdir_rel = libdir.lstrip('/') + target_lib = os.path.join(destdir, libdir_rel, 'libwolfprov.so.0.0.0') + modules_dir = os.path.join(destdir, libdir_rel, 'ssl-3', 'modules') + symlink_path = os.path.join(modules_dir, 'libwolfprov.so') + + # Ensure target library exists + if not os.path.exists(target_lib): + bb.fatal('libwolfprov.so.0.0.0 not found in %s' % os.path.dirname(target_lib)) + + # Create module directory and symlink using Python os.symlink (pseudo-friendly) + os.makedirs(modules_dir, exist_ok=True) + if not os.path.exists(symlink_path): + # Use relative path: from ssl-3/modules to libdir (../../libwolfprov.so.0.0.0) + os.symlink('../../libwolfprov.so.0.0.0', symlink_path) } -addtask install_symlinks after do_install before do_package +do_install[postfuncs] += "install_provider_module" CFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." CXXFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." From 46e1e88b1bbe36608f8d55cebfcdcf03e39ecab3 Mon Sep 17 00:00:00 2001 
From: Aidan Garske Date: Wed, 19 Nov 2025 10:51:54 -0800 Subject: [PATCH 09/19] Only do neccesary simlinks --- .../wolfprovider/wolfprovider_1.1.0.bb | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index f813cad4..fe8a2ecd 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb +++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb 
@@ -23,28 +23,18 @@ inherit autotools pkgconfig wolfssl-helper S = "${WORKDIR}/git" # Install provider module symlink (autotools already creates libwolfprov.so symlinks) -# Use Python function to avoid pseudo inode tracking issues with shell symlink creation -python install_provider_module() { - import os - libdir = d.getVar('libdir') - destdir = d.getVar('D') - - # Construct paths properly: libdir is absolute like /usr/lib, D is absolute like /path/to/image - # Strip leading / from libdir for proper join - libdir_rel = libdir.lstrip('/') - target_lib = os.path.join(destdir, libdir_rel, 'libwolfprov.so.0.0.0') - modules_dir = os.path.join(destdir, libdir_rel, 'ssl-3', 'modules') - symlink_path = os.path.join(modules_dir, 'libwolfprov.so') - +install_provider_module() { # Ensure target library exists - if not os.path.exists(target_lib): - bb.fatal('libwolfprov.so.0.0.0 not found in %s' % os.path.dirname(target_lib)) + if [ ! -f ${D}${libdir}/libwolfprov.so.0.0.0 ]; then + echo "libwolfprov.so.0.0.0 not found in ${D}${libdir}/" >&2 + exit 1 + fi - # Create module directory and symlink using Python os.symlink (pseudo-friendly) - os.makedirs(modules_dir, exist_ok=True) - if not os.path.exists(symlink_path): - # Use relative path: from ssl-3/modules to libdir (../../libwolfprov.so.0.0.0) - os.symlink('../../libwolfprov.so.0.0.0', symlink_path) + # Create the OpenSSL module directory symlink + install -d ${D}${libdir}/ssl-3/modules + if [ ! -e ${D}${libdir}/ssl-3/modules/libwolfprov.so ]; then + ln -sf ${libdir}/libwolfprov.so.0.0.0 ${D}${libdir}/ssl-3/modules/libwolfprov.so + fi } do_install[postfuncs] += "install_provider_module" From a98887fddf8f80c298f1439aa33ce36d91f15ed2 Mon Sep 17 00:00:00 2001 
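Review bot: `ln -sf ${libdir}/libwolfprov.so.0.0.0 ${D}${libdir}/ssl-3/modules/libwolfprov.so` creates an absolute symlink that resolves on the target root filesystem but, if followed inside ${D} or a sysroot during the build, would resolve against the host's own `${libdir}`; the previous commit's relative form `../../libwolfprov.so.0.0.0` resolves in both places. `exit 1` in a do_install postfunc should be `bbfatal "..."` so the failure is reported through BitBake's logging, and the `[ ! -e ... ]` guard is redundant with the `-f` already passed to `ln`. The body can be `[ -f "${D}${libdir}/libwolfprov.so.0.0.0" ] || bbfatal "libwolfprov.so.0.0.0 not found in ${D}${libdir}/"`, `install -d "${D}${libdir}/ssl-3/modules"`, `ln -sf ../../libwolfprov.so.0.0.0 "${D}${libdir}/ssl-3/modules/libwolfprov.so"`.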
From: Aidan Garske Date: Fri, 21 Nov 2025 12:45:51 -0800 Subject: [PATCH 10/19] Convert wolfprovider test bbappend to inc file --- classes/wolfssl-helper.bbclass | 86 +++++++++++++++++-- conf/layer.conf | 1 + .../wolfprovider-enable-unit-test.inc | 71 +++++++++++++++ .../wolfprovidertest/wolfprovider_%.bbappend | 46 ---------- .../wolfprovider/wolfprovider_%.bbappend | 26 ++++++ recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb | 7 ++ 6 files changed, 185 insertions(+), 52 deletions(-) create mode 100644 inc/wolfprovider/wolfprovider-enable-unit-test.inc delete mode 100644 recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend create mode 100644 recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend diff --git a/classes/wolfssl-helper.bbclass b/classes/wolfssl-helper.bbclass index 29bb15ee..b95080a0 100644 --- a/classes/wolfssl-helper.bbclass +++ b/classes/wolfssl-helper.bbclass @@ -30,6 +30,7 @@ def wolfssl_conditional_require(d, package_name, inc_path): def wolfssl_conditional_require_mode(d, package_name, mode, inc_file): """ Conditionally include an .inc file based on a mode variable and WOLFSSL_FEATURES. + Supports space-separated modes (e.g., "replace-default enable-tests"). Args: d: BitBake datastore @@ -47,6 +48,9 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file): mode='standalone', inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc' ) + + # Supports multiple modes in WOLFPROVIDER_MODE: + # WOLFPROVIDER_MODE = "replace-default enable-tests" """ import os import bb.parse 
@@ -59,15 +63,85 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file): # Build the mode variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_MODE') mode_var_name = f"{package_name.upper()}_MODE" - current_mode = d.getVar(mode_var_name) or 'standalone' # Default to standalone + current_mode_str = d.getVar(mode_var_name) or 'standalone' # Default to standalone - # Check if current mode matches expected mode - if current_mode != mode: - bb.debug(2, f"{mode_var_name}='{current_mode}' does not match '{mode}' - skipping") + # Support space-separated modes: split into list and check if expected mode is in the list + current_modes = [m.strip() for m in current_mode_str.split() if m.strip()] + + # If no modes specified (empty string), default to standalone for backward compatibility + if not current_modes: + current_modes = ['standalone'] + + # Check if expected mode is in the current modes list + if mode not in current_modes: + bb.debug(2, f"{package_name}: {mode_var_name}='{current_mode_str}' does not contain '{mode}' - skipping") + return False + + # Mode found in list - include the configuration + # Show all detected modes for clarity + bb.note(f"{package_name}: {mode_var_name}='{current_mode_str}' contains '{mode}' mode - including {inc_file}") + + layerdir = d.getVar('WOLFSSL_LAYERDIR') + if not layerdir: + bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured") + + full_inc_file = os.path.join(layerdir, inc_file) + bb.parse.mark_dependency(d, full_inc_file) + try: + bb.parse.handle(full_inc_file, d, True) + return True + except Exception as e: + bb.fatal(f"Failed to include {full_inc_file}: {e}") + + +def wolfssl_conditional_require_flag(d, package_name, flag_name, inc_file): + """ + Conditionally include an .inc file based on a flags variable and WOLFSSL_FEATURES. + Flags are separate from modes - use for features like tests, not OpenSSL configuration. 
+ + Args: + d: BitBake datastore + package_name: Name of the package to check for (e.g., 'wolfprovider') + flag_name: The flag to check for (e.g., 'enable-tests') + inc_file: Relative path from layer root to the .inc file + + Returns: + True if configuration was included, False otherwise + + Example: + wolfssl_conditional_require_flag( + d, + package_name='wolfprovider', + flag_name='enable-tests', + inc_file='inc/wolfprovider/wolfprovider-enable-test.inc' + ) + + # Usage in local.conf: + # WOLFPROVIDER_FLAGS = "enable-tests" # Can be space-separated: "enable-tests other-flag" + """ + import os + import bb.parse + + # Check if package is enabled + if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \ + bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)): + bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping") + return False + + # Build the flags variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_FLAGS') + flags_var_name = f"{package_name.upper()}_FLAGS" + current_flags_str = d.getVar(flags_var_name) or '' + + # Support space-separated flags: split into list and check if expected flag is in the list + current_flags = [f.strip() for f in current_flags_str.split() if f.strip()] + + # Check if expected flag is in the current flags list + if flag_name not in current_flags: + bb.debug(2, f"{package_name}: {flags_var_name}='{current_flags_str}' does not contain '{flag_name}' - skipping") return False - # Mode matches - include the configuration - bb.note(f"{package_name}: {mode_var_name}='{current_mode}' - including {inc_file}") + # Flag found in list - include the configuration + bb.note(f"{package_name}: {flags_var_name}='{current_flags_str}' contains '{flag_name}' flag - including {inc_file}") layerdir = d.getVar('WOLFSSL_LAYERDIR') if not layerdir: diff --git a/conf/layer.conf b/conf/layer.conf index 4d74ec27..10c513ec 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
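Review bot: Accepting a space-separated list in `WOLFPROVIDER_MODE` makes `standalone` and `replace-default` no longer mutually exclusive: with `WOLFPROVIDER_MODE = "standalone replace-default"` both calls in the openssl bbappends earlier on this page (openssl_3.%.bbappend and the image openssl_%.bbappend) include their .inc files into the same OpenSSL recipe, which is exactly what the removed `WARNING: need to specify replace default or standalone mode not both` comment guarded against. Since this commit also introduces `WOLFPROVIDER_FLAGS`/`wolfssl_conditional_require_flag` for non-mode settings such as `enable-tests`, the `_MODE` variable could stay single-valued and reject ambiguity, e.g. `if len(current_modes) > 1: bb.fatal(f"{mode_var_name}='{current_mode_str}' must name exactly one mode")`; the docstring example `"replace-default enable-tests"` in the earlier hunk of this file is stale for the same reason, as `enable-tests` is now a flag. `wolfssl_conditional_require_flag` duplicates the package-enabled check and the layerdir/`bb.parse.handle` tail of `wolfssl_conditional_require_mode`, so a shared private helper such as `_wolfssl_include_inc(d, inc_file)` would keep the two in step. The hunk cuts `wolfssl_conditional_require_flag` off after `if not layerdir:`, so the rest of that function is outside it.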
@@ -22,6 +22,7 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \ ${LAYERDIR}/recipes-wolfssl/wolfcrypt-py/*.bb \ ${LAYERDIR}/recipes-wolfssl/wolfcrypt-py/*.bbappend \ ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfprovider*.bb \ + ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfprovider*.bbappend \ ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfssl*.bbappend \ ${LAYERDIR}/recipes-wolfssl/wolfengine/wolfengine*.bb \ ${LAYERDIR}/recipes-wolfssl/wolfengine/wolfssl*.bbappend \ diff --git a/inc/wolfprovider/wolfprovider-enable-unit-test.inc b/inc/wolfprovider/wolfprovider-enable-unit-test.inc new file mode 100644 index 00000000..964fe570 --- /dev/null +++ b/inc/wolfprovider/wolfprovider-enable-unit-test.inc 
@@ -0,0 +1,71 @@ +FILESEXTRAPATHS:prepend := "${WOLFSSL_LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/files:" +SRC_URI += "file://wolfprovidertest.sh" + +# Override CERTS_DIR to point to the installed location instead of build directory +CFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' +CXXFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' + +WOLFPROVIDER_TEST_DIR = "${B}/test/.libs" +WOLFPROVIDER_TEST = "unit.test" +WOLFPROVIDER_TEST_BIN = "unit.test" +WOLFPROVIDER_INSTALL_DIR = "${D}${bindir}" +WOLFPROVIDER_CERTS_DIR = "${S}/certs" +WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs" + +do_install:append() { + bbnote "Installing wolfProvider Tests" + + # Install the wrapper script as wolfprovidertest + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/wolfprovidertest.sh ${D}${bindir}/wolfprovidertest + + # Install the test binary + if [ -f "${B}/test/.libs/unit.test" ]; then + install -m 0755 ${B}/test/.libs/unit.test ${D}${bindir}/unit.test + elif [ -f "${B}/test/unit.test" ]; then + install -m 0755 ${B}/test/unit.test ${D}${bindir}/unit.test + elif [ -f "${B}/unit.test" ]; then + install -m 0755 ${B}/unit.test ${D}${bindir}/unit.test + fi + + # Install test certificates + bbnote "Installing wolfProvider Certificates" + install -m 0755 -d ${D}${datadir}/wolfprovider-test/certs + if [ -d "${S}/certs" ]; then + cp -r ${S}/certs/*.pem ${D}${datadir}/wolfprovider-test/certs/ 2>/dev/null || true + fi +} + +# Append test files and library files to FILES using Python +python __anonymous() { + pn = d.getVar('PN') + + # Get existing FILES value (set by autotools class and base recipe) + existing_files = d.getVar('FILES:' + pn) or '' + + # Append our test files and ensure base recipe's library files are included + new_files = existing_files + ' '.join([ + '${bindir}/wolfprovidertest', + '${bindir}/unit.test', + '${datadir}/wolfprovider-test/certs/*', + '${libdir}/libwolfprov.so', + 
'${libdir}/libwolfprov.so.*', + '${libdir}/ssl-3', + '${libdir}/ssl-3/modules', + '${libdir}/ssl-3/modules/libwolfprov.so' + ]) + + # Set the combined value (this avoids the "replaces original key" warning) + d.setVar('FILES:' + pn, new_files) + + # Same approach for RDEPENDS + existing_rdepends = d.getVar('RDEPENDS:' + pn) or '' + new_rdepends = existing_rdepends + ' bash wolfproviderenv' + d.setVar('RDEPENDS:' + pn, new_rdepends) + + # Same approach for INSANE_SKIP + existing_skip = d.getVar('INSANE_SKIP:' + pn) or '' + new_skip = existing_skip + ' dev-so build-deps' + d.setVar('INSANE_SKIP:' + pn, new_skip) +} + diff --git a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend deleted file mode 100644 index c59ac97e..00000000 --- a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovider_%.bbappend +++ /dev/null 
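Review bot: `new_files = existing_files + ' '.join([...])` omits the separator between the inherited FILES value and the first new entry, so the last existing path and `${bindir}/wolfprovidertest` fuse into a single token and neither is packaged; use `new_files = existing_files + ' ' + ' '.join([...])` or simply `d.appendVar('FILES:' + pn, ' ' + ' '.join([...]))`. The RDEPENDS and INSANE_SKIP concatenations below it are safe only because their literals happen to begin with a space. `cp -r ${S}/certs/*.pem ... 2>/dev/null || true` hides a missing or unreadable cert set, so a test image can be built with no certificates and fail only at run time; the directory is already checked, so drop the redirection and `|| true`, or at least `bbwarn` when no .pem files are found. The .pem files (presumably test keys as well as certificates), the `unit.test` binary and the `${libdir}/libwolfprov.so` dev symlink all land in the main wolfprovider package with `dev-so build-deps` QA checks skipped; the include is opt-in via `enable-tests`, but a comment at the top stating that this inc is for test images only and must not be enabled for production builds would make that explicit.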
@@ -1,46 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/files:" -SRC_URI += "file://wolfprovidertest.sh" - -# Override CERTS_DIR to point to the installed location instead of build directory -CFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' -CXXFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' - -WOLFPROVIDER_TEST_DIR = "${B}/test/.libs" -WOLFPROVIDER_TEST = "unit.test" -WOLFPROVIDER_TEST_BIN = "unit.test" -WOLFPROVIDER_INSTALL_DIR = "${D}${bindir}" -WOLFPROVIDER_CERTS_DIR = "${S}/certs" -WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs" - -python () { - wolfprovider_test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True) - wolfprovider_test = d.getVar('WOLFPROVIDER_TEST', True) - wolfprovider_test_bin = d.getVar('WOLFPROVIDER_TEST_BIN', True) - wolfprovider_install_dir = d.getVar('WOLFPROVIDER_INSTALL_DIR', True) - wolfprovider_certs_dir = d.getVar('WOLFPROVIDER_CERTS_DIR', True) - wolfprovider_certs_install_dir = d.getVar('WOLFPROVIDER_CERTS_INSTALL_DIR', True) - - bbnote = 'bbnote "Installing wolfProvider Tests"\n' - installDir = 'install -m 0755 -d "%s"\n' % (wolfprovider_install_dir) - # Install the binary as unit.test (its original name) - cpTest = 'if [ -f "%s/%s" ]; then cp "%s/%s" "%s/%s"; fi\n' % (wolfprovider_test_dir, wolfprovider_test, wolfprovider_test_dir, wolfprovider_test, wolfprovider_install_dir, wolfprovider_test_bin) - - bbnote = 'bbnote "Installing wolfProvider Certificates"\n' - installCertsDir = 'install -m 0755 -d "%s"\n' % (wolfprovider_certs_install_dir) - cpCerts = 'if [ -d "%s" ]; then cp -r %s/*.pem %s/ 2>/dev/null || true; fi\n' % (wolfprovider_certs_dir, wolfprovider_certs_dir, wolfprovider_certs_install_dir) - - d.appendVar('do_install', bbnote) - d.appendVar('do_install', installDir) - d.appendVar('do_install', cpTest) - d.appendVar('do_install', installCertsDir) - d.appendVar('do_install', cpCerts) -} - -do_install:append() { - # Install the wrapper script as 
wolfprovidertest - install -d ${D}${bindir} - install -m 0755 ${WORKDIR}/wolfprovidertest.sh ${D}${bindir}/wolfprovidertest -} - -FILES:${PN} += "${bindir}/wolfprovidertest ${bindir}/unit.test ${datadir}/wolfprovider-test/certs/*" -RDEPENDS:${PN} += "bash wolfproviderenv" diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend b/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend new file mode 100644 index 00000000..0497b9bb --- /dev/null +++ b/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend @@ -0,0 +1,26 @@ +# Conditionally configure wolfProvider with unit tests +# +# This bbappend automatically enables wolfProvider unit tests when: +# 1. 'wolfprovider' is in WOLFSSL_FEATURES (explicit intent) +# 2. AND WOLFPROVIDER_FLAGS contains "enable-tests" +# +# Usage in local.conf: +# WOLFSSL_FEATURES = "wolfprovider" +# WOLFPROVIDER_FLAGS = "enable-tests" # or dont set + +inherit wolfssl-helper + +python __anonymous() { + # wolfProvider enable unit tests (via WOLFPROVIDER_FLAGS - separate from mode) + wolfssl_conditional_require_flag( + d, + package_name='wolfprovider', + flag_name='enable-tests', + inc_file='inc/wolfprovider/wolfprovider-enable-unit-test.inc' + ) +} + +# OpenSSL is a dependency of wolfprovider, not a direct image package +# The check above already validates wolfprovider is in IMAGE_INSTALL +deltask do_wolfssl_check_package + diff --git a/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb b/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb index 264243b7..c354f81a 100644 --- a/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb +++ b/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb @@ -65,3 +65,10 @@ EXTRA_OECONF += " \ --enable-reproducible-build \ " +# Fix for commercial bundle missing stamp-h.in required by automake with 5.2.1 +do_configure:prepend() { + if [ ! -f ${S}/stamp-h.in ]; then + touch ${S}/stamp-h.in + fi +} + From 81d491e1218769fdc0237b5b0331ab5fb1c4a3d0 Mon Sep 17 00:00:00 2001 
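Review bot: The trailing comment `# OpenSSL is a dependency of wolfprovider, not a direct image package` / `# The check above already validates wolfprovider is in IMAGE_INSTALL` appears carried over from openssl_3.%.bbappend and does not describe this file, which appends to the wolfprovider recipe itself; `# wolfssl_conditional_require_flag above already checks wolfprovider against WOLFSSL_FEATURES/IMAGE_INSTALL, so the generic package check is redundant` would state the actual reason for `deltask do_wolfssl_check_package`. The usage line `WOLFPROVIDER_FLAGS = "enable-tests" # or dont set` could read `# or leave unset (tests off)`.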
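Review bot: The new do_configure:prepend leaves `${S}/stamp-h.in` unquoted in both the test and the `touch`, and its comment `required by automake with 5.2.1` does not say what 5.2.1 refers to in a 5.8.2 recipe; `# The commercial bundle ships without stamp-h.in, which automake requires; create an empty one so configure succeeds` (with the intended version reference) would remove that question. Separately, commit 07 on this page (`Address comment concerns`) removed `INHIBIT_PACKAGE_STRIP`/`INHIBIT_SYSROOT_STRIP` from this same recipe together with the comment explaining that stripping modifies the binary and breaks FIPS integrity verification because the embedded hash must match the deployed binary exactly; if that constraint still holds for this bundle, either restore those lines or add a comment here recording why stripping is now safe.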
From: Aidan Garske Date: Fri, 21 Nov 2025 18:32:24 -0800 Subject: [PATCH 11/19] Add Image minimals for all wolfprovider modes --- conf/layer.conf | 3 +- .../openssl/openssl-enable-wolfprovider.inc | 1 + .../wolfprovider-enable-unit-test.inc | 71 --------- .../wolfssl-enable-wolfprovidertest.inc | 81 ++++++++++ .../wolfprovider-image-minimal/README.md | 149 ++++++++++++++++++ .../openssl_%.bbappend | 30 ---- .../openssl_%.bbappend | 15 ++ .../wolfprovider-fips-image-minimal.bb | 21 +++ .../wolfprovider_%.bbappend | 6 + .../wolfssl-fips_%.bbappend | 15 ++ .../openssl_%.bbappend | 16 ++ .../wolfprovider-image-minimal.bb | 2 +- .../wolfprovider_%.bbappend | 7 + .../wolfssl_%.bbappend | 16 ++ .../openssl_%.bbappend | 15 ++ ...ider-replace-default-fips-image-minimal.bb | 21 +++ .../wolfprovider_%.bbappend | 1 - .../wolfssl-fips_%.bbappend | 15 ++ .../openssl_%.bbappend | 15 ++ ...fprovider-replace-default-image-minimal.bb | 18 +++ .../wolfprovider_%.bbappend | 3 + .../wolfssl_%.bbappend | 15 ++ .../wolfssl_%.bbappend | 30 ---- .../wolfprovidertest/wolfprovidertest.bb | 8 +- recipes-wolfssl/wolfprovider/README.md | 144 ++++++++++++----- .../wolfprovider/wolfprovider_%.bbappend | 2 +- .../wolfprovider/wolfprovider_1.1.0.bb | 8 +- 27 files changed, 546 insertions(+), 182 deletions(-) delete mode 100644 inc/wolfprovider/wolfprovider-enable-unit-test.inc create mode 100644 inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc create mode 100644 recipes-core/images/wolfprovider-image-minimal/README.md delete mode 100644 recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/openssl_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend create mode 100644 
recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/openssl_%.bbappend rename recipes-core/images/wolfprovider-image-minimal/{ => wolfprovider-image-minimal}/wolfprovider-image-minimal.bb (84%) create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfssl_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/openssl_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb rename recipes-core/images/wolfprovider-image-minimal/{ => wolfprovider-replace-default-fips-image-minimal}/wolfprovider_%.bbappend (99%) create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/openssl_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider_%.bbappend create mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend delete mode 100644 recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend diff --git a/conf/layer.conf b/conf/layer.conf index 10c513ec..b57208a9 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
@@ -160,7 +160,8 @@ BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-image-minimal', '${LA
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfclu-image-minimal', '${LAYERDIR}/recipes-core/images/wolfclu-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfclu-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolftpm-image-minimal', '${LAYERDIR}/recipes-core/images/wolftpm-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolftpm-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-py-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bbappend', '', d)}"
-BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-fips-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfclu-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bb 
${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bbappend', '', d)}" BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'libgcrypt-image-minimal', '${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bbappend', '', d)}" diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc index a46a4d8c..c21a78b0 100644 --- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc @@ -3,3 +3,4 @@ EXTRA_OECONF += " no-fips shared " + diff --git a/inc/wolfprovider/wolfprovider-enable-unit-test.inc b/inc/wolfprovider/wolfprovider-enable-unit-test.inc deleted file mode 100644 index 964fe570..00000000 --- a/inc/wolfprovider/wolfprovider-enable-unit-test.inc +++ /dev/null 
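Review bot: The new `wolfprovider-fips-image-minimal` BBFILES entry points at the `wolfprovider-image-minimal/wolfprovider-image-minimal/` directory, the same one as the non-FIPS entry directly above it, so enabling that demo parses the non-FIPS image's recipe and bbappends and `bitbake wolfprovider-fips-image-minimal` cannot find its .bb; both globs on that line should end in `wolfprovider-image-minimal/wolfprovider-fips-image-minimal/*.bb` and `wolfprovider-image-minimal/wolfprovider-fips-image-minimal/*.bbappend`. The two replace-default images added in this commit get no BBFILES entry at all, although the new README in the same commit enables them with `WOLFSSL_DEMOS = "wolfprovider-replace-default-image-minimal"`; each needs the same pair of globs for its own directory. Since every image directory carries its own `openssl_%.bbappend` and `wolfssl_%.bbappend`, listing more than one wolfprovider demo in WOLFSSL_DEMOS would presumably apply several conflicting appends to openssl and wolfssl, which is worth stating in a comment above these lines.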
@@ -1,71 +0,0 @@ -FILESEXTRAPATHS:prepend := "${WOLFSSL_LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/files:" -SRC_URI += "file://wolfprovidertest.sh" - -# Override CERTS_DIR to point to the installed location instead of build directory -CFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' -CXXFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' - -WOLFPROVIDER_TEST_DIR = "${B}/test/.libs" -WOLFPROVIDER_TEST = "unit.test" -WOLFPROVIDER_TEST_BIN = "unit.test" -WOLFPROVIDER_INSTALL_DIR = "${D}${bindir}" -WOLFPROVIDER_CERTS_DIR = "${S}/certs" -WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs" - -do_install:append() { - bbnote "Installing wolfProvider Tests" - - # Install the wrapper script as wolfprovidertest - install -d ${D}${bindir} - install -m 0755 ${WORKDIR}/wolfprovidertest.sh ${D}${bindir}/wolfprovidertest - - # Install the test binary - if [ -f "${B}/test/.libs/unit.test" ]; then - install -m 0755 ${B}/test/.libs/unit.test ${D}${bindir}/unit.test - elif [ -f "${B}/test/unit.test" ]; then - install -m 0755 ${B}/test/unit.test ${D}${bindir}/unit.test - elif [ -f "${B}/unit.test" ]; then - install -m 0755 ${B}/unit.test ${D}${bindir}/unit.test - fi - - # Install test certificates - bbnote "Installing wolfProvider Certificates" - install -m 0755 -d ${D}${datadir}/wolfprovider-test/certs - if [ -d "${S}/certs" ]; then - cp -r ${S}/certs/*.pem ${D}${datadir}/wolfprovider-test/certs/ 2>/dev/null || true - fi -} - -# Append test files and library files to FILES using Python -python __anonymous() { - pn = d.getVar('PN') - - # Get existing FILES value (set by autotools class and base recipe) - existing_files = d.getVar('FILES:' + pn) or '' - - # Append our test files and ensure base recipe's library files are included - new_files = existing_files + ' '.join([ - '${bindir}/wolfprovidertest', - '${bindir}/unit.test', - '${datadir}/wolfprovider-test/certs/*', - '${libdir}/libwolfprov.so', - 
'${libdir}/libwolfprov.so.*', - '${libdir}/ssl-3', - '${libdir}/ssl-3/modules', - '${libdir}/ssl-3/modules/libwolfprov.so' - ]) - - # Set the combined value (this avoids the "replaces original key" warning) - d.setVar('FILES:' + pn, new_files) - - # Same approach for RDEPENDS - existing_rdepends = d.getVar('RDEPENDS:' + pn) or '' - new_rdepends = existing_rdepends + ' bash wolfproviderenv' - d.setVar('RDEPENDS:' + pn, new_rdepends) - - # Same approach for INSANE_SKIP - existing_skip = d.getVar('INSANE_SKIP:' + pn) or '' - new_skip = existing_skip + ' dev-so build-deps' - d.setVar('INSANE_SKIP:' + pn, new_skip) -} - diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc b/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc new file mode 100644 index 00000000..d26b54e0 --- /dev/null +++ b/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc 
@@ -0,0 +1,81 @@ +# Configuration to enable wolfProvider unit tests +# Modeled exactly after wolfcrypttest approach - simple and clean + +FILESEXTRAPATHS:prepend := "${WOLFSSL_LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/files:" +SRC_URI += "file://wolfprovidertest.sh" + +# Unit test directory and binary names +WOLFPROVIDER_TEST_DIR = "${B}/test/.libs" +WOLFPROVIDER_TEST = "unit.test" +WOLFPROVIDER_TEST_YOCTO = "unit.test" +WOLFPROVIDER_INSTALL_DIR = "${D}${bindir}" +WOLFPROVIDER_CERTS_DIR = "${S}/certs" +WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs" + +# Override CERTS_DIR to point to the installed location instead of build directory +CFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' +CXXFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"' + +# Simple installation using Python function, exactly like wolfcrypttest +python () { + # Get the environment variables + test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True) + test_bin = d.getVar('WOLFPROVIDER_TEST', True) + test_yocto = d.getVar('WOLFPROVIDER_TEST_YOCTO', True) + install_dir = d.getVar('WOLFPROVIDER_INSTALL_DIR', True) + certs_dir = d.getVar('WOLFPROVIDER_CERTS_DIR', True) + certs_install_dir = d.getVar('WOLFPROVIDER_CERTS_INSTALL_DIR', True) + + bbnote = 'bbnote "Installing wolfProvider Tests"\n' + installDir = 'install -m 0755 -d "%s"\n' % (install_dir) + + # Try multiple locations for the test binary (exactly like wolfcrypttest) + cpTest = 'if [ -f "%s/%s" ]; then cp "%s/%s" "%s/%s"; ' % (test_dir, test_bin, test_dir, test_bin, install_dir, test_yocto) + cpTest += 'elif [ -f "${B}/test/%s" ]; then cp "${B}/test/%s" "%s/%s"; ' % (test_bin, test_bin, install_dir, test_yocto) + cpTest += 'elif [ -f "${B}/%s" ]; then cp "${B}/%s" "%s/%s"; fi\n' % (test_bin, test_bin, install_dir, test_yocto) + + # Install wrapper script + installScript = 'cp "${WORKDIR}/wolfprovidertest.sh" "%s/wolfprovidertest"\n' % (install_dir) + installScript += 
'chmod 755 "%s/wolfprovidertest"\n' % (install_dir) + + # Install certificates + installCerts = 'bbnote "Installing wolfProvider Certificates"\n' + installCerts += 'install -m 0755 -d "%s"\n' % (certs_install_dir) + installCerts += 'if [ -d "%s" ]; then cp -r %s/*.pem %s/ 2>/dev/null || true; fi\n' % (certs_dir, certs_dir, certs_install_dir) + + d.appendVar('do_install', bbnote) + d.appendVar('do_install', installDir) + d.appendVar('do_install', cpTest) + d.appendVar('do_install', installScript) + d.appendVar('do_install', installCerts) +} + +# Append test files and library files to FILES using Python +python __anonymous() { + pn = d.getVar('PN') + + # Get existing FILES value (set by autotools class and base recipe) + existing_files = d.getVar('FILES:' + pn) or '' + + # Append our test files (don't re-add library files - they're in base recipe FILES) + new_files = existing_files + ' ' + ' '.join([ + '${bindir}/wolfprovidertest', + '${bindir}/unit.test', + '${datadir}/wolfprovider-test/certs/*' + ]) + + # Set the combined value (this avoids the "replaces original key" warning) + d.setVar('FILES:' + pn, new_files) + + # Same approach for RDEPENDS + existing_rdepends = d.getVar('RDEPENDS:' + pn) or '' + new_rdepends = existing_rdepends + ' bash wolfproviderenv' + d.setVar('RDEPENDS:' + pn, new_rdepends) + + # Same approach for INSANE_SKIP + existing_skip = d.getVar('INSANE_SKIP:' + pn) or '' + new_skip = existing_skip + ' dev-so build-deps' + d.setVar('INSANE_SKIP:' + pn, new_skip) +} + + diff --git a/recipes-core/images/wolfprovider-image-minimal/README.md b/recipes-core/images/wolfprovider-image-minimal/README.md new file mode 100644 index 00000000..e19ce465 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/README.md 
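Review bot: The `-DCERTS_DIR` in the CFLAGS:append and CXXFLAGS:append lines hard-codes `/usr/share/wolfprovider-test/certs`, while the certificates are installed under `${datadir}/wolfprovider-test/certs` through WOLFPROVIDER_CERTS_INSTALL_DIR, so a distro with a different `datadir` compiles a path nothing is installed to; use `CFLAGS:append = ' -DCERTS_DIR=\\"${datadir}/wolfprovider-test/certs\\"'` (and the same for CXXFLAGS) so the two cannot diverge. The certificate copy `if [ -d "%s" ]; then cp -r %s/*.pem %s/ 2>/dev/null || true; fi` hides a missing or empty certs directory, and the failure then surfaces only when unit.test runs on the target; a `bbwarn` in an `else` branch, or dropping the `|| true`, would make it visible at build time. The test binary is now placed with plain `cp` where the removed include used `install -m 0755`, so its mode depends on whatever the build produced; `install -m 0755` is the safer form for a file that ends up in `${bindir}`.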
@@ -0,0 +1,149 @@ +# wolfProvider Minimal Images + +Minimal demo images showcasing wolfProvider integration with OpenSSL 3.x in various configurations. + +## Overview + +These images demonstrate different wolfProvider configurations for OpenSSL 3.x integration. Each image is self-contained and requires no `local.conf` configuration (except FIPS images which require `wolfssl-fips.conf`). + +## Available Images + +### 1. wolfprovider-image-minimal +**Standalone mode, non-FIPS** + +- wolfProvider configured as an additional provider alongside OpenSSL's default +- Applications can explicitly load wolfProvider or use it alongside the default provider +- Includes test utilities and unit tests + +**Configuration:** +```bitbake +# Enable demo images +WOLFSSL_DEMOS = "wolfprovider-image-minimal" +``` + +**Build:** +```bash +bitbake wolfprovider-image-minimal +``` + +### 2. wolfprovider-fips-image-minimal +**Standalone mode, FIPS** + +- wolfProvider configured as an additional provider using FIPS-validated cryptography +- Applications can explicitly load FIPS-validated wolfProvider +- Includes test utilities and unit tests + +**Configuration:** +```bitbake +# Enable demo images +WOLFSSL_DEMOS = "wolfprovider-fips-image-minimal wolfssl-image-minimal" + +# In build/conf/local.conf: +require /path/to/meta-wolfssl/conf/wolfssl-fips.conf +``` + +**Build:** +```bash +bitbake wolfprovider-fips-image-minimal +``` + +### 3. wolfprovider-replace-default-image-minimal +**Replace-default mode, non-FIPS** + +- wolfProvider replaces OpenSSL's default provider +- All OpenSSL operations automatically use wolfProvider +- No code changes needed - transparent drop-in replacement + +**Configuration:** +```bitbake +# Enable demo images +WOLFSSL_DEMOS = "wolfprovider-replace-default-image-minimal" +``` + +**Build:** +```bash +bitbake wolfprovider-replace-default-image-minimal +``` + +### 4. 
wolfprovider-replace-default-fips-image-minimal +**Replace-default mode, FIPS** + +- wolfProvider replaces OpenSSL's default provider using FIPS-validated cryptography +- All OpenSSL operations automatically use FIPS cryptography +- Complete system-wide FIPS 140-3 validated cryptography + +**Configuration:** +```bitbake +# Enable demo images +WOLFSSL_DEMOS = "wolfprovider-replace-default-fips-image-minimal wolfssl-image-minimal" + +# In build/conf/local.conf: +require /path/to/meta-wolfssl/conf/wolfssl-fips.conf +``` + +**Build:** +```bash +bitbake wolfprovider-replace-default-fips-image-minimal +``` + +## What's Included + +All images include: +- Everything from `wolfssl-image-minimal` +- wolfSSL (or wolfSSL FIPS) with wolfProvider support +- OpenSSL 3.x with wolfProvider backend +- wolfProvider environment setup tools (`wolfproviderenv`, `wolfprovidercmd`) +- Unit tests (standalone mode images only) + +## Testing + +Inside QEMU, test wolfProvider: + +```bash +# Run wolfProvider environment setup (standalone mode only) +wolfprovidertest + +# Run wolfProvider command-line tests +wolfprovidercmd + +# Run wolfProvider environment setup +wolfproviderenv + +# Verify provider configuration (replace-default images) +openssl list -providers +``` + +## How It Works + +Each image directory contains `bbappend` files that automatically configure packages: + +- **wolfssl_%.bbappend** or **wolfssl-fips_%.bbappend**: Configures wolfSSL with wolfProvider support +- **openssl_%.bbappend**: Configures OpenSSL to support wolfProvider (standalone or replace-default) +- **wolfprovider_%.bbappend**: Enables unit tests (standalone mode only) + +All configurations use conditional functions (`wolfssl_osp_include_if_provider`) that automatically detect the provider and include the appropriate configuration files. 
+ +## Mode Comparison + +### Standalone Mode +- wolfProvider is an additional provider +- Applications must explicitly load wolfProvider +- OpenSSL's default provider remains available +- Useful for testing and selective adoption + +### Replace-Default Mode +- wolfProvider replaces OpenSSL's default provider +- All OpenSSL operations automatically use wolfProvider +- No application code changes needed +- Useful for system-wide deployment + +## Requirements + +- **FIPS images**: Valid wolfSSL FIPS commercial bundle and `wolfssl-fips.conf` configuration +- **Non-FIPS images**: No additional requirements + +## More Information + +- Main README: [../../../README.md](../../../README.md) +- wolfProvider: [../../../recipes-wolfssl/wolfprovider/README.md](../../../recipes-wolfssl/wolfprovider/README.md) +- wolfSSL FIPS: [../../../recipes-wolfssl/wolfssl/README-fips.md](../../../recipes-wolfssl/wolfssl/README-fips.md) diff --git a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend deleted file mode 100644 index 911ce094..00000000 --- a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend +++ /dev/null 
@@ -1,30 +0,0 @@ -# Configure OpenSSL support for wolfProvider -# -# This bbappend automatically configures OpenSSL based on: -# 1. 'wolfprovider' in WOLFSSL_FEATURES -# 2. WOLFPROVIDER_MODE setting (standalone or replace-default) -# -# Usage in local.conf: -# WOLFSSL_FEATURES = "wolfprovider" -# WOLFPROVIDER_MODE = "standalone" # or "replace-default" - -inherit wolfssl-helper - -python __anonymous() { - # Standalone mode - wolfssl_conditional_require_mode( - d, - package_name='wolfprovider', - mode='standalone', - inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc' - ) - # Replace-default mode - wolfssl_conditional_require_mode( - d, - package_name='wolfprovider', - mode='replace-default', - inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc' - ) -} - - diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/openssl_%.bbappend new file mode 100644 index 00000000..c3073d67 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/openssl_%.bbappend @@ -0,0 +1,15 @@ +# Configure OpenSSL (FIPS standalone mode) for wolfprovider-fips-image-minimal +# +# This bbappend directly configures OpenSSL to use wolfProvider +# when wolfssl-fips is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc', + allowed_providers=['wolfssl-fips'] + ) +} + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb new file mode 100644 index 00000000..f2096d5d --- /dev/null 
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb @@ -0,0 +1,21 @@ +SUMMARY = "Minimal image with wolfSSL FIPS, test utilities, and wolfProvider in standalone mode" +DESCRIPTION = "A minimal Linux image that includes wolfSSL FIPS library, test/benchmark utilities, and wolfProvider configured in standalone mode" + +# Set provider to wolfssl-fips for this image (no local.conf configuration needed) +PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" + +# Add wolfProvider packages with OpenSSL 3.x support in standalone mode (FIPS) +# The bbappend files in this directory configure packages based on provider +IMAGE_INSTALL:append = " \ + wolfssl-fips \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfprovidertest \ + wolfprovidercmd \ + wolfproviderenv \ + bash \ +" + +require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend new file mode 100644 index 00000000..1cdb69f7 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend @@ -0,0 +1,6 @@ +# Disable the feature check for manual image configuration +require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc + +# Enable unit tests for standalone mode +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips_%.bbappend new file mode 100644 index 00000000..d41e1cf1 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips_%.bbappend 
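Review bot: `PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips"` is assigned inside the image recipe, but as far as I know BitBake reads PREFERRED_PROVIDER from the global configuration (local.conf, distro or machine conf) when it resolves providers, so a value set in one recipe's datastore does not select wolfssl-fips for the rest of the build and the `allowed_providers=['wolfssl-fips']` checks in this directory's bbappends would not fire on their own. The comment `(no local.conf configuration needed)` therefore looks wrong, and the README added in this commit indeed requires `wolfssl-fips.conf` for the FIPS images; I would either drop the assignment or change the comment to `# PREFERRED_PROVIDER_virtual/wolfssl must also be "wolfssl-fips" in local.conf (see conf/wolfssl-fips.conf); set here for documentation only`. The same assignment and comment appear in wolfprovider-replace-default-fips-image-minimal.bb later in this patch.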
@@ -0,0 +1,15 @@ +# Configure wolfSSL (FIPS standalone mode) for wolfprovider-fips-image-minimal +# +# This bbappend directly configures wolfSSL to use FIPS mode +# when wolfssl-fips is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', + allowed_providers=['wolfssl-fips'] + ) +} + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/openssl_%.bbappend new file mode 100644 index 00000000..ecff7c8a --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/openssl_%.bbappend @@ -0,0 +1,16 @@ +# Configure OpenSSL (non-FIPS standalone mode) for wolfprovider-image-minimal +# +# This bbappend directly configures OpenSSL to use wolfProvider +# when wolfssl is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc', + allowed_providers=['wolfssl'] + ) +} + + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider-image-minimal.bb similarity index 84% rename from recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb rename to recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider-image-minimal.bb index 7d3fc3fd..8dce4b87 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider-image-minimal.bb 
@@ -14,6 +14,6 @@ IMAGE_INSTALL:append = " \ bash \ " -require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb +require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend new file mode 100644 index 00000000..891ce6f6 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend @@ -0,0 +1,7 @@ +# Disable the feature check for manual image configuration +require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc + +# Enable unit tests for standalone mode +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc + + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfssl_%.bbappend new file mode 100644 index 00000000..b364e89e --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfssl_%.bbappend @@ -0,0 +1,16 @@ +# Configure wolfSSL (non-FIPS standalone mode) for wolfprovider-image-minimal +# +# This bbappend directly configures wolfSSL to use wolfProvider +# when wolfssl is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc', + allowed_providers=['wolfssl'] + ) +} + + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/openssl_%.bbappend new file mode 100644 index 00000000..65e1bec0 --- /dev/null 
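Review bot: The `require` line drops the `${WOLFSSL_LAYERDIR}` prefix in favour of a bare relative path, which BitBake resolves by searching BBPATH, so it only works while this layer is on BBPATH and is shadowed by any other layer that ships the same relative path; the `wolfprovider_%.bbappend` files added in this same commit keep `require ${WOLFSSL_LAYERDIR}/inc/...`, so the two styles now coexist in one directory. If the variable cannot be used from image recipes for a reason I cannot see in the hunk, a one-line comment above the `require` would save the next reader the same question; otherwise keep `require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb`. The three new image recipes (wolfprovider-fips-image-minimal.bb, wolfprovider-replace-default-fips-image-minimal.bb and wolfprovider-replace-default-image-minimal.bb) use the same bare path.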
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/openssl_%.bbappend @@ -0,0 +1,15 @@ +# Configure OpenSSL (FIPS replace-default mode) for wolfprovider-replace-default-fips-image-minimal +# +# This bbappend directly configures OpenSSL to use wolfProvider in replace-default mode +# when wolfssl-fips is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc', + allowed_providers=['wolfssl-fips'] + ) +} + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb new file mode 100644 index 00000000..efb1aa13 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb 
@@ -0,0 +1,21 @@ +SUMMARY = "Minimal image with wolfSSL FIPS, test utilities, and wolfProvider in replace-default mode" +DESCRIPTION = "A minimal Linux image that includes wolfSSL FIPS library, and wolfProvider configured to replace OpenSSL's default provider" + +# Set provider to wolfssl-fips for this image (no local.conf configuration needed) +PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" + +# Add wolfProvider packages with OpenSSL 3.x support in FIPS replace-default mode +# The bbappend files in this directory configure packages based on provider +# Unit tests are disabled in replace-default mode for now until we have a way to correctly run them +IMAGE_INSTALL:append = " \ + wolfssl-fips \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfprovidercmd \ + wolfproviderenv \ + bash \ +" + +require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider_%.bbappend similarity index 99% rename from recipes-core/images/wolfprovider-image-minimal/wolfprovider_%.bbappend rename to recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider_%.bbappend index 738c84fc..9c45ee3a 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider_%.bbappend @@ -1,4 +1,3 @@ # Disable the feature check for manual image configuration require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc - diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend new file mode 100644 index 00000000..59c0872b 
--- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend @@ -0,0 +1,15 @@ +# Configure wolfSSL (FIPS replace-default mode) for wolfprovider-replace-default-fips-image-minimal +# +# This bbappend directly configures wolfSSL to use FIPS mode in replace-default mode +# when wolfssl-fips is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', + allowed_providers=['wolfssl-fips'] + ) +} + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/openssl_%.bbappend new file mode 100644 index 00000000..0070df1d --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/openssl_%.bbappend @@ -0,0 +1,15 @@ +# Configure OpenSSL (non-FIPS replace-default mode) for wolfprovider-replace-default-image-minimal +# +# This bbappend directly configures OpenSSL to use wolfProvider in replace-default mode +# when wolfssl is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc', + allowed_providers=['wolfssl'] + ) +} + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb new file mode 100644 index 00000000..b92958f9 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb 
@@ -0,0 +1,18 @@ +SUMMARY = "Minimal image with wolfSSL, test utilities, and wolfProvider in replace-default mode" +DESCRIPTION = "A minimal Linux image that includes wolfSSL library, and wolfProvider configured to replace OpenSSL's default provider" + +# Add wolfProvider packages with OpenSSL 3.x support in replace-default mode +# The openssl_%.bbappend in this directory configures OpenSSL with replace-default mode +# Unit tests are disabled in replace-default mode for now until we have a way to correctly run them +IMAGE_INSTALL:append = " \ + wolfssl \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfprovidercmd \ + wolfproviderenv \ + bash \ +" + +require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider_%.bbappend new file mode 100644 index 00000000..9c45ee3a --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider_%.bbappend @@ -0,0 +1,3 @@ +# Disable the feature check for manual image configuration +require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend new file mode 100644 index 00000000..61840cd6 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend 
@@ -0,0 +1,15 @@ +# Configure wolfSSL (non-FIPS replace-default mode) for wolfprovider-replace-default-image-minimal +# +# This bbappend directly configures wolfSSL to use replace-default mode +# when wolfssl-fips is the preferred provider. + +inherit wolfssl-osp-support + +python __anonymous() { + wolfssl_osp_include_if_provider( + d, + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc', + allowed_providers=['wolfssl'] + ) +} + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend deleted file mode 100644 index 69aa8025..00000000 --- a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend +++ /dev/null @@ -1,30 +0,0 @@ -# Configure wolfSSL for wolfProvider support in image -# -# This bbappend automatically configures wolfSSL based on: -# 1. 'wolfprovider' in WOLFSSL_FEATURES -# 2. PREFERRED_PROVIDER_virtual/wolfssl setting -# -# Usage in local.conf: -# WOLFSSL_FEATURES = "wolfprovider" -# PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl" # or "wolfssl-fips" - -inherit wolfssl-osp-support - -python __anonymous() { - # non-FIPS mode - wolfssl_osp_conditional_include( - d, - feature_name='wolfprovider', - inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc', - allowed_providers=['wolfssl'] - ) - # FIPS mode - wolfssl_osp_conditional_include( - d, - feature_name='wolfprovider', - inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc', - allowed_providers=['wolfssl-fips'] - ) -} - - diff --git a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb index d25cc620..c55b0f62 100644 --- a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb +++ b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb 
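Review bot: The header comment of the new wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend says the include applies `when wolfssl-fips is the preferred provider`, but the call passes `allowed_providers=['wolfssl']` and the file is the non-FIPS variant, so the comment contradicts the code; it should read `# when wolfssl is the preferred provider.` This is exactly the file a reader opens to check which wolfSSL build (FIPS or not) an image receives, so the mismatch is worth fixing even though it is comment-only.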
@@ -10,9 +10,6 @@ DEPENDS += "wolfprovider" do_configure[noexec] = "1" do_compile[noexec] = "1" -do_fetch[noexec] = "1" -do_unpack[noexec] = "1" -do_patch[noexec] = "1" WOLFPROVIDER_TEST_DIR = "${datadir}/wolfprovider-test" WOLFPROVIDER_TEST_INSTALL_DIR = "${D}${WOLFPROVIDER_TEST_DIR}" @@ -25,10 +22,11 @@ python () { wolfprovider_test_install_dir = d.getVar('WOLFPROVIDER_TEST_INSTALL_DIR', True) wolfprovider_test_readme_dir = d.getVar('WOLFPROVIDER_TEST_README_DIR', True) - bb.note("Installing dummy file for wolfProvider test example") + bbnote = 'bbnote "Installing dummy file for wolfProvider test example"\n' installDir = 'install -m 0755 -d "%s"\n' % wolfprovider_test_install_dir makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolfprovider_test_readme_dir + d.appendVar('do_install', bbnote) d.appendVar('do_install', installDir) d.appendVar('do_install', makeDummy) @@ -37,7 +35,7 @@ python () { files_var_name = 'FILES_' + pn else: files_var_name = 'FILES:' + pn - + current_files = d.getVar(files_var_name, True) or "" new_files = current_files + ' ' + wolfprovider_test_dir + '/*' d.setVar(files_var_name, new_files) diff --git a/recipes-wolfssl/wolfprovider/README.md b/recipes-wolfssl/wolfprovider/README.md index 659acad9..6642efef 100644 --- a/recipes-wolfssl/wolfprovider/README.md +++ b/recipes-wolfssl/wolfprovider/README.md @@ -68,7 +68,7 @@ The `wolfprovidertest` yocto package will provide two apps, `wolfproviderenv` an bitbake wolfprovider-image-minimal ``` -### Testing wolfprovider +## Testing wolfProvider After building and deploying your image to the target device, you can test `wolfprovider` functionality with three test suites: 
@@ -101,73 +101,137 @@ After building and deploying your image to the target device, you can test `wolf - ECC operations - Certificate operations -### Demo Image +## Demo Image -A demo image is provided to verify wolfProvider works: +See `recipes-core/images/wolfprovider-image-minimal/` for complete working examples of all configurations. +Refer to the [recipes-core/images/wolfprovider-image-minimal/README.md](recipes-core/images/wolfprovider-image-minimal/README.md) file for more information. -**wolfprovider-image-minimal**: Demonstrates wolfProvider with all test suites -```bash -# In local.conf -WOLFSSL_DEMOS = "wolfprovider-image-minimal" +### Integrating wolfProvider with Custom Image -# Build -bitbake wolfprovider-image-minimal -``` +To integrate wolfProvider into your own image recipe (not using the demo images), directly require the appropriate `.inc` files in `bbappend` files. + +#### Direct Include in bbappend Files -### Replace Default Mode +Create `bbappend` files in your custom layer that directly require the `.inc` files you need. -Enable the wolfprovider demo image in your `local.conf` file: +**1. Create `recipes-wolfssl/wolfssl/wolfssl_%.bbappend` in your layer:** + +For non-FIPS: ```bitbake -WOLFSSL_DEMOS = "wolfprovider-image-minimal" +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc ``` -To enable replace default mode add these to your `local.conf` file: +For FIPS: ```bitbake -WOLFSSL_FEATURES = "wolfprovider" -WOLFPROVIDER_MODE = "replace-default" +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc ``` -run the following commands to build the image: -```bash -bitbake -c cleansstate openssl -bitbake -c cleanall wolfprovider wolfprovider-image-minimal -bitbake wolfprovider-image-minimal -bitbake +**2. 
Create `recipes-connectivity/openssl/openssl_%.bbappend` in your layer:** + +For standalone mode: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc ``` -Note: Make sure to clean openssl if rebuilding openssl or wolfprovider or the image with replace default mode. -Note: If switching between normal and replace default mode you will need to `cleanll openssl` and rebuild the image again. -once in qemu or target image verify with `openssl list -providers` that the default provider is `wolfSSL Provider` or just run `wolfproviderenv`. +For replace-default mode: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +``` -### FIPS Mode +**3. Add packages to your image recipe:** -To build with fips refer to the `conf/wolfssl-fips.conf.sample` file. Once you have the fips bundle and have extracted the hash you can set the hash in the `conf/wolfssl-fips.conf` file. Then rebuild the image with the following command: +```bitbake +# In your-image.bb +IMAGE_INSTALL:append = " \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfproviderenv \ + wolfprovidercmd \ +" + +**3. 
For FIPS mode, configure in `local.conf`:** -Enable the wolfprovider demo image in your `local.conf` file so you can veridy FIPS with the wolfcrypttest: ```bitbake -WOLFSSL_DEMOS = "wolfprovider-image-minimal wolfssl-image-minimal" +require /path/to/meta-wolfssl/conf/wolfssl-fips.conf ``` -To enable fips add these to your `local.conf` file: +**See working examples:** +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/` (standalone, non-FIPS) +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/` (standalone, FIPS) +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/` (replace-default, non-FIPS) +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/` (replace-default, FIPS) + +#### Using WOLFSSL_FEATURES (For Testing/Development) + +If you want conditional configuration based on variables, you can use the existing `bbappend` files in `recipes-wolfssl/wolfprovider/`: + +Add to your `local.conf`: + ```bitbake +# Enable wolfProvider feature WOLFSSL_FEATURES = "wolfprovider" + +# For replace-default mode (optional) +WOLFPROVIDER_MODE = "replace-default" + +# For FIPS mode (optional) require /path/to/meta-wolfssl/conf/wolfssl-fips.conf ``` -run the following commands to build the image: +Then add packages to your image recipe: + +```bitbake +# In your-image.bb +IMAGE_INSTALL:append = " \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfproviderenv \ + wolfprovidercmd \ +" +``` + +The following existing files will automatically handle configuration: +- `recipes-wolfssl/wolfprovider/wolfssl_%.bbappend` - Configures wolfSSL with wolfProvider support +- `recipes-wolfssl/wolfprovider/openssl_3.%.bbappend` - Configures OpenSSL for wolfProvider + +#### Available Reusable Files + +**`.inc` files in `inc/wolfprovider/`:** +- `wolfssl-enable-wolfprovider.inc` - Configure wolfSSL for wolfProvider (non-FIPS) +- 
`wolfssl-enable-wolfprovider-fips.inc` - Configure wolfSSL for wolfProvider (FIPS) +- `openssl/openssl-enable-wolfprovider.inc` - Configure OpenSSL for standalone mode +- `openssl/openssl-enable-wolfprovider-replace-default.inc` - Configure OpenSSL for replace-default mode +- `wolfssl-enable-wolfprovidertest.inc` - Enable unit tests (optional only for standalone mode) + +**Existing `bbappend` files in `recipes-wolfssl/wolfprovider/`:** +- `wolfssl_%.bbappend` - Automatically configures wolfSSL based on `WOLFSSL_FEATURES` +- `openssl_3.%.bbappend` - Automatically configures OpenSSL based on `WOLFPROVIDER_MODE` + +**Demo implementations:** +See `recipes-core/images/wolfprovider-image-minimal/` for complete working examples of all configurations. + +#### Building Your Image + +After setting up your configuration: + ```bash -bitbake -c cleansstate openssl -bitbake wolfssl-fips -bitbake -c cleanall wolfprovider wolfprovider-image-minimal wolfssl-image-minimal -bitbake wolfprovider-image-minimal wolfssl-image-minimal -bitbake +# Clean state if switching modes or providers +bitbake -c cleanall openssl wolfprovider + +# Build your image +bitbake your-image ``` -Building with the wolfssl-image-minimal will build the wolfcrypttest which can be used to correctly update the fips hash value. -once you have ran the wolfcrypttest you can update the fips hash value in the `conf/wolfssl-fips.conf` file. Then rebuild the image again and verify FIPS by looking at the `wolfproviderenv` output. Or simply add the `auto` HASH version in the wolfssl conf. +#### Verifying Integration + +On your target device: -once in qemu or target image run `wolfproviderenv` to load wolfprovider if replace default isnt enabled. 
+```bash +wolfproviderenv +``` -### Documentation and Support +## Documentation and Support For further information about `wolfprovider` and `wolfssl`, visit the [wolfSSL Documentation](https://www.wolfssl.com/docs/) and the [wolfProvider Github](https://www.github.com/wolfSSL/wolfprovider). If you encounter issues or require support regarding the integration of `wolfprovider` with Yocto, feel free to reach out through [wolfSSL Support](support@wolfssl.com). diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend b/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend index 0497b9bb..f22cb0f8 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend +++ b/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend @@ -16,7 +16,7 @@ python __anonymous() { d, package_name='wolfprovider', flag_name='enable-tests', - inc_file='inc/wolfprovider/wolfprovider-enable-unit-test.inc' + inc_file='inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc' ) } diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index fe8a2ecd..0bf64455 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb +++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb @@ -44,8 +44,12 @@ CXXFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." LDFLAGS += " -Wl,--build-id=none" EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}" -# wolfProvider unit tests fail to compile with fips mode disabling test for now -EXTRA_OEMAKE += "${@'check_PROGRAMS= noinst_PROGRAMS=' if d.getVar('PREFERRED_PROVIDER_virtual/wolfssl') == 'wolfssl-fips' else ''}" +# Allow unit tests to compile by handling header conflicts between OpenSSL and wolfSSL +CFLAGS:append = " -Wno-error" +CXXFLAGS:append = " -Wno-error" + +# Enable quick test mode +CPPFLAGS:append = " -DWOLFPROV_QUICKTEST" # Keep unversioned .so in the runtime package FILES_SOLIBSDEV = "" From d67fc3d65fb03d1634e9158fc0895629bc91d262 Mon Sep 17 00:00:00 2001 
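Review bot: The new `CFLAGS:append = " -Wno-error"` and `CXXFLAGS:append = " -Wno-error"` lines apply to the whole wolfprovider build, not only to its unit tests, and the comment above them says the header conflicts are being "handled" when they are only being silenced; I would reword the comment to say the warnings are suppressed and, if possible, limit the flag to the test programs. Likewise `CPPFLAGS:append = " -DWOLFPROV_QUICKTEST"` is set recipe-wide, so if any library source consults that define the installed provider module is built in quick-test mode as well (I cannot confirm from this diff); the same recipe-wide define is added again in PATCH 12 to `wolfprovider-fips-image-minimal/wolfprovider_%.bbappend` and `wolfprovider-image-minimal/wolfprovider_%.bbappend`. A one-line comment stating that the define only affects the test binaries (or confirming it has no effect on the shipped .so) would resolve the ambiguity in all three places.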
From: Aidan Garske Date: Mon, 24 Nov 2025 13:51:40 -0800 Subject: [PATCH 12/19] Fully tested images --- conf/layer.conf | 2 ++ ...openssl-enable-wolfprovider-replace-default.inc | 2 ++ .../wolfprovider-fips-image-minimal.bb | 3 --- .../wolfprovider_%.bbappend | 3 +++ .../wolfprovider_%.bbappend | 2 ++ ...fprovider-replace-default-fips-image-minimal.bb | 3 --- recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb | 14 ++++---------- 7 files changed, 13 insertions(+), 16 deletions(-) diff --git a/conf/layer.conf b/conf/layer.conf index b57208a9..2c4e8f58 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
@@ -162,6 +162,8 @@ BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolftpm-image-minimal', '${LA BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-py-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bbappend', '', d)}" BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}" BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-fips-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}" +BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-replace-default-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/*.bbappend', '', d)}" +BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-replace-default-fips-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/*.bbappend', '', d)}" BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bbappend', '', d)}" BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfclu-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bb 
${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bbappend', '', d)}" BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'libgcrypt-image-minimal', '${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bbappend', '', d)}" diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc index 3073372d..7b8a9f43 100644 --- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc @@ -4,6 +4,8 @@ # Build OpenSSL as plain, non-FIPS OpenSSL # wolfProvider will provide FIPS functionality using wolfSSL FIPS + +PACKAGECONFIG:class-target = "" EXTRA_OECONF:append:class-target = " no-fips shared " # OpenSSL target-only tweaks for replace-default mode diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb index f2096d5d..49e4b989 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb 
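Review bot: The two new `BBFILES +=` entries for the replace-default images point at their own subdirectories, but the `wolfprovider-fips-image-minimal` entry directly above them still resolves to `.../wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb` rather than a `wolfprovider-fips-image-minimal/` subdirectory, even though the PATCH 12 diff to `recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb` shows that directory exists. If that is a copy-paste slip, enabling the FIPS demo would parse the non-FIPS image recipe and its bbappends instead; since the adjacent lines are being touched, it is worth correcting the path in the same hunk.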
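Review bot: `PACKAGECONFIG:class-target = ""` wipes every OpenSSL PACKAGECONFIG option for the target build, including anything set by the distro or `local.conf`, yet the comment block above it only explains the `no-fips` configure flag. A comment naming the option(s) this is meant to drop would help the next maintainer, and if only specific options are the problem, `PACKAGECONFIG:remove:class-target = "<option>"` is narrower than clearing the variable outright.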
@@ -1,9 +1,6 @@ SUMMARY = "Minimal image with wolfSSL FIPS, test utilities, and wolfProvider in standalone mode" DESCRIPTION = "A minimal Linux image that includes wolfSSL FIPS library, test/benchmark utilities, and wolfProvider configured in standalone mode" -# Set provider to wolfssl-fips for this image (no local.conf configuration needed) -PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" - # Add wolfProvider packages with OpenSSL 3.x support in standalone mode (FIPS) # The bbappend files in this directory configure packages based on provider IMAGE_INSTALL:append = " \ diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend index 1cdb69f7..ef9640d3 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend @@ -4,3 +4,6 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc # Enable unit tests for standalone mode require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc +# Enable quick test mode for standalone mode +CPPFLAGS:append = " -DWOLFPROV_QUICKTEST" + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend index 891ce6f6..ef9640d3 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend 
@@ -4,4 +4,6 @@ require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc # Enable unit tests for standalone mode require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc +# Enable quick test mode for standalone mode +CPPFLAGS:append = " -DWOLFPROV_QUICKTEST" diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb index efb1aa13..2aee6f6d 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb @@ -1,9 +1,6 @@ SUMMARY = "Minimal image with wolfSSL FIPS, test utilities, and wolfProvider in replace-default mode" DESCRIPTION = "A minimal Linux image that includes wolfSSL FIPS library, and wolfProvider configured to replace OpenSSL's default provider" -# Set provider to wolfssl-fips for this image (no local.conf configuration needed) -PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" - # Add wolfProvider packages with OpenSSL 3.x support in FIPS replace-default mode # The bbappend files in this directory configure packages based on provider # Unit tests are disabled in replace-default mode for now until we have a way to correctly run them diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb index 0bf64455..b8c22b7a 100644 --- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb +++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb 
@@ -39,17 +39,11 @@ install_provider_module() { do_install[postfuncs] += "install_provider_module" -CFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." -CXXFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=." -LDFLAGS += " -Wl,--build-id=none" -EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}" - -# Allow unit tests to compile by handling header conflicts between OpenSSL and wolfSSL -CFLAGS:append = " -Wno-error" -CXXFLAGS:append = " -Wno-error" +CFLAGS:append = " -I${S}/include" +CXXFLAGS:append = " -I${S}/include" +CPPFLAGS:append = " -I${S}/include" -# Enable quick test mode -CPPFLAGS:append = " -DWOLFPROV_QUICKTEST" +EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}" # Keep unversioned .so in the runtime package FILES_SOLIBSDEV = "" From 573e97606d24655fe29141235bb0ee30b82af1e5 Mon Sep 17 00:00:00 2001 From: Aidan Garske Date: Tue, 25 Nov 2025 11:09:00 -0800 Subject: [PATCH 13/19] Get conf files from source --- classes/wolfssl-helper.bbclass | 4 -- .../wolfproviderenv/files/wolfproviderenv.sh | 50 +++---------------- .../wolfproviderenv/wolfproviderenv.bb | 13 ++++- 3 files changed, 20 insertions(+), 47 deletions(-) diff --git a/classes/wolfssl-helper.bbclass b/classes/wolfssl-helper.bbclass index b95080a0..48fc4c4a 100644 --- a/classes/wolfssl-helper.bbclass +++ b/classes/wolfssl-helper.bbclass @@ -68,10 +68,6 @@ def wolfssl_conditional_require_mode(d, package_name, mode, inc_file): # Support space-separated modes: split into list and check if expected mode is in the list current_modes = [m.strip() for m in current_mode_str.split() if m.strip()] - # If no modes specified (empty string), default to standalone for backward compatibility - if not current_modes: - current_modes = ['standalone'] - # Check if expected mode is in the current modes list if mode not in current_modes: bb.debug(2, f"{package_name}: {mode_var_name}='{current_mode_str}' does not contain '{mode}' - skipping") 
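Review bot: Besides dropping `-Wno-error` and `-DWOLFPROV_QUICKTEST`, this hunk also removes `-g0 -O2 -ffile-prefix-map=${WORKDIR}=.` and `LDFLAGS += " -Wl,--build-id=none"`, which look like reproducible-build settings rather than test workarounds, and the commit message does not mention them. If the intent is to rely on the distro defaults for debug info and prefix mapping, a comment such as `# Reproducible-build flags are inherited from the distro defaults` would make that explicit; otherwise the linker flag at least may need to stay.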
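Review bot: Dropping the `current_modes = ['standalone']` fallback changes the default for callers that leave the mode variable empty: the include is now skipped and the only trace is the `bb.debug(2, …)` below, which is invisible at the default verbosity. Since this is a behavior change from the previous default, an explicit message for the empty case would make the missing configuration diagnosable, e.g. `if not current_modes: bb.note(f"{package_name}: {mode_var_name} is empty - no mode-specific include applied")`. `wolfssl_conditional_require_mode` starts before this hunk.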
diff --git a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh index 8e481bdc..4a5fed67 100644 --- a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh @@ -57,50 +57,16 @@ else fi fi -# Only create explicit provider config if NOT in replace-default mode -if [ "$REPLACE_DEFAULT_MODE" -eq 0 ]; then - # Configuration for wolfprovider - mkdir -p /opt/wolfprovider-configs - - if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then - # FIPS mode configuration - cat > /opt/wolfprovider-configs/wolfprovider.conf < /opt/wolfprovider-configs/wolfprovider.conf < Date: Tue, 25 Nov 2025 11:17:10 -0800 Subject: [PATCH 14/19] fix stamp.h in append rather than main .bb --- .../wolfssl-fips_%.bbappend | 8 ++++++++ .../wolfssl_%.bbappend | 8 ++++++++ recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb | 8 -------- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend index 59c0872b..164348e5 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend @@ -13,3 +13,11 @@ python __anonymous() { ) } +# Fix for commercial bundle missing stamp-h.in required by automake +do_configure:prepend() { + if [ ! -f ${S}/stamp-h.in ]; then + touch ${S}/stamp-h.in + fi +} + + 
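Review bot: The `stamp-h.in` workaround is moved into two image-specific bbappends (this one and the `wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend` hunk of the same patch) while the `do_configure:prepend` in `wolfssl-fips_5.8.2.bb` is deleted, so any other consumer of `wolfssl-fips` — the standalone `wolfprovider-fips-image-minimal`, for instance — loses the fix unless a bbappend outside this series supplies it. If the commercial bundle always lacks `stamp-h.in`, the recipe or a shared `.inc` is the more robust place; otherwise a comment on why the fix is image-specific would help. In the shell body `${S}` should be quoted, and the if/fi collapses to one line: `[ -f "${S}/stamp-h.in" ] || touch "${S}/stamp-h.in"`.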
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend index 61840cd6..b201dec2 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend @@ -13,3 +13,11 @@ python __anonymous() { ) } +# Fix for commercial bundle missing stamp-h.in required by automake +do_configure:prepend() { + if [ ! -f ${S}/stamp-h.in ]; then + touch ${S}/stamp-h.in + fi +} + + diff --git a/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb b/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb index 0fee5c8a..eb385261 100644 --- a/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb +++ b/recipes-wolfssl/wolfssl/wolfssl-fips_5.8.2.bb @@ -73,11 +73,3 @@ EXTRA_OECONF += " \ --enable-fips=v5 \ --enable-reproducible-build \ " - -# Fix for commercial bundle missing stamp-h.in required by automake with 5.2.1 -do_configure:prepend() { - if [ ! -f ${S}/stamp-h.in ]; then - touch ${S}/stamp-h.in - fi -} - From 4937c2d7051e5ebe22c3679cdbb6601fe43a769d Mon Sep 17 00:00:00 2001 From: Aidan Garske Date: Tue, 25 Nov 2025 11:19:08 -0800 Subject: [PATCH 15/19] Update wolfprovider include files with local changes --- inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc | 3 ++- inc/wolfprovider/wolfssl-enable-wolfprovider.inc | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc index de109228..61b69ca4 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc 
@@ -1,6 +1,7 @@ # Configuration to enable wolfprovider FIPS support in wolfssl +# To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF -EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist" +EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist --enable-debug --enable-keylog-export" TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA" # Use a marker file to signal we are a FIPS build diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc index fec45457..e7dc9f2a 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc @@ -1,6 +1,7 @@ # Configuration to enable wolfprovider support in wolfssl +# To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF -EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha" +EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha --enable-debug --enable-keylog-export" TARGET_CFLAGS += " -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM" # Use a marker file to signal we are a non-FIPS build From c13ed44307d8bd9d219ea854c3981a677cfaf1f6 Mon Sep 17 00:00:00 2001 From: Aidan Garske Date: Tue, 25 Nov 2025 11:21:19 -0800 Subject: [PATCH 16/19] Add messages for debug files --- inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc | 2 +- inc/wolfprovider/wolfssl-enable-wolfprovider.inc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc index 61b69ca4..e7eb34ff 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc 
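Review bot: Both inc files add `--enable-debug --enable-keylog-export` to `EXTRA_OECONF` unconditionally, while the comment added one line above describes them as something to add `To enable debug`, so comment and code disagree and every image that requires these shared includes now gets a wolfSSL built with debug logging and TLS key-log export — the FIPS include as well. Key-log export hands session secrets to whatever registers the callback, so it should not be the default for the library backing the system's OpenSSL provider. PATCH 16 removes the flags and PATCH 17 (the `wolfssl-enable-wolfprovider-fips.inc` and `wolfssl-enable-wolfprovider.inc` hunks) re-adds them, so the series ends with them enabled. Suggest keeping the comment as written and gating the flags on an opt-in, e.g. `EXTRA_OECONF += "${@bb.utils.contains('WOLFSSL_FEATURES', 'debug', ' --enable-debug --enable-keylog-export', '', d)}"` (the `debug` feature name is a constructed example).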
+++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc @@ -1,7 +1,7 @@ # Configuration to enable wolfprovider FIPS support in wolfssl # To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF -EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist --enable-debug --enable-keylog-export" +EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist" TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA" # Use a marker file to signal we are a FIPS build diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc index e7dc9f2a..f857e98f 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc @@ -1,7 +1,7 @@ # Configuration to enable wolfprovider support in wolfssl # To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF -EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha --enable-debug --enable-keylog-export" +EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha" TARGET_CFLAGS += " -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM" # Use a marker file to signal we are a non-FIPS build From 78f1c3518f77c0c239f7a50344d43fd262b44681 Mon Sep 17 00:00:00 2001 
From: Aidan Garske Date: Wed, 26 Nov 2025 09:17:22 -0800 Subject: [PATCH 17/19] Follow Debian convention for provider config in openssl.cnf - Install provider*.conf files to /etc/ssl/openssl.cnf.d/ instead of /opt - Remove OPENSSL_CONF environment variable approach - Add .include directive to openssl.cnf automatically in explicit load mode - This allows OpenSSL to automatically load the provider configuration - Update script output to reflect the new approach --- .../wolfssl-enable-wolfprovider-fips.inc | 2 +- .../wolfssl-enable-wolfprovider.inc | 2 +- .../wolfproviderenv/files/wolfproviderenv.sh | 29 ++++++++++++------- .../wolfproviderenv/wolfproviderenv.bb | 10 +++---- 4 files changed, 26 insertions(+), 17 deletions(-) diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc index e7eb34ff..61b69ca4 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc @@ -1,7 +1,7 @@ # Configuration to enable wolfprovider FIPS support in wolfssl # To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF -EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist" +EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist --enable-debug --enable-keylog-export" TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA" # Use a marker file to signal we are a FIPS build diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc index f857e98f..e7dc9f2a 100644 --- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc +++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc 
@@ -1,7 +1,7 @@ # Configuration to enable wolfprovider support in wolfssl # To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF -EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha" +EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha --enable-debug --enable-keylog-export" TARGET_CFLAGS += " -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM" # Use a marker file to signal we are a non-FIPS build diff --git a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh index 4a5fed67..72f3c53c 100644 --- a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh 
@@ -57,15 +57,25 @@ else
 fi
 fi
-if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then
- if [ -f /etc/wolfprovider-configs/wolfprovider-fips.conf ]; then
- export OPENSSL_CONF="/etc/wolfprovider-configs/wolfprovider-fips.conf"
- echo "Using FIPS configuration from /etc/wolfprovider-configs/wolfprovider-fips.conf"
+# Add provider config to openssl.cnf (following Debian convention)
+# This allows OpenSSL to automatically load the wolfProvider configuration
+if [ "$REPLACE_DEFAULT_MODE" -eq 0 ]; then
+ # Only needed in explicit load mode
+ OPENSSL_CNF="/etc/ssl/openssl.cnf"
+ PROVIDER_INCLUDE=""
+
+ if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then
+ PROVIDER_INCLUDE="/etc/ssl/openssl.cnf.d/wolfprovider-fips.conf"
+ else
+ PROVIDER_INCLUDE="/etc/ssl/openssl.cnf.d/wolfprovider.conf"
 fi
-else
- if [ -f /etc/wolfprovider-configs/wolfprovider.conf ]; then
- export OPENSSL_CONF="/etc/wolfprovider-configs/wolfprovider.conf"
- echo "Using non-FIPS configuration from /etc/wolfprovider-configs/wolfprovider.conf"
+
+ if [ -f "$OPENSSL_CNF" ] && [ -f "$PROVIDER_INCLUDE" ]; then
+ # Check if the include is already present
+ if ! grep -q ".include $PROVIDER_INCLUDE" "$OPENSSL_CNF"; then
+ echo ".include $PROVIDER_INCLUDE" >> "$OPENSSL_CNF"
+ echo "Added provider configuration to $OPENSSL_CNF"
+ fi
 fi
 fi
@@ -76,7 +86,7 @@ echo ""
 if [ "$REPLACE_DEFAULT_MODE" -eq 1 ]; then
 echo "Mode: Replace-Default (wolfProvider is the default provider)"
 else
- echo "Mode: Explicit Load (using OPENSSL_CONF)"
+ echo "Mode: Explicit Load (provider config included in openssl.cnf)"
 fi
 echo ""
 if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then
@@ -88,7 +98,6 @@ echo ""
 echo "Environment Variables:"
 echo " OPENSSL_MODULES: $OPENSSL_MODULES"
 echo " LD_LIBRARY_PATH: $LD_LIBRARY_PATH"
-echo " OPENSSL_CONF: ${OPENSSL_CONF:-(unset - using system default)}"
 echo ""
 # Test 1: Provider Verification
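Review bot: The `.include` line is appended with `>>` to the end of `/etc/ssl/openssl.cnf`, so OpenSSL parses the included file inside whichever section happens to be last in that file; unless wolfprovider.conf opens with its own section header, a top-level `openssl_conf =` key in it would not be read as a default-section key and the provider would not load. The Debian convention the comment cites places the `.include` before the first section, so the insertion point (or the layout of the included file) needs checking rather than a blind append. Two smaller points in the same block: `grep -q ".include $PROVIDER_INCLUDE"` is an unanchored basic regex in which `.` matches any character, so `grep -qF -- ".include $PROVIDER_INCLUDE" "$OPENSSL_CNF"` is the intended presence test; and if the `>>` redirection fails (the file is normally root-owned and no privilege check precedes the write) the following `echo "Added provider configuration ..."` still prints, so guard it with `|| { echo "cannot write $OPENSSL_CNF" >&2; exit 1; }`. The script continues on both sides of the hunk.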
diff --git a/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb
index 27d63791..7f002270 100644
--- a/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb
+++ b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb
@@ -33,13 +33,13 @@ do_install() {
 install -m 0755 ${WORKDIR}/wolfproviderverify ${D}${bindir}/wolfproviderverify
 install -m 0755 ${WORKDIR}/wolfproviderenv.sh ${D}${bindir}/wolfproviderenv
- # Install config files to sysconfdir instead of /opt
- install -d ${D}${sysconfdir}/wolfprovider-configs
- install -m 0644 ${WORKDIR}/provider.conf ${D}${sysconfdir}/wolfprovider-configs/wolfprovider.conf
- install -m 0644 ${WORKDIR}/provider-fips.conf ${D}${sysconfdir}/wolfprovider-configs/wolfprovider-fips.conf
+ # Install config files to openssl.cnf.d/ (following Debian convention)
+ install -d ${D}${sysconfdir}/ssl/openssl.cnf.d
+ install -m 0644 ${WORKDIR}/provider.conf ${D}${sysconfdir}/ssl/openssl.cnf.d/wolfprovider.conf
+ install -m 0644 ${WORKDIR}/provider-fips.conf ${D}${sysconfdir}/ssl/openssl.cnf.d/wolfprovider-fips.conf
 }
-FILES_${PN} = "${bindir}/wolfproviderverify ${bindir}/wolfproviderenv ${sysconfdir}/wolfprovider-configs/*"
+FILES_${PN} = "${bindir}/wolfproviderverify ${bindir}/wolfproviderenv ${sysconfdir}/ssl/openssl.cnf.d/wolfprovider*.conf"
 # Dynamic RDEPENDS adjustment for bash
 python() {
From 717e3d2a0cdca2cf58978fe2d27f75caca1ebceb Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Wed, 26 Nov 2025 10:17:04 -0800
Subject: [PATCH 18/19] Append conf fil
---
 .../wolfproviderenv/files/wolfproviderenv.sh | 33 ++++++++-----------
 1 file changed, 14 insertions(+), 19 deletions(-)
diff --git a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh
index 72f3c53c..6ca5033e 100644
--- a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh
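Review bot: The two provider files now live under `${sysconfdir}/ssl/openssl.cnf.d/`, i.e. in `/etc`, but the recipe does not declare them as configuration, so a package upgrade silently overwrites any local edits; add `CONFFILES:${PN} = "${sysconfdir}/ssl/openssl.cnf.d/wolfprovider.conf ${sysconfdir}/ssl/openssl.cnf.d/wolfprovider-fips.conf"` next to the FILES assignment. The FILES line itself keeps the underscore form `FILES_${PN}`; if the layer targets a release that requires the `:` override syntax (Honister or later), it should read `FILES:${PN} = ...`, and the CONFFILES line should use whichever form the rest of the layer uses. `do_install` begins above the hunk.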
+++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh
@@ -57,25 +57,20 @@ else
 fi
 fi
-# Add provider config to openssl.cnf (following Debian convention)
-# This allows OpenSSL to automatically load the wolfProvider configuration
-if [ "$REPLACE_DEFAULT_MODE" -eq 0 ]; then
- # Only needed in explicit load mode
- OPENSSL_CNF="/etc/ssl/openssl.cnf"
- PROVIDER_INCLUDE=""
-
- if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then
- PROVIDER_INCLUDE="/etc/ssl/openssl.cnf.d/wolfprovider-fips.conf"
- else
- PROVIDER_INCLUDE="/etc/ssl/openssl.cnf.d/wolfprovider.conf"
- fi
-
- if [ -f "$OPENSSL_CNF" ] && [ -f "$PROVIDER_INCLUDE" ]; then
- # Check if the include is already present
- if ! grep -q ".include $PROVIDER_INCLUDE" "$OPENSSL_CNF"; then
- echo ".include $PROVIDER_INCLUDE" >> "$OPENSSL_CNF"
- echo "Added provider configuration to $OPENSSL_CNF"
- fi
+OPENSSL_CNF="/etc/ssl/openssl.cnf"
+PROVIDER_CONF=""
+
+if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then
+ PROVIDER_CONF="/etc/ssl/openssl.cnf.d/wolfprovider-fips.conf"
+else
+ PROVIDER_CONF="/etc/ssl/openssl.cnf.d/wolfprovider.conf"
+fi
+
+if [ -f "$OPENSSL_CNF" ] && [ -f "$PROVIDER_CONF" ]; then
+ # Replace the OpenSSL configuration with the wolfProvider configuration
+ if ! cmp -s "$PROVIDER_CONF" "$OPENSSL_CNF"; then
+ cp "$PROVIDER_CONF" "$OPENSSL_CNF"
+ echo "Replaced $OPENSSL_CNF with wolfProvider configuration ($PROVIDER_CONF)"
 fi
 fi
From e8db004123a0801e1967b1ce0f7c05620a24310e Mon Sep 17 00:00:00 2001
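Review bot: `cp "$PROVIDER_CONF" "$OPENSSL_CNF"` overwrites the system-wide `/etc/ssl/openssl.cnf` with the provider file, so everything else the platform keeps in that file (its other sections and anything another package added) is lost, and no copy of the previous contents is kept. The `REPLACE_DEFAULT_MODE -eq 0` gate from the removed lines is also gone, so the overwrite now runs in replace-default mode too, and the mode message changed in the previous patch (`provider config included in openssl.cnf`) no longer describes what the script does. At minimum save the original first, `cp -p "$OPENSSL_CNF" "$OPENSSL_CNF.wolfprovider.bak" || exit 1`, and check the copy's status so "Replaced ..." is not printed after a failed write, `cp "$PROVIDER_CONF" "$OPENSSL_CNF" || { echo "cannot write $OPENSSL_CNF" >&2; exit 1; }`; a `.include` placed before the first section of the existing file would preserve the rest of the configuration instead of discarding it. The script continues on both sides of the hunk.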
From: Aidan Garske
Date: Wed, 26 Nov 2025 12:51:59 -0800
Subject: [PATCH 19/19] Fix naming for new fips rename
---
 .../{wolfssl-fips_%.bbappend => wolfssl-fips.bbappend} | 0
 .../{wolfssl-fips_%.bbappend => wolfssl-fips.bbappend} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/{wolfssl-fips_%.bbappend => wolfssl-fips.bbappend} (100%)
 rename recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/{wolfssl-fips_%.bbappend => wolfssl-fips.bbappend} (100%)
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips.bbappend
similarity index 100%
rename from recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips_%.bbappend
rename to recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips.bbappend
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips.bbappend
similarity index 100%
rename from recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips_%.bbappend
rename to recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips.bbappend