| EXTRA_OECONF += " \ | ||
| --enable-fips=ready \ | ||
| --enable-reproducible-build \ | ||
| --enable-smallstack \ |
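Review bot: --enable-smallstack is the only option in this hunk that changes runtime behaviour rather than build metadata (it moves wolfCrypt's large stack buffers to heap allocations), and the reply says this EXTRA_OECONF was copied from the normal fips recipe; if the two recipes are meant to stay identical, put the shared configure options in one .inc that both require, so that dropping the flag here cannot leave the wolfssl-fips recipe silently out of sync.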
Why is small stack forced on?
Updated to not have it on by default for the FIPS Ready package; I pulled the same configure from the normal FIPS package.
| --enable-fips=ready \ | ||
| --with-linux-source=${STAGING_KERNEL_BUILDDIR} \ | ||
| --enable-crypttests \ | ||
| --enable-smallstack \ |
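Review bot: --with-linux-source=${STAGING_KERNEL_BUILDDIR} only points at a populated kernel build tree if this recipe depends on the kernel's do_shared_workdir task (inherit module does this; otherwise add do_configure[depends] += "virtual/kernel:do_shared_workdir"); that dependency is not visible in this hunk, so confirm it is declared. --enable-crypttests is also doing real work here rather than restating a default: per the reply it compiles wolfcrypt/test/test.o into the module and makes insmod fail with -ECANCELED when a KAT fails, so keep it explicit and say so in a recipe comment next to the flag.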
Small stack? Though with the kernel build maybe that is required? Also, crypt tests should be enabled by default; why explicitly set them?
This is for the kernel module: it needs to be set for the kernel module tests to be included, as they are not explicitly enabled.
Default behavior (kernel module build, no --enable-crypttests):
- ENABLED_CRYPT_TESTS=no
- -DNO_CRYPT_TEST is defined, making wolfcrypt_test() a no-op
- wolfcrypt/test/test.o is not compiled into the module
- Module loads without running any self-tests
Why you need --enable-crypttests:
- Compiles wolfcrypt/test/test.o into the module
- Runs the full wolfcrypt_test() KAT suite at insmod time
- If any test fails, module load aborts with -ECANCELED, giving you validation that crypto works correctly in the kernel environment before anything depends on it
Smallstack is needed for the kernel module
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds Yocto/BitBake support for building wolfSSL “FIPS Ready” variants, including a kernel module recipe and integration toggles for dependent components.
Changes:
- Introduces new `wolfssl-fips-ready` and `wolfssl-linuxkm-fips-ready` recipes plus a sample configuration file.
- Extends libgcrypt/GnuTLS/wolfProvider integration to accept `wolfssl-fips-ready` as a valid provider and applies required compile flags.
- Updates example image gating and docs to describe using the new FIPS Ready provider.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| recipes-wolfssl/wolfssl/wolfssl-linuxkm-fips-ready.bb | New recipe to build/package the FIPS Ready kernel module and optionally auto-embed a FIPS hash. |
| recipes-wolfssl/wolfssl/wolfssl-fips-ready.bb | New recipe to build the FIPS Ready userspace wolfSSL from a bundle. |
| recipes-wolfssl/wolfprovider/wolfssl-fips-ready.bbappend | Enables wolfProvider-related configuration when using the FIPS Ready provider. |
| recipes-support/libgcrypt/libgcrypt_%.bbappend | Allows wolfssl-fips-ready as a provider for the libgcrypt integration include. |
| recipes-support/gnutls/wolfssl-gnutls-wrapper_git.bb | Adds a FIPS Ready-specific compile define needed by the wrapper build. |
| recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.sh | Adjusts test script to locate the provider library by adding a symlink in the expected directory. |
| recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/wolfssl-fips-ready.bbappend | Image-specific config includes for FIPS Ready plus a stamp-h.in workaround. |
| recipes-core/images/wolfssl-linux-fips-images/fips-image-minimal/fips-image-minimal.bb | Permits either wolfssl-fips or wolfssl-fips-ready providers for the minimal FIPS image. |
| inc/wolfssl-fips-ready/wolfssl-enable-libgcrypt.inc | Selects modern vs legacy include for libgcrypt integration. |
| inc/wolfssl-fips-ready/wolfssl-enable-libgcrypt-modern.inc | Adds FIPS Ready/libgcrypt configure flags and defines (modern). |
| inc/wolfssl-fips-ready/wolfssl-enable-libgcrypt-legacy.inc | Adds FIPS Ready/libgcrypt configure flags and defines (legacy). |
| inc/wolfssl-fips-ready/wolfssl-enable-gnutls.inc | Selects modern vs legacy include for GnuTLS integration. |
| inc/wolfssl-fips-ready/wolfssl-enable-gnutls-modern.inc | Adds FIPS Ready/GnuTLS configure flags and defines (modern). |
| inc/wolfssl-fips-ready/wolfssl-enable-gnutls-legacy.inc | Adds FIPS Ready/GnuTLS configure flags and defines (legacy). |
| inc/wolfprovider/wolfssl-enable-wolfprovider-fips-ready.inc | Selects modern vs legacy include for wolfProvider integration. |
| inc/wolfprovider/wolfssl-enable-wolfprovider-fips-ready-modern.inc | Enables wolfProvider + drops a marker file for FIPS Ready builds (modern). |
| inc/wolfprovider/wolfssl-enable-wolfprovider-fips-ready-legacy.inc | Enables wolfProvider + drops a marker file for FIPS Ready builds (legacy). |
| inc/libgcrypt/scarthgap/libgcrypt-enable-wolfssl-modern.inc | Selects a suitable libgcrypt-wolfssl branch and adds a FIPS Ready AES macro mapping. |
| inc/gnutls/scarthgap/gnutls-enable-wolfssl-modern.inc | Extends FIPS enablement logic to include wolfssl-fips-ready. |
| conf/wolfssl-fips-ready.conf.sample | Adds a sample local.conf fragment for configuring a FIPS Ready bundle build. |
| README.md | Replaces the old link to a separate FIPS-Ready README with an in-tree “Using wolfssl-fips-ready” section. |
| @@ -34,7 +34,7 @@ EXTRA_OECONF:class-target = "\ | |||
| --disable-dependency-tracking \ | |||
| --enable-srp-authentication \ | |||
| --enable-fips140-mode \ | |||
--enable-fips140-mode is enabled unconditionally and then conditionally added again. As written, non-FIPS providers will still build GnuTLS with FIPS 140 mode enabled, which contradicts the intent expressed by the conditional and PACKAGECONFIG logic. Remove the unconditional --enable-fips140-mode line (or make it conditional) to ensure only FIPS providers enable this mode.
| --enable-fips140-mode \ |
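Review bot: --enable-fips140-mode appears both unconditionally in EXTRA_OECONF:class-target and again inside the provider-conditional addition; since the author states the wrapper is only ever built with a FIPS provider, the conditional copy is dead code and should be removed so the intent is visible in one place, and a parse-time check that fails the recipe when a non-FIPS wolfSSL is selected as provider would make that intent enforceable instead of implicit.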
This package is intended to be built with only FIPS.
| # Yocto's cross-compilation LDFLAGS (containing --sysroot=...) and CPPFLAGS | ||
| # would leak through and break the host build. Unset them here — the kernel | ||
| # module build itself goes through 'make -C $(KERNEL_ROOT)' which is | ||
| # self-contained. | ||
| unset LDFLAGS | ||
| unset CPPFLAGS | ||
|
|
||
| # Run from top-level source dir so that the autotools-generated Makefile | ||
| # exports KERNEL_ROOT, KERNEL_ARCH, and other configure-derived variables | ||
| # to the linuxkm/ sub-make. Pass HOSTCC so the patched linuxkm Makefile | ||
| # uses the correct host-native compiler instead of bare 'cc'. | ||
| oe_runmake module-with-matching-fips-hash-no-sign HOSTCC=$(which ${BUILD_CC}) |
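Review bot: the make target module-with-matching-fips-hash-no-sign leaves the .ko unsigned; on a kernel built with CONFIG_MODULE_SIG_FORCE or running under lockdown, insmod rejects the module before the FIPS in-core hash check ever runs. Sign the final module in do_install with the kernel's scripts/sign-file after the hash has been embedded (the signature has to cover the image that ships), or state in the recipe that the image's kernel must accept unsigned modules. Separately, `unset LDFLAGS` and `unset CPPFLAGS` here apply to every later command in do_compile, not only to the host-native step; run that step in a subshell, e.g. `( unset CFLAGS CXXFLAGS CPPFLAGS LDFLAGS; oe_runmake ... )`, so the cross flags disappear only where they break the host build.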
In auto hash mode, the host-native sub-build can still be affected by cross flags via CFLAGS/CXXFLAGS (which commonly include --sysroot in OE), but only LDFLAGS and CPPFLAGS are unset here. Also, HOSTCC=$(which ${BUILD_CC}) is brittle: which may return empty/non-zero or resolve unexpectedly, and ${BUILD_CC} may already be an absolute path or include wrappers. Prefer passing HOSTCC=${BUILD_CC} (properly quoted) and explicitly clearing/overriding host flags (e.g., unset CFLAGS/CXXFLAGS or set HOSTCFLAGS/HOSTLDFLAGS) so the host step reliably compiles.
| # Yocto's cross-compilation LDFLAGS (containing --sysroot=...) and CPPFLAGS | |
| # would leak through and break the host build. Unset them here — the kernel | |
| # module build itself goes through 'make -C $(KERNEL_ROOT)' which is | |
| # self-contained. | |
| unset LDFLAGS | |
| unset CPPFLAGS | |
| # Run from top-level source dir so that the autotools-generated Makefile | |
| # exports KERNEL_ROOT, KERNEL_ARCH, and other configure-derived variables | |
| # to the linuxkm/ sub-make. Pass HOSTCC so the patched linuxkm Makefile | |
| # uses the correct host-native compiler instead of bare 'cc'. | |
| oe_runmake module-with-matching-fips-hash-no-sign HOSTCC=$(which ${BUILD_CC}) | |
| # Yocto's cross-compilation CFLAGS/CXXFLAGS/LDFLAGS/CPPFLAGS can leak | |
| # through (often including --sysroot=...) and break the host build. Unset | |
| # them here — the kernel module build itself goes through | |
| # 'make -C $(KERNEL_ROOT)' which is self-contained. | |
| unset CFLAGS | |
| unset CXXFLAGS | |
| unset LDFLAGS | |
| unset CPPFLAGS | |
| # Run from top-level source dir so that the autotools-generated Makefile | |
| # exports KERNEL_ROOT, KERNEL_ARCH, and other configure-derived variables | |
| # to the linuxkm/ sub-make. Pass HOSTCC directly from BUILD_CC so the | |
| # patched linuxkm Makefile uses the correct host-native compiler instead | |
| # of bare 'cc'. | |
| oe_runmake module-with-matching-fips-hash-no-sign HOSTCC="${BUILD_CC}" |
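As an added example, not code from this PR or from wolfSSL, the POSIX sh helpers below show the two fixes the review asks for in a form that can be dropped into a do_compile: the cross flags are scrubbed only for the host-native sub-build (in a subshell, so the rest of the task keeps them), and HOSTCC is derived from BUILD_CC by resolving its first word and keeping any trailing flags, instead of handing the whole string to `which`. BUILD_CC and the make target come from the hunk; the function names run_host_build, resolve_hostcc and build_module_with_hash, and the fallback to plain `make` in place of oe_runmake, are assumptions made here so the file runs outside BitBake.

```shell
#!/bin/sh
# Added example, not code from this PR or from wolfSSL: run the host-native
# hash-extraction build with the OE cross flags scrubbed only for that step,
# and resolve HOSTCC from BUILD_CC without relying on `which`.

# Run "$@" in a subshell where the cross-compilation flags are unset. The
# caller's CFLAGS/CXXFLAGS/CPPFLAGS/LDFLAGS are untouched, so later commands
# in the same do_compile still cross-compile with the right --sysroot.
run_host_build() {
    (
        unset CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
        "$@"
    )
}

# Turn a BUILD_CC value such as "gcc", "ccache gcc" or "gcc -isystem /x" into
# "<absolute path of first word> <remaining flags>". `which ${BUILD_CC}` is
# handed every word as a separate program name and prints junk or nothing for
# the multi-word forms; here only the first word is resolved and the trailing
# flags are preserved verbatim. Returns 1 when the compiler does not exist or
# is not executable, so the caller fails early instead of running bare "cc".
resolve_hostcc() {
    _cc_spec=$1
    # Deliberate word splitting: BUILD_CC is a command line, not one path.
    set -- $_cc_spec
    _cc=$1
    [ -n "$_cc" ] || return 1
    shift
    case $_cc in
        /*) _path=$_cc ;;
        *)  _path=$(command -v "$_cc" 2>/dev/null) || return 1 ;;
    esac
    [ -x "$_path" ] || return 1
    printf '%s' "$_path"
    [ $# -gt 0 ] && printf ' %s' "$@"
    printf '\n'
}

# The step the recipe's do_compile performs. The make target is the one from
# the hunk; using plain `make` instead of oe_runmake is an assumption so this
# file runs outside BitBake. The module is still produced unsigned here;
# signing the final .ko belongs in a separate do_install step.
build_module_with_hash() {
    _hostcc=$(resolve_hostcc "${BUILD_CC:-cc}") || {
        echo "BUILD_CC='${BUILD_CC:-cc}' does not resolve to an executable" >&2
        return 1
    }
    run_host_build "${MAKE:-make}" module-with-matching-fips-hash-no-sign \
        HOSTCC="$_hostcc"
}
```

In a recipe, do_compile would export the flags as usual and call build_module_with_hash; because the scrub happens in a subshell, any target-side make invoked afterwards in the same task still sees the cross flags.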
| import os | ||
| layerseries = d.getVar('LAYERSERIES_CORENAMES') or "" | ||
|
|
||
| bb.note("wolfssl-fips-ready/wolfssl-enable-libgcrypt.inc: LAYERSERIES_CORENAMES = %s" % layerseries) |
These bb.note() calls run at parse time for every build, which can add significant log noise (and potentially slow parsing in large builds). Consider switching to bb.debug() with an appropriate debug level, or removing these messages once the include selection is stable.
| else: | ||
| inc_file = os.path.join(layerdir, 'inc/wolfssl-fips-ready/wolfssl-enable-libgcrypt-legacy.inc') | ||
|
|
||
| bb.note("wolfssl-fips-ready/wolfssl-enable-libgcrypt.inc: Including file: %s" % inc_file) |
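Review bot: layerdir is used to build the include path but is not defined in this hunk; ${LAYERDIR} is only valid while conf/layer.conf is being parsed, so the value must come from a variable that layer.conf saved with immediate assignment (:=), otherwise os.path.join produces a path relative to the current directory and the include silently resolves to the wrong file or none at all. Either way, the only diagnostic a user would see is this bb.note, so fail with bb.fatal when the computed inc_file does not exist.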
These bb.note() calls run at parse time for every build, which can add significant log noise (and potentially slow parsing in large builds). Consider switching to bb.debug() with an appropriate debug level, or removing these messages once the include selection is stable.
| modern_series = ['dunfell', 'gatesgarth', 'hardknott', 'honister', 'kirkstone', 'langdale', 'mickledore', 'nanbield', 'scarthgap'] | ||
| for series in series_list: | ||
| if series in modern_series: | ||
| use_modern = True | ||
| break |
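Review bot: use_modern is only ever set True when a series matches modern_series, so every Yocto release newer than scarthgap (the last entry) is classified as legacy until someone extends the list, which inverts the intended behaviour for exactly the releases most likely to be in use. Invert the table: enumerate the series that still need the legacy include, default to modern for anything unknown, and raise at parse time when series_list is empty so an unset LAYERSERIES_CORENAMES is noticed rather than silently selecting an include.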
The modern/legacy selection logic (including the modern_series list) is duplicated across multiple selector .inc files (libgcrypt/gnutls/wolfprovider). To avoid drift and make adding/removing series safer, factor this into a shared helper (e.g., a small .bbclass/shared .inc with a single function) and reuse it from each selector.
Will look to add this in a future PR.
| # This include file configures wolfSSL with the necessary features | ||
| # to support libgcrypt-wolfssl (libgcrypt with wolfSSL/wolfCrypt backend) | ||
| # | ||
| # Required wolfSSL features: | ||
| # --enable-fips=ready : FIPS Ready mode | ||
| # --enable-keygen : Key generation support | ||
| # | ||
| # Required compile flags: | ||
| # HAVE_AES_ECB : AES ECB mode support | ||
| # WC_RSA_DIRECT : Direct RSA operations | ||
| # WC_RSA_NO_PADDING : RSA without padding | ||
| # WOLFSSL_PUBLIC_MP : Public multi-precision math | ||
| # WOLFSSL_RSA_KEY_CHECK : RSA key validation | ||
| # ACVP_VECTOR_TESTING : ACVP test vector support | ||
| # WOLFSSL_ECDSA_SET_K : ECDSA k value setting | ||
|
|
||
| EXTRA_OECONF += " --enable-fips=ready --enable-keygen " | ||
|
|
||
| TARGET_CFLAGS += "-DHAVE_AES_ECB -DWC_RSA_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DWOLFSSL_RSA_KEY_CHECK -DACVP_VECTOR_TESTING -DWOLFSSL_ECDSA_SET_K" |
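Review bot: the defines listed as required by libgcrypt-wolfssl widen what the shipped library exposes: WC_RSA_DIRECT and WC_RSA_NO_PADDING enable raw, unpadded RSA operations, and WOLFSSL_ECDSA_SET_K lets the caller choose the ECDSA nonce, which is a KAT/ACVP hook rather than a production feature (a caller-supplied or repeated k reveals the signing key). Since these go into TARGET_CFLAGS for the whole wolfssl-fips-ready build and not only for a test binary, say in the include comment that the resulting library carries these interfaces, and confirm ACVP_VECTOR_TESTING is genuinely needed by libgcrypt-wolfssl at runtime and not only by its test suite before it lands in every image that selects this provider.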
wolfssl-enable-libgcrypt-modern.inc and wolfssl-enable-libgcrypt-legacy.inc appear identical in this PR, and the same pattern exists for the GnuTLS enablement files. If there are no actual differences needed per Yocto series, consider collapsing to a single include to reduce duplication; alternatively, have both legacy/modern files require a shared common file so changes don’t need to be made twice.
| # This include file configures wolfSSL with the necessary features | |
| # to support libgcrypt-wolfssl (libgcrypt with wolfSSL/wolfCrypt backend) | |
| # | |
| # Required wolfSSL features: | |
| # --enable-fips=ready : FIPS Ready mode | |
| # --enable-keygen : Key generation support | |
| # | |
| # Required compile flags: | |
| # HAVE_AES_ECB : AES ECB mode support | |
| # WC_RSA_DIRECT : Direct RSA operations | |
| # WC_RSA_NO_PADDING : RSA without padding | |
| # WOLFSSL_PUBLIC_MP : Public multi-precision math | |
| # WOLFSSL_RSA_KEY_CHECK : RSA key validation | |
| # ACVP_VECTOR_TESTING : ACVP test vector support | |
| # WOLFSSL_ECDSA_SET_K : ECDSA k value setting | |
| EXTRA_OECONF += " --enable-fips=ready --enable-keygen " | |
| TARGET_CFLAGS += "-DHAVE_AES_ECB -DWC_RSA_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DWOLFSSL_RSA_KEY_CHECK -DACVP_VECTOR_TESTING -DWOLFSSL_ECDSA_SET_K" | |
| # The modern and legacy libgcrypt enablement settings are currently | |
| # identical. Reuse the legacy include so changes only need to be made | |
| # in one place. | |
| require wolfssl-enable-libgcrypt-legacy.inc |
Did this for consistency across packages.
| # Use a temp directory for the tests because they expect .libs to be present | ||
| mkdir -p /tmp/.libs | ||
| # Symlink the installed provider library so the test can find it | ||
| ln -sf /usr/lib/libwolfprov.so /tmp/.libs/libwolfprov.so |
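Review bot: `mkdir -p /tmp/.libs` followed by `ln -sf` into it makes the test load libwolfprov.so through a fixed, predictable path in a world-writable directory: any other local user who creates /tmp/.libs first owns it and can swap the symlink between the ln and the test's dlopen, so the test would exercise, and report a pass for, an arbitrary library. Create the staging directory with `mktemp -d` (mode 0700) and cd into it, or run the test from a directory the test itself owns, and let ln fail instead of forcing over an existing entry. The hard-coded /usr/lib on the same line is the second problem: it breaks on targets whose libdir is /usr/lib64.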
The symlink source path is hard-coded to /usr/lib/libwolfprov.so, which will fail on targets where libdir is /usr/lib64 (or otherwise not /usr/lib). To make the test script portable across common Yocto libdir layouts, detect the existing library path (e.g., check /usr/lib vs /usr/lib64, or query via pkg-config if available) before creating the symlink.
| ln -sf /usr/lib/libwolfprov.so /tmp/.libs/libwolfprov.so | |
| WOLFPROV_LIB="" | |
| for lib_path in /usr/lib/libwolfprov.so /usr/lib64/libwolfprov.so; do | |
| if [ -f "$lib_path" ]; then | |
| WOLFPROV_LIB="$lib_path" | |
| break | |
| fi | |
| done | |
| if [ -z "$WOLFPROV_LIB" ]; then | |
| echo "✗ libwolfprov.so not found in /usr/lib or /usr/lib64" | |
| exit 1 | |
| fi | |
| ln -sf "$WOLFPROV_LIB" /tmp/.libs/libwolfprov.so |
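As an added example that is not the PR's wolfprovidertest.sh, the script below does what the review above asks for, and also avoids the fixed /tmp/.libs path: it searches a list of library directories for libwolfprov.so and stages the `.libs/` directory the test expects inside a freshly created private directory. The search directories and the function names find_wolfprov_lib and stage_provider_dir are choices made here; the actual test binary invocation is left as a comment because it is not shown on this page.

```shell
#!/bin/sh
# Added example, not the PR's wolfprovidertest.sh: locate libwolfprov.so
# across the common libdir layouts and stage the .libs/ directory the test
# expects in a private, freshly created directory instead of /tmp/.libs.

# Print the first existing libwolfprov.so found in the given directories.
# The directories are parameters so the function can be pointed at a staging
# root or a test fixture; returns 1 (and prints nothing) if none is found.
find_wolfprov_lib() {
    for _dir in "$@"; do
        if [ -f "$_dir/libwolfprov.so" ]; then
            printf '%s\n' "$_dir/libwolfprov.so"
            return 0
        fi
    done
    return 1
}

# Create a private working directory containing .libs/libwolfprov.so as a
# symlink to the real library and print its path. mktemp -d creates a
# mode-0700 directory with an unpredictable name, so no other local user can
# pre-create or replace the .libs path the test will dlopen from, which is
# the hazard with a fixed /tmp/.libs. ln is used without -f on purpose: a
# pre-existing entry in a directory we just created is an error, not
# something to overwrite.
stage_provider_dir() {
    _lib=$1
    _work=$(mktemp -d "${TMPDIR:-/tmp}/wolfprovtest.XXXXXX") || return 1
    mkdir "$_work/.libs" || return 1
    ln -s "$_lib" "$_work/.libs/libwolfprov.so" || return 1
    printf '%s\n' "$_work"
}

# Assumed default search order; adjust to the image's ${libdir}.
WOLFPROV_SEARCH_DIRS="/usr/lib /usr/lib64 /usr/local/lib"

main() {
    lib=$(find_wolfprov_lib $WOLFPROV_SEARCH_DIRS) || {
        echo "libwolfprov.so not found in: $WOLFPROV_SEARCH_DIRS" >&2
        exit 1
    }
    work=$(stage_provider_dir "$lib") || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1
    echo "provider staged at $work/.libs -> $lib"
    # The test binary would be run from here; it is not shown on this page.
}

# Only run when explicitly asked, so the functions can be sourced for tests.
if [ "${WOLFPROV_RUN:-0}" = 1 ]; then
    main
fi
```

Run it with `WOLFPROV_RUN=1 sh wolfprovidertest.sh` on the target; because the staging directory is removed by the EXIT trap, repeated runs never share state with each other or with other users.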
| initramfs that includes it). The same `wolfssl-fips-ready.conf` values | ||
| apply — no separate bundle is required. | ||
|
|
The new wolfssl-linuxkm-fips-ready recipe introduces kernel-module-specific hash controls (WOLFSSL_FIPS_HASH_MODE_LINUXKM and FIPS_HASH_LINUXKM), but the README section implies the same config values apply without mentioning these additional knobs. Please document the kernel-module hash options here (and/or add them to conf/wolfssl-fips-ready.conf.sample) so users know how to switch between manual/auto and how to provide the kernel-module hash when needed.
| initramfs that includes it). The same `wolfssl-fips-ready.conf` values | |
| apply — no separate bundle is required. | |
| initramfs that includes it). The same bundle/source settings from | |
| `wolfssl-fips-ready.conf` apply, so no separate bundle is required. | |
| The kernel module also has its own hash controls: | |
| - `WOLFSSL_FIPS_HASH_MODE_LINUXKM` - Controls how the kernel-module FIPS | |
| hash is provided. Use `"auto"` to extract it during the build, or | |
| `"manual"` to provide it yourself. | |
| - `FIPS_HASH_LINUXKM` - Kernel-module FIPS hash value. Leave this as the | |
| placeholder when using `WOLFSSL_FIPS_HASH_MODE_LINUXKM = "auto"`; set it | |
| manually after the first build if using `"manual"`. | |
| These settings are separate from `WOLFSSL_FIPS_HASH_MODE` and `FIPS_HASH`, | |
| which apply to the userspace/library build. |
This is talked about already in the normal FIPS kernel module docs.
Working PR on the needed recipes to run FIPS Ready builds.