nss: create checksum files for the nss libraries

Add checksum files required for the NSS softoken to operate in FIPS 140 mode. The shlibsign is invoked to sign the libraries, and it is built for the target architecture and doesn't support cross-compiling so far. Invoke shlibsign at target's first boot time to generate checksum files. https://developer.mozilla.org/en-US/docs/NSS/NSS_Tech_Notes/nss_tech_note6 http://en.wikipedia.org/wiki/FIPS_140 https://bugzilla.mozilla.org/show_bug.cgi?id=681624 (From OE-Core rev: a4580f967c8064294a06d406acf5deb24aee2acc) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-09 05:29:32 +00:00 · 2013-07-10 15:54:17 +08:00
parent e448ef6698
commit 912efc0c81
2 changed files with 36 additions and 0 deletions
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# signlibs.sh
+#
+# (c)2010 Wind River Systems, Inc.
+#
+# regenerates the .chk files for the NSS libraries that require it
+# since the ones that are built have incorrect checksums that were
+# calculated on the host where they really need to be done on the
+# target
+
+CHK_FILES=`find /lib* /usr/lib* -name "*.chk"`
+SIGN_BINARY=`which shlibsign`
+for I in $CHK_FILES
+do
+       DN=`dirname $I`
+       BN=`basename $I .chk`
+       FN=$DN/$BN.so
+       $SIGN_BINARY -i $FN
+done
@@ -18,6 +18,7 @@ SRC_URI = "\
 "
 SRC_URI_append_class-target += "\
    file://nss.pc.in \
+    file://signlibs.sh \
 "
 inherit siteinfo
 PR = "r0"
@@ -136,6 +137,14 @@ do_install() {
 }

 do_install_append_class-target() {
+    # Create empty .chk files for the NSS libraries at build time. They could
+    # be regenerated at target's boot time.
+    for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
+        touch ${D}/${libdir}/$file
+        chmod 755 ${D}/${libdir}/$file
+    done
+    install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh
+
    install -d ${D}${libdir}/pkgconfig/
    sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
    sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
@@ -151,6 +160,13 @@ do_install_append_class-target() {
    rm ./empty_password
 }

+pkg_postinst_${PN} () {
+    if [ -n "$D" ]; then
+        exit 1
+    fi
+    signlibs.sh
+}
+
 FILES_${PN} = "\
    ${sysconfdir} \
    ${bindir} \