Fips ready uefi

uefi/fips-ready-uefi/.gitignore

@@ -0,0 +1,4 @@
+wolf*
+.vscode
+build
+efi.disk

uefi/fips-ready-uefi/Makefile

@@ -0,0 +1,76 @@
+BUILD_DIR=./build
+CRYPTO_SRC=./wolfssl/wolfcrypt/src
+CFLAGS=-maes -msse4 -mpclmul -fpie -ffreestanding -fno-stack-protector -fno-stack-check -fshort-wchar -mno-red-zone -maccumulate-outgoing-args -static-libgcc -nostdlib
+CFLAGS+=-DWOLFSSL_USER_SETTINGS
+CFLAGS+=-I./wolfssl/ -I. -I/usr/include/efi -I/usr/include/efi/x86_64
+CFLAGS+=-ggdb
+CC=gcc
+LD=ld
+LDFLAGS_START=-static -pie --no-dynamic-linker -Bsymbolic -L/usr/lib -L/usr/lib/gcc/x86_64-linux-gnu/12/ -Lgnu-efi-dir/x86_64/gnuefi -T/usr/lib/elf_x86_64_efi.lds /usr/lib/crt0-efi-x86_64.o $(LDFLAGS)
+LDFLAGS_END=-lgnuefi -lefi -lgcc
+
+# New VPATH and IPATH system
+VPATH = .
+VPATH += src
+VPATH += wolfssl/src
+VPATH += wolfssl/wolfcrypt/src
+VPATH += wolfssl/wolfcrypt/test
+VPATH += wolfssl/wolfcrypt/benchmark
+
+VPATH := $(VPATH)
+
+IPATH = .
+IPATH += include
+IPATH += wolfssl
+IPATH := $(IPATH)
+
+CFLAGS += $(addprefix -I, $(IPATH))
+
+# Auto-detect sources
+AUTOSEARCH ?= 1
+ifeq ($(AUTOSEARCH), 1)
+SRCS += $(wildcard $(addsuffix /*.c, $(VPATH)))
+SRCS += $(wildcard $(addsuffix /*.cpp, $(VPATH)))
+endif
+
+# Object files
+_OBJS=$(SRCS:.c=.o)
+OBJS=$(addprefix $(BUILD_DIR)/,$(notdir $(_OBJS)))
+
+$(shell mkdir -p $(BUILD_DIR))
+
+all: check_wolfssl wolfcrypt.efi
+
+.PHONY: check_wolfssl
+check_wolfssl:
+	@if [ ! -d "wolfssl" ]; then \
+	    echo "Error: 'wolfssl' directory does not exist."; \
+	    exit 1; \
+	fi
+
+.PHONY: wolfssl-dir
+wolfssl-dir:
+	@read -p "Please provide the path to the wolfSSL directory: " dir_path; \
+	dir_path=$$(eval echo $$dir_path); \
+	if [ -d "$$dir_path" ]; then \
+	    ln -sf $$dir_path wolfssl; \
+	    echo "Symlink created: 'wolfssl' -> $$dir_path"; \
+	else \
+	    echo "Error: Provided path '$$dir_path' is not a valid directory."; \
+	    exit 1; \
+	fi
+
+create_build_dir:
+	@if [ ! -d $(BUILD_DIR) ]; then mkdir -p $(BUILD_DIR); fi
+
+$(BUILD_DIR)/wolfcrypt.elf: $(OBJS)
+	$(LD) $(LDFLAGS_START) $(OBJS) -o $(BUILD_DIR)/wolfcrypt.elf $(LDFLAGS_END)
+
+wolfcrypt.efi: $(BUILD_DIR)/wolfcrypt.elf
+	objcopy -j .text -j .sdata -j .data -j .dynamic -j .dynsym  -j .rel -j .rela -j .rel.* -j .rela.* -j .reloc --target efi-app-x86_64 --subsystem=10 $(BUILD_DIR)/wolfcrypt.elf wolfcrypt.efi
+
+$(BUILD_DIR)/%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+clean:
+	rm -rf $(BUILD_DIR) wolfcrypt.efi

uefi/fips-ready-uefi/Makefile.x86_64_PAA

@@ -0,0 +1,91 @@
+BUILD_DIR=./build
+CRYPTO_SRC=./wolfssl/wolfcrypt/src
+CFLAGS=-fpie -ffreestanding -fno-stack-protector -fno-stack-check -fshort-wchar -mno-red-zone -maccumulate-outgoing-args -static-libgcc -nostdlib
+CFLAGS+=-DWOLFSSL_USER_SETTINGS -DUEFI -DUEFI_VECTOR_TEST
+CFLAGS+=-I./wolfssl/ -I. -I/usr/include/efi -I/usr/include/efi/x86_64
+CFLAGS+=-ggdb -maes
+CC=gcc
+LD=ld
+LDFLAGS_START=-static -pie --no-dynamic-linker -Bsymbolic -L/usr/lib -L/usr/lib/gcc/x86_64-linux-gnu/12/ -L/usr/lib/x86_64-linux-gnu/ -Lgnu-efi-dir/x86_64/gnuefi -T/usr/lib/elf_x86_64_efi.lds /usr/lib/crt0-efi-x86_64.o $(LDFLAGS)
+LDFLAGS_END=-lgnuefi -lefi -lgcc
+
+# New VPATH and IPATH system
+VPATH = .
+VPATH += src
+VPATH += wolfssl/src
+VPATH += wolfssl/wolfcrypt/src
+VPATH += wolfssl/wolfcrypt/test
+VPATH += wolfssl/wolfcrypt/benchmark
+VPATH += utilities/src
+VPATH := $(VPATH)
+
+IPATH = .
+IPATH += include
+IPATH += wolfssl
+IPATH += utilities/include
+IPATH += ../../
+IPATH += ../../src/harness
+IPATH += ../../../optest-140-3
+IPATH := $(IPATH)
+
+CFLAGS += $(addprefix -I, $(IPATH))
+
+# Auto-detect sources
+AUTOSEARCH ?= 1
+ifeq ($(AUTOSEARCH), 1)
+SRCS += $(wildcard $(addsuffix /*.c, $(VPATH)))
+SRCS += $(wildcard $(addsuffix /*.cpp, $(VPATH)))
+
+# For AESNI PAA
+SRCS += wolfssl/wolfcrypt/src/aes_gcm_asm.S
+SRCS += wolfssl/wolfcrypt/src/aes_asm.S
+
+endif
+
+# Object files
+_OBJS=$(SRCS:%.c=$(BUILD_DIR)/%.o)
+_OBJS := $(_OBJS:%.S=$(BUILD_DIR)/%.o)
+
+OBJS=$(addprefix $(BUILD_DIR)/,$(notdir $(_OBJS)))
+
+
+$(shell mkdir -p $(BUILD_DIR))
+
+all: check_wolfssl wolfcrypt.efi
+
+.PHONY: check_wolfssl
+check_wolfssl:
+	@if [ ! -d "wolfssl" ]; then \
+	    echo "Error: 'wolfssl' directory does not exist."; \
+	    exit 1; \
+	fi
+
+.PHONY: wolfssl-dir
+wolfssl-dir:
+	@read -p "Please provide the path to the wolfSSL directory: " dir_path; \
+	dir_path=$$(eval echo $$dir_path); \
+	if [ -d "$$dir_path" ]; then \
+	    ln -sf $$dir_path wolfssl; \
+	    echo "Symlink created: 'wolfssl' -> $$dir_path"; \
+	else \
+	    echo "Error: Provided path '$$dir_path' is not a valid directory."; \
+	    exit 1; \
+	fi
+
+create_build_dir:
+	@if [ ! -d $(BUILD_DIR) ]; then mkdir -p $(BUILD_DIR); fi
+
+$(BUILD_DIR)/wolfcrypt.elf: $(OBJS)
+	$(LD) $(LDFLAGS_START) $(OBJS) -o $(BUILD_DIR)/wolfcrypt.elf $(LDFLAGS_END)
+
+wolfcrypt.efi: $(BUILD_DIR)/wolfcrypt.elf
+	objcopy -j .text -j .sdata -j .data -j .dynamic -j .dynsym  -j .rel -j .rela -j .rel.* -j .rela.* -j .reloc --target efi-app-x86_64 --subsystem=10 $(BUILD_DIR)/wolfcrypt.elf wolfcrypt.efi
+
+$(BUILD_DIR)/%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(BUILD_DIR)/%.o: %.S
+	gcc -c $< -o $@
+
+clean:
+	rm -rf $(BUILD_DIR) wolfcrypt.efi

uefi/fips-ready-uefi/README.md

@@ -0,0 +1,125 @@
+wolfcrypt UEFI FIPS Ready Example Application
+===================================
+
+This application is an expansion of the `basic-uefi` project found in the
+`wolfssl-examples` github repository. This application is an example on how to
+setup a FIPS Ready build of wolfSSL to help kickstart development for an
+eventual FIPS required UEFI applicaiton. FIPS Ready is only for evaluation and
+development purposes for eventual usage and aquirement of the FIPS Certified
+bundle of wolfSSL. FIPS Ready is not certified in anyway, to learn more refer to
+the wolfSSL FIPS Ready user guide.
+
+As UEFI is not POSIX there are a few functions that will need to be added in
+order to for wolfSSL to properly function. These functions are like open/close
+for files and then standard printing functions that wolfSSL uses. The example
+will leverage gnu-efi for some of these standard operations. wolfSSL will need
+access to a form of RNG/Entropy as well.
+
+The functions in this example are not meant for production and only
+serve as an example of functions needed for wolfSSL's crypto to function in
+UEFI. For how the functions are setup please refer to the comments and
+`utility_wolf.c`.
+
+
+
+Requires gnu-efi. Tested with qemu and OVFM UEFI implementation.  It uses a
+custom implementation for string.h functions (`string.c`) based on wolfBoot
+`src/string.c`. You can customize the build by changing `user_settings.h` and
+adding the relevant `.o` file into the Makefile `_OBJS` variable.
+
+
+
+# Compile
+
+## Pre-requisites
+
+```
+git make gcc gnu-efi
+```
+
+You will need to download and unzip the wolfSSL FIPS ready bundle.
+
+wolfSSL FIPS Ready:
+ - [bundle download](https://www.wolfssl.com/download/)
+ - [user guide](https://www.wolfssl.com/documentation/manuals/wolfssl-fips-ready/)
+
+## build
+
+```
+make
+
+```
+
+# Test on qemu
+
+## Pre-requisites
+```
+dosfstools qemu qemu-system-x86 ovmf
+```
+## Create efi disk
+
+We need to create a FAT partition to store efi application.
+
+```
+dd if=/dev/zero of=./efi.disk bs=256M count=1
+sudo mkfs.vfat ./efi.disk
+```
+
+Move wolfcrypt.efi and startup.nsh into the fat32 partition
+```
+mkdir -p /tmp/efi
+sudo mount ./efi.disk /tmp/efi -oloop
+sudo cp wolfcrypt.efi /tmp/efi
+sudo cp startup.nsh /tmp/efi
+sudo umount /tmp/efi
+```
+
+## Run qemu
+
+```
+qemu-system-x86_64 -bios /path/to/OVMF.fd -display none -serial stdio -net none -m 256M -drive file=./efi.disk,index=0,media=disk,format=raw
+```
+
+/path/to/OVMF.fd may be /usr/share/edk2-ovmf/x64 or /usr/share/qemu
+
+## Example output
+
+```
+UEFI Interactive Shell v2.2
+EDK II
+UEFI v2.70 (EDK II, 0x00010000)
+Mapping table
+      FS0: Alias(s):F0a:;BLK0:
+          PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
+     BLK1: Alias(s):
+          PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
+Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
+Shell> fs0:
+FS0:\> wolfcrypt.efi
+status: 0x0
+Image base: 0xE15E000
+------------------------------------------------------------------------------
+ wolfSSL version ⸵⸶6
+------------------------------------------------------------------------------
+error    test passed!
+MEMORY   test passed!
+base64   test passed!
+asn      test passed!
+RANDOM   test passed!
+SHA-256  test passed!
+SHA-3    test passed!
+SHAKE128 test passed!
+SHAKE256 test passed!
+Hash     test passed!
+HMAC-SHA256 test passed!
+HMAC-SHA3   test passed!
+AES      test passed!
+AES192   test passed!
+AES256   test passed!
+RSA      test passed!
+logging  test passed!
+mutex    test passed!
+Test complete
+ret: 0
+FS0:\> 
+```