Add a FIPS element

Adds an element whose purpose is to set the stage
in the resulting image so that a user can generate an
image utilizing DIB which can be used in a FIPS
configuration without doing so with the input image
or after the fact.

Change-Id: Ia8a45584a56f6e06856fc2920c333351935dcd9d

diskimage_builder/elements/bootloader/finalise.d/50-bootloader

@@ -111,6 +111,29 @@ else
     BOOT_FS=""
 fi
 
+# NOTE(TheJulia): While on the subject of FIPS, if there is not an
+# explicit /boot partition, then the fips setup command will return
+# a successful result, but then also tell you to update your grub
+# configuration. This happens specifically with Rocky linux.
+# as such, we check/reconcile the flag into place for the kernel
+# as the utility will return a result code of 1 if the state is
+# inconsistent, i.e. policy in place, but not kernel command line
+# argument.
+
+BOOT_FIPS=""
+
+if [[ -x /bin/fips-mode-setup ]]; then
+    set +e
+    fips-mode-setup --is-enabled
+    is_fips_enabled=$?
+    set -e
+    if [ $is_fips_enabled -eq 1 ]; then
+        BOOT_FIPS="fips=1"
+    fi
+fi
+
+
+
 if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then
     SERIAL_CONSOLE="${DIB_BOOTLOADER_SERIAL_CONSOLE}"
 elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then
@@ -123,7 +146,7 @@ else
 fi
 
 GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=${SERIAL_CONSOLE} no_timer_check"
-echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS}\"" >>/etc/default/grub
+echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS} ${BOOT_FIPS}\"" >>/etc/default/grub
 echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
 
 # os-prober leaks /dev/sda into config file in dual-boot host

diskimage_builder/elements/fips/README.rst

@@ -0,0 +1,24 @@
+====
+fips
+====
+
+This image element attempts to setup the image so it will boot and operate
+in what is often referred to as "FIPS mode", where cryptography policies
+and algorithms are enforced to only those which are FIPS approved and
+certified. In this context, FIPS is an abbreviation for
+Federal Information Processing Standard, specifically publication number
+140. You can learn more about FIPS policies at
+https://csrc.nist.gov/publications/fips
+
+This element is a best-effort element and additional software or elements
+may be processed after the fact which may impact the work of this element.
+It is **generally** regarded as critical to enable FIPS as early as possible,
+as cryptography policy can be applied, but may not be fully enforced without
+the kernel also operating in FIPS mode.
+
+If you intend to utilize this element to generate production FIPS images,
+it is highly recommended you do so on a host which has already had FIPS
+enabled for itself.
+
+Additionally, not all distributions are explicitly supported. Unsupported
+distributions will error providing appropriate guidance, if available.

diskimage_builder/elements/fips/package-installs.yaml

@@ -0,0 +1,14 @@
+crypto-policies:
+  when:
+    - DISTRO_NAME != ubuntu
+    - DISTRO_NAME != gentoo
+# NOTE(TheJulia): crypto-policies does not exist in:
+# - ubuntu
+# - gentoo
+crypto-policies-scripts:
+  when:
+    - DISTRO_NAME != debian
+    - DISTRO_NAME != ubuntu
+    - DISTRO_NAME != gentoo
+# NOTE(TheJulia): Crypto policies includes the
+# fips-mode-setup script in the debian package.

diskimage_builder/elements/fips/pre-install.d/01-setup-fips

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+
+if [[ "${DISTRO_NAME}" == "ubuntu" ]]; then
+    echo "ERROR: Setup of FIPS mode with DIB is not supported with Ubuntu."
+    echo "Please see refer to Ubuntu documentation on how to configure "
+    echo "FIPS, as it requires an Ubuntu Advantage subscription."
+    echo "https://ubuntu.com/security/certifications/docs/fips-enablement"
+    exit 1
+elif [[ "${DISTRO_NAME}" == "gentoo" ]]; then
+    echo "ERROR: Setup of FIPS mode with DIB is not supported with Gentoo."
+    echo "Gentoo's documentation appears to largely omit references to"
+    echo "FIPS setup, and the supportability is unknown."
+    exit 1
+elif [[ "${DISTRO_NAME}" == "opensuse" ]]; then
+    echo "ERROR: Setup of FIPS mode with DIB is not supported with OpenSUSE."
+    echo "Please refer to SUSE documentation on how to perform these actions."
+    echo "https://www.suse.com/support/kb/doc/?id=000019432"
+    exit 1
+else
+    # This command exists in Centos, Fedora, Rocky, and Debian
+    # and is referenced in documentation and posts about how to setup FIPS.
+    echo "Attempting to setup FIPS mode utilizing the fips-mode-setup command."
+    fips-mode-setup --enable
+    echo "FIPS mode setup completed, please remember this only applies to a"
+    echo "running operating system nor implies the certification state of the"
+    echo "resulting running operating system."
+fi

releasenotes/notes/add-fips-element-a5a3e0e3c653f923.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Adds a ``fips`` element which attempts to enable FIPS mode configuration
+    into the disk image being created.
+fixes:
+  - |
+    Fixes a possible case with a FIPS enabled disk image where the
+    cryptographic policies may be applied for enforcement of FIPS mode,
+    but the underlying kernel command line may be missing. This in particular
+    was discovered when testing on Rocky Linux. We now test, and add the FIPS
+    kernel command line flag if it is otherwise enabled.