Merge "Add a FIPS element"
This commit is contained in:
commit
f8b0468e06
@ -111,6 +111,29 @@ else
|
||||
BOOT_FS=""
|
||||
fi
|
||||
|
||||
# NOTE(TheJulia): While on the subject of FIPS, if there is not an
|
||||
# explicit /boot partition, then the fips setup command will return
|
||||
# a successful result, but then also tell you to update your grub
|
||||
# configuration. This happens specifically with Rocky linux.
|
||||
# as such, we check/reconcile the flag into place for the kernel
|
||||
# as the utility will return a result code of 1 if the state is
|
||||
# inconsistent, i.e. policy in place, but not kernel command line
|
||||
# argument.
|
||||
|
||||
BOOT_FIPS=""
|
||||
|
||||
if [[ -x /bin/fips-mode-setup ]]; then
|
||||
set +e
|
||||
fips-mode-setup --is-enabled
|
||||
is_fips_enabled=$?
|
||||
set -e
|
||||
if [ $is_fips_enabled -eq 1 ]; then
|
||||
BOOT_FIPS="fips=1"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
|
||||
if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then
|
||||
SERIAL_CONSOLE="${DIB_BOOTLOADER_SERIAL_CONSOLE}"
|
||||
elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then
|
||||
@ -123,7 +146,7 @@ else
|
||||
fi
|
||||
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=${SERIAL_CONSOLE} no_timer_check"
|
||||
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS}\"" >>/etc/default/grub
|
||||
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS} ${BOOT_FIPS}\"" >>/etc/default/grub
|
||||
echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
|
||||
|
||||
# os-prober leaks /dev/sda into config file in dual-boot host
|
||||
|
24
diskimage_builder/elements/fips/README.rst
Normal file
24
diskimage_builder/elements/fips/README.rst
Normal file
@ -0,0 +1,24 @@
|
||||
====
|
||||
fips
|
||||
====
|
||||
|
||||
This image element attempts to setup the image so it will boot and operate
|
||||
in what is often referred to as "FIPS mode", where cryptography policies
|
||||
and algorithms are enforced to only those which are FIPS approved and
|
||||
certified. In this context, FIPS is an abbreviation for
|
||||
Federal Information Processing Standard, specifically publication number
|
||||
140. You can learn more about FIPS policies at
|
||||
https://csrc.nist.gov/publications/fips
|
||||
|
||||
This element is a best-effort element and additional software or elements
|
||||
may be processed after the fact which may impact the work of this element.
|
||||
It is **generally** regarded as critical to enable FIPS as early as possible,
|
||||
as cryptography policy can be applied, but may not be fully enforced without
|
||||
the kernel also operating in FIPS mode.
|
||||
|
||||
If you intend to utilize this element to generate production FIPS images,
|
||||
it is highly recommended you do so on a host which has already had FIPS
|
||||
enabled for itself.
|
||||
|
||||
Additionally, not all distributions are explicitly supported. Unsupported
|
||||
distributions will error providing appropriate guidance, if available.
|
14
diskimage_builder/elements/fips/package-installs.yaml
Normal file
14
diskimage_builder/elements/fips/package-installs.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
crypto-policies:
|
||||
when:
|
||||
- DISTRO_NAME != ubuntu
|
||||
- DISTRO_NAME != gentoo
|
||||
# NOTE(TheJulia): crypto-policies does not exist in:
|
||||
# - ubuntu
|
||||
# - gentoo
|
||||
crypto-policies-scripts:
|
||||
when:
|
||||
- DISTRO_NAME != debian
|
||||
- DISTRO_NAME != ubuntu
|
||||
- DISTRO_NAME != gentoo
|
||||
# NOTE(TheJulia): Crypto policies includes the
|
||||
# fips-mode-setup script in the debian package.
|
34
diskimage_builder/elements/fips/pre-install.d/01-setup-fips
Executable file
34
diskimage_builder/elements/fips/pre-install.d/01-setup-fips
Executable file
@ -0,0 +1,34 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
|
||||
set -x
|
||||
fi
|
||||
set -eu
|
||||
set -o pipefail
|
||||
|
||||
|
||||
if [[ "${DISTRO_NAME}" == "ubuntu" ]]; then
|
||||
echo "ERROR: Setup of FIPS mode with DIB is not supported with Ubuntu."
|
||||
echo "Please see refer to Ubuntu documentation on how to configure "
|
||||
echo "FIPS, as it requires an Ubuntu Advantage subscription."
|
||||
echo "https://ubuntu.com/security/certifications/docs/fips-enablement"
|
||||
exit 1
|
||||
elif [[ "${DISTRO_NAME}" == "gentoo" ]]; then
|
||||
echo "ERROR: Setup of FIPS mode with DIB is not supported with Gentoo."
|
||||
echo "Gentoo's documentation appears to largely omit references to"
|
||||
echo "FIPS setup, and the supportability is unknown."
|
||||
exit 1
|
||||
elif [[ "${DISTRO_NAME}" == "opensuse" ]]; then
|
||||
echo "ERROR: Setup of FIPS mode with DIB is not supported with OpenSUSE."
|
||||
echo "Please refer to SUSE documentation on how to perform these actions."
|
||||
echo "https://www.suse.com/support/kb/doc/?id=000019432"
|
||||
exit 1
|
||||
else
|
||||
# This command exists in Centos, Fedora, Rocky, and Debian
|
||||
# and is referenced in documentation and posts about how to setup FIPS.
|
||||
echo "Attempting to setup FIPS mode utilizing the fips-mode-setup command."
|
||||
fips-mode-setup --enable
|
||||
echo "FIPS mode setup completed, please remember this only applies to a"
|
||||
echo "running operating system nor implies the certification state of the"
|
||||
echo "resulting running operating system."
|
||||
fi
|
12
releasenotes/notes/add-fips-element-a5a3e0e3c653f923.yaml
Normal file
12
releasenotes/notes/add-fips-element-a5a3e0e3c653f923.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Adds a ``fips`` element which attempts to enable FIPS mode configuration
|
||||
into the disk image being created.
|
||||
fixes:
|
||||
- |
|
||||
Fixes a possible case with a FIPS enabled disk image where the
|
||||
cryptographic policies may be applied for enforcement of FIPS mode,
|
||||
but the underlying kernel command line may be missing. This in particular
|
||||
was discovered when testing on Rocky Linux. We now test, and add the FIPS
|
||||
kernel command line flag if it is otherwise enabled.
|
Loading…
Reference in New Issue
Block a user