Merge "Add a FIPS element"

Zuul 2023-03-22 21:39:17 +00:00 committed by Gerrit Code Review
commit f8b0468e06
5 changed files with 108 additions and 1 deletions

@ -111,6 +111,29 @@ else
BOOT_FS="" BOOT_FS=""
fi fi
# NOTE(TheJulia): While on the subject of FIPS, if there is not an
# explicit /boot partition, then the fips setup command will return
# a successful result, but then also tell you to update your grub
# configuration. This happens specifically with Rocky linux.
# as such, we check/reconcile the flag into place for the kernel
# as the utility will return a result code of 1 if the state is
# inconsistent, i.e. policy in place, but not kernel command line
# argument.
BOOT_FIPS=""
if [[ -x /bin/fips-mode-setup ]]; then
set +e
fips-mode-setup --is-enabled
is_fips_enabled=$?
set -e
if [ $is_fips_enabled -eq 1 ]; then
BOOT_FIPS="fips=1"
fi
fi
if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then
SERIAL_CONSOLE="${DIB_BOOTLOADER_SERIAL_CONSOLE}" SERIAL_CONSOLE="${DIB_BOOTLOADER_SERIAL_CONSOLE}"
elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then
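Review bot: The new `BOOT_FIPS` block only adds `fips=1` when `fips-mode-setup --is-enabled` exits with status 1 (the inconsistent case named in the comment); status 0 (FIPS fully enabled) leaves the variable empty, so the argument written to /etc/default/grub then depends on the tool having persisted it somewhere else, and any other status is dropped without a message. Either set the flag for status 0 as well, or add a comment explaining why 0 needs no action, and echo unexpected statuses so a silently disabled FIPS image is visible in the build log. Minor: `[[ -x /bin/fips-mode-setup ]]` hard-codes one path; `command -v fips-mode-setup >/dev/null` would find the script wherever the distribution installs it, and the `set +e` / `set -e` pair can be replaced by `fips-mode-setup --is-enabled || is_fips_enabled=$?`.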
@ -123,7 +146,7 @@ else
fi fi
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=${SERIAL_CONSOLE} no_timer_check" GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=${SERIAL_CONSOLE} no_timer_check"
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS}\"" >>/etc/default/grub echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS} ${BOOT_FIPS}\"" >>/etc/default/grub
echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
# os-prober leaks /dev/sda into config file in dual-boot host # os-prober leaks /dev/sda into config file in dual-boot host
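Review bot: `${BOOT_FIPS}` is appended to `GRUB_CMDLINE_LINUX_DEFAULT`, which grub-mkconfig omits from recovery-mode entries; if FIPS enforcement should hold for every generated entry, `GRUB_CMDLINE_LINUX` is the variable that applies to all of them. Minor: as with `${BOOT_FS}`, an empty value leaves a stray space in the quoted string, harmless but avoidable with `${BOOT_FIPS:+ ${BOOT_FIPS}}`.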

@ -0,0 +1,24 @@
====
fips
====
This image element attempts to setup the image so it will boot and operate
in what is often referred to as "FIPS mode", where cryptography policies
and algorithms are enforced to only those which are FIPS approved and
certified. In this context, FIPS is an abbreviation for
Federal Information Processing Standard, specifically publication number
140. You can learn more about FIPS policies at
https://csrc.nist.gov/publications/fips
This element is a best-effort element and additional software or elements
may be processed after the fact which may impact the work of this element.
It is **generally** regarded as critical to enable FIPS as early as possible,
as cryptography policy can be applied, but may not be fully enforced without
the kernel also operating in FIPS mode.
If you intend to utilize this element to generate production FIPS images,
it is highly recommended you do so on a host which has already had FIPS
enabled for itself.
Additionally, not all distributions are explicitly supported. Unsupported
distributions will error providing appropriate guidance, if available.
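Review bot: Wording in the README: "attempts to setup the image" should be "attempts to set up the image", and "not all distributions are explicitly supported" could name the ones the install script rejects (Ubuntu, Gentoo, openSUSE) so users learn this before a build fails. It would also help to state that the `fips=1` kernel argument is added by the grub configuration change in this same commit, so the element only yields a FIPS-mode image when the bootloader is configured by DIB as well.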

@ -0,0 +1,14 @@
crypto-policies:
when:
- DISTRO_NAME != ubuntu
- DISTRO_NAME != gentoo
# NOTE(TheJulia): crypto-policies does not exist in:
# - ubuntu
# - gentoo
crypto-policies-scripts:
when:
- DISTRO_NAME != debian
- DISTRO_NAME != ubuntu
- DISTRO_NAME != gentoo
# NOTE(TheJulia): Crypto policies includes the
# fips-mode-setup script in the debian package.
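Review bot: The `when:` lists exclude ubuntu and gentoo but not opensuse, which the install script rejects outright; if the `crypto-policies` packages are unavailable there, the build fails at package installation with a generic error before the script's explanatory message is ever reached. Add `DISTRO_NAME != opensuse` to both entries for consistency with the script. Style: placing each NOTE comment above the `when:` list it explains, rather than after it, ties the justification to the condition.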

@ -0,0 +1,34 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
if [[ "${DISTRO_NAME}" == "ubuntu" ]]; then
echo "ERROR: Setup of FIPS mode with DIB is not supported with Ubuntu."
echo "Please see refer to Ubuntu documentation on how to configure "
echo "FIPS, as it requires an Ubuntu Advantage subscription."
echo "https://ubuntu.com/security/certifications/docs/fips-enablement"
exit 1
elif [[ "${DISTRO_NAME}" == "gentoo" ]]; then
echo "ERROR: Setup of FIPS mode with DIB is not supported with Gentoo."
echo "Gentoo's documentation appears to largely omit references to"
echo "FIPS setup, and the supportability is unknown."
exit 1
elif [[ "${DISTRO_NAME}" == "opensuse" ]]; then
echo "ERROR: Setup of FIPS mode with DIB is not supported with OpenSUSE."
echo "Please refer to SUSE documentation on how to perform these actions."
echo "https://www.suse.com/support/kb/doc/?id=000019432"
exit 1
else
# This command exists in Centos, Fedora, Rocky, and Debian
# and is referenced in documentation and posts about how to setup FIPS.
echo "Attempting to setup FIPS mode utilizing the fips-mode-setup command."
fips-mode-setup --enable
echo "FIPS mode setup completed, please remember this only applies to a"
echo "running operating system nor implies the certification state of the"
echo "resulting running operating system."
fi
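Review bot: The else branch runs `fips-mode-setup --enable` for every distribution not explicitly rejected; under `set -eu`, a distro without the command aborts with a bare "command not found" (exit 127), so guard it with `command -v fips-mode-setup` and print an error in the same style as the other branches. Wording: "Please see refer to" should be "Please refer to", and the closing message "this only applies to a running operating system nor implies the certification state" reads more clearly as "this only configures the image for FIPS mode and does not imply any certification of the resulting running operating system."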

@ -0,0 +1,12 @@
---
features:
- |
Adds a ``fips`` element which attempts to enable FIPS mode configuration
into the disk image being created.
fixes:
- |
Fixes a possible case with a FIPS enabled disk image where the
cryptographic policies may be applied for enforcement of FIPS mode,
but the underlying kernel command line may be missing. This in particular
was discovered when testing on Rocky Linux. We now test, and add the FIPS
kernel command line flag if it is otherwise enabled.
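Review bot: In the fixes note, "the underlying kernel command line may be missing" should read "the `fips=1` kernel command line argument may be missing", which is what the grub configuration change actually checks for.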