diff --git a/diskimage_builder/elements/bootloader/finalise.d/50-bootloader b/diskimage_builder/elements/bootloader/finalise.d/50-bootloader
index d19567233..64f06810f 100755
--- a/diskimage_builder/elements/bootloader/finalise.d/50-bootloader
+++ b/diskimage_builder/elements/bootloader/finalise.d/50-bootloader
@@ -111,6 +111,29 @@ else
 BOOT_FS=""
 fi
+# NOTE(TheJulia): While on the subject of FIPS, if there is not an
+# explicit /boot partition, then the fips setup command will return
+# a successful result, but then also tell you to update your grub
+# configuration. This happens specifically with Rocky linux.
+# as such, we check/reconcile the flag into place for the kernel
+# as the utility will return a result code of 1 if the state is
+# inconsistent, i.e. policy in place, but not kernel command line
+# argument.
+
+BOOT_FIPS=""
+
+if [[ -x /bin/fips-mode-setup ]]; then
+ set +e
+ fips-mode-setup --is-enabled
+ is_fips_enabled=$?
+ set -e
+ if [ $is_fips_enabled -eq 1 ]; then
+ BOOT_FIPS="fips=1"
+ fi
+fi
+
+
+
 if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then
 SERIAL_CONSOLE="${DIB_BOOTLOADER_SERIAL_CONSOLE}"
 elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then
@@ -123,7 +146,7 @@ else
 fi
 GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=${SERIAL_CONSOLE} no_timer_check"
-echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS}\"" >>/etc/default/grub
+echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE} ${BOOT_FS} ${BOOT_FIPS}\"" >>/etc/default/grub
 echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
 # os-prober leaks /dev/sda into config file in dual-boot host
diff --git a/diskimage_builder/elements/fips/README.rst b/diskimage_builder/elements/fips/README.rst
new file mode 100644
index 000000000..14a0a1303
--- /dev/null
+++ b/diskimage_builder/elements/fips/README.rst
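Review bot: `if [ $is_fips_enabled -eq 1 ]` keys `BOOT_FIPS="fips=1"` off a single exit status, but on the crypto-policies versions I know `fips-mode-setup --is-enabled` exits 1 for plain "FIPS mode is disabled" and 2 for the inconsistent policy-on/kernel-off state this hunk is meant to repair, which would put `fips=1` on every Rocky/CentOS image that merely ships crypto-policies-scripts even without the fips element — please confirm against the versions you target. The kernel half of that probe also reads the build host's `/proc/sys/crypto/fips_enabled` from inside the chroot, so on the FIPS-enabled build host the README recommends, the tool can report a consistent state and the flag is left off the image. Reconciling on the image's own policy state avoids both and drops the `set +e`/`set -e` toggle: `if command -v update-crypto-policies >/dev/null && [[ "$(update-crypto-policies --show)" == FIPS* ]]; then BOOT_FIPS="fips=1"; fi`. If the probe is kept, `/bin/fips-mode-setup` only resolves on usr-merged systems; `command -v fips-mode-setup` is the portable test.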
@@ -0,0 +1,24 @@
+====
+fips
+====
+
+This image element attempts to setup the image so it will boot and operate
+in what is often referred to as "FIPS mode", where cryptography policies
+and algorithms are enforced to only those which are FIPS approved and
+certified. In this context, FIPS is an abbreviation for
+Federal Information Processing Standard, specifically publication number
+140. You can learn more about FIPS policies at
+https://csrc.nist.gov/publications/fips
+
+This element is a best-effort element and additional software or elements
+may be processed after the fact which may impact the work of this element.
+It is **generally** regarded as critical to enable FIPS as early as possible,
+as cryptography policy can be applied, but may not be fully enforced without
+the kernel also operating in FIPS mode.
+
+If you intend to utilize this element to generate production FIPS images,
+it is highly recommended you do so on a host which has already had FIPS
+enabled for itself.
+
+Additionally, not all distributions are explicitly supported. Unsupported
+distributions will error providing appropriate guidance, if available.
diff --git a/diskimage_builder/elements/fips/package-installs.yaml b/diskimage_builder/elements/fips/package-installs.yaml
new file mode 100644
index 000000000..b22545c95
--- /dev/null
+++ b/diskimage_builder/elements/fips/package-installs.yaml
@@ -0,0 +1,14 @@
+crypto-policies:
+ when:
+ - DISTRO_NAME != ubuntu
+ - DISTRO_NAME != gentoo
+# NOTE(TheJulia): crypto-policies does not exist in:
+# - ubuntu
+# - gentoo
+crypto-policies-scripts:
+ when:
+ - DISTRO_NAME != debian
+ - DISTRO_NAME != ubuntu
+ - DISTRO_NAME != gentoo
+# NOTE(TheJulia): Crypto policies includes the
+# fips-mode-setup script in the debian package.
diff --git a/diskimage_builder/elements/fips/pre-install.d/01-setup-fips b/diskimage_builder/elements/fips/pre-install.d/01-setup-fips
new file mode 100755
index 000000000..5d103188e
--- /dev/null
+++ b/diskimage_builder/elements/fips/pre-install.d/01-setup-fips
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+
+if [[ "${DISTRO_NAME}" == "ubuntu" ]]; then
+ echo "ERROR: Setup of FIPS mode with DIB is not supported with Ubuntu."
+ echo "Please see refer to Ubuntu documentation on how to configure "
+ echo "FIPS, as it requires an Ubuntu Advantage subscription."
+ echo "https://ubuntu.com/security/certifications/docs/fips-enablement"
+ exit 1
+elif [[ "${DISTRO_NAME}" == "gentoo" ]]; then
+ echo "ERROR: Setup of FIPS mode with DIB is not supported with Gentoo."
+ echo "Gentoo's documentation appears to largely omit references to"
+ echo "FIPS setup, and the supportability is unknown."
+ exit 1
+elif [[ "${DISTRO_NAME}" == "opensuse" ]]; then
+ echo "ERROR: Setup of FIPS mode with DIB is not supported with OpenSUSE."
+ echo "Please refer to SUSE documentation on how to perform these actions."
+ echo "https://www.suse.com/support/kb/doc/?id=000019432"
+ exit 1
+else
+ # This command exists in Centos, Fedora, Rocky, and Debian
+ # and is referenced in documentation and posts about how to setup FIPS.
+ echo "Attempting to setup FIPS mode utilizing the fips-mode-setup command."
+ fips-mode-setup --enable
+ echo "FIPS mode setup completed, please remember this only applies to a"
+ echo "running operating system nor implies the certification state of the"
+ echo "resulting running operating system."
+fi
diff --git a/releasenotes/notes/add-fips-element-a5a3e0e3c653f923.yaml b/releasenotes/notes/add-fips-element-a5a3e0e3c653f923.yaml
new file mode 100644
index 000000000..abbc22cb9
--- /dev/null
+++ b/releasenotes/notes/add-fips-element-a5a3e0e3c653f923.yaml
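Review bot: The "FIPS mode setup completed" messages after `fips-mode-setup --enable` are printed without checking what the tool actually achieved; the bootloader hunk in this same change exists precisely because the tool can exit 0 while leaving the kernel command line unset, so a verification step such as `[[ "$(update-crypto-policies --show)" == FIPS* ]] || { echo "ERROR: FIPS policy not active after fips-mode-setup" >&2; exit 1; }` would fail the build instead of shipping a half-configured image. Because this runs in pre-install.d, `--enable` may also execute before the image's kernel and dracut are installed, in which case its initramfs step presumably cannot apply — worth confirming the element ordering. The closing text is hard to parse and has a typo earlier: suggest `"FIPS mode setup completed; this only configures the operating system and does"` / `"not imply any certification state of the resulting image."`, and `"Please refer to the Ubuntu documentation on how to configure"` in place of `see refer`. The comment `# This command exists in Centos, Fedora, Rocky, and Debian` likely does not hold for CentOS 7, which used dracut-fips instead; naming the minimum supported release there would help.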
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Adds a ``fips`` element which attempts to enable FIPS mode configuration
+ into the disk image being created.
+fixes:
+ - |
+ Fixes a possible case with a FIPS enabled disk image where the
+ cryptographic policies may be applied for enforcement of FIPS mode,
+ but the underlying kernel command line may be missing. This in particular
+ was discovered when testing on Rocky Linux. We now test, and add the FIPS
+ kernel command line flag if it is otherwise enabled.