Merge "Add proposed community goal for FIPS compatibility and compliance"

2022-01-28 03:35:39 +00:00 · 2022-01-28 03:35:39 +00:00 · f272a40df0
parent d95ab28bff 4348fb36bd
commit f272a40df0
1 changed files with 200 additions and 0 deletions
--- a/goals/proposed/fips.rst
+++ b/goals/proposed/fips.rst
@ -0,0 +1,200 @@
+=================================
+FIPS Compatibility and Compliance
+=================================
+
+FIPS Compliance is often a requirement not just for organizations conducting
+business with the US Federal Government, but also for other highly regulated
+industries seeking to meet security compliance targets.  The Foundation has,
+in fact, been approached by cloud vendors attempting to run refstack on
+FIPS enabled systems.
+
+There are two distinct goals for FIPS: FIPS Compatibility and FIPS Compliance.
+
+FIPS Compatibility
+==================
+
+The main effect of turning on FIPS mode in the kernel is to set the kernel
+cryptographic modules to disallow certain cryptographic operations, ciphers
+and algorithms, or to only allow their use within certain contexts.  More
+precise details can be obtained from the FIPS spec. [1]
+
+The goal of FIPS Compatibility is ensure that OpenStack functions correctly
+when the control plane nodes are running with FIPS mode enabled.
+
+A lot of work has already been done to advance the FIPS compatibility goal.
+Making this a community goal would raise awareness of this effort and would
+ensure that all projects, as well as third party vendors, test their
+functionality under FIPS.
+
+We would also be able to identify dependencies that need to be updated to work
+under FIPS. [2]
+
+Moreover, there are problems that are common to many projects, which could
+be better solved with a standard approach.
+
+FIPS Compliance
+===============
+
+The goal of FIPS Compliance is to ensure that any crypto operations that are
+performed are done using crypto libraries that are FIPS certified. To complete
+this goal, we will need to:
+
+* Audit the cryptographic libraries used within OpenStack.
+* Replace if possible, or document as a limitiation, libraries which are
+  not FIPS certified.
+
+Champion
+========
+
+#. Ade Lee <alee@redhat.com> (alee)
+
+Gerrit Topic
+============
+
+To facilitate tracking, commits related to this goal should use the
+gerrit topic::
+
+  fips-compatibility or fips-compliance
+
+Completion Criteria for FIPS compatibility
+==========================================
+
+Yoga-2-milestone:
+
+#. Projects that curently have FIPS CI jobs in-flight should have these
+   jobs merged. These jobs should be sufficient to test base functionality
+   and in particular those areas expected to be affected by FIPS. The
+   tests should pass. Any limitations uncovered should be documented.
+
+#. The current role to enable FIPS mode should be enhanced to allow FIPS to
+   be enabled on Ubuntu environments. Jobs using Ubuntu will need to be
+   tested using Python 3.9, as this is the earliest release that supports the
+   usedforsecurity parameter on hashlib.md5().
+
+Yoga-3-milestone:
+
+#. All OpenStack projects should have at least one job to test functionality
+   when FIPS is enabled. These tests should pass with limitations documented.
+
+#. Run Refstack tests in FIPS mode. These tests should pass. It is expected
+   that some FIPS specific configuration may be required [3], or that some
+   tests/features would be invalid under FIPS [4]. These configurations and
+   limitations should be well documented.
+
+#. After milestone-3, a decision can be taken as to whether to make FIPS
+   enabled jobs the default and replace the existing jobs. It is likely,
+   though, that we will not take this step until FIPS supports all the security
+   features we require (eg. ed25519).
+
+Completion Criteria for FIPS compliance
+=======================================
+
+Z-milestone-1:
+
+#. A review of crypto used within OpenStack should be completed. This review
+   should identify crypto that is not FIPS certified and propose alternatives.
+   Depending on which libraries are identified and the projected impact, a
+   schedule for replacement can be decided at that time.
+#. A plan should be formulated to provide a FIPS compliant replacement option
+   to paramiko across OpenStack projects.
+
+Z-milestone-2:
+
+#. A FIPS compliant replacement for paramiko should be implemented as an option
+   across all OpenStack projects.  See details under "Current Issues" below.
+
+Current Status
+==============
+
+A lot of work has already been done to advance the FIPS compatibility goal.
+Making this a community goal will ensure that all projects as well as third
+party vendors test their functionality under FIPS, as well as providing an
+opportunity to solve common problems with a standard approach.
+
+FIPS biggest effect on OpenStack services so far has been in disallowing the
+use of MD5.  Under FIPS, hashlib.md5() will fail unless it is annotated as
+not being used in a security context using a special annotation
+(usedforsecurity) that was introduced in python 3.9 [5].  This annotation
+has been backported by some distributions.
+
+To take advantage of this annotation, an adapter for hashlib.md5() was added
+to oslo.utils() [6], and patches were added to Keystone, Barbican, Nova,
+Glance, Octavia, Neutron and other projects to take advantage of this
+annotation. [7]  A similar wrapping was added to swift [8].
+
+An ansible role has been added to zuul-jobs to enable FIPS mode in CI jobs
+[9].  Right now, this role only works for RHEL/Fedora/Centos systems.
+
+Using this role, a whole slew of CI FIPS jobs have been proposed. [10]
+The vast majority of the tempest tests in these jobs currently pass.
+
+Current Issues
+==============
+
+* Tempest currently uses paramiko to ssh to instances. This currently fails
+  because of a call to md5() to generate fingerprints that are written to log
+  files. This use of md5() is valid under FIPS and so we can patch paramiko
+  to either allow the usage [11] or to use a different algorithm [12].
+
+* Paramiko also uses md5() in generating a key from a password while reading an
+  encrypted PEM file that is not in the newer OpenSSH format. We can get around
+  that by simply making sure that relevant encrypted key files are generated by
+  OpenSSH.
+
+* Paramiko is not FIPS compliant and so will ultimately need to be replaced
+  across OpenStack for compliance. This should be co-ordinated across projects
+  so it can be done consistently. Ideally, a library could be found that can
+  be configured to FIPS compliant and also support algorithms like  ed25519.
+  Alternatively, projects should be changed to allow the selection of either
+  paramiko (as default) or a FIPS certified library at run-time.
+
+* A patch has been proposed to replace paramiko with libssh instead as this
+  library uses FIPS certified crypto [13]. Ultimately, a different library
+  may need to be selected.
+
+References
+==========
+
+#. FIPS Spec:
+   https://csrc.nist.gov/publications/detail/fips/140/3/final
+#. So far, packages that we have found to require FIPS updates include django, certmonger
+   paramiko and sphinx.
+   https://github.com/django/django/pull/14763
+#. Some required setting include:
+   iscsi chap algorithms: https://review.opendev.org/c/openstack/puppet-tripleo/+/778081
+   snmp_auth_type: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/813089
+#. Features and tests that come to mind include:
+   volume encryption using plain encryptor:
+   https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/810782
+#. hashlib.MD5() issue in Python 3.9:
+   https://bugs.python.org/issue9216
+#. Change to oslo.utils to use usedforsecurity:
+   https://review.opendev.org/c/openstack/oslo.utils/+/750031
+#. Patches to various projects to use oslo.utils adapter for hashlib.md5
+   (as examples):
+   glance: https://review.opendev.org/c/openstack/glance/+/756158
+   nova: https://review.opendev.org/c/openstack/nova/+/756434
+   nova: https://review.opendev.org/c/openstack/nova/+/777686
+   os-brick: https://review.opendev.org/c/openstack/os-brick/+/756151
+   oslo: https://review.opendev.org/c/openstack/oslo.versionedobjects/+/756153
+   tooz: https://review.opendev.org/c/openstack/tooz/+/756432
+   opensdk: https://review.opendev.org/c/openstack/openstacksdk/+/767411
+   octavia: https://review.opendev.org/c/openstack/octavia/+/798146
+   designate: https://review.opendev.org/c/openstack/designate/+/798157
+   glance_store: https://review.opendev.org/c/openstack/glance_store/+/756157
+
+#. Swift patch to handle hashlib.md5
+   https://review.opendev.org/c/openstack/swift/+/751966
+#. Ansible role in zuul-jobs
+   https://review.opendev.org/c/zuul/zuul-jobs/+/788778
+   https://etherpad.opendev.org/p/state-of-fips-in-openstack-ci-yoga#L23
+#. Current proposed and merged CI jobs
+   https://etherpad.opendev.org/p/state-of-fips-in-openstack-ci-yoga#L53
+   Currently 6 projects merged and passing, 10 projects pending.
+#. https://github.com/paramiko/paramiko/pull/1928
+   This change is relatively small.  Until it passes, we have added a monkey-patch
+   for paramiko in https://review.opendev.org/c/openstack/tempest/+/822560
+#. https://github.com/vakwetu/paramiko/commit/b4beb535d7293447f25afd12051dbc45bb1e6ddc
+#. https://github.com/paramiko/paramiko/pull/1103
+#. Tempest patches:
+   https://etherpad.opendev.org/p/state-of-fips-in-openstack-ci-yoga#L33