diff --git a/goals/proposed/fips.rst b/goals/proposed/fips.rst new file mode 100644 index 000000000..09f411d1e --- /dev/null +++ b/goals/proposed/fips.rst @@ -0,0 +1,200 @@ +================================= +FIPS Compatibility and Compliance +================================= + +FIPS Compliance is often a requirement not just for organizations conducting +business with the US Federal Government, but also for other highly regulated +industries seeking to meet security compliance targets. The Foundation has, +in fact, been approached by cloud vendors attempting to run refstack on +FIPS enabled systems. + +There are two distinct goals for FIPS: FIPS Compatibility and FIPS Compliance. + +FIPS Compatibility +================== + +The main effect of turning on FIPS mode in the kernel is to set the kernel +cryptographic modules to disallow certain cryptographic operations, ciphers +and algorithms, or to only allow their use within certain contexts. More +precise details can be obtained from the FIPS spec. [1] + +The goal of FIPS Compatibility is ensure that OpenStack functions correctly +when the control plane nodes are running with FIPS mode enabled. + +A lot of work has already been done to advance the FIPS compatibility goal. +Making this a community goal would raise awareness of this effort and would +ensure that all projects, as well as third party vendors, test their +functionality under FIPS. + +We would also be able to identify dependencies that need to be updated to work +under FIPS. [2] + +Moreover, there are problems that are common to many projects, which could +be better solved with a standard approach. + +FIPS Compliance +=============== + +The goal of FIPS Compliance is to ensure that any crypto operations that are +performed are done using crypto libraries that are FIPS certified. To complete +this goal, we will need to: + +* Audit the cryptographic libraries used within OpenStack. +* Replace if possible, or document as a limitiation, libraries which are + not FIPS certified. + +Champion +======== + +#. Ade Lee (alee) + +Gerrit Topic +============ + +To facilitate tracking, commits related to this goal should use the +gerrit topic:: + + fips-compatibility or fips-compliance + +Completion Criteria for FIPS compatibility +========================================== + +Yoga-2-milestone: + +#. Projects that curently have FIPS CI jobs in-flight should have these + jobs merged. These jobs should be sufficient to test base functionality + and in particular those areas expected to be affected by FIPS. The + tests should pass. Any limitations uncovered should be documented. + +#. The current role to enable FIPS mode should be enhanced to allow FIPS to + be enabled on Ubuntu environments. Jobs using Ubuntu will need to be + tested using Python 3.9, as this is the earliest release that supports the + usedforsecurity parameter on hashlib.md5(). + +Yoga-3-milestone: + +#. All OpenStack projects should have at least one job to test functionality + when FIPS is enabled. These tests should pass with limitations documented. + +#. Run Refstack tests in FIPS mode. These tests should pass. It is expected + that some FIPS specific configuration may be required [3], or that some + tests/features would be invalid under FIPS [4]. These configurations and + limitations should be well documented. + +#. After milestone-3, a decision can be taken as to whether to make FIPS + enabled jobs the default and replace the existing jobs. It is likely, + though, that we will not take this step until FIPS supports all the security + features we require (eg. ed25519). + +Completion Criteria for FIPS compliance +======================================= + +Z-milestone-1: + +#. A review of crypto used within OpenStack should be completed. This review + should identify crypto that is not FIPS certified and propose alternatives. + Depending on which libraries are identified and the projected impact, a + schedule for replacement can be decided at that time. +#. A plan should be formulated to provide a FIPS compliant replacement option + to paramiko across OpenStack projects. + +Z-milestone-2: + +#. A FIPS compliant replacement for paramiko should be implemented as an option + across all OpenStack projects. See details under "Current Issues" below. + +Current Status +============== + +A lot of work has already been done to advance the FIPS compatibility goal. +Making this a community goal will ensure that all projects as well as third +party vendors test their functionality under FIPS, as well as providing an +opportunity to solve common problems with a standard approach. + +FIPS biggest effect on OpenStack services so far has been in disallowing the +use of MD5. Under FIPS, hashlib.md5() will fail unless it is annotated as +not being used in a security context using a special annotation +(usedforsecurity) that was introduced in python 3.9 [5]. This annotation +has been backported by some distributions. + +To take advantage of this annotation, an adapter for hashlib.md5() was added +to oslo.utils() [6], and patches were added to Keystone, Barbican, Nova, +Glance, Octavia, Neutron and other projects to take advantage of this +annotation. [7] A similar wrapping was added to swift [8]. + +An ansible role has been added to zuul-jobs to enable FIPS mode in CI jobs +[9]. Right now, this role only works for RHEL/Fedora/Centos systems. + +Using this role, a whole slew of CI FIPS jobs have been proposed. [10] +The vast majority of the tempest tests in these jobs currently pass. + +Current Issues +============== + +* Tempest currently uses paramiko to ssh to instances. This currently fails + because of a call to md5() to generate fingerprints that are written to log + files. This use of md5() is valid under FIPS and so we can patch paramiko + to either allow the usage [11] or to use a different algorithm [12]. + +* Paramiko also uses md5() in generating a key from a password while reading an + encrypted PEM file that is not in the newer OpenSSH format. We can get around + that by simply making sure that relevant encrypted key files are generated by + OpenSSH. + +* Paramiko is not FIPS compliant and so will ultimately need to be replaced + across OpenStack for compliance. This should be co-ordinated across projects + so it can be done consistently. Ideally, a library could be found that can + be configured to FIPS compliant and also support algorithms like ed25519. + Alternatively, projects should be changed to allow the selection of either + paramiko (as default) or a FIPS certified library at run-time. + +* A patch has been proposed to replace paramiko with libssh instead as this + library uses FIPS certified crypto [13]. Ultimately, a different library + may need to be selected. + +References +========== + +#. FIPS Spec: + https://csrc.nist.gov/publications/detail/fips/140/3/final +#. So far, packages that we have found to require FIPS updates include django, certmonger + paramiko and sphinx. + https://github.com/django/django/pull/14763 +#. Some required setting include: + iscsi chap algorithms: https://review.opendev.org/c/openstack/puppet-tripleo/+/778081 + snmp_auth_type: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/813089 +#. Features and tests that come to mind include: + volume encryption using plain encryptor: + https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/810782 +#. hashlib.MD5() issue in Python 3.9: + https://bugs.python.org/issue9216 +#. Change to oslo.utils to use usedforsecurity: + https://review.opendev.org/c/openstack/oslo.utils/+/750031 +#. Patches to various projects to use oslo.utils adapter for hashlib.md5 + (as examples): + glance: https://review.opendev.org/c/openstack/glance/+/756158 + nova: https://review.opendev.org/c/openstack/nova/+/756434 + nova: https://review.opendev.org/c/openstack/nova/+/777686 + os-brick: https://review.opendev.org/c/openstack/os-brick/+/756151 + oslo: https://review.opendev.org/c/openstack/oslo.versionedobjects/+/756153 + tooz: https://review.opendev.org/c/openstack/tooz/+/756432 + opensdk: https://review.opendev.org/c/openstack/openstacksdk/+/767411 + octavia: https://review.opendev.org/c/openstack/octavia/+/798146 + designate: https://review.opendev.org/c/openstack/designate/+/798157 + glance_store: https://review.opendev.org/c/openstack/glance_store/+/756157 + +#. Swift patch to handle hashlib.md5 + https://review.opendev.org/c/openstack/swift/+/751966 +#. Ansible role in zuul-jobs + https://review.opendev.org/c/zuul/zuul-jobs/+/788778 + https://etherpad.opendev.org/p/state-of-fips-in-openstack-ci-yoga#L23 +#. Current proposed and merged CI jobs + https://etherpad.opendev.org/p/state-of-fips-in-openstack-ci-yoga#L53 + Currently 6 projects merged and passing, 10 projects pending. +#. https://github.com/paramiko/paramiko/pull/1928 + This change is relatively small. Until it passes, we have added a monkey-patch + for paramiko in https://review.opendev.org/c/openstack/tempest/+/822560 +#. https://github.com/vakwetu/paramiko/commit/b4beb535d7293447f25afd12051dbc45bb1e6ddc +#. https://github.com/paramiko/paramiko/pull/1103 +#. Tempest patches: + https://etherpad.opendev.org/p/state-of-fips-in-openstack-ci-yoga#L33