Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:acdc:as_python3_module
crypto-policies
crypto-policies-FIPS.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File crypto-policies-FIPS.patch of Package crypto-policies
Index: fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup =================================================================== --- fedora-crypto-policies-20210917.c9d86d1.orig/fips-mode-setup +++ fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup @@ -7,7 +7,6 @@ enable_fips= check=0 boot_config=1 err_if_disabled=0 -fips_install_complete=0 output_text=1 is_ostree_system=0 @@ -76,47 +75,128 @@ if test "$is_ostree_system" = 1 && test exit 1 fi -if test -f /etc/system-fips ; then - # On OSTree systems, /etc/system-fips in the real root marks completion. - if test ! -d /boot -o "$is_ostree_system" = 1 -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then - fips_install_complete=1 + +if [ "$(id -u)" != 0 ]; then + echo "You must be root to run $(basename $0)" + exit 1 +fi + +# This check must be done as root, otherwise it will fail. +is_transactional_system=0 +if test ! -w /usr ; then + is_transactional_system=1 +fi + +# We don't handle the setup on transactional systems as the process is +# quite different and involves several reboots. +if test "$is_transactional_system" = 1 && test "$check" = 0 ; then + cond_echo -n "Cannot handle transactional systems. " + cond_echo "Please, refer to the fips-mode-setup man pages for more information." + exit 1 +fi + +# Detect 1: kernel FIPS flag +fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) + +# Detect 2: initramfs fips module presence; not always can be done +initramfs_fips_module=0 +initramfs_inspectable=0 +if test -d /boot -a -x /usr/bin/lsinitrd; then + initramfs_inspectable=1 + if lsinitrd -m 2>/dev/null | grep -Fxq fips; then + initramfs_fips_module=1 fi fi +# Detect 3: crypto-policy base policy +current_policy="$(cat /etc/crypto-policies/state/current)" +base_policy="$(echo $current_policy| cut -f 1 -d :)" +if test "$base_policy" == "FIPS" ; then + base_policy_is_fips=1 +else + base_policy_is_fips=0 +fi + + if test $check = 1 ; then - test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not completed." - fips_enabled=$(cat /proc/sys/crypto/fips_enabled) - cond_echo "FIPS mode is $(enable2txt $fips_enabled)." - if test "$fips_enabled" = 1 ; then - if test $fips_install_complete = 0 ; then - cond_echo "Inconsistent state detected." - exit 1 - fi - current="$(cat /etc/crypto-policies/state/current)" - if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then - cond_echo "The current crypto policy ($current) is not a FIPS policy." + # Look for signs for both enabling and disabling FIPS mode + fips_positive=0 + fips_negative=0 + + # Display 1: kernel FIPS flag + cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)." + + # Display 2: initramfs fips module + if test "$initramfs_inspectable" = 1 ; then + cond_echo -n "Initramfs fips module is " + cond_echo "$(enable2txt $initramfs_fips_module)." + fi + + # Display 3: active crypto-policy + cond_echo -n "The current crypto policy ($current_policy) " + if test "$base_policy_is_fips" == 1 ; then + cond_echo 'is based on the FIPS policy.' + else + cond_echo -n 'neither is the FIPS policy ' + cond_echo 'nor is based on the FIPS policy.' + fi + + # Decide 1: kernel FIPS flag + if test "$fips_kernel_enabled" = 1 ; then + fips_positive=1 + else + fips_negative=1 + fi + + # Decide 2: initramfs module presence + if test "$initramfs_inspectable" = 1 ; then + if test "$initramfs_fips_module" = 1 ; then + fips_positive=1 + else + fips_negative=1 fi fi - if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1;then + + # Decide 3: active crypto-policy + if test "$base_policy_is_fips" = 1 ; then + fips_positive=1 + else + fips_negative=1 + fi + + # Make the FIPS mode consistency decision + if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then + cond_echo 'Inconsistent state detected.' + exit 1 + fi + + # Error out if `--is-enabled` was passed and FIPS mode is not enabled + if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then + cond_echo 'FIPS mode is not enabled.' exit 2 fi + exit 0 fi -if [ $(id -u) != 0 ]; then - echo "You must be root to run $(basename $0)" - exit 1 -fi if test $enable_fips = 1 ; then - if test $fips_install_complete = 0 ; then + if test "$initramfs_fips_module" = 0 ; then fips-finish-install --complete if test $? != 0 ; then echo "Installation of FIPS modules could not be completed." exit 1 fi fi - update-crypto-policies --no-reload --set FIPS 2>/dev/null + if test "$base_policy_is_fips" == 1 ; then + cond_echo -n 'Preserving current FIPS-based policy ' + cond_echo "${current_policy}." + cond_echo -n 'Please review the subpolicies to ensure they ' + cond_echo 'only restrict, not relax the FIPS policy.' + else + target=FIPS + fi + update-crypto-policies --no-reload --set "${target}" 2>/dev/null else update-crypto-policies --no-reload --set DEFAULT 2>/dev/null fi @@ -136,9 +216,22 @@ else fi fi -if test $boot_config=1 && test ! -x "$(command -v grubby)" ; then - echo "The grubby command is missing, please configure the bootloader manually." - boot_config=0 +if test "$boot_config" = 1 ; then + # Install required packages: patterns-base-fips and perl-Bootloader + if test ! -f /etc/dracut.conf.d/40-fips.conf && \ + test ! -x "$(command -v pbl)" && \ + test "$enable_fips" = 1; then + zypper -n install patterns-base-fips perl-Bootloader + elif test ! -f /etc/dracut.conf.d/40-fips.conf && \ + test "$enable_fips" = 1 ; then + zypper -n install patterns-base-fips + elif test ! -x "$(command -v pbl)" ; then + zypper -n install perl-Bootloader + fi + if test $? != 0 ; then + echo "The pbl command or the fips pattern are missing, please configure the bootloader manually." + boot_config=0 + fi fi echo "FIPS mode will be $(enable2txt $enable_fips)." @@ -149,10 +242,19 @@ if test $boot_config = 0 ; then echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" echo "and reboot the system for the setting to take effect." else - grubby --update-kernel=ALL --args="$fipsopts" - if test x"$(uname -m)" = xs390x ; then - zipl >/dev/null 2>&1 - fi + pbl --add-option "$fipsopts" + grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all + + # grubby --update-kernel=ALL --args="$fipsopts" + # if test x"$(uname -m)" = xs390x; then + # if command -v zipl >/dev/null; then + # zipl + # else + # echo -n '`zipl` execution has been skipped: ' + # echo '`zipl` not found.' + # fi + # fi + echo "Please reboot the system for the setting to take effect." fi Index: fedora-crypto-policies-20210917.c9d86d1/fips-finish-install =================================================================== --- fedora-crypto-policies-20210917.c9d86d1.orig/fips-finish-install +++ fedora-crypto-policies-20210917.c9d86d1/fips-finish-install @@ -2,7 +2,6 @@ set -e -system_fips=/etc/system-fips dracut_cfg_d=/etc/dracut.conf.d dracut_cfg=$dracut_cfg_d/40-fips.conf @@ -24,9 +23,16 @@ fi umask 022 -trap "rm -f $system_fips $dracut_cfg" ERR +# trap "rm -f $dracut_cfg" ERR -echo "# FIPS module installation complete" >$system_fips +# Install required packages: patterns-base-fips and perl-Bootloader +if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then + zypper -n install patterns-base-fips perl-Bootloader +elif test ! -f $dracut_cfg ; then + zypper -n install patterns-base-fips +elif test ! -x "$(command -v pbl)" ; then + zypper -n install perl-Bootloader +fi if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then # No dracut configuration or boot directory present, do not try to modify it. @@ -35,12 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot exit 0 fi -cat >$dracut_cfg <<EOF -# turn on fips module - -add_dracutmodules+=" fips " -EOF - -echo "Kernel initramdisks are being regenerated. This might take some time." - -dracut -f --regenerate-all +# cat >$dracut_cfg <<EOF +# # turn on fips module +# +# add_dracutmodules+=" fips " +# EOF +# +# echo "Kernel initramdisks are being regenerated. This might take some time." +# +# dracut -f --regenerate-all +# +# # This is supposed to be a fast and safe operation that's always good to run. +# # Regenerating an initrd and skipping it might render the system unbootable +# # (RHBZ#2013195). +# if test x"$(uname -m)" = xs390x; then +# if command -v zipl >/dev/null; then +# zipl +# else +# echo '`zipl` execution has been skipped: `zipl` not found.' +# fi +# fi Index: fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup.8.txt =================================================================== --- fedora-crypto-policies-20210917.c9d86d1.orig/fips-mode-setup.8.txt +++ fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup.8.txt @@ -33,16 +33,35 @@ DESCRIPTION ----------- fips-mode-setup(8) is used to check and control the system FIPS mode. -When enabling the system FIPS mode the command completes the installation +When enabling the system FIPS mode, the command completes the installation of FIPS modules if needed by calling 'fips-finish-install' and changes the -system crypto policy to FIPS. +system crypto policy to FIPS +(unless the policy has already been set to FIPS plus subpolicies on top, +in which case the currently active subpolicies is retained). Then the command modifies the boot loader configuration to add 'fips=1' and 'boot=<boot-device>' options to the kernel command line. When disabling the system FIPS mode the system crypto policy is switched -to DEFAULT and the kernel command line option 'fips=0' is set. +to DEFAULT and the kernel command line option 'fips=0' is set. +On transactional systems, enabling the system in FIPS mode with the +fips-mode-setup tool is not implemented. To enable the FIPS mode in these +systems requires the following steps: + + 1.- Install the FIPS pattern on a running system: + # transactional-update pkg install -t pattern microos-fips + + 2.- Reboot your system. + + 3.- Add the kernel command line parameter fips=1 to the boot loader + configuration. To do so, edit the file /etc/default/grub and add + fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable. + + 4.- After logging in to the system, run: + # transactional-update grub.cfg + + 5.- Reboot your system. [[options]] OPTIONS @@ -54,14 +73,21 @@ The following options are available in f * --disable: Undo some of the FIPS-enablement steps (unsupported). -* --check: Checks the system FIPS mode status. +* --check: Checks for inconsistently enabled FIPS mode. + Exits successfully (0) for both consistently-enabled FIPS mode + and consistently-disabled FIPS mode, + returns error code (1) if inconsistencies are detected. + For checking whether FIPS mode is enabled, + see --is-enabled below. * --is-enabled: Checks the system FIPS mode status and returns failure error code if disabled (2) or inconsistent (1). -* --no-bootcfg: The tool will not attempt to change the boot loader - configuration and it just prints the options that need +* --no-bootcfg: The tool will not reconfigure the boot loader, + and, instead, will print the options that need to be added to the kernel command line. + Exception: it still attempts executing zipl(8) on s390x, + as the system might become unbootable otherwise. FILES
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor