File crypto-policies-FIPS.patch of Package crypto-policies
Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
===================================================================
--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
 exit 1
 fi
+# This check must be done as root, otherwise it will fail.
+is_transactional_system=0
+if test ! -w /usr ; then
+ is_transactional_system=1
+fi
+
+# We don't handle the setup on transactional systems as the process is
+# quite different and involves several reboots.
+if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
+ cond_echo -n "Cannot handle transactional systems. "
+ cond_echo "Please, refer to the fips-mode-setup man pages for more information."
+ exit 1
+fi
 # Detect 1: kernel FIPS flag
 fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
@@ -167,10 +180,10 @@ if test $check = 1 ; then
 fi
 # Boot configuration
-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
- echo >&2 "The grubby command is missing, please configure the bootloader manually."
- boot_config=0
-fi
+# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+# echo >&2 "The grubby command is missing, please configure the bootloader manually."
+# boot_config=0
+# fi
 if test "$boot_config" = 1 && test ! -d /boot ; then
 echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
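Review bot: `test ! -w /usr` in the new transactional-system detection is only a heuristic: any non-transactional host whose /usr happens to be mounted read-only will also be refused with a message pointing at the transactional-update procedure from the man page, while the actual bootloader path below might have worked. Since the page itself names the tool that characterises such systems, tying the detection to it would be more specific, e.g. `if test ! -w /usr && command -v transactional-update >/dev/null ; then`. The refusal is also emitted via `cond_echo` on stdout, whereas the other fatal diagnostics in this script (the grubby and /boot checks) use `echo >&2`; if `cond_echo` is quiet-aware — presumably it is — a quiet run would exit 1 with no explanation. The enclosing script continues outside the hunk, and `$check` is set somewhere above it.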
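Review bot: The grubby check is commented out rather than deleted, and the same pattern is repeated for the grubby/zipl block in the next hunk of this file and for the entire body of fips-finish-install further down; commented-out code in a downstream patch tends to drift from upstream and get resurrected by accident, and the patch itself already records what was removed. If the intent is to document the divergence, a single line such as `# SUSE: bootloader handling is done via pbl below; grubby is not used.` carries that better than four inert statements. The trailing context of this hunk appears truncated on this page, so the lines after the `/boot` diagnostic are not visible here.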
@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then
 fi
 fi
+if test "$boot_config" = 1 ; then
+ # Install required packages: patterns-base-fips and perl-Bootloader
+ if test ! -f /etc/dracut.conf.d/40-fips.conf && \
+ test ! -x "$(command -v pbl)" && \
+ test "$enable_fips" = 1; then
+ zypper -n install patterns-base-fips perl-Bootloader
+ elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
+ test "$enable_fips" = 1 ; then
+ zypper -n install patterns-base-fips
+ elif test ! -x "$(command -v pbl)" ; then
+ zypper -n install perl-Bootloader
+ fi
+ if test $? != 0 ; then
+ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
+ boot_config=0
+ fi
+fi
+
 echo "FIPS mode will be $(enable2txt $enable_fips)."
 fipsopts="fips=$enable_fips$boot_device_opt"
 if test "$boot_config" = 1 ; then
- grubby --update-kernel=ALL --args="$fipsopts"
- if test x"$(uname -m)" = xs390x; then
- if command -v zipl >/dev/null; then
- zipl
- else
- echo -n '`zipl` execution has been skipped: '
- echo '`zipl` not found.'
- fi
- fi
+ pbl --add-option "$fipsopts"
+ grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
+
+ # grubby --update-kernel=ALL --args="$fipsopts"
+ # if test x"$(uname -m)" = xs390x; then
+ # if command -v zipl >/dev/null; then
+ # zipl
+ # else
+ # echo -n '`zipl` execution has been skipped: '
+ # echo '`zipl` not found.'
+ # fi
+ # fi
+
 echo "Please reboot the system for the setting to take effect."
 else
 echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install
===================================================================
--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install
+++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install
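Review bot: The exit status of `pbl --add-option "$fipsopts"` is never examined, and a failure of `grub2-mkconfig ... && dracut -f --regenerate-all` is swallowed as well, yet the script goes on to print "Please reboot the system for the setting to take effect." — so an administrator can be told FIPS mode is enabled while the kernel command line was never changed, and only a later `--check` after reboot would reveal it. The `if test $? != 0` after the zypper chain does work today because an if/elif compound with no matching branch yields 0, but it is fragile; checking each `zypper -n install ... || boot_config=0` directly, and sending that diagnostic to stderr like the neighbouring messages, would be more robust. The dropped s390x `zipl` step is only safe if pbl performs the equivalent on that architecture — presumably it does, but nothing on this page shows it, so a comment confirming that would help the next reader. A rewrite of the bootloader section that fails loudly is below.
```shell
if test "$boot_config" = 1 ; then
    if ! pbl --add-option "$fipsopts" ; then
        echo >&2 "pbl failed to add \"$fipsopts\" to the kernel command line, please configure the bootloader manually."
        exit 1
    fi
    if ! grub2-mkconfig -o /boot/grub2/grub.cfg || ! dracut -f --regenerate-all ; then
        echo >&2 "Regenerating the bootloader configuration or the initramfs failed, FIPS mode may not be $(enable2txt $enable_fips) after reboot."
        exit 1
    fi
    echo "Please reboot the system for the setting to take effect."
else
    # … unchanged: manual bootloader configuration message …
```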
@@ -24,6 +24,15 @@ fi
 umask 022
+# Install required packages: patterns-base-fips and perl-Bootloader
+if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
+ zypper -n install patterns-base-fips perl-Bootloader
+elif test ! -f $dracut_cfg ; then
+ zypper -n install patterns-base-fips
+elif test ! -x "$(command -v pbl)" ; then
+ zypper -n install perl-Bootloader
+fi
+
 if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
 # No dracut configuration or boot directory present, do not try to modify it.
 # Also, on OSTree systems, we currently rely on the initrd already including
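Review bot: The new package installation runs regardless of `$1`, so `fips-finish-install --undo` — the disable path — will `zypper -n install patterns-base-fips` whenever `$dracut_cfg` is absent, and a failing zypper run is not detected at all. Guarding the block with the test the script itself used further down, `if test x"$1" == x--complete ; then`, and checking the result, e.g. `zypper -n install patterns-base-fips perl-Bootloader || exit 1`, keeps disabling FIPS from pulling in the FIPS pattern and makes a failed install visible to the caller. `$dracut_cfg` is unquoted in the new tests; the surrounding file does the same, so this only matters if quoting is adopted file-wide. `dracut_cfg` is assigned above the hunk and is not visible here.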
@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
 exit 0
 fi
-if test x"$1" == x--complete; then
- trap "rm -f $dracut_cfg" ERR
- cat >$dracut_cfg <<EOF
-# turn on fips module
-
-add_dracutmodules+=" fips "
-EOF
-elif test x"$1" == x--undo; then
- rm -f $dracut_cfg
-fi
-
-echo "Kernel initramdisks are being regenerated. This might take some time."
-
-dracut -f --regenerate-all
-
-# This is supposed to be a fast and safe operation that's always good to run.
-# Regenerating an initrd and skipping it might render the system unbootable
-# (RHBZ#2013195).
-if test x"$(uname -m)" = xs390x; then
- if command -v zipl >/dev/null; then
- zipl
- else
- echo '`zipl` execution has been skipped: `zipl` not found.'
- fi
-fi
+# if test x"$1" == x--complete; then
+# trap "rm -f $dracut_cfg" ERR
+# cat >$dracut_cfg <<EOF
+# # turn on fips module
+
+# add_dracutmodules+=" fips "
+# EOF
+# elif test x"$1" == x--undo; then
+# rm -f $dracut_cfg
+# fi
+
+# echo "Kernel initramdisks are being regenerated. This might take some time."
+
+# dracut -f --regenerate-all
+
+# # This is supposed to be a fast and safe operation that's always good to run.
+# # Regenerating an initrd and skipping it might render the system unbootable
+# # (RHBZ#2013195).
+# if test x"$(uname -m)" = xs390x; then
+# if command -v zipl >/dev/null; then
+# zipl
+# else
+# echo '`zipl` execution has been skipped: `zipl` not found.'
+# fi
+# fi
Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
===================================================================
--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
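Review bot: With the whole `--complete`/`--undo` body disabled, `fips-finish-install` now accepts either argument and exits 0 without doing anything, so a caller passing `--undo` gets a success status although `$dracut_cfg` is no longer removed and the initramfs is no longer regenerated here; if the dracut configuration is now owned by patterns-base-fips and the rebuild happens in fips-mode-setup, that contract has moved and should be stated. A header comment such as `# SUSE: the fips dracut config is shipped by patterns-base-fips and the initrd is rebuilt by fips-mode-setup; --complete/--undo are accepted for compatibility and are no-ops here.` would make the empty behaviour deliberate rather than accidental, and rejecting any other argument would catch misuse. The removed s390x `zipl` run was there because skipping it can leave the system unbootable after an initrd regeneration (the comment cites the upstream bug); that protection is only preserved if the pbl path performs it — presumably it does, but nothing on this page shows it.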
@@ -45,6 +45,23 @@ Then the command modifies the boot loade
 When disabling the system FIPS mode the system crypto policy is switched to DEFAULT and the kernel command line option 'fips=0' is set.
+On transactional systems, enabling the system in FIPS mode with the
+fips-mode-setup tool is not implemented. To enable the FIPS mode in these
+systems requires the following steps:
+
+ 1.- Install the FIPS pattern on a running system:
+ # transactional-update pkg install -t pattern microos-fips
+
+ 2.- Reboot your system.
+
+ 3.- Add the kernel command line parameter fips=1 to the boot loader
+ configuration. To do so, edit the file /etc/default/grub and add
+ fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
+
+ 4.- After logging in to the system, run:
+ # transactional-update grub.cfg
+
+ 5.- Reboot your system.
 [[options]]
 OPTIONS