feat(fips-crypto-policies): Make c-p follow FIPS mode automatically #2670
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
t184256
reviewed
Aug 8, 2024
|
|
||
| type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh | ||
|
|
||
| if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ] || [ -z "$fipsmode" ]; then |
There was a problem hiding this comment.
should the script proceed on anything but 1 there?
There was a problem hiding this comment.
I copied and modified this from the existing 01fips module, so it's consistent with that. I don't believe we should introduce a difference between those two.
For a system that uses crypto-policies to be switched to FIPS mode correctly, it needs to be - booted with `fips=1` on the kernel command line - switched to the FIPS crypto-policy (or a policy derived from it) - have the fips dracut module enabled On older systems, there were additional steps, for example, creating `/etc/system-fips`. We have repeatedly seen inconsistencies between those different toggles, either because the user space tooling to switch between those does not (for reliability, maintainability, and compliance reasons) undo some of the steps it does when disabling FIPS mode, or because other installation methods (bootc, containers, image builder) independently do some of those steps. Eventually, all of these ended with user confusion. We can avoid this situation by eliminating the difference by treating the `fips=1` kernel command line switch as a single source of truth, and making all others follow automatically. This module provides this for crypto-policies, by adding bind-mounts before pivot if the system has not already been switched to a FIPS-based crypto-policy. This requires some support from the crypto-policies package (because it needs to deal with the bind mounts when a user calls `update-crypto-policies --set`), so make it a no-op unless - `fips=1` is on the kernel command line - crypto-policies is installed - crypto-policies supports the bind-mounts (indicated by the presence of the `default-fips-config` file) - the policy isn't already FIPS These checks should make this safe to add to the initramfs on all current systems. The bind-mounts also need to happen in the initramfs already, because systemd links against OpenSSL, and doing them later means that systemd will start with an OpenSSL configuration that isn't tailored for FIPS. See also [1], which adds the user space support to crypto-policies, along with a systemd service that does the same steps in case dracut hasn't already done them (which is useful for environments that don't use an initramfs like containers). [1]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/191 Signed-off-by: Clemens Lang <[email protected]>
neverpanic
force-pushed
the
crypto-policies-autofips
branch
from
4461f0e
to
e9662a1
Compare
|
LGTMy naked eye |
|
Fedora is using https://github.com/dracut-ng/dracut-ng . Would you consider uploading it there. Thanks ! |
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For a system that uses crypto-policies to be switched to FIPS mode correctly, it needs to be
fips=1on the kernel command lineOn older systems, there were additional steps, for example, creating
/etc/system-fips.We have repeatedly seen inconsistencies between those different toggles, either because the user space tooling to switch between those does not (for reliability, maintainability, and compliance reasons) undo some of the steps it does when disabling FIPS mode, or because other installation methods (bootc, containers, image builder) independently do some of those steps. Eventually, all of these ended with user confusion.
We can avoid this situation by eleminating the difference by treating the
fips=1kernel command line switch as a single source of truth, and making all others follow automatically. This module provides this for crypto-policies, by adding bind-mounts before pivot if the system has not already been switched to a FIPS-based crypto-policy.This requires some support from the crypto-policies package (because it needs to deal with the bind mounts when a user calls
update-crypto-policies --set), so make it a no-op unlessThese checks should make this safe to add to the initramfs on all current systems.
The bind-mounts also need to happen in the initramfs already, because systemd links against OpenSSL, and doing them later means that systemd will start with an OpenSSL configuration that isn't tailored for FIPS.
See also 1, which adds the user space support to crypto-policies, along with a systemd service that does the same steps in case dracut hasn't already done them (which is useful for environments that don't use an initramfs like containers).
This pull request changes...
Changes
modules.d/01fips-crypto-policiesChecklist
Can you point me to documentation on how to write a dracut test? I'd be happy to provide tests.