crypto-policies/crypto-policies-FIPS.patch

Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
===================================================================
--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
 	exit 1
 fi
 
+# This check must be done as root, otherwise it will fail.
+is_transactional_system=0
+if test ! -w /usr ; then
+	is_transactional_system=1
+fi
+
+# We don't handle the setup on transactional systems as the process is
+# quite different and involves several reboots.
+if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
+    cond_echo -n "Cannot handle transactional systems. "
+    cond_echo "Please, refer to the fips-mode-setup man pages for more information."
+    exit 1
+fi
 
 # Detect 1: kernel FIPS flag
 fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
@@ -167,10 +180,10 @@ if test $check = 1 ; then
 fi
 
 # Boot configuration
-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
-	echo >&2 "The grubby command is missing, please configure the bootloader manually."
-	boot_config=0
-fi
+# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+# 	echo >&2 "The grubby command is missing, please configure the bootloader manually."
+# 	boot_config=0
+# fi
 
 if test "$boot_config" = 1 && test ! -d /boot ; then
 	echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then
 	fi
 fi
 
+if test "$boot_config" = 1 ; then
+	# Install required packages: patterns-base-fips and perl-Bootloader
+	if test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test ! -x "$(command -v pbl)" && \
+		test "$enable_fips" = 1; then
+            zypper -n install patterns-base-fips perl-Bootloader
+	elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test "$enable_fips" = 1 ; then
+            zypper -n install patterns-base-fips
+	elif test ! -x "$(command -v pbl)" ; then
+            zypper -n install perl-Bootloader
+	fi
+	if test $? != 0 ; then
+            echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
+            boot_config=0
+	fi
+fi
+
 echo "FIPS mode will be $(enable2txt $enable_fips)."
 
 fipsopts="fips=$enable_fips$boot_device_opt"
 
 if test "$boot_config" = 1 ; then
-	grubby --update-kernel=ALL --args="$fipsopts"
-	if test x"$(uname -m)" = xs390x; then
-		if command -v zipl >/dev/null; then
-			zipl
-		else
-			echo -n '`zipl` execution has been skipped: '
-			echo '`zipl` not found.'
-		fi
-	fi
+	pbl --add-option "$fipsopts"
+	pbl --config; pbl --install && dracut -f --regenerate-all
+
+	# grubby --update-kernel=ALL --args="$fipsopts"
+	# if test x"$(uname -m)" = xs390x; then
+	# 	if command -v zipl >/dev/null; then
+	# 		zipl
+	# 	else
+	# 		echo -n '`zipl` execution has been skipped: '
+	# 		echo '`zipl` not found.'
+	# 	fi
+	# fi
+
 	echo "Please reboot the system for the setting to take effect."
 else
 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install
===================================================================
--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install
+++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install
@@ -24,6 +24,15 @@ fi
 
 umask 022
 
+# Install required packages: patterns-base-fips and perl-Bootloader
+if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
+       zypper -n install patterns-base-fips perl-Bootloader
+elif test ! -f $dracut_cfg ; then
+       zypper -n install patterns-base-fips
+elif test ! -x "$(command -v pbl)" ; then
+       zypper -n install perl-Bootloader
+fi
+
 if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
 	# No dracut configuration or boot directory present, do not try to modify it.
 	# Also, on OSTree systems, we currently rely on the initrd already including
@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
 	exit 0
 fi
 
-if test x"$1" == x--complete; then
-	trap "rm -f $dracut_cfg" ERR
-	cat >$dracut_cfg <<EOF
-# turn on fips module
-
-add_dracutmodules+=" fips "
-EOF
-elif test x"$1" == x--undo; then
-	rm -f $dracut_cfg
-fi
-
-echo "Kernel initramdisks are being regenerated. This might take some time."
-
-dracut -f --regenerate-all
-
-# This is supposed to be a fast and safe operation that's always good to run.
-# Regenerating an initrd and skipping it might render the system unbootable
-# (RHBZ#2013195).
-if test x"$(uname -m)" = xs390x; then
-	if command -v zipl >/dev/null; then
-		zipl
-	else
-		echo '`zipl` execution has been skipped: `zipl` not found.'
-	fi
-fi
+# if test x"$1" == x--complete; then
+# 	trap "rm -f $dracut_cfg" ERR
+# 	cat >$dracut_cfg <<EOF
+# # turn on fips module
+
+# add_dracutmodules+=" fips "
+# EOF
+# elif test x"$1" == x--undo; then
+# 	rm -f $dracut_cfg
+# fi
+
+# echo "Kernel initramdisks are being regenerated. This might take some time."
+
+# dracut -f --regenerate-all
+
+# # This is supposed to be a fast and safe operation that's always good to run.
+# # Regenerating an initrd and skipping it might render the system unbootable
+# # (RHBZ#2013195).
+# if test x"$(uname -m)" = xs390x; then
+# 	if command -v zipl >/dev/null; then
+# 		zipl
+# 	else
+# 		echo '`zipl` execution has been skipped: `zipl` not found.'
+# 	fi
+# fi
Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
===================================================================
--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
@@ -45,6 +45,23 @@ Then the command modifies the boot loade
 When disabling the system FIPS mode the system crypto policy is switched
 to DEFAULT and the kernel command line option 'fips=0' is set.
 
+On transactional systems, enabling the system in FIPS mode with the
+fips-mode-setup tool is not implemented. To enable the FIPS mode in these
+systems requires the following steps:
+
+	1.- Install the FIPS pattern on a running system:
+	    # transactional-update pkg install -t pattern microos-fips
+
+	2.- Reboot your system.
+
+	3.- Add the kernel command line parameter fips=1 to the boot loader
+	    configuration. To do so, edit the file /etc/default/grub and add
+	    fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
+
+	4.- After logging in to the system, run:
+	    # transactional-update grub.cfg
+
+	5.- Reboot your system.
 
 [[options]]
 OPTIONS
Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
===================================================================
--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
@@ -8,7 +8,6 @@ check=0
 boot_config=1
 err_if_disabled=0
 output_text=1
-uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
 
 is_ostree_system=0
 if test -f /run/ostree-booted -o -d /ostree; then
@@ -61,18 +60,13 @@ while test $# -ge 1 ; do
 done
 
 if test $usage = 1 -o x$enable_fips = x ; then
-	echo "Check, enable, or disable (unsupported) the system FIPS mode."
+	echo "Check, enable, or disable the system FIPS mode."
 	echo "usage: $0 --enable|--disable [--no-bootcfg]"
 	echo "usage: $0 --check"
 	echo "usage: $0 --is-enabled"
 	exit 2
 fi
 
-if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then
-	echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg."
-	boot_config=0
-fi
-
 # We don't handle the boot config on OSTree systems for now; it is assumed to be
 # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is
 # intrinsically tied to the firstboot procedure.
@@ -186,12 +180,6 @@ if test $check = 1 ; then
 	exit 0
 fi
 
-# Boot configuration
-# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
-# 	echo >&2 "The grubby command is missing, please configure the bootloader manually."
-# 	boot_config=0
-# fi
-
 if test "$boot_config" = 1 && test ! -d /boot ; then
 	echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
 	echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg."
@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$
 	exit 1
 fi
 
-if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \
-		test -x "$(command -v cryptsetup)" ; then
-	# Best-effort detection of LUKS Argon2 usage
-	argon2_found=''
-	# two redundant ways to list device names
-	devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \
-		dmsetup ls --target crypt | cut -f1) \
-		| sort -u)
-		while IFS= read -r devname; do
-			back=$(cryptsetup status "$devname" | \
-				grep -F device: |
-				sed -E 's/.*device:\s+//')
-			if ! test -b "$back"; then
-				echo >&2 -n "Warning: detected device '$back' "
-				echo >&2 -n 'is not a valid block device. '
-				echo >&2 'Cannot check whether it uses Argon2.'
-				continue
-			fi
-			dump=$(cryptsetup luksDump "$back")
-			if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then
-				argon2_found+=" $back($devname)"
-			fi
-		done <<<"$devs"
-	if test -n "$argon2_found" ; then
-		echo >&2 -n "The following encrypted devices use Argon2 PBKDF:"
-		echo >&2 "$argon2_found"
-		echo >&2 'Aborting fips-mode-setup because of that.'
-		echo >&2 -n 'Please refer to the '
-		echo >&2 'cryptsetup-luksConvertKey(8) manpage.'
-		exit 76
-	fi
-fi
-
 if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then
 	if test $enable_fips = 1 ; then
 		echo >&2 "*****************************************************************"
@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING"
 		echo >&2 "*                                                               *"
 		echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *"
 		echo >&2 "* THIS OPERATION CANNOT BE UNDONE.                              *"
-		echo >&2 "* REINSTALL WITH fips=1 INSTEAD.                                *"
 		echo >&2 "*****************************************************************"
 	elif test $enable_fips = 0 ; then
 		echo >&2 "*****************************************************************"
 		echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT...                 *"
 		echo >&2 "*                                                               *"
-		echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED.  *"
+		echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*"
 		echo >&2 "* THIS OPERATION CANNOT BE UNDONE.                              *"
-		echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD.          *"
 		echo >&2 "*****************************************************************"
 	fi
 	for i in {15..1}; do
@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_
 if test "$boot_config" = 1 ; then
 	pbl --add-option "$fipsopts"
 	pbl --config; pbl --install && dracut -f --regenerate-all
-
-	# grubby --update-kernel=ALL --args="$fipsopts"
-	# if test x"$(uname -m)" = xs390x; then
-	# 	if command -v zipl >/dev/null; then
-	# 		zipl
-	# 	else
-	# 		echo -n '`zipl` execution has been skipped: '
-	# 		echo '`zipl` not found.'
-	# 	fi
-	# fi
-
-	echo "Please reboot the system for the setting to take effect."
+	echo "Please reboot the system for the settings to take effect."
 else
 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
-	echo "and reboot the system for the setting to take effect."
+	echo "and reboot the system for the settings to take effect."
 fi
 
 exit 0