Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup
+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
@@ -7,6 +7,7 @@ enable_fips=
 check=0
 boot_config=1
 err_if_disabled=0
+fips_install_complete=0
 output_text=1
 is_ostree_system=0
@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test
 exit 1
 fi
-
-if [ "$(id -u)" != 0 ]; then
- echo "You must be root to run $(basename $0)"
- exit 1
-fi
-
-
-# Detect 1: kernel FIPS flag
-fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-
-# Detect 2: initramfs fips module presence; not always can be done
-initramfs_fips_module=0
-initramfs_inspectable=0
-if test -d /boot -a -x /usr/bin/lsinitrd; then
- initramfs_inspectable=1
- if lsinitrd -m 2>/dev/null | grep -Fxq fips; then
- initramfs_fips_module=1
+if test "$enable_fips" = 1 ; then
+ # Check the required FIPS modules are installed
+ if test ! -x "$(command -v grubby)" -o ! -f /usr/share/doc/packages/patterns/fips.txt -o ! -f /etc/dracut.conf.d/40-fips.conf; then
+ cond_echo "Installation of FIPS modules is not complete."
+ cond_echo "Please, install grubby and the fips pattern."
+ exit 1
 fi
 fi
-# Detect 3: crypto-policy base policy
-current_policy="$(cat /etc/crypto-policies/state/current)"
-base_policy="$(echo $current_policy| cut -f 1 -d :)"
-if test "$base_policy" == "FIPS" ; then
- base_policy_is_fips=1
-else
- base_policy_is_fips=0
+if test "$enable_fips" = 1 ; then
+ if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
+ fips_install_complete=1
+ fi
 fi
-
 if test $check = 1 ; then
- # Look for signs for both enabling and disabling FIPS mode
- fips_positive=0
- fips_negative=0
-
- # Display 1: kernel FIPS flag
- cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)."
-
- # Display 2: initramfs fips module
- if test "$initramfs_inspectable" = 1 ; then
- cond_echo -n "Initramfs fips module is "
- cond_echo "$(enable2txt $initramfs_fips_module)."
- fi
-
- # Display 3: active crypto-policy
- cond_echo -n "The current crypto policy ($current_policy) "
- if test "$base_policy_is_fips" == 1 ; then
- cond_echo 'is based on the FIPS policy.'
- else
- cond_echo -n 'neither is the FIPS policy '
- cond_echo 'nor is based on the FIPS policy.'
- fi
-
- # Decide 1: kernel FIPS flag
- if test "$fips_kernel_enabled" = 1 ; then
- fips_positive=1
- else
- fips_negative=1
- fi
-
- # Decide 2: initramfs module presence
- if test "$initramfs_inspectable" = 1 ; then
- if test "$initramfs_fips_module" = 1 ; then
- fips_positive=1
- else
- fips_negative=1
+ test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not complete."
+ fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
+ cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
+ if test "$fips_enabled" = 1 ; then
+ if test $fips_install_complete = 0 ; then
+ cond_echo "Inconsistent state detected."
+ exit 1
+ fi
+ current="$(cat /etc/crypto-policies/state/current)"
+ if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
+ cond_echo -n "The current crypto policy ($current) "
+ cond_echo -n 'neither is the FIPS policy '
+ cond_echo 'nor is based on the FIPS policy.'
+ cond_echo 'Inconsistent state detected.'
+ exit 1
 fi
- fi
-
- # Decide 3: active crypto-policy
- if test "$base_policy_is_fips" = 1 ; then
- fips_positive=1
 else
- fips_negative=1
- fi
-
- # Make the FIPS mode consistency decision
- if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then
- cond_echo 'Inconsistent state detected.'
- exit 1
+ if test $fips_install_complete = 1 ; then
+ cond_echo "Inconsistent state detected."
+ exit 1
+ fi
+ current="$(cat /etc/crypto-policies/state/current)"
+ if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then
+ cond_echo -n "The current crypto policy ($current) "
+ cond_echo -n 'is based on the FIPS policy, '
+ cond_echo 'but FIPS mode is not enabled.'
+ cond_echo 'Inconsistent state detected.'
+ exit 1
+ fi
 fi
-
- # Error out if `--is-enabled` was passed and FIPS mode is not enabled
- if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then
- cond_echo 'FIPS mode is not enabled.'
+ if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then
 exit 2
 fi
-
 exit 0
 fi
+if [ "$(id -u)" != 0 ]; then
+ echo "You must be root to run $(basename $0)"
+ exit 1
+fi
 if test $enable_fips = 1 ; then
- if test "$initramfs_fips_module" = 0 ; then
+ if test $fips_install_complete = 1 ; then
 fips-finish-install --complete
 if test $? != 0 ; then
- echo "Installation of FIPS modules could not be completed."
+ echo "Installation of FIPS modules could not be completed."
 exit 1
 fi
 fi
- if test "$base_policy_is_fips" == 1 ; then
- cond_echo -n 'Preserving current FIPS-based policy '
- cond_echo "${current_policy}."
+ target="$(cat /etc/crypto-policies/state/current)"
+ if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then
+ cond_echo "Preserving current FIPS-based policy ${target}."
 cond_echo -n 'Please review the subpolicies to ensure they '
 cond_echo 'only restrict, not relax the FIPS policy.'
 else
@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then
 boot_device_opt=" boot=UUID="
 boot_config=0
 else
- if test "$boot_device" = / ; then
- boot_device_opt=""
- else
- boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
- fi
+ if test "$boot_device" = / ; then
+ boot_device_opt=""
+ else
+ boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
+ fi
 fi
 if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
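Review bot: `fips_install_complete` is computed only inside the second `if test "$enable_fips" = 1 ; then` block, yet the `--check` path below reads it, so unless the option parsing (outside this hunk) also sets `enable_fips` for `--check`, every check prints "Installation of FIPS modules is not complete." and a host whose kernel flag is 1 exits 1 with "Inconsistent state detected."; the detection should run unconditionally, i.e. drop that `enable_fips` guard and keep the bare `if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o … ; then … fi`. The probe inside it is also misleading: `lsinitrd … || test $? = 2 && echo y` parses as `(lsinitrd … || test $? = 2) && echo y`, so `y` is emitted whenever lsinitrd exits 0, independent of whether etc/system-fips was actually found — spell the intended condition out as an explicit `if`/`else`. The flag's meaning is then contradictory between its consumers: the check path treats kernel fips=1 with `fips_install_complete=0` as inconsistent, while the enable path runs `fips-finish-install --complete` only when it is 1, so one of the two uses looks inverted; add a comment above the assignment stating what 1 means, e.g. `# 1 = initramfs not inspectable (no /boot or lsinitrd) or the lsinitrd probe printed something`. The moved root check now sits after the `--check` branch, which reads /proc and /etc/crypto-policies/state/current only, so that reordering looks fine.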
@@ -39,8 +39,15 @@ system crypto policy to FIPS (unless the policy has already been set to FIPS plus subpolicies on top, in which case the currently active subpolicies is retained). +Some required FIPS modules (grubby, fips pattern) might not be +installed by default. These can be installed in SUSE/openSUSE with +the following command: + + zypper in -y grubby && zypper in -y -t pattern fips + Then the command modifies the boot loader configuration to add 'fips=1' and 'boot=' options to the kernel command line. +Note that, grubby could show a harmless warning about leaked file descriptors. When disabling the system FIPS mode the system crypto policy is switched to DEFAULT and the kernel command line option 'fips=0' is set.