crypto-policies/crypto-policies-FIPS.patch
Pedro Monreal Gonzalez 743dc266bd Accepting request 1089054 from home:pmonrealgonzalez:branches:security:tls
- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
  and fips-finish-install commands, add also the man pages. The
  required FIPS modules are left to be installed by the user.
  * Rebase crypto-policies-FIPS.patch

- Revert a breaking change that introduces the config option
  rh-allow-sha1-signatures that is unknown to OpenSSL and fails
  on startup. We will consider adding this option to openssl.
  * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
  * Add crypto-policies-revert-rh-allow-sha1-signatures.patch

  * Skip not needed LibreswanGenerator and SequoiaGenerator:

OBS-URL: https://build.opensuse.org/request/show/1089054
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=16
2023-05-25 16:40:03 +00:00


Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup
+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
@@ -7,6 +7,7 @@ enable_fips=
check=0
boot_config=1
err_if_disabled=0
+fips_install_complete=0
output_text=1
is_ostree_system=0
@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test
exit 1
fi
-
-if [ "$(id -u)" != 0 ]; then
- echo "You must be root to run $(basename $0)"
- exit 1
-fi
-
-
-# Detect 1: kernel FIPS flag
-fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-
-# Detect 2: initramfs fips module presence; not always can be done
-initramfs_fips_module=0
-initramfs_inspectable=0
-if test -d /boot -a -x /usr/bin/lsinitrd; then
- initramfs_inspectable=1
- if lsinitrd -m 2>/dev/null | grep -Fxq fips; then
- initramfs_fips_module=1
+if test "$enable_fips" = 1 ; then
+ # Check the required FIPS modules are installed
+ if test ! -x "$(command -v grubby)" -o ! -f /usr/share/doc/packages/patterns/fips.txt -o ! -f /etc/dracut.conf.d/40-fips.conf; then
+ cond_echo "Installation of FIPS modules is not complete."
+ cond_echo "Please, install grubby and the fips pattern."
+ exit 1
fi
fi
-# Detect 3: crypto-policy base policy
-current_policy="$(cat /etc/crypto-policies/state/current)"
-base_policy="$(echo $current_policy| cut -f 1 -d :)"
-if test "$base_policy" == "FIPS" ; then
- base_policy_is_fips=1
-else
- base_policy_is_fips=0
+if test "$enable_fips" = 1 ; then
+ if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
+ fips_install_complete=1
+ fi
fi
-
if test $check = 1 ; then
- # Look for signs for both enabling and disabling FIPS mode
- fips_positive=0
- fips_negative=0
-
- # Display 1: kernel FIPS flag
- cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)."
-
- # Display 2: initramfs fips module
- if test "$initramfs_inspectable" = 1 ; then
- cond_echo -n "Initramfs fips module is "
- cond_echo "$(enable2txt $initramfs_fips_module)."
- fi
-
- # Display 3: active crypto-policy
- cond_echo -n "The current crypto policy ($current_policy) "
- if test "$base_policy_is_fips" == 1 ; then
- cond_echo 'is based on the FIPS policy.'
- else
- cond_echo -n 'neither is the FIPS policy '
- cond_echo 'nor is based on the FIPS policy.'
- fi
-
- # Decide 1: kernel FIPS flag
- if test "$fips_kernel_enabled" = 1 ; then
- fips_positive=1
- else
- fips_negative=1
- fi
-
- # Decide 2: initramfs module presence
- if test "$initramfs_inspectable" = 1 ; then
- if test "$initramfs_fips_module" = 1 ; then
- fips_positive=1
- else
- fips_negative=1
+ test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not complete."
+ fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
+ cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
+ if test "$fips_enabled" = 1 ; then
+ if test $fips_install_complete = 0 ; then
+ cond_echo "Inconsistent state detected."
+ exit 1
+ fi
+ current="$(cat /etc/crypto-policies/state/current)"
+ if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
+ cond_echo -n "The current crypto policy ($current) "
+ cond_echo -n 'neither is the FIPS policy '
+ cond_echo 'nor is based on the FIPS policy.'
+ cond_echo 'Inconsistent state detected.'
+ exit 1
fi
- fi
-
- # Decide 3: active crypto-policy
- if test "$base_policy_is_fips" = 1 ; then
- fips_positive=1
else
- fips_negative=1
- fi
-
- # Make the FIPS mode consistency decision
- if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then
- cond_echo 'Inconsistent state detected.'
- exit 1
+ if test $fips_install_complete = 1 ; then
+ cond_echo "Inconsistent state detected."
+ exit 1
+ fi
+ current="$(cat /etc/crypto-policies/state/current)"
+ if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then
+ cond_echo -n "The current crypto policy ($current) "
+ cond_echo -n 'is based on the FIPS policy, '
+ cond_echo 'but FIPS mode is not enabled.'
+ cond_echo 'Inconsistent state detected.'
+ exit 1
+ fi
fi
-
- # Error out if `--is-enabled` was passed and FIPS mode is not enabled
- if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then
- cond_echo 'FIPS mode is not enabled.'
+ if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then
exit 2
fi
-
exit 0
fi
+if [ "$(id -u)" != 0 ]; then
+ echo "You must be root to run $(basename $0)"
+ exit 1
+fi
if test $enable_fips = 1 ; then
- if test "$initramfs_fips_module" = 0 ; then
+ if test $fips_install_complete = 1 ; then
fips-finish-install --complete
if test $? != 0 ; then
- echo "Installation of FIPS modules could not be completed."
+ echo "Installation of FIPS modules could not be completed."
exit 1
fi
fi
- if test "$base_policy_is_fips" == 1 ; then
- cond_echo -n 'Preserving current FIPS-based policy '
- cond_echo "${current_policy}."
+ target="$(cat /etc/crypto-policies/state/current)"
+ if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then
+ cond_echo "Preserving current FIPS-based policy ${target}."
cond_echo -n 'Please review the subpolicies to ensure they '
cond_echo 'only restrict, not relax the FIPS policy.'
else
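Review bot: In check mode the new code never computes fips_install_complete, so a host whose kernel flag is set is reported as inconsistent: the detection block guarded by the second `if test "$enable_fips" = 1 ; then` (the one running `lsinitrd -f etc/system-fips`) only executes for --enable, while the `test $check = 1` branch prints "Installation of FIPS modules is not complete." and then, because `$fips_install_complete` is still 0 from its initialisation, exits 1 with "Inconsistent state detected." whenever fips_enabled is 1. That assumes `--check`/`--is-enabled` leave enable_fips empty, which the option parsing outside this hunk would confirm; if so, the guard should read `if test "$enable_fips" = 1 || test $check = 1 ; then`. Separately, the detection expression `... || test $? = 2 && echo y` parses as `(lsinitrd ... || test $? = 2) && echo y`, so `y` is emitted whenever lsinitrd exits 0 regardless of whether etc/system-fips was found; if lsinitrd returns 0 for a missing file, the initramfs content is never actually examined and only the `! -d /boot -o ! -x /usr/bin/lsinitrd` leg decides, so the intended exit-status contract should be checked and the grouping made explicit with braces. The `-o` operands in both `test` calls are the deprecated, ambiguous form; `test A || test B` would read unambiguously.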
@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then
boot_device_opt=" boot=UUID=<your-boot-device-uuid>"
boot_config=0
else
- if test "$boot_device" = / ; then
- boot_device_opt=""
- else
- boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
- fi
+ if test "$boot_device" = / ; then
+ boot_device_opt=""
+ else
+ boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
+ fi
fi
if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
@@ -39,8 +39,15 @@ system crypto policy to FIPS
(unless the policy has already been set to FIPS plus subpolicies on top,
in which case the currently active subpolicies is retained).
+Some required FIPS modules (grubby, fips pattern) might not be
+installed by default. These can be installed in SUSE/openSUSE with
+the following command:
+
+ zypper in -y grubby && zypper in -y -t pattern fips
+
Then the command modifies the boot loader configuration to add
'fips=1' and 'boot=<boot-device>' options to the kernel command line.
+Note that, grubby could show a harmless warning about leaked file descriptors.
When disabling the system FIPS mode the system crypto policy is switched
to DEFAULT and the kernel command line option 'fips=0' is set.