RHEL 10 FIPS adjustments #21264
RHEL 10 FIPS adjustments #21264
Conversation
|
|
||
| try { | ||
| if (policy === "FIPS") { | ||
| await setup_fips("--enable", ["set", "fips=1"]); |
There was a problem hiding this comment.
There's a bit of a catch here. Switching to FIPS by adding fips=1 to the kernel command line is only sufficient if /boot is not on a separate partition. If it is, adding fips=1 without adding boot=UUID=$boot_uuid flag will cause the boot to fail because the initramfs can no longer figure out where to find the HMAC and kernel image to do the required integrity check.
So if you're implementing functionality to enable FIPS mode, I'd recommend you also add boot=UUID=$(blkid --output value --match-tag UUID $(findmnt --first --noheadings -o SOURCE /boot)).
There was a problem hiding this comment.
Meh -- that's exactly the kind of quirk that makes it hard to do and to document, i.e. what the fips-mode-setup helper was good at. By asking users to do that (manually, in Ansible deployments, bootc container builds, and what not), that'd reintroduce brittleness. If there is no choice here, why can't the dracut magic do that by itself?
There was a problem hiding this comment.
@neverpanic Maybe a better alternative would be to drop the FIPS mode enabling if fips-mode-setup isn't available -- as far as I understood your mail, you don't support enabling FIPS mode after installation any more?
There was a problem hiding this comment.
Done, it never offers enabling/disabling FIPS without fips-mode-setup now.
|
For future records, the "support fips=1 enablement" approach was commit 1a8c831. But as the announcement email said quite explicitly
and @neverpanic mentioned the potential breakage with the I'll rework this to disable the FIPS switching if |
If FIPS is enabled, /etc/crypto-policies/state/current will still show the previous non-FIPS policy. Ask `update-crypto-policies --show` for the real policy instead, to avoid second-guessing all of this. Keep the watch, as that's useful to detect dynamic changes, but watch the actual config file instead, as recommended by FIPS maintainer @neverpanic. This was spotted in TestSystemInfo.testCryptoPolicies, which first enabled FIPS and then tried to test the "EMPTY" profile. This doesn't really work, as the end result is still "FIPS". So swap the order.
This will make further conditionals easier, and is generally easier to read.
useEffect() is not necessary here. This allows us to drop a condition.
RHEL 10 drops the `fips-mode-setup` and only supports enabling FIPS on installation or bootc images [1]. For testing one can also add `fips=1` to the kernel command line, but that (1) causes trouble with separate /boot partition, and (2) is not supported. So only offering switching to and away from FIPS if `fips-mode-setup` is present. Otherwise, if FIPS is already enabled, make the crypto policy indicator readonly; if f-m-s is not available, filter out FIPS from available policies. https://issues.redhat.com/browse/COCKPIT-1185
| promise.then(() => cockpit.spawn(["shutdown", "--reboot", "now"], { superuser: "require", err: "message" })) | ||
| .catch(error => setError(error)) | ||
| .finally(() => setInProgress(false)); | ||
| await cockpit.spawn(["shutdown", "--reboot", "now"], { superuser: "require", err: "message" }); |
There was a problem hiding this comment.
Technically should use cockpit.hint('restart'); but that is another issue.
| // Ask crypto-policies to get correct FIPS state, as that dominates the configured policy | ||
| try { | ||
| setCurrentCryptoPolicy((await cockpit.spawn(["update-crypto-policies", "--show"])).trim()); | ||
| } catch (error) { |
There was a problem hiding this comment.
This added line is not executed by any test.
|
|
||
| const policyRender = (currentCryptoPolicy.startsWith("FIPS") && !fipsConfigurable) | ||
| /* read-only mode; can't switch away from FIPS without fips-mode-setup */ | ||
| ? <span id="crypto-policy-current">{displayProfileText(currentCryptoPolicy)}</span> |
There was a problem hiding this comment.
This added line is not executed by any test.
| } catch (error) { | ||
| setError(error); | ||
| } finally { |
There was a problem hiding this comment.
These 3 added lines are not executed by any test.
|
|
||
| useInit(() => { | ||
| cockpit.file("/etc/crypto-policies/state/current") | ||
| .watch(content => setCurrentCryptoPolicy(content ? content.trim().split(':', 1)[0] : undefined)); |
There was a problem hiding this comment.
This added line is not executed by any test.
See commit logs for details.
https://issues.redhat.com/browse/COCKPIT-1185
Testing:
fips-mode-setup, so this PR shouldn't cause any regressions.TestSystemInfo.testCryptoPoliciesandTestSystemInfo.testInconsistentCryptoPolicyshould go green. see the test output, this is exactly as expected.