
RHEL 10 FIPS adjustments #21264

Merged
merged 4 commits into from
Nov 15, 2024

Commits on Nov 15, 2024

  1. systemd: Fix detection of current crypto policy in FIPS mode

    If FIPS is enabled, /etc/crypto-policies/state/current will still show
    the previous non-FIPS policy. Ask `update-crypto-policies --show` for
    the real policy instead, to avoid second-guessing all of this. Keep the
    watch, as that's useful to detect dynamic changes, but watch the actual
    config file instead, as recommended by FIPS maintainer @neverpanic.
    
    This was spotted in TestSystemInfo.testCryptoPolicies, which first
    enabled FIPS and then tried to test the "EMPTY" profile. This doesn't
    really work, as the end result is still "FIPS". So swap the order.
    martinpitt committed Nov 15, 2024 (commit 24b5660)
  2. systemd: Rewrite crypto policy setting as async

    This will make further conditionals easier, and is generally easier to
    read.
    martinpitt committed Nov 15, 2024 (commit 90becdd)
  3. systemd: Move crypto policies components to useInit()

    useEffect() is not necessary here. This allows us to drop a condition.
    martinpitt committed Nov 15, 2024 (commit 8dca495)
  4. systemd: Only change FIPS policy with fips-mode-setup

    RHEL 10 drops `fips-mode-setup` and only supports enabling FIPS at
    installation time or in bootc images [1]. For testing one can also add `fips=1`
    to the kernel command line, but that (1) causes trouble with a separate
    /boot partition, and (2) is not supported.
    
    So only offer switching to and away from FIPS if `fips-mode-setup` is
    present. Otherwise, if FIPS is already enabled, make the crypto policy
    indicator read-only; if f-m-s is not available, filter out FIPS from the
    available policies.
    
    https://issues.redhat.com/browse/COCKPIT-1185
    martinpitt committed Nov 15, 2024 (commit dae0b2f)
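The detection logic from the first commit (the state file goes stale once FIPS is on, so `update-crypto-policies --show` is the authority) and the policy-offering rules from the fourth commit, written out as an added shell example that is not Cockpit's own code. `CP_ROOT`, the `/proc/sys/crypto/fips_enabled` fallback and the `DEFAULT` fallback when no state file exists are assumptions made here so the logic can be exercised against a constructed directory tree.

```shell
# Added example, not Cockpit's code. CP_ROOT (assumption) prefixes every path
# so the functions can be run against a constructed tree instead of the host.
CP_ROOT="${CP_ROOT:-}"

# effective_crypto_policy: print the policy actually in force.
# /etc/crypto-policies/state/current keeps showing the pre-FIPS policy after
# FIPS is enabled, so it is consulted last.
effective_crypto_policy() {
    # 1. Authoritative, FIPS-aware answer; only meaningful on the real host.
    if [ -z "$CP_ROOT" ] && command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
        return 0
    fi
    # 2. Kernel FIPS flag (assumption: the standard fips_enabled sysctl).
    if [ "$(cat "$CP_ROOT/proc/sys/crypto/fips_enabled" 2>/dev/null)" = "1" ]; then
        echo FIPS
        return 0
    fi
    # 3. Possibly stale state file; DEFAULT if absent (assumption).
    cat "$CP_ROOT/etc/crypto-policies/state/current" 2>/dev/null || echo DEFAULT
}

# fips_switch_available: switching to/from FIPS is only offered when
# fips-mode-setup exists (RHEL 10 drops it).
fips_switch_available() {
    [ -x "$CP_ROOT/usr/bin/fips-mode-setup" ]
}

# selectable_policies POLICY...: what a selector may offer. With
# fips-mode-setup present, everything. Without it: read-only (only the
# current FIPS policy) when FIPS is already on, otherwise FIPS filtered out.
selectable_policies() {
    current=$(effective_crypto_policy)
    if fips_switch_available; then
        printf '%s\n' "$@"
    elif [ "$current" = FIPS ]; then
        echo FIPS
    else
        for p in "$@"; do
            [ "$p" = FIPS ] || echo "$p"
        done
    fi
}
```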