Backport fips-crypto-policies module #23
Conversation
For a system that uses crypto-policies to be switched to FIPS mode correctly, it needs to be - booted with `fips=1` on the kernel command line - switched to the FIPS crypto-policy (or a policy derived from it) - have the fips dracut module enabled On older systems, there were additional steps, for example, creating `/etc/system-fips`. We have repeatedly seen inconsistencies between those different toggles, either because the user space tooling to switch between those does not (for reliability, maintainability, and compliance reasons) undo some of the steps it does when disabling FIPS mode, or because other installation methods (bootc, containers, image builder) independently do some of those steps. Eventually, all of these ended with user confusion. We can avoid this situation by eliminating the difference by treating the `fips=1` kernel command line switch as a single source of truth, and making all others follow automatically. This module provides this for crypto-policies, by adding bind-mounts before pivot if the system has not already been switched to a FIPS-based crypto-policy. This requires some support from the crypto-policies package (because it needs to deal with the bind mounts when a user calls `update-crypto-policies --set`), so make it a no-op unless - `fips=1` is on the kernel command line - crypto-policies is installed - crypto-policies supports the bind-mounts (indicated by the presence of the `default-fips-config` file) - the policy isn't already FIPS These checks should make this safe to add to the initramfs on all current systems. The bind-mounts also need to happen in the initramfs already, because systemd links against OpenSSL, and doing them later means that systemd will start with an OpenSSL configuration that isn't tailored for FIPS. See also [1], which adds the user space support to crypto-policies, along with a systemd service that does the same steps in case dracut hasn't already done them (which is useful for environments that don't use an initramfs like containers). [1]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/191 (cherry picked from commit bd3c1e1cc2f656f7ee4ff47e00ca716d52a86a3d) Signed-off-by: Clemens Lang <[email protected]> Resolves: RHEL-59678
(cherry picked from commit a2096dafdbfc88eed91ce34b1f4d27e7eb7ca839)
Conflicts:
modules.d/01fips-crypto-policies/module-setup.sh
Due to upstream e6117b92fa0108dbaf9ea3ac0ec8f5a02487c812, which
was not cherry-picked. Resolved the conflict by keeping the
functions (i.e., undoing the cleanup of the upstream commit).
Resolves: RHEL-59678
Signed-off-by: Clemens Lang <[email protected]> Resolves: RHEL-59678
|
Ci failures seem to be caused be the lack of EPEL 10: |
|
@pvalena Any feedback on this? We'd like to land this early in the 10 GA dev cycle so we can rip out |
|
I will upgrade to 103 first (identically to Fedora), which would resolve this as well, right? EDIT: I'll make sure to do this ASAP. |
Unfortunately not, this isn't in 103. I can open a PR once you've rebased to 103, though, if that helps?
That would be much appreciated. |
I will include all Fedora downstream patches in the rebase to 103. |
|
@pvalena Did you have a chance to start this yet? |
|
@pvalena Ping – sorry for asking yet again, but this is on the critical path for us to remove |
Sorry, yes, I'm working on it, fixing the patch collisions; don't want any regression. Will post some update / PR / scrach builds soon.
Yes, sorry for the delay; it'll be ready in time for CTC1. |
|
Closing in favor of #24; please check the changes & test the (incoming) scratch builds, if you can. |
See also redhat-plumbers/dracut-fedora#35 and redhat-plumbers/dracut-fedora#39.
Users that enable FIPS mode using
fips-mode-seutp --enableand later disable it usingfips-mode-setup --disablecommonly notice thatfips-mode-setup --checktells them that their system is in an inconsistent state. This is because (among other things)fips-mode-setup --disabledoes not undo adding thefipsmodule to the initramfs out of an abundance of caution to avoid breaking a system's boot.This situation is not great, because users are often confused by the
fips-mode-setup --checkmessage and will not stop usingfips-mode-setup --disable(despite the manpage clearly saying that it's for testing purposes only and unsupported).We plan on solving this issue once and for all in CentOS 10 Stream by eliminating the possibility of inconsistency. For this to work, we need a single source of truth that decides whether FIPS is enabled or not, and all other parts need to follow along automatically. The obvious choice for the single source of truth is the kernel command line, i.e. if it contains fips=1, FIPS should be enabled, if it doesn't or it contains fips=0, FIPS mode should be disabled.
This backport from upstream achieves a significant part of that, by automatically switching the crypto-policy to FIPS on systems booted with
fips=1on the kernel command line. The crypto-policies package has been adjusted to detect and transparently deal with situation (especially during package updates) in C10S with commit ef8e09a7e4fccdf00ccad630fdfaf60480dc29f2.Cherry picked from commits bd3c1e1cc2f656f7ee4ff47e00ca716d52a86a3d and a2096dafdbfc88eed91ce34b1f4d27e7eb7ca839.
Related: CRYPTO-13556
Resolves: RHEL-59678