✨ Enable FIPS mode for IPA if system is in FIPS mode #535
Conversation
metal3-io-bot
added
the
size/S
elfosardo
force-pushed
the
enable-fips-ipa
branch
2 times, most recently
from
c97acfa
to
c59fef7
Compare
|
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main |
|
1 similar comment
|
/test metal3-ubuntu-e2e-integration-test-main |
|
/lgtm |
scripts/configure-ironic.sh
Outdated
| @@ -86,6 +86,9 @@ mkdir -p /shared/ironic_prometheus_exporter | |||
|
|
|||
| configure_json_rpc_auth | |||
|
|
|||
| ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled) | |||
There was a problem hiding this comment.
Is this file guaranteed to exist on Centos? It does not exist on my Ubuntu machine, which would result in empty variable, instead of 0 or 1.
There was a problem hiding this comment.
this should be guarantee existing in FIPS enabled kernels, including ubuntu, since at least 4 years
I don't recall exactly the kernel version, but I'm quite sure the file exists since at least RHEL/CENTOS 7.6 and Ubuntu 16.0.4
There was a problem hiding this comment.
found it, a bit older than 4 years :)
https://www.kernelconfig.io/config_crypto_fips
There was a problem hiding this comment.
It still isn't present on Ubuntu 22.04 by default tho. Obviously my desktop kernel isn't FIPS enabled.
Whats the behavior of the flag if it isn't 0 or 1 but empty? simple_strtol used by fips.c isn't well documented.
There was a problem hiding this comment.
probably only very latest kernels are all compiled with fips support by default
I guess I can add a test for the file, just to be on the safe side
|
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main |
If FIPS is enabled in the hosts we should also run IPA in FIPS mode. It is possible to enable FIPS directly at kernel level using the fips option, determining the FIPS status for example from the cryptographic module and specifically the /proc/sys/crypto/fips_enabled file; if the file contains 1 then the system is in FIPS mode, if it contains 0 the FIPS algorithms are disabled. Therefore the value of the fips kernel option is 0 (default) if FIPS is disabled, or 1 if enabled. Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
elfosardo
force-pushed
the
enable-fips-ipa
branch
from
c59fef7
to
0ddffa5
Compare
|
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dtantsur The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
metal3-io-bot
added
the
approved
If FIPS is enabled in the hosts we should also run IPA in FIPS mode. It is possible to enable FIPS directly at kernel level using the fips option, determining the FIPS status for example from the cryptographic module and specifically the
/proc/sys/crypto/fips_enabled file; if the file contains 1 then the system is in FIPS mode, if it contains 0 the FIPS algorithms are disabled.
Therefore the value of the fips kernel option is 0 (default) if FIPS is disabled, or 1 if enabled.