✨ Enable FIPS mode for IPA if system is in FIPS mode #535
Conversation
c97acfa to c59fef7
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main
/lgtm
scripts/configure-ironic.sh
Outdated
@@ -86,6 +86,9 @@ mkdir -p /shared/ironic_prometheus_exporter | |||
|
|||
configure_json_rpc_auth | |||
|
|||
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled) |
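Review bot: `ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)` has no guard for a missing file. On kernels built without FIPS support the file is absent (as a reviewer observes for a default Ubuntu 22.04 desktop kernel), so `cat` writes an error to stderr and the variable is left empty instead of the 0 the commit message describes as the default. Suggest testing for the file first and falling back to 0, e.g. `if [ -f /proc/sys/crypto/fips_enabled ]; then ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled); else ENABLE_FIPS_IPA=0; fi`, and treating any value other than 1 as FIPS disabled.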
Is this file guaranteed to exist on CentOS? It does not exist on my Ubuntu machine, which would result in an empty variable instead of 0 or 1.
This should be guaranteed to exist in FIPS-enabled kernels, including Ubuntu, since at least 4 years ago.
I don't recall exactly the kernel version, but I'm quite sure the file has existed since at least RHEL/CentOS 7.6 and Ubuntu 16.0.4.
found it, a bit older than 4 years :)
https://www.kernelconfig.io/config_crypto_fips
It still isn't present on Ubuntu 22.04 by default though. Obviously my desktop kernel isn't FIPS enabled.
What's the behavior of the flag if it isn't 0 or 1 but empty? simple_strtol, used by fips.c, isn't well documented.
probably only very latest kernels are all compiled with fips support by default
I guess I can add a test for the file, just to be on the safe side
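The test for the file that the discussion above converges on, written out as an added shell example (this is not code from the PR or from the ironic-image project). The function `fips_flag` and its optional path argument are constructed for this example; it reads `/proc/sys/crypto/fips_enabled` by default, and treats a missing file, an empty file, or any content other than `1` as "FIPS disabled", so the resulting variable is always `0` or `1` and never empty.

```shell
#!/bin/sh
# Added example, not the PR's own code: read the kernel FIPS flag defensively.
# /proc/sys/crypto/fips_enabled is absent on kernels built without FIPS support,
# so a bare `cat` would leave the variable empty and print an error to stderr.

# fips_flag [PATH]
#   Prints "1" only when PATH exists and its first line, minus whitespace, is "1".
#   Prints "0" otherwise (missing or unreadable file, empty file, any other value).
#   PATH defaults to the real sysctl file; the parameter exists so the logic can
#   be exercised against constructed files.
fips_flag() {
    path="${1:-/proc/sys/crypto/fips_enabled}"
    value=""
    if [ -r "$path" ]; then
        # Only the first line matters; strip whitespace so "1\n" and " 1 " both match.
        value=$(head -n 1 "$path" 2>/dev/null | tr -d '[:space:]')
    fi
    case "$value" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Demonstration against constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/enabled"
printf '0\n' > "$demo_dir/disabled"
: > "$demo_dir/empty"                # file exists but is empty

# What the configure script would do: the variable is guaranteed to be 0 or 1.
ENABLE_FIPS_IPA=$(fips_flag)
echo "this host:     ENABLE_FIPS_IPA=$ENABLE_FIPS_IPA"
echo "enabled file:  $(fips_flag "$demo_dir/enabled")"
echo "disabled file: $(fips_flag "$demo_dir/disabled")"
echo "empty file:    $(fips_flag "$demo_dir/empty")"
echo "missing file:  $(fips_flag "$demo_dir/does-not-exist")"

rm -rf "$demo_dir"
```

Defaulting to `0` on anything other than a literal `1` matches the semantics in the commit message (0 is the default, 1 means FIPS is enabled) and avoids passing an empty string through to IPA's configuration.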
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main
If FIPS is enabled in the hosts we should also run IPA in FIPS mode. It is possible to enable FIPS directly at kernel level using the fips option, determining the FIPS status for example from the cryptographic module and specifically the /proc/sys/crypto/fips_enabled file; if the file contains 1 then the system is in FIPS mode, if it contains 0 the FIPS algorithms are disabled. Therefore the value of the fips kernel option is 0 (default) if FIPS is disabled, or 1 if enabled. Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
c59fef7 to 0ddffa5
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main
/lgtm
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dtantsur The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing