
FIPS on Fedora and RHEL 8/9 images #282

Merged

Conversation

@mmartinv (Contributor) commented Nov 28, 2023

  • feat: enable FIPS customization in OS pipeline
  • feat: enable FIPS customization in Anaconda tar installer
  • feat: Enable FIPS customization for RHEL 9
  • feat: Enable FIPS customization for RHEL 8
  • feat: Enable FIPS customization for Fedora

@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch from 9e8a721 to 17d1877 November 28, 2023 10:26
@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch 3 times, most recently from 6fd51b9 to cd6e93b November 28, 2023 22:17
@evgenyz (Contributor) commented Nov 28, 2023

Just to be clear here: the current ssg (0.1.69) won't try to enable FIPS during the oscap remediation phase since it caused trouble with the bootloader. The idea is to keep it that way and use the Blueprint instead, as we do with partitions and packages.

What would be the Blueprint snippet to enable FIPS, BTW?

@kingsleyzissou (Contributor) commented

The docs PR for the syntax is here:

osbuild/guides#154

Should just be:

fips = true

@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch from cd6e93b to 00bff4a November 30, 2023 17:41
@kingsleyzissou (Contributor) commented

FTR I'm testing this locally. Just ran into one or two issues, will report back.

@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch from 00bff4a to 716dc1a December 4, 2023 18:29
@mmartinv (Contributor, Author) commented Dec 5, 2023

> FTR I'm testing this locally. Just ran into one or two issues, will report back.

It looks like the oscap remediation stage was setting the system's crypto policy to DEFAULT after it was set to FIPS by the update-crypto-policies stage, so I moved the latter to run just after the former.

@mmartinv (Contributor, Author) commented Dec 5, 2023

I also posted osbuild/osbuild#1484 to fix RHEL/CentOS 8 builds.

@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch from 716dc1a to 8e43aa9 December 5, 2023 07:20
@mmartinv mmartinv marked this pull request as ready for review December 5, 2023 07:29
@kingsleyzissou (Contributor) commented

> It looks like the oscap remediation stage was setting the system's crypto policy to DEFAULT after it was set to FIPS by the update-crypto-policies stage, so I moved the latter to run just after the former.

Yeah, this was the issue I was running into; I haven't had time to get back to it. Thanks for that.

@evgenyz (Contributor) commented Dec 5, 2023

> FTR I'm testing this locally. Just ran into one or two issues, will report back.

> It looks like the oscap remediation stage was setting the system's crypto policy to DEFAULT after it was set to FIPS by the update-crypto-policies stage, so I moved the latter to run just after the former.

That's not good. Ideally oscap should not switch the policy from FIPS if it is set in the profile, and should use the FIPS mode to adjust its behaviour.

Which profile does that?

@evgenyz (Contributor) commented Dec 5, 2023

OTOH, if the profile requires a different policy, it should be OK that the FIPS mode is reset as the result of remediation.

TL;DR: FIPS mode should be set before the oscap stage. If there is a discrepancy in the behaviour, it should be solved on the oscap/CaC side.

@evgenyz (Contributor) commented Dec 5, 2023

I'd even say that you should isolate the enablement of the Blueprint's fips=1 itself from the oscap stages. We'll deal with oscap later.

@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch 2 times, most recently from 432686c to 0d61685 December 11, 2023 09:48
@mmartinv (Contributor, Author) commented Dec 11, 2023

> That's not good. Ideally oscap should not switch the policy from FIPS if it is set in the profile, and should use the FIPS mode to adjust its behaviour.

> Which profile does that?

The blueprint configuration regarding oscap is:

      "openscap": {
        "profile_id": "xccdf_org.ssgproject.content_profile_pci-dss",
        "tailoring": {
          "selected": [
            "bind_crypto_policy"
          ],
          "unselected": [
            "rpm_verify_hashes",
            "enable_fips_mode"
          ]
        }
      }

I also tested by removing enable_fips_mode from the unselected rules, but the result is the same: the crypto policy is reset to the DEFAULT policy. I guess the problem is bind_crypto_policy, maybe?

@mmartinv (Contributor, Author) commented Dec 11, 2023

Instead of using a copy of the all-with-oscap.json configuration, I used all-customizations.json and added "fips": true. Everything should work now.

@evgenyz (Contributor) commented Dec 11, 2023

> That's not good. Ideally oscap should not switch the policy from FIPS if it is set in the profile, and should use the FIPS mode to adjust its behaviour.
> Which profile does that?

>         "profile_id": "xccdf_org.ssgproject.content_profile_pci-dss",
>         "tailoring": {
>           "selected": [
>             "bind_crypto_policy"

The PCI-DSS profile does not require FIPS mode. It also ensures that DEFAULT crypto policy is in effect. No surprises here.

>           "unselected": [
>             "rpm_verify_hashes",
>             "enable_fips_mode"

> I also tested by removing enable_fips_mode from the unselected rules, but the result is the same: the crypto policy is reset to the DEFAULT policy. I guess the problem is bind_crypto_policy, maybe?

The PCI-DSS profile actually does not have the enable_fips_mode rule enabled. But even if it did, the rule wouldn't be executed with the current version of the ssg content, as it is disabled globally in the osbuild env.

Anyhow, as I said, just get rid of the oscap section. Test only the BP customization itself. The oscap stage will be bootstrapped with the initial BP customization and won't interfere unless misconfigured (but we'll deal with that ourselves).
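The failure mode discussed above (kernel FIPS on, but the crypto policy reset to DEFAULT by a later stage) is easy to miss if only one of the two is checked. The following is an added example, not code from the PR or from osbuild: a POSIX shell check that verifies all three pieces together, run here against a constructed sample tree (labelled as such) instead of a real image; the only assumption is the ROOT prefix, the file paths are the standard Fedora/RHEL ones.

```shell
#!/bin/sh
# Added example, not code from the PR or from osbuild. Verifies that a system
# (ROOT="" means the live system) or a tree under ROOT has FIPS enabled
# consistently: kernel FIPS mode on, fips=1 on the kernel command line, and the
# system-wide crypto policy set to FIPS. It flags the mismatch discussed in the
# thread: kernel side on, but the crypto policy reset to DEFAULT by a later stage.

check_fips_consistency() {
    root=${1:-}
    rc=0
    fips_enabled=$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null || echo 0)
    policy=$(cat "$root/etc/crypto-policies/config" 2>/dev/null || echo none)
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null || echo "")

    [ "$fips_enabled" = 1 ] || { echo "FAIL: kernel fips_enabled=$fips_enabled"; rc=1; }
    case " $cmdline " in
        *" fips=1 "*) ;;
        *) echo "FAIL: kernel cmdline lacks fips=1"; rc=1 ;;
    esac
    # FIPS or a FIPS:<subpolicy> such as FIPS:OSPP both count as FIPS.
    case "$policy" in
        FIPS|FIPS:*) ;;
        *) echo "FAIL: crypto policy is '$policy', expected FIPS"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: FIPS mode consistently enabled under '${root:-/}'"
    return "$rc"
}

# Constructed sample tree standing in for a mounted image; only the crypto
# policy written to /etc/crypto-policies/config varies between samples.
make_sample_tree() {
    mkdir -p "$1/proc/sys/crypto" "$1/etc/crypto-policies"
    echo 1 > "$1/proc/sys/crypto/fips_enabled"
    echo "BOOT_IMAGE=/vmlinuz root=UUID=constructed ro fips=1" > "$1/proc/cmdline"
    echo "$2" > "$1/etc/crypto-policies/config"
}

good=$(mktemp -d); make_sample_tree "$good" FIPS
bad=$(mktemp -d);  make_sample_tree "$bad" DEFAULT    # policy reset, as in the thread
check_fips_consistency "$good"
check_fips_consistency "$bad" || echo "(mismatch detected, as expected)"
rm -rf "$good" "$bad"
```

On a booted image the same function is called with no argument; the sample trees only exist so the check can be exercised offline.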

@mmartinv mmartinv requested a review from evgenyz December 11, 2023 11:47
@achilleas-k (Member) left a comment

Looks good overall. Just one small question about the dracut stage and where it should be defined and reused.

Review comment on pkg/distro/rhel8/edge.go (outdated, resolved)
@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch from 0d61685 to e432fa6 December 11, 2023 16:09
@mmartinv mmartinv requested a review from achilleas-k December 11, 2023 16:12
Commits:

Enable FIPS customization in OS pipeline.
Until now only the Anaconda OSTree Installer and
the OSTree deployment based images supported this
customization.

Signed-off-by: Miguel Martín <[email protected]>

Enable FIPS customization in Anaconda tar installer.
Until now only the Anaconda OSTree Installer and
the OSTree deployment based images supported this
customization.

Signed-off-by: Miguel Martín <[email protected]>

Enable FIPS customization for RHEL 9 images.

Signed-off-by: Miguel Martín <[email protected]>

Enable FIPS customization for RHEL 8 images.

Signed-off-by: Miguel Martín <[email protected]>

Enable FIPS customization for Fedora images.

Signed-off-by: Miguel Martín <[email protected]>

Add tests for Fedora and RHEL 8/9 qcow2 images
with system FIPS mode enabled.

Signed-off-by: Miguel Martín <[email protected]>
@mmartinv mmartinv force-pushed the fips-on-fedora-rhel-9-rhel-8-images branch from e432fa6 to 4b943cd December 13, 2023 09:27
@kingsleyzissou (Contributor) left a comment

Looks good to me :)

@achilleas-k achilleas-k added this pull request to the merge queue Dec 18, 2023
Merged via the queue into osbuild:main with commit 26c7283 Dec 18, 2023