File crypto-policies-FIPS.patch of Package crypto-policies

Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
 	exit 1
 fi
 
+# This check must be done as root, otherwise it will fail.
+is_transactional_system=0
+if test ! -w /usr ; then
+	is_transactional_system=1
+fi
+
+# We don't handle the setup on transactional systems as the process is
+# quite different and involves several reboots.
+if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
+    cond_echo -n "Cannot handle transactional systems. "
+    cond_echo "Please, refer to the fips-mode-setup man pages for more information."
+    exit 1
+fi
 
 # Detect 1: kernel FIPS flag
 fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
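Review bot: The transactional-system detection on the new line `if test ! -w /usr ; then` is a heuristic that also matches any system whose /usr is merely mounted read-only (immutable images, read-only bind mounts, a degraded mount), and in those cases the message "Cannot handle transactional systems" points the administrator at the wrong cause; the comment should say so, e.g. `# Heuristic: a read-only /usr is treated as a transactional system (also matches any other read-only /usr).` The exit is skipped when `$check` is 0-but-`check` itself is set outside this hunk, so I assume it is the --check flag; if so the check-only path still works on such systems, which is probably intended. Style: the three body lines of the new `if` (`cond_echo -n ...`, `cond_echo ...`, `exit 1`) are indented with spaces while the rest of the file uses tabs (see `exit 1` on the first context line); please use tabs for consistency.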
@@ -204,9 +217,22 @@ else
         fi
 fi
 
-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
-	echo "The grubby command is missing, please configure the bootloader manually."
-	boot_config=0
+if test "$boot_config" = 1 ; then
+	# Install required packages: patterns-base-fips and perl-Bootloader
+	if test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test ! -x "$(command -v pbl)" && \
+		test "$enable_fips" = 1; then
+		zypper -n install patterns-base-fips perl-Bootloader
+	elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test "$enable_fips" = 1 ; then
+		zypper -n install patterns-base-fips
+	elif test ! -x "$(command -v pbl)" ; then
+		zypper -n install perl-Bootloader
+	fi
+	if test $? != 0 ; then
+		echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
+		boot_config=0
+	fi
 fi
 
 echo "FIPS mode will be $(enable2txt $enable_fips)."
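Review bot: The failure message printed when `zypper -n install` fails says the pbl command or the pattern "are missing", but at that point the script has already tried and failed to install them, so the administrator cannot tell a missing network/repository from a missing binary; capture the status and say what happened, e.g. `rc=$?` followed by `echo "Installing patterns-base-fips/perl-Bootloader failed (zypper exit $rc), please configure the bootloader manually."` Relying on `test $? != 0` after an if/elif chain with no else works only because a chain in which no condition matches returns 0; setting an explicit `install_failed=1` inside the branches would be less fragile. The path `/etc/dracut.conf.d/40-fips.conf` is repeated three times and is used as the proxy for "the fips pattern is installed"; a named variable with a comment stating that assumption (`# presence of the pattern's dracut drop-in is taken to mean patterns-base-fips is installed`) would make the intent explicit. Installing packages as a side effect of a boot-configuration tool is a notable behaviour change and deserves a line in the man page; I do not see one in the documentation hunk of this patch.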
@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then
 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
 	echo "and reboot the system for the setting to take effect."
 else
-	grubby --update-kernel=ALL --args="$fipsopts"
-	if test x"$(uname -m)" = xs390x; then
-		if command -v zipl >/dev/null; then
-			zipl
-		else
-			echo -n '`zipl` execution has been skipped: '
-			echo '`zipl` not found.'
-		fi
-	fi
+	pbl --add-option "$fipsopts"
+	grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
+
+	# grubby --update-kernel=ALL --args="$fipsopts"
+	# if test x"$(uname -m)" = xs390x; then
+	# 	if command -v zipl >/dev/null; then
+	# 		zipl
+	# 	else
+	# 		echo -n '`zipl` execution has been skipped: '
+	# 		echo '`zipl` not found.'
+	# 	fi
+	# fi
+
 	echo "Please reboot the system for the setting to take effect."
 fi
 
Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install
+++ fedora-crypto-policies-20230920.570ea89/fips-finish-install
@@ -24,6 +24,15 @@ fi
 
 umask 022
 
+# Install required packages: patterns-base-fips and perl-Bootloader
+if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
+       zypper -n install patterns-base-fips perl-Bootloader
+elif test ! -f $dracut_cfg ; then
+       zypper -n install patterns-base-fips
+elif test ! -x "$(command -v pbl)" ; then
+       zypper -n install perl-Bootloader
+fi
+
 if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
 	# No dracut configuration or boot directory present, do not try to modify it.
 	# Also, on OSTree systems, we currently rely on the initrd already including
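Review bot: The new package-installation block runs before the guard on the following context line (`test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1`) and regardless of `$1`, so the script installs patterns-base-fips and perl-Bootloader even when it is about to exit 0 on an OSTree system and, as far as I can tell, also when invoked as `--undo`; the block should sit after that guard and be limited to the enabling path, e.g. `if test x"$1" = x--complete && test ! -f "$dracut_cfg" && test ! -x "$(command -v pbl)" ; then` with matching changes to the two `elif` lines. `$dracut_cfg` is unquoted in the three new tests (the existing line uses the same style, but new code should quote it), and the three `zypper` lines are indented with seven spaces where the file uses tabs. A zypper failure is also not checked here, unlike in the fips-mode-setup change of this same patch, so the two scripts behave differently on the same error.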
@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
 	exit 0
 fi
 
-if test x"$1" == x--complete; then
-	trap "rm -f $dracut_cfg" ERR
-	cat >$dracut_cfg <<EOF
-# turn on fips module
-
-add_dracutmodules+=" fips "
-EOF
-elif test x"$1" == x--undo; then
-	rm -f $dracut_cfg
-fi
-
-echo "Kernel initramdisks are being regenerated. This might take some time."
-
-dracut -f --regenerate-all
-
-# This is supposed to be a fast and safe operation that's always good to run.
-# Regenerating an initrd and skipping it might render the system unbootable
-# (RHBZ#2013195).
-if test x"$(uname -m)" = xs390x; then
-	if command -v zipl >/dev/null; then
-		zipl
-	else
-		echo '`zipl` execution has been skipped: `zipl` not found.'
-	fi
-fi
+# if test x"$1" == x--complete; then
+# 	trap "rm -f $dracut_cfg" ERR
+# 	cat >$dracut_cfg <<EOF
+# # turn on fips module
+
+# add_dracutmodules+=" fips "
+# EOF
+# elif test x"$1" == x--undo; then
+# 	rm -f $dracut_cfg
+# fi
+
+# echo "Kernel initramdisks are being regenerated. This might take some time."
+
+# dracut -f --regenerate-all
+
+# # This is supposed to be a fast and safe operation that's always good to run.
+# # Regenerating an initrd and skipping it might render the system unbootable
+# # (RHBZ#2013195).
+# if test x"$(uname -m)" = xs390x; then
+# 	if command -v zipl >/dev/null; then
+# 		zipl
+# 	else
+# 		echo '`zipl` execution has been skipped: `zipl` not found.'
+# 	fi
+# fi
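Review bot: Commenting out the whole `--complete`/`--undo` handling and the `dracut -f --regenerate-all` call leaves fips-finish-install with no effect beyond the package installation added earlier in this patch, and `--undo` in particular no longer removes anything, so any other caller of this script (it presumably still appears in the man page and may be invoked outside fips-mode-setup) gets a silent no-op; if the intent is that patterns-base-fips now owns `$dracut_cfg` and fips-mode-setup runs dracut itself, say so in a short comment at the top of the script and delete the dead code instead of keeping twenty-five commented lines. The removed s390x `zipl` block carried the note that skipping it after regenerating an initrd might render the system unbootable (RHBZ#2013195); the same step is also commented out in the fips-mode-setup hunk of this patch, so if s390x is supported that safeguard is now gone from both places. The commented-out here-document (`# cat >$dracut_cfg <<EOF` through `# EOF`) is harmless but confusing to read; another reason to remove rather than comment.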
Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
@@ -45,6 +45,23 @@ Then the command modifies the boot loade
 When disabling the system FIPS mode the system crypto policy is switched
 to DEFAULT and the kernel command line option 'fips=0' is set.
 
+On transactional systems, enabling the system in FIPS mode with the
+fips-mode-setup tool is not implemented. To enable the FIPS mode in these
+systems requires the following steps:
+
+	1.- Install the FIPS pattern on a running system:
+	    # transactional-update pkg install -t pattern microos-fips
+
+	2.- Reboot your system.
+
+	3.- Add the kernel command line parameter fips=1 to the boot loader
+	    configuration. To do so, edit the file /etc/default/grub and add
+	    fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
+
+	4.- After logging in to the system, run:
+	    # transactional-update grub.cfg
+
+	5.- Reboot your system.
 
 [[options]]
 OPTIONS