
Index: fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup
===================================================================
--- fedora-crypto-policies-20210917.c9d86d1.orig/fips-mode-setup
+++ fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup
@@ -7,7 +7,6 @@ enable_fips=
 check=0
 boot_config=1
 err_if_disabled=0
-fips_install_complete=0
 output_text=1
 
 is_ostree_system=0
@@ -76,47 +75,128 @@ if test "$is_ostree_system" = 1 && test
     exit 1
 fi
 
-if test -f /etc/system-fips ; then
-	# On OSTree systems, /etc/system-fips in the real root marks completion.
-	if test ! -d /boot -o "$is_ostree_system" = 1 -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
-		fips_install_complete=1
+
+if [ "$(id -u)" != 0 ]; then
+	echo "You must be root to run $(basename $0)"
+	exit 1
+fi
+
+# This check must be done as root, otherwise it will fail.
+is_transactional_system=0
+if test ! -w /usr ; then
+	is_transactional_system=1
+fi
+
+# We don't handle the setup on transactional systems as the process is
+# quite different and involves several reboots.
+if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
+    cond_echo -n "Cannot handle transactional systems. "
+    cond_echo "Please, refer to the fips-mode-setup man pages for more information."
+    exit 1
+fi
+
+# Detect 1: kernel FIPS flag
+fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
+
+# Detect 2: initramfs fips module presence; not always can be done
+initramfs_fips_module=0
+initramfs_inspectable=0
+if test -d /boot -a -x /usr/bin/lsinitrd; then
+	initramfs_inspectable=1
+	if lsinitrd -m 2>/dev/null | grep -Fxq fips; then
+		initramfs_fips_module=1
 	fi
 fi
 
+# Detect 3: crypto-policy base policy
+current_policy="$(cat /etc/crypto-policies/state/current)"
+base_policy="$(echo $current_policy| cut -f 1 -d :)"
+if test "$base_policy" == "FIPS" ; then
+	base_policy_is_fips=1
+else
+	base_policy_is_fips=0
+fi
+
+
 if test $check = 1 ; then
-	test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not completed."
-	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
-	cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
-	if test "$fips_enabled" = 1 ; then
-		if test $fips_install_complete = 0 ; then
-			cond_echo "Inconsistent state detected."
-			exit 1
-		fi
-		current="$(cat /etc/crypto-policies/state/current)"
-		if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
-			cond_echo "The current crypto policy ($current) is not a FIPS policy."
+	# Look for signs for both enabling and disabling FIPS mode
+	fips_positive=0
+	fips_negative=0
+
+	# Display 1: kernel FIPS flag
+	cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)."
+
+	# Display 2: initramfs fips module
+	if test "$initramfs_inspectable" = 1 ; then
+		cond_echo -n "Initramfs fips module is "
+		cond_echo "$(enable2txt $initramfs_fips_module)."
+	fi
+
+	# Display 3: active crypto-policy
+	cond_echo -n "The current crypto policy ($current_policy) "
+	if test "$base_policy_is_fips" == 1 ; then
+		cond_echo 'is based on the FIPS policy.'
+	else
+		cond_echo -n 'neither is the FIPS policy '
+		cond_echo 'nor is based on the FIPS policy.'
+	fi
+
+	# Decide 1: kernel FIPS flag
+	if test "$fips_kernel_enabled" = 1 ; then
+		fips_positive=1
+	else
+		fips_negative=1
+	fi
+
+	# Decide 2: initramfs module presence
+	if test "$initramfs_inspectable" = 1 ; then
+		if test "$initramfs_fips_module" = 1 ; then
+			fips_positive=1
+		else
+			fips_negative=1
 		fi
 	fi
-	if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1;then
+
+	# Decide 3: active crypto-policy
+	if test "$base_policy_is_fips" = 1 ; then
+		fips_positive=1
+	else
+		fips_negative=1
+	fi
+
+	# Make the FIPS mode consistency decision
+	if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then
+		cond_echo 'Inconsistent state detected.'
+		exit 1
+	fi
+
+	# Error out if `--is-enabled` was passed and FIPS mode is not enabled
+	if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then
+		cond_echo 'FIPS mode is not enabled.'
 		exit 2
 	fi
+
 	exit 0
 fi
 
-if [ $(id -u) != 0 ]; then
-	echo "You must be root to run $(basename $0)"
-	exit 1
-fi
 
 if test $enable_fips = 1 ; then
-	if test $fips_install_complete = 0 ; then
+	if test "$initramfs_fips_module" = 0 ; then
 		fips-finish-install --complete
 		if test $? != 0 ; then
 			echo "Installation of FIPS modules could not be completed."
 			exit 1
 		fi
 	fi
-	update-crypto-policies --no-reload --set FIPS 2>/dev/null
+	if test "$base_policy_is_fips" == 1 ; then
+		cond_echo -n 'Preserving current FIPS-based policy '
+		cond_echo "${current_policy}."
+		cond_echo -n 'Please review the subpolicies to ensure they '
+		cond_echo 'only restrict, not relax the FIPS policy.'
+	else
+		target=FIPS
+	fi
+	update-crypto-policies --no-reload --set "${target}" 2>/dev/null
 else
 	update-crypto-policies --no-reload --set DEFAULT 2>/dev/null
 fi
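Review bot: `target` is never assigned in the "Preserving current FIPS-based policy" branch, so on a system whose base policy is already FIPS the enable path ends up calling `update-crypto-policies --no-reload --set ""` (unless `target` is set somewhere earlier in the file, which this hunk does not show); add `target="$current_policy"` as the last line of that branch so the preserved policy is actually re-applied. The new code also mixes `test … == …` (the base-policy comparisons and the preserving branch) with `test … = …` everywhere else; `==` is not POSIX and fails under dash, so `=` throughout is the safer choice, and `echo $current_policy` in the `cut` pipeline should be quoted. Moving the root check above the `--check` path appears to make `--check` require root, which is a behavioural change the man page should mention.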
@@ -136,9 +216,22 @@ else
         fi
 fi
 
-if test $boot_config=1 && test ! -x "$(command -v grubby)" ; then
-	echo "The grubby command is missing, please configure the bootloader manually."
-	boot_config=0
+if test "$boot_config" = 1 ; then
+	# Install required packages: patterns-base-fips and perl-Bootloader
+	if test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test ! -x "$(command -v pbl)" && \
+		test "$enable_fips" = 1; then
+		zypper -n install patterns-base-fips perl-Bootloader
+	elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test "$enable_fips" = 1 ; then
+		zypper -n install patterns-base-fips
+	elif test ! -x "$(command -v pbl)" ; then
+		zypper -n install perl-Bootloader
+	fi
+	if test $? != 0 ; then
+		echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
+		boot_config=0
+	fi
 fi
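Review bot: The failure check `if test $? != 0` after the `if`/`elif` chain inspects the status of the whole compound command, which is zero whenever no branch ran, so it works only by that rule of the shell and reads as if it tests the last `test`; building the package list first and checking `zypper` directly makes the intent explicit and removes the three overlapping conditions. The same chain appears in `fips-finish-install`, which `fips-mode-setup --enable` has already run a few lines earlier, so on the enable path this install is a repeat. The message "are missing" is also misleading when the real failure is that the install could not be performed, which is what the check detects.
```shell
if test "$boot_config" = 1 ; then
	pkgs=
	if test ! -f /etc/dracut.conf.d/40-fips.conf && test "$enable_fips" = 1 ; then
		pkgs="$pkgs patterns-base-fips"
	fi
	if test ! -x "$(command -v pbl)" ; then
		pkgs="$pkgs perl-Bootloader"
	fi
	# $pkgs is intentionally unquoted: a space-separated package list.
	if test -n "$pkgs" && ! zypper -n install $pkgs ; then
		echo "The pbl command or the fips pattern could not be installed, please configure the bootloader manually."
		boot_config=0
	fi
fi
```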
 
 echo "FIPS mode will be $(enable2txt $enable_fips)."
@@ -149,10 +242,19 @@ if test $boot_config = 0 ; then
 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
 	echo "and reboot the system for the setting to take effect."
 else
-	grubby --update-kernel=ALL --args="$fipsopts"
-	if test x"$(uname -m)" = xs390x ; then
-		zipl >/dev/null 2>&1
-	fi
+	pbl --add-option "$fipsopts"
+	grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
+
+	# grubby --update-kernel=ALL --args="$fipsopts"
+	# if test x"$(uname -m)" = xs390x; then
+	# 	if command -v zipl >/dev/null; then
+	# 		zipl
+	# 	else
+	# 		echo -n '`zipl` execution has been skipped: '
+	# 		echo '`zipl` not found.'
+	# 	fi
+	# fi
+
 	echo "Please reboot the system for the setting to take effect."
 fi
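Review bot: The bootloader branch does not check whether `pbl --add-option`, `grub2-mkconfig` or `dracut` succeeded, and because of the `&&` a failing `grub2-mkconfig` silently skips the initramfs regeneration while "Please reboot the system" is still printed; at minimum `pbl --add-option "$fipsopts" || { echo "Bootloader update failed, please configure it manually." >&2; exit 1; }`, `grub2-mkconfig -o /boot/grub2/grub.cfg || exit 1` and `dracut -f --regenerate-all || exit 1` so a half-configured system is reported rather than rebooted. The commented-out zipl block means s390x no longer gets `zipl` run, yet the man page hunk in this same patch still states that the tool "still attempts executing zipl(8) on s390x"; either restore that step or drop the sentence. Commented-out code should be removed rather than kept, since the history is in the patch itself.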
 
Index: fedora-crypto-policies-20210917.c9d86d1/fips-finish-install
===================================================================
--- fedora-crypto-policies-20210917.c9d86d1.orig/fips-finish-install
+++ fedora-crypto-policies-20210917.c9d86d1/fips-finish-install
@@ -2,7 +2,6 @@
 
 set -e
 
-system_fips=/etc/system-fips
 dracut_cfg_d=/etc/dracut.conf.d
 dracut_cfg=$dracut_cfg_d/40-fips.conf
 
@@ -24,9 +23,16 @@ fi
 
 umask 022
 
-trap "rm -f $system_fips $dracut_cfg" ERR
+# trap "rm -f $dracut_cfg" ERR
 
-echo "# FIPS module installation complete" >$system_fips
+# Install required packages: patterns-base-fips and perl-Bootloader
+if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
+	zypper -n install patterns-base-fips perl-Bootloader
+elif test ! -f $dracut_cfg ; then
+	zypper -n install patterns-base-fips
+elif test ! -x "$(command -v pbl)" ; then
+	zypper -n install perl-Bootloader
+fi
 
 if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
 	# No dracut configuration or boot directory present, do not try to modify it.
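Review bot: The `zypper -n install` block runs before the check that exits 0 when `$dracut_cfg_d` or `/boot` is missing or the system is OSTree, so packages get installed on exactly the systems where the script then does nothing; moving the block below that `if` (whose body continues past this hunk) avoids the side effect. With `set -e` active at the top of the file, a failing `zypper` now aborts the script without any message, and the ERR trap that used to clean up has been commented out instead of removed, so either keep a trap that reports the failure or delete the commented line. The same three-way install chain is duplicated in `fips-mode-setup`; one place is enough.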
@@ -35,12 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
 	exit 0
 fi
 
-cat >$dracut_cfg <<EOF
-# turn on fips module
-
-add_dracutmodules+=" fips "
-EOF
-
-echo "Kernel initramdisks are being regenerated. This might take some time."
-
-dracut -f --regenerate-all
+# cat >$dracut_cfg <<EOF
+# # turn on fips module
+#
+# add_dracutmodules+=" fips "
+# EOF
+#
+# echo "Kernel initramdisks are being regenerated. This might take some time."
+#
+# dracut -f --regenerate-all
+#
+# # This is supposed to be a fast and safe operation that's always good to run.
+# # Regenerating an initrd and skipping it might render the system unbootable
+# # (RHBZ#2013195).
+# if test x"$(uname -m)" = xs390x; then
+# 	if command -v zipl >/dev/null; then
+# 		zipl
+# 	else
+# 		echo '`zipl` execution has been skipped: `zipl` not found.'
+# 	fi
+# fi
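Review bot: After this hunk `fips-finish-install` no longer writes `$dracut_cfg` nor runs `dracut`, so the initramfs is only regenerated by `fips-mode-setup`'s bootloader branch; `fips-mode-setup --enable --no-bootcfg` and a direct `fips-finish-install --complete` therefore appear to leave the fips dracut module out of the initramfs unless the patterns-base-fips package does that in its own scriptlets, which is worth confirming and stating in a comment such as `# dracut config and initramfs regeneration are provided by patterns-base-fips`. The `/boot`/OSTree guard above now protects nothing and could go as well. The commented-out block, including the RHBZ#2013195 rationale for running `zipl`, should be deleted rather than carried as dead text; if that rationale still applies on s390x, the step needs a new home rather than a comment.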
Index: fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup.8.txt
===================================================================
--- fedora-crypto-policies-20210917.c9d86d1.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20210917.c9d86d1/fips-mode-setup.8.txt
@@ -33,16 +33,35 @@ DESCRIPTION
 -----------
 fips-mode-setup(8) is used to check and control the system FIPS mode.
 
-When enabling the system FIPS mode the command completes the installation
+When enabling the system FIPS mode, the command completes the installation
 of FIPS modules if needed by calling 'fips-finish-install' and changes the
-system crypto policy to FIPS.
+system crypto policy to FIPS
+(unless the policy has already been set to FIPS plus subpolicies on top,
+in which case the currently active subpolicies is retained).
 
 Then the command modifies the boot loader configuration to add
 'fips=1' and 'boot=<boot-device>' options to the kernel command line.
 
 When disabling the system FIPS mode the system crypto policy is switched
-to DEFAULT and the kernel command line option 'fips=0' is set. 
+to DEFAULT and the kernel command line option 'fips=0' is set.
 
+On transactional systems, enabling the system in FIPS mode with the
+fips-mode-setup tool is not implemented. To enable the FIPS mode in these
+systems requires the following steps:
+
+	1.- Install the FIPS pattern on a running system:
+	    # transactional-update pkg install -t pattern microos-fips
+
+	2.- Reboot your system.
+
+	3.- Add the kernel command line parameter fips=1 to the boot loader
+	    configuration. To do so, edit the file /etc/default/grub and add
+	    fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
+
+	4.- After logging in to the system, run:
+	    # transactional-update grub.cfg
+
+	5.- Reboot your system.
 
 [[options]]
 OPTIONS
@@ -54,14 +73,21 @@ The following options are available in f
 
 * --disable:    Undo some of the FIPS-enablement steps (unsupported).
 
-* --check:      Checks the system FIPS mode status.
+* --check:      Checks for inconsistently enabled FIPS mode.
+                Exits successfully (0) for both consistently-enabled FIPS mode
+                and consistently-disabled FIPS mode,
+                returns error code (1) if inconsistencies are detected.
+                For checking whether FIPS mode is enabled,
+                see --is-enabled below.
 
 * --is-enabled: Checks the system FIPS mode status and returns failure
                 error code if disabled (2) or inconsistent (1).
 
-* --no-bootcfg: The tool will not attempt to change the boot loader
-                configuration and it just prints the options that need
+* --no-bootcfg: The tool will not reconfigure the boot loader,
+                and, instead, will print the options that need
                 to be added to the kernel command line.
+                Exception: it still attempts executing zipl(8) on s390x,
+                as the system might become unbootable otherwise.
 
 
 FILES