security: call /usr/libexec/fips-setup-helper #5824
Are there any version requirements associated with this, e.g., >= c10s?
For this PR I had f41 rawhide in mind, and the crypto-policies version to ship the helper is crypto-policies-20240807-1.git5795660.fc41. For c10s, that'd be crypto-policies-20240807-1.git7ea320f.el10. ELN is special in that crypto-policies ELN follows c10s and not rawhide, and thus the first ELN version to ship the helper is crypto-policies-20240807-1.git7ea320f.eln141. I think it makes sense to file a c10s PR after this one gets merged.
Force-pushed 321d91c to dcbab6b
Hi @t184256 thanks a lot for this PR.
We also need a RHEL issue filed.
I'd say yes. It was outright load-bearing in FIPS 140-2 times, and while it became less important since FIPS 140-3, some of the restrictions are not really enforced, but communicated through explicit indicators. In my book, having the configs in place before the transaction begins is better than applying them at a random mid-transaction moment when the crypto-policies scriptlet gets triggered. The actions that PreconfigureFIPSTask performs are up to date.
RHEL-9 backport is crypto-policies-20240815-1.gite217f03.el9
@t184256 Please rebase the PR to latest master and repush for the tests to run again.
Force-pushed dcbab6b to ee0d6aa
/kickstart-tests --testtype smoke
This change just wraps the existing command in a script. There is no way this can be affected by this PR.
/build-image
Images built based on commit ee0d6aa:
Download the images from the bottom of the job status page.
Hi @t184256 - have you tested that interactively?
Hm, tried it now with reanaconda against f41 and ran into a problem:
At the same time, I'm actually not sure why that happens. EDIT: same with rawhide and a rebased version of this PR
/build-image
Images built based on commit ee0d6aa:
Download the images from the bottom of the job status page.
@t184256 maybe you can use the boot.iso image generated by the CI containing your changes for testing? #5824 (comment) I am not familiar with fips - therefore not sure what I should be testing here.
Will try when it finishes downloading one eternity later =) To install in FIPS mode, one should add For my testing above, I've used reanaconda as follows:
and next-next-finished to a gui popup with the error.
Same error =/ I don't have any better ideas than use the package name instead of the script name, even though it was previously a script name and it worked just fine.
crypto-policies now ships a helper for anaconda to call in order to just "do the right thing" and make it not anaconda's responsibility.
Force-pushed ee0d6aa to 123d819
Pushed a change that defines dependency as package name. This worked for me, i.e., there's no error and the helper is being invoked.
@t184256 so it's now tested and it works with the new image?
yes, the 123d819 version booted with `fips=1`:
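As an added illustration (not code from anaconda or crypto-policies), this sketches the decision the thread is about: detect `fips=1` on the kernel command line, then invoke the helper inside the installed system root before the rest of the configuration runs, and fail with a clear message when the helper is absent from the target tree, which is the failure mode hit above until the dependency was expressed as a package name. The chroot-based invocation and the function names are assumptions, not anaconda's own execution wrapper.

```python
import os
import shlex
import subprocess
from pathlib import Path
from typing import List, Optional

# Helper shipped by crypto-policies, as named in the PR title.
FIPS_HELPER = "/usr/libexec/fips-setup-helper"


def fips_requested(cmdline: str) -> bool:
    """Return True if the kernel command line enables FIPS mode.

    Only an exact ``fips=1`` token counts; ``fips=0``, ``nofips`` or a
    different key such as ``rd.fips=1`` (constructed example) must not.
    """
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        if key == "fips" and sep and value == "1":
            return True
    return False


def plan_fips_setup(sysroot: str, cmdline: str) -> Optional[List[str]]:
    """Decide what the installer should run for the target system.

    Returns the command to execute in the installed tree, or None when FIPS
    mode was not requested. Raises FileNotFoundError when FIPS was requested
    but the helper is not present in the target root, i.e. the package that
    ships it was not part of the installation transaction.
    """
    if not fips_requested(cmdline):
        return None
    helper = Path(sysroot) / FIPS_HELPER.lstrip("/")
    if not helper.is_file() or not os.access(helper, os.X_OK):
        raise FileNotFoundError(
            f"{FIPS_HELPER} missing in {sysroot}; the package providing it "
            "must be in the installation transaction"
        )
    # Assumption: a plain chroot stands in for the installer's own wrapper.
    return ["chroot", sysroot, FIPS_HELPER]


def run_fips_setup(sysroot: str, cmdline_path: str = "/proc/cmdline") -> int:
    """Run the planned command; returns its exit status (0 if nothing to do)."""
    cmd = plan_fips_setup(sysroot, Path(cmdline_path).read_text())
    if cmd is None:
        return 0
    return subprocess.run(cmd, check=False).returncode
```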
/kickstart-tests --testtype smoke
Hi @t184256 should we backport this to RHEL-9 and RHEL-10? Do we have already filed issues for these?
RHEL-10: yes, that one is of my direct interest. I've filed https://issues.redhat.com/browse/RHEL-57680
RHEL-9: we don't actually plan to change what switching into FIPS mode means on RHEL-9. On the other hand, I feel like there's value in separation of concerns for the anaconda side of things as well, so I've backported the helper to 9, and I'd like to leave the decision of using or not using it up to you.
@jstodola what do you think about RHEL-9 backport?
I'm fine with porting the change to RHEL-9.