-
Notifications
You must be signed in to change notification settings - Fork 521
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add release-fips package for FIPS-related functionality #3893
Conversation
Provide overlay mounts so that binaries installed to `/usr/fips/bin` and `/usr/fips/libexec` will be available in the standard paths. Install a bootconfig snippet so that `fips=1` will be added to the kernel command line, and to "systemd.unit=fipsheck.target" to systemd to override any default target. Ensure that `/etc/system-fips` is created by default. This file can be mounted into containers for certain distros (RHEL, Amazon Linux) to trigger the use of FIPS certified crypto. Signed-off-by: Ben Cressey <bcressey@amazon.com>
This allows other "runlevel" targets to run before "preconfigured". Signed-off-by: Ben Cressey <bcressey@amazon.com>
The prepare-boot service calls `prairiedog prepare-boot`, which needs to find the active partition set in order to mount the correct boot filesystem. Previously, this depended on the mark-boot-successful service, which adjuts the GPT flags for the active partition set. However, it does not actually change the active partition set, so it's not actually a required dependency for prepare-boot. This matters for FIPS integrity checks because the boot filesystem must be mounted to verify the kernel's HMAC. If the boot is marked as successful and then the integrity check fails, the system could not then be rebooted back into the previous partition set. Signed-off-by: Ben Cressey <bcressey@amazon.com>
The `sha512hmac` program is required to check kernel integrity when running in FIPS mode. Signed-off-by: Ben Cressey <bcressey@amazon.com>
On boot, before starting any other services, ensure that the kernel's HMAC signature is valid. Then load any crypto modules included in the FIPS module boundary before running the "tcrypt" self-test. Any failures in these tests will cause the system to halt. Signed-off-by: Ben Cressey <bcressey@amazon.com>
No FIPS certification is planned for the upstream Amazon Linux 5.10 and 5.15 kernels, so prevent them from being installed in the image when the FIPS image feature flag is enabled. Signed-off-by: Ben Cressey <bcressey@amazon.com>
packages/kernel-6.1/kernel-6.1.spec
Outdated
# This list of FIPS modules is extracted from /etc/fipsmodules in the initramfs | ||
# after placing AL2023 in FIPS mode. | ||
Source200: fipsmodules-x86_64 | ||
Source201: fipsmodules-aarch64 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is my least favorite part of this change, but I'm not sure how else to generate this list of files.
The dracut
package in AL23 has a list of modules in /usr/lib/dracut/modules.d/01fips/module-setup.sh
, but some are architecture-specific and it's not really correct to include all of those. That list gets passed to dracut's instmods
function which interacts with the available modules on the running system.
For what it's worth I don't expect this list to change much across the life of the 6.1 kernel - worst case only when it needed to be recertified.
[Unit] | ||
Description=Isolates preconfigured.target | ||
DefaultDependencies=no | ||
After=fipscheck.target | ||
Requires=fipscheck.target |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is very similar to the existing activate-configured.service
and activate-multi-user.service
.
StandardOutput=tty | ||
StandardError=inherit |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a common feature of the new units since journald
isn't running yet when they run.
WorkingDirectory=/boot | ||
ExecStart=/usr/bin/sha512hmac -q -c /boot/.vmlinuz.hmac |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Slight subtlety here - /boot/.vmlinuz.hmac
gives the SHA512 HMAC of "vmlinuz" so we need to change the directory first.
[Service] | ||
Type=oneshot | ||
# Check if it's a generic algorithm the kernel provides. If so, don't continue. | ||
ExecCondition=/usr/bin/grep -qvzE '(name|driver)\\s+:\\s+%i\\s+' /proc/crypto | ||
# Otherwise, attempt to load the module. | ||
ExecStart=-/sbin/modprobe %i | ||
# Ensure that the stderr file exists. Otherwise, grep fails on an empty file. | ||
ExecStart=-/usr/bin/touch /.read-only.%i | ||
# Succeed unless there was a fatal error. | ||
ExecStart=/usr/bin/grep -Fqvzw FATAL /etc/.fips-modprobe.%i |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is my attempt at recreating fips_load_crypto from dracut
, without a shell and with only systemd unit directives to work with.
@@ -0,0 +1,2 @@ | |||
f+ /etc/system-fips 0644 root root - | |||
r /etc/.fips-modprobe.* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We end up writing at least one error to a file like this for every module. We only care about fatal errors from modprobe, which will halt the system before we get to the point of running systemd-tmpfiles
. So this just cleans up the garbage with no diagnostic value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LTGM!
%make_install | ||
|
||
ln -s kcapi-hasher %{buildroot}%{_cross_bindir}/sha512hmac | ||
find %{buildroot} -type f -name '*.hmac' -delete |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are passed the %make_install
, why do we need to delete these? Shouldn't they be deleted before?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are passed the %make_install, why do we need to delete these? Shouldn't they be deleted before?
The .hmac
files are generated by make install
, but they refer to the unstripped binaries and would be incorrect if retained.
packages/kernel-6.1/kernel-6.1.spec
Outdated
cat <<EOF > %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d/"${drop_in}" | ||
[Unit] | ||
Requires=fips-modprobe@${fipsmod}.service | ||
After=fips-modprobe@${fipsmod}.service | ||
EOF |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not a drop-in.conf.in
and sed
the replacement?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not a drop-in.conf.in and sed the replacement?
I can do that. It's more consistent with what we do in other specs, plus it avoids the awkward indentation problem of heredocs.
What=overlay | ||
Where=PREFIX/bin | ||
Type=overlay | ||
Options=lowerdir=PREFIX/fips/bin:PREFIX/bin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, in fips variant, we will be shipping the two versions of the binaries? And hide the no-fips
binaries at runtime?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, in fips variant, we will be shipping the two versions of the binaries? And hide the no-fips binaries at runtime?
The packages with fips and non-fips binaries are set to conflict with each other, so they won't both be present. A binary like containerd
will either be in /usr/fips/bin
or /usr/bin
depending on the package that's installed, but not in both places.
This overlay mount is to make sure that regardless of what directory they're in, they are available in /usr/bin
and the standard PATH
.
Signed-off-by: Ben Cressey <bcressey@amazon.com>
⬆️ force push uses a template-and-sed approach instead of a heredoc to generate the drop-in configs |
Issue number:
Related: #1667
Description of changes:
Add a new "release-fips" package that is installed along with "release" when the FIPS image feature flag is set. This package collects all the functionality required for running in "FIPS mode":
fips=1
is added to the kernel command line./usr/fips/bin
and/usr/fips/libexec
are mounted via overlayfs, so binaries in those directories are available in/usr/bin
and/usr/libexec
.Testing done:
Booted
aws-dev
images for aarch64 and x86_64 with a local edit to enable the FIPS feature flag. The power-on self-test passed and the overlayfs directories were mounted.In conjunction with the changes in #3887, I built
aws-ecs-2
andaws-k8s-1.29
images and verified that they could join clusters and run containers with only the FIPS versions of binaries present.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.