Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup =================================================================== --- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup +++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup @@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then exit 1 fi +# This check must be done as root, otherwise it will fail. +is_transactional_system=0 +if test ! -w /usr ; then + is_transactional_system=1 +fi + +# We don't handle the setup on transactional systems as the process is +# quite different and involves several reboots. +if test "$is_transactional_system" = 1 && test "$check" = 0 ; then + cond_echo -n "Cannot handle transactional systems. " + cond_echo "Please, refer to the fips-mode-setup man pages for more information." + exit 1 +fi # Detect 1: kernel FIPS flag fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) @@ -167,10 +180,10 @@ if test $check = 1 ; then fi # Boot configuration -if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then - echo >&2 "The grubby command is missing, please configure the bootloader manually." - boot_config=0 -fi +# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +# echo >&2 "The grubby command is missing, please configure the bootloader manually." +# boot_config=0 +# fi if test "$boot_config" = 1 && test ! -d /boot ; then echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." @@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then fi fi +if test "$boot_config" = 1 ; then + # Install required packages: patterns-base-fips and perl-Bootloader + if test ! -f /etc/dracut.conf.d/40-fips.conf && \ + test ! -x "$(command -v pbl)" && \ + test "$enable_fips" = 1; then + zypper -n install patterns-base-fips perl-Bootloader + elif test ! -f /etc/dracut.conf.d/40-fips.conf && \ + test "$enable_fips" = 1 ; then + zypper -n install patterns-base-fips + elif test ! -x "$(command -v pbl)" ; then + zypper -n install perl-Bootloader + fi + if test $? != 0 ; then + echo "The pbl command or the fips pattern are missing, please configure the bootloader manually." + boot_config=0 + fi +fi + echo "FIPS mode will be $(enable2txt $enable_fips)." fipsopts="fips=$enable_fips$boot_device_opt" if test "$boot_config" = 1 ; then - grubby --update-kernel=ALL --args="$fipsopts" - if test x"$(uname -m)" = xs390x; then - if command -v zipl >/dev/null; then - zipl - else - echo -n '`zipl` execution has been skipped: ' - echo '`zipl` not found.' - fi - fi + pbl --add-option "$fipsopts" + pbl --config; pbl --install && dracut -f --regenerate-all + + # grubby --update-kernel=ALL --args="$fipsopts" + # if test x"$(uname -m)" = xs390x; then + # if command -v zipl >/dev/null; then + # zipl + # else + # echo -n '`zipl` execution has been skipped: ' + # echo '`zipl` not found.' + # fi + # fi + echo "Please reboot the system for the setting to take effect." else echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install =================================================================== --- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install +++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install @@ -24,6 +24,15 @@ fi umask 022 +# Install required packages: patterns-base-fips and perl-Bootloader +if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then + zypper -n install patterns-base-fips perl-Bootloader +elif test ! -f $dracut_cfg ; then + zypper -n install patterns-base-fips +elif test ! -x "$(command -v pbl)" ; then + zypper -n install perl-Bootloader +fi + if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then # No dracut configuration or boot directory present, do not try to modify it. # Also, on OSTree systems, we currently rely on the initrd already including @@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot exit 0 fi -if test x"$1" == x--complete; then - trap "rm -f $dracut_cfg" ERR - cat >$dracut_cfg </dev/null; then - zipl - else - echo '`zipl` execution has been skipped: `zipl` not found.' - fi -fi +# if test x"$1" == x--complete; then +# trap "rm -f $dracut_cfg" ERR +# cat >$dracut_cfg </dev/null; then +# zipl +# else +# echo '`zipl` execution has been skipped: `zipl` not found.' +# fi +# fi Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt =================================================================== --- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt +++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt @@ -45,6 +45,23 @@ Then the command modifies the boot loade When disabling the system FIPS mode the system crypto policy is switched to DEFAULT and the kernel command line option 'fips=0' is set. +On transactional systems, enabling the system in FIPS mode with the +fips-mode-setup tool is not implemented. To enable the FIPS mode in these +systems requires the following steps: + + 1.- Install the FIPS pattern on a running system: + # transactional-update pkg install -t pattern microos-fips + + 2.- Reboot your system. + + 3.- Add the kernel command line parameter fips=1 to the boot loader + configuration. To do so, edit the file /etc/default/grub and add + fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable. + + 4.- After logging in to the system, run: + # transactional-update grub.cfg + + 5.- Reboot your system. [[options]] OPTIONS Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup =================================================================== --- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup +++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup @@ -8,7 +8,6 @@ check=0 boot_config=1 err_if_disabled=0 output_text=1 -uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f is_ostree_system=0 if test -f /run/ostree-booted -o -d /ostree; then @@ -61,18 +60,13 @@ while test $# -ge 1 ; do done if test $usage = 1 -o x$enable_fips = x ; then - echo "Check, enable, or disable (unsupported) the system FIPS mode." + echo "Check, enable, or disable the system FIPS mode." echo "usage: $0 --enable|--disable [--no-bootcfg]" echo "usage: $0 --check" echo "usage: $0 --is-enabled" exit 2 fi -if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then - echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg." - boot_config=0 -fi - # We don't handle the boot config on OSTree systems for now; it is assumed to be # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is # intrinsically tied to the firstboot procedure. @@ -186,12 +180,6 @@ if test $check = 1 ; then exit 0 fi -# Boot configuration -# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then -# echo >&2 "The grubby command is missing, please configure the bootloader manually." -# boot_config=0 -# fi - if test "$boot_config" = 1 && test ! -d /boot ; then echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg." @@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$ exit 1 fi -if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \ - test -x "$(command -v cryptsetup)" ; then - # Best-effort detection of LUKS Argon2 usage - argon2_found='' - # two redundant ways to list device names - devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \ - dmsetup ls --target crypt | cut -f1) \ - | sort -u) - while IFS= read -r devname; do - back=$(cryptsetup status "$devname" | \ - grep -F device: | - sed -E 's/.*device:\s+//') - if ! test -b "$back"; then - echo >&2 -n "Warning: detected device '$back' " - echo >&2 -n 'is not a valid block device. ' - echo >&2 'Cannot check whether it uses Argon2.' - continue - fi - dump=$(cryptsetup luksDump "$back") - if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then - argon2_found+=" $back($devname)" - fi - done <<<"$devs" - if test -n "$argon2_found" ; then - echo >&2 -n "The following encrypted devices use Argon2 PBKDF:" - echo >&2 "$argon2_found" - echo >&2 'Aborting fips-mode-setup because of that.' - echo >&2 -n 'Please refer to the ' - echo >&2 'cryptsetup-luksConvertKey(8) manpage.' - exit 76 - fi -fi - if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then if test $enable_fips = 1 ; then echo >&2 "*****************************************************************" @@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING" echo >&2 "* *" echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *" echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" - echo >&2 "* REINSTALL WITH fips=1 INSTEAD. *" echo >&2 "*****************************************************************" elif test $enable_fips = 0 ; then echo >&2 "*****************************************************************" echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT... *" echo >&2 "* *" - echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED. *" + echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*" echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" - echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD. *" echo >&2 "*****************************************************************" fi for i in {15..1}; do @@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_ if test "$boot_config" = 1 ; then pbl --add-option "$fipsopts" pbl --config; pbl --install && dracut -f --regenerate-all - - # grubby --update-kernel=ALL --args="$fipsopts" - # if test x"$(uname -m)" = xs390x; then - # if command -v zipl >/dev/null; then - # zipl - # else - # echo -n '`zipl` execution has been skipped: ' - # echo '`zipl` not found.' - # fi - # fi - - echo "Please reboot the system for the setting to take effect." + echo "Please reboot the system for the settings to take effect." else echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" - echo "and reboot the system for the setting to take effect." + echo "and reboot the system for the settings to take effect." fi exit 0