From f3309917d8839dc6146c9f95a0e4507f3abd98f6 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Wed, 10 Apr 2024 19:00:23 +0000 Subject: [PATCH 1/7] release: add subpackage for fips Provide overlay mounts so that binaries installed to `/usr/fips/bin` and `/usr/fips/libexec` will be available in the standard paths. Install a bootconfig snippet so that `fips=1` will be added to the kernel command line, and to "systemd.unit=fipsheck.target" to systemd to override any default target. Ensure that `/etc/system-fips` is created by default. This file can be mounted into containers for certain distros (RHEL, Amazon Linux) to trigger the use of FIPS certified crypto. Signed-off-by: Ben Cressey --- packages/release/bootconfig-fips.conf | 2 + packages/release/release-fips-tmpfiles.conf | 1 + packages/release/release.spec | 43 +++++++++++++++++++-- packages/release/usr-bin.mount.in | 14 +++++++ packages/release/usr-libexec.mount.in | 14 +++++++ 5 files changed, 70 insertions(+), 4 deletions(-) create mode 100644 packages/release/bootconfig-fips.conf create mode 100644 packages/release/release-fips-tmpfiles.conf create mode 100644 packages/release/usr-bin.mount.in create mode 100644 packages/release/usr-libexec.mount.in diff --git a/packages/release/bootconfig-fips.conf b/packages/release/bootconfig-fips.conf new file mode 100644 index 00000000000..ed9be5ffc82 --- /dev/null +++ b/packages/release/bootconfig-fips.conf @@ -0,0 +1,2 @@ +kernel.fips = 1 +init.systemd.unit = fipscheck.target diff --git a/packages/release/release-fips-tmpfiles.conf b/packages/release/release-fips-tmpfiles.conf new file mode 100644 index 00000000000..936541f3d73 --- /dev/null +++ b/packages/release/release-fips-tmpfiles.conf @@ -0,0 +1 @@ +f+ /etc/system-fips 0644 root root - diff --git a/packages/release/release.spec b/packages/release/release.spec index 166df0cecff..9442d2985a9 100644 --- a/packages/release/release.spec +++ b/packages/release/release.spec 
@@ -9,11 +9,12 @@ License: Apache-2.0 OR MIT URL: https://github.com/bottlerocket-os/bottlerocket Source11: nsswitch.conf +Source93: release-tmpfiles.conf +Source94: release-fips-tmpfiles.conf Source95: release-systemd-networkd.conf Source96: release-repart-local.conf Source97: release-sysctl.conf Source98: release-systemd-system.conf -Source99: release-tmpfiles.conf Source200: motd.template Source201: proxy-env @@ -71,6 +72,8 @@ Source1080: var-lib-kernel-devel-lower.mount.in Source1081: usr-src-kernels.mount.in Source1082: usr-share-licenses.mount.in Source1083: lib-modules.mount.in +Source1084: usr-bin.mount.in +Source1085: usr-libexec.mount.in # Drop-in units to override defaults Source1100: systemd-tmpfiles-setup-service-debug.conf @@ -86,6 +89,9 @@ Source1300: mount-cdrom.rules # Common logdog configuration Source1400: logdog.common.conf +# bootconfig snippets. +Source1500: bootconfig-fips.conf + Requires: %{_cross_os}acpid Requires: %{_cross_os}audit Requires: %{_cross_os}ca-certificates @@ -118,10 +124,19 @@ Requires: %{_cross_os}shim Requires: %{_cross_os}systemd Requires: %{_cross_os}util-linux Requires: %{_cross_os}xfsprogs +Requires: (%{name}-fips if %{_cross_os}image-feature(fips)) %description %{summary}. +%package fips +Summary: Bottlerocket release, FIPS edition +Requires: (%{_cross_os}image-feature(fips) and %{name}) +Conflicts: %{_cross_os}image-feature(no-fips) + +%description fips +%{summary}. + %prep %build 
@@ -130,6 +145,10 @@ Requires: %{_cross_os}xfsprogs install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir} install -p -m 0644 %{S:11} %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir} +install -d %{buildroot}%{_cross_tmpfilesdir} +install -p -m 0644 %{S:93} %{buildroot}%{_cross_tmpfilesdir}/release.conf +install -p -m 0644 %{S:94} %{buildroot}%{_cross_tmpfilesdir}/release-fips.conf + install -d %{buildroot}%{_cross_libdir}/systemd/networkd.conf.d install -p -m 0644 %{S:95} %{buildroot}%{_cross_libdir}/systemd/networkd.conf.d/80-release.conf @@ -145,9 +164,6 @@ install -p -m 0644 %{S:98} %{buildroot}%{_cross_libdir}/systemd/system.conf.d/80 install -d %{buildroot}%{_cross_libdir}/systemd/network install -p -m 0644 %{S:1200} %{buildroot}%{_cross_libdir}/systemd/network/80-release.link -install -d %{buildroot}%{_cross_tmpfilesdir} -install -p -m 0644 %{S:99} %{buildroot}%{_cross_tmpfilesdir}/release.conf - cat >%{buildroot}%{_cross_libdir}/os-release < ${LIBDIRPATH}-modules.mount install -p -m 0644 ${LIBDIRPATH}-modules.mount %{buildroot}%{_cross_unitdir} +# Mounting on usr/bin requires using the real path: %{_cross_bindir} +BINDIRPATH=$(systemd-escape --path %{_cross_bindir}) +sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:1084} > ${BINDIRPATH}.mount +install -p -m 0644 ${BINDIRPATH}.mount %{buildroot}%{_cross_unitdir} + +# Mounting on usr/libexec requires using the real path: %{_cross_libexecdir} +LIBEXECDIRPATH=$(systemd-escape --path %{_cross_libexecdir}) +sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:1085} > ${LIBEXECDIRPATH}.mount +install -p -m 0644 ${LIBEXECDIRPATH}.mount %{buildroot}%{_cross_unitdir} + install -d %{buildroot}%{_cross_templatedir} install -p -m 0644 %{S:200} %{buildroot}%{_cross_templatedir}/motd install -p -m 0644 %{S:201} %{buildroot}%{_cross_templatedir}/proxy-env 
@@ -213,6 +239,9 @@ install -p -m 0644 %{S:1300} %{buildroot}%{_cross_udevrulesdir}/61-mount-cdrom.r install -d %{buildroot}%{_cross_datadir}/logdog.d install -p -m 0644 %{S:1400} %{buildroot}%{_cross_datadir}/logdog.d +install -d %{buildroot}%{_cross_bootconfigdir} +install -p -m 0644 %{S:1500} %{buildroot}%{_cross_bootconfigdir}/10-fips.conf + ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target %files @@ -282,4 +311,10 @@ ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target %{_cross_udevrulesdir}/61-mount-cdrom.rules %{_cross_datadir}/logdog.d/logdog.common.conf +%files fips +%{_cross_bootconfigdir}/10-fips.conf +%{_cross_tmpfilesdir}/release-fips.conf +%{_cross_unitdir}/*-bin.mount +%{_cross_unitdir}/*-libexec.mount + %changelog diff --git a/packages/release/usr-bin.mount.in b/packages/release/usr-bin.mount.in new file mode 100644 index 00000000000..f21430812a3 --- /dev/null +++ b/packages/release/usr-bin.mount.in @@ -0,0 +1,14 @@ +[Unit] +Description=Binaries +DefaultDependencies=no +Conflicts=umount.target +Before=umount.target + +[Mount] +What=overlay +Where=PREFIX/bin +Type=overlay +Options=lowerdir=PREFIX/fips/bin:PREFIX/bin + +[Install] +WantedBy=local-fs-pre.target diff --git a/packages/release/usr-libexec.mount.in b/packages/release/usr-libexec.mount.in new file mode 100644 index 00000000000..401b2bc33bb --- /dev/null +++ b/packages/release/usr-libexec.mount.in @@ -0,0 +1,14 @@ +[Unit] +Description=Program Binaries +DefaultDependencies=no +Conflicts=umount.target +Before=umount.target opt-cni.mount opt-csi.mount + +[Mount] +What=overlay +Where=PREFIX/libexec +Type=overlay +Options=lowerdir=PREFIX/fips/libexec:PREFIX/libexec + +[Install] +WantedBy=local-fs-pre.target From e786a7bd2dc1c9b0df732348b4af676688ab0589 Mon Sep 17 00:00:00 2001 
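Review bot: The `%files fips` list claims the new mount units by wildcard, `%{_cross_unitdir}/*-bin.mount` and `%{_cross_unitdir}/*-libexec.mount`, so any later unit whose escaped path ends in `-bin` or `-libexec` would silently land in the FIPS subpackage (or be shipped twice). The install step already derives the exact names with `systemd-escape --path`, so the same expansion can be listed, e.g. `%{_cross_unitdir}/usr-bin.mount` and `%{_cross_unitdir}/usr-libexec.mount` if `%{_cross_prefix}` is fixed for the build; if it is not, at least anchor the pattern to the path (`*usr-bin.mount`). A one-line comment stating why a glob is needed would help if the wildcard is kept.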
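Review bot: Nothing orders this overlay ahead of early units that exec from `PREFIX/bin` with `DefaultDependencies=no`, so a unit started before `local-fs-pre.target` may run the non-FIPS binary underneath rather than the one shadowed in from `PREFIX/fips/bin`. Which early units that affects depends on what ends up in `/usr/fips/bin`, which is not visible here; units that must see the FIPS variants should declare `RequiresMountsFor=/usr/bin`, and this unit should say what it guarantees, e.g. `# Only units ordered after local-fs-pre.target are guaranteed to see the FIPS overlay`. The lowerdir-only overlay is read-only, which is the right shape for shadowing system binaries; worth a comment too since the absence of `upperdir` is easy to misread as an omission.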
From: Ben Cressey Date: Sat, 6 Apr 2024 18:53:50 +0000 Subject: [PATCH 2/7] release: allow manual start/stop for preconfigured This allows other "runlevel" targets to run before "preconfigured". Signed-off-by: Ben Cressey --- packages/release/preconfigured.target | 3 --- 1 file changed, 3 deletions(-) diff --git a/packages/release/preconfigured.target b/packages/release/preconfigured.target index f89e1d582f4..92032d17246 100644 --- a/packages/release/preconfigured.target +++ b/packages/release/preconfigured.target @@ -3,9 +3,6 @@ Description=Bottlerocket initial configuration complete AllowIsolate=yes After=basic.target Requires=basic.target -# Prevent manually starting/stopping the target -RefuseManualStart=true -RefuseManualStop=true [Install] RequiredBy=configured.target multi-user.target From 83714cca23343d78a4ed1e3672064b76fa1260ea Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sat, 6 Apr 2024 18:55:11 +0000 Subject: [PATCH 3/7] release: adjust prepare-boot service dependencies The prepare-boot service calls `prairiedog prepare-boot`, which needs to find the active partition set in order to mount the correct boot filesystem. Previously, this depended on the mark-boot-successful service, which adjuts the GPT flags for the active partition set. However, it does not actually change the active partition set, so it's not actually a required dependency for prepare-boot. This matters for FIPS integrity checks because the boot filesystem must be mounted to verify the kernel's HMAC. If the boot is marked as successful and then the integrity check fails, the system could not then be rebooted back into the previous partition set. Signed-off-by: Ben Cressey --- packages/release/prepare-boot.service | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/release/prepare-boot.service b/packages/release/prepare-boot.service index 2231689b297..89e8d2b8bc4 100644 --- a/packages/release/prepare-boot.service +++ b/packages/release/prepare-boot.service 
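Review bot: Dropping `RefuseManualStop=true` goes beyond the stated goal of letting other targets run first; the new activate-preconfigured.service only needs manual start to be allowed for `systemctl isolate default`, while nothing in this series appears to stop `preconfigured.target` by hand. Keeping `RefuseManualStop=true` preserves the previous guard against an operator tearing down the initial-configuration target at runtime, and the removed comment could become `# Manual start is allowed so fipscheck.target can isolate into this target`. If manual stop is in fact needed, the commit message should say why.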
@@ -2,8 +2,7 @@ Description=Prepare Boot Directory (/boot) RefuseManualStart=true RefuseManualStop=true -After=mark-successful-boot.service -Requires=mark-successful-boot.service +DefaultDependencies=no [Service] Type=oneshot From 4eb76c5a8c892ff6ae25ceaffcde46956ccde978 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sat, 6 Apr 2024 18:23:47 +0000 Subject: [PATCH 4/7] packages: add libkcapi The `sha512hmac` program is required to check kernel integrity when running in FIPS mode. Signed-off-by: Ben Cressey --- packages/libkcapi/Cargo.toml | 19 ++++++++ packages/libkcapi/libkcapi.spec | 79 +++++++++++++++++++++++++++++++++ 2 files changed, 98 insertions(+) create mode 100644 packages/libkcapi/Cargo.toml create mode 100644 packages/libkcapi/libkcapi.spec diff --git a/packages/libkcapi/Cargo.toml b/packages/libkcapi/Cargo.toml new file mode 100644 index 00000000000..cd7ad6a29b7 --- /dev/null +++ b/packages/libkcapi/Cargo.toml @@ -0,0 +1,19 @@ +[package] +name = "libkcapi" +version = "0.1.0" +edition = "2021" +publish = false +build = "../build.rs" + +[lib] +path = "../packages.rs" + +[package.metadata.build-package] +releases-url = "https://github.com/smuellerDD/libkcapi/releases" + +[[package.metadata.build-package.external-files]] +url = "https://github.com/smuellerDD/libkcapi/archive/v1.5.0/libkcapi-1.5.0.tar.gz" +sha512 = "510d0606cdc9479a77ed07bd3ac59b07c3996402a85cee012e6836d0a31cb06f5b7f715cdb76f3745784aab3154595caec4537b4c774236a139ebfe6e1a8be9b" + +[build-dependencies] +glibc = { path = "../glibc" } diff --git a/packages/libkcapi/libkcapi.spec b/packages/libkcapi/libkcapi.spec new file mode 100644 index 00000000000..f68fc2938a7 --- /dev/null +++ b/packages/libkcapi/libkcapi.spec 
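Review bot: With `DefaultDependencies=no` added and the `After=mark-successful-boot.service` line removed, this unit now carries no ordering at all, so `prairiedog prepare-boot` can be scheduled before the device node it needs to locate and mount the boot filesystem has been created. If it depends on udev-populated devices or on any mount, add an explicit ordering such as `After=systemd-udevd.service` or a `Requires=`/`After=` on the boot partition's `.device` unit; if it reads the GPT straight from a node that always exists, a comment saying so, e.g. `# No ordering needed: the active partition set is read directly from the root block device`, would stop the next reader from re-adding one. The new check-kernel-integrity.service orders after this unit and therefore inherits whatever gap is left here.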
@@ -0,0 +1,79 @@ +# libkcapi since 85bce6035b (1.5.0) uses sha512hmac with the same key for all +# self-checks. Earlier versions used sha256hmac with a different key to check +# the shared library. +%global openssl_sha512_hmac openssl sha512 -hmac FIPS-FTW-RHT2009 -hex + +# We need to compute the HMAC after the binaries have been stripped. +%define __spec_install_post\ +%{?__debug_package:%{__debug_install_post}}\ +%{__arch_install_post}\ +%{__os_install_post}\ +cd %{buildroot}/%{_cross_bindir}\ +%openssl_sha512_hmac kcapi-hasher\\\ + | awk '{ print $2 }' > .kcapi-hasher.hmac\ +ln -s .kcapi-hasher.hmac .sha512hmac.hmac\ +cd %{buildroot}/%{_cross_libdir}\ +%openssl_sha512_hmac libkcapi.so.%{version}\\\ + | awk '{ print $2 }' > .libkcapi.so.%{version}.hmac\ +ln -s .libkcapi.so.%{version}.hmac .libkcapi.so.1.hmac\ +%{nil} + +Name: %{_cross_os}libkcapi +Version: 1.5.0 +Release: 1%{?dist} +Summary: Library for kernel crypto API +License: BSD-3-Clause OR GPL-2.0-only +URL: https://www.chronox.de/libkcapi/html/index.html +Source0: https://github.com/smuellerDD/libkcapi/archive/v%{version}/libkcapi-%{version}.tar.gz +BuildRequires: %{_cross_os}glibc-devel + +%description +%{summary}. + +%package devel +Summary: Files for development using the library for kernel crypto API +Requires: %{name} + +%description devel +%{summary}. 
+ +%prep +%autosetup -n libkcapi-%{version} -p1 + +%build +autoreconf -fi +%cross_configure \ + --enable-static \ + --enable-shared \ + --enable-kcapi-hasher \ + +%force_disable_rpath + +%make_build + +%install +%make_install + +ln -s kcapi-hasher %{buildroot}%{_cross_bindir}/sha512hmac +find %{buildroot} -type f -name '*.hmac' -delete + +%files +%license COPYING COPYING.bsd COPYING.gplv2 +%{_cross_attribution_file} +%{_cross_libdir}/*.so.* +%{_cross_libdir}/.*.so.*.hmac +%{_cross_bindir}/kcapi-hasher +%{_cross_bindir}/.kcapi-hasher.hmac +%{_cross_bindir}/sha512hmac +%{_cross_bindir}/.sha512hmac.hmac + +%exclude %{_cross_libexecdir}/libkcapi +%exclude %{_cross_mandir} + +%files devel +%{_cross_libdir}/*.a +%{_cross_libdir}/*.so +%{_cross_includedir}/kcapi.h +%{_cross_pkgconfigdir}/*.pc + +%changelog From 4cd64f0c19475ea26b297e5ad2cc9583a9536d0a Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Wed, 10 Apr 2024 19:03:37 +0000 Subject: [PATCH 5/7] release: add FIPS power-on self-tests On boot, before starting any other services, ensure that the kernel's HMAC signature is valid. Then load any crypto modules included in the FIPS module boundary before running the "tcrypt" self-test. Any failures in these tests will cause the system to halt. 
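Review bot: The HMAC key `FIPS-FTW-RHT2009` is written in clear text in `%global openssl_sha512_hmac`, so the `.hmac` sidecars only detect a mismatch between a binary and its digest; anyone able to replace `kcapi-hasher` or `libkcapi.so` can regenerate them with the same key. That is what the FIPS 140 software integrity test requires, but a comment should prevent it being mistaken for tamper protection, e.g. `# The key is libkcapi's built-in default and is not secret: this is the FIPS 140 integrity self-test, not a tamper-evidence control; that must come from the boot/rootfs verification chain outside this package.` Separately, the trailing `\` after `--enable-kcapi-hasher` continues the `%cross_configure` command onto the blank line that follows; drop it so `%force_disable_rpath` is visibly a separate step.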
Signed-off-by: Ben Cressey --- packages/release/Cargo.toml | 1 + .../release/activate-preconfigured.service | 16 +++++++++++ packages/release/check-fips-modules.service | 22 +++++++++++++++ .../release/check-kernel-integrity.service | 22 +++++++++++++++ packages/release/fips-modprobe@.service | 25 +++++++++++++++++ packages/release/fipscheck.target | 8 ++++++ packages/release/prepare-boot.service | 3 ++- packages/release/release-fips-tmpfiles.conf | 1 + packages/release/release.spec | 27 +++++++++++++++---- variants/Cargo.lock | 8 ++++++ 10 files changed, 127 insertions(+), 6 deletions(-) create mode 100644 packages/release/activate-preconfigured.service create mode 100644 packages/release/check-fips-modules.service create mode 100644 packages/release/check-kernel-integrity.service create mode 100644 packages/release/fips-modprobe@.service create mode 100644 packages/release/fipscheck.target diff --git a/packages/release/Cargo.toml b/packages/release/Cargo.toml index f03089ef748..f36fa955177 100644 --- a/packages/release/Cargo.toml +++ b/packages/release/Cargo.toml @@ -37,6 +37,7 @@ kexec-tools = { path = "../../packages/kexec-tools" } keyutils = { path = "../keyutils" } libaudit = { path = "../libaudit" } libgcc = { path = "../libgcc" } +libkcapi = { path = "../libkcapi" } libstd-rust = { path = "../libstd-rust" } makedumpfile = { path = "../../packages/makedumpfile" } os = { path = "../os" } diff --git a/packages/release/activate-preconfigured.service b/packages/release/activate-preconfigured.service new file mode 100644 index 00000000000..48618017397 --- /dev/null +++ b/packages/release/activate-preconfigured.service 
@@ -0,0 +1,16 @@ +[Unit] +Description=Isolates preconfigured.target +DefaultDependencies=no +After=fipscheck.target +Requires=fipscheck.target + +[Service] +Type=oneshot +ExecStart=/usr/bin/systemctl set-default preconfigured +ExecStart=/usr/bin/systemctl isolate default --no-block +RemainAfterExit=true +StandardOutput=tty +StandardError=inherit + +[Install] +WantedBy=fipscheck.target diff --git a/packages/release/check-fips-modules.service b/packages/release/check-fips-modules.service new file mode 100644 index 00000000000..e9c1e47627d --- /dev/null +++ b/packages/release/check-fips-modules.service @@ -0,0 +1,22 @@ +[Unit] +Description=Run FIPS crypto module check +RefuseManualStart=true +RefuseManualStop=true +DefaultDependencies=no +Before=fipscheck.target +After=check-kernel-integrity.service +Requires=check-kernel-integrity.service +ConditionKernelCommandLine=fips=1 +ConditionPathExists=!/etc/.fips-module-check-passed + +[Service] +Type=oneshot +ExecStart=/usr/bin/modprobe tcrypt +ExecStart=/usr/bin/rmmod tcrypt +ExecStart=/usr/bin/touch /etc/.fips-module-check-passed +RemainAfterExit=true +StandardOutput=tty +StandardError=inherit + +[Install] +RequiredBy=fipscheck.target diff --git a/packages/release/check-kernel-integrity.service b/packages/release/check-kernel-integrity.service new file mode 100644 index 00000000000..e239b42e4f0 --- /dev/null +++ b/packages/release/check-kernel-integrity.service 
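Review bot: A failing `modprobe tcrypt` (or `rmmod`) fails this unit and with it `fipscheck.target`, which merely leaves the machine stalled at that target because activate-preconfigured.service never runs; nothing in these units performs the halt the commit message describes. Add `FailureAction=poweroff-force` to `[Unit]` here and in check-kernel-integrity.service (or an `OnFailure=` unit that logs the reason before halting) so a self-test failure is a hard stop rather than a hung instance. The `ConditionPathExists=!/etc/.fips-module-check-passed` guard only limits re-runs within one boot if `/etc` is volatile; if `/etc` ever persists the power-on self-test would be skipped on later boots, so record the assumption with `# /etc is recreated on every boot; this marker only prevents re-running the check within a single boot`.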
@@ -0,0 +1,22 @@ +[Unit] +Description=Run FIPS kernel integrity check +RefuseManualStart=true +RefuseManualStop=true +DefaultDependencies=no +Before=fipscheck.target +After=prepare-boot.service +Requires=prepare-boot.service +ConditionKernelCommandLine=fips=1 +ConditionPathExists=!/etc/.fips-kernel-check-passed + +[Service] +Type=oneshot +WorkingDirectory=/boot +ExecStart=/usr/bin/sha512hmac -q -c /boot/.vmlinuz.hmac +ExecStart=/usr/bin/touch /etc/.fips-kernel-check-passed +RemainAfterExit=true +StandardOutput=tty +StandardError=inherit + +[Install] +RequiredBy=fipscheck.target diff --git a/packages/release/fips-modprobe@.service b/packages/release/fips-modprobe@.service new file mode 100644 index 00000000000..9b0d61f7c2d --- /dev/null +++ b/packages/release/fips-modprobe@.service @@ -0,0 +1,25 @@ +[Unit] +Description=Load FIPS crypto module %i +RefuseManualStart=true +RefuseManualStop=true +DefaultDependencies=no +Before=fipscheck.target +After=check-kernel-integrity.service +Requires=check-kernel-integrity.service +StartLimitIntervalSec=0 +ConditionKernelCommandLine=fips=1 +ConditionPathExists=!/etc/.fips-module-check-passed + +[Service] +Type=oneshot +# Check if it's a generic algorithm the kernel provides. If so, don't continue. +ExecCondition=/usr/bin/grep -qvzE '(name|driver)\\s+:\\s+%i\\s+' /proc/crypto +# Otherwise, attempt to load the module. +ExecStart=-/sbin/modprobe %i +# Ensure that the stderr file exists. Otherwise, grep fails on an empty file. +ExecStart=-/usr/bin/touch /.read-only.%i +# Succeed unless there was a fatal error. +ExecStart=/usr/bin/grep -Fqvzw FATAL /etc/.fips-modprobe.%i +RemainAfterExit=true +StandardOutput=tty +StandardError=append:/etc/.fips-modprobe.%i diff --git a/packages/release/fipscheck.target b/packages/release/fipscheck.target new file mode 100644 index 00000000000..25bb15ec0da --- /dev/null +++ b/packages/release/fipscheck.target 
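Review bot: `sha512hmac -q -c /boot/.vmlinuz.hmac` is invoked without a key option, so as far as this hunk shows it verifies with libkcapi's built-in default key, and the `.vmlinuz.hmac` sidecar lives on the same boot filesystem as the kernel it covers; anyone who can write `/boot` can rewrite the sidecar as well. The unit should state that this is the FIPS 140 kernel integrity test and not tamper protection, e.g. `# FIPS 140 kernel integrity test: detects a kernel/HMAC mismatch; tamper resistance must come from the boot chain`. Like the module check, a mismatch here currently stalls the boot rather than halting it, so the same `FailureAction=` treatment applies.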
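Review bot: `ExecStart=-/usr/bin/touch /.read-only.%i` does not create the stderr file the comment above it refers to; it appears to rely on the touch failing against a read-only `/` so that its error text lands in `/etc/.fips-modprobe.%i` and the following `grep -Fqvzw FATAL` sees a non-empty file. On any build where `/` is writable the touch succeeds, the log stays empty, `grep -v -z` exits 1, and the unit fails, stalling the boot at fipscheck.target for a module that loaded fine. Replace the pair with a check that passes on an empty log, e.g. `ExecStart=/usr/bin/sh -c '! grep -Fqw FATAL /etc/.fips-modprobe.%i'` (using whatever shell path the image ships), and either drop the touch or comment the read-only dependency explicitly. The unit also calls `/sbin/modprobe` while check-fips-modules.service uses `/usr/bin/modprobe`; pick one path, and note that `%i` is spliced unescaped into the `ExecCondition` regex, so the drop-in list must only contain `[A-Za-z0-9_-]` names.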
@@ -0,0 +1,8 @@ +[Unit] +Description=FIPS integrity check +AllowIsolate=false +RefuseManualStart=true +RefuseManualStop=true + +[Install] +WantedBy=preconfigured.target diff --git a/packages/release/prepare-boot.service b/packages/release/prepare-boot.service index 89e8d2b8bc4..cffe8dc000f 100644 --- a/packages/release/prepare-boot.service +++ b/packages/release/prepare-boot.service @@ -10,7 +10,8 @@ Type=oneshot # trivial to figure out which partition set is active ExecStart=/usr/bin/prairiedog prepare-boot RemainAfterExit=true -StandardError=journal+console +StandardOutput=tty +StandardError=inherit [Install] WantedBy=preconfigured.target diff --git a/packages/release/release-fips-tmpfiles.conf b/packages/release/release-fips-tmpfiles.conf index 936541f3d73..f53c0919f13 100644 --- a/packages/release/release-fips-tmpfiles.conf +++ b/packages/release/release-fips-tmpfiles.conf @@ -1 +1,2 @@ f+ /etc/system-fips 0644 root root - +r /etc/.fips-modprobe.* diff --git a/packages/release/release.spec b/packages/release/release.spec index 9442d2985a9..879fe84d6cc 100644 --- a/packages/release/release.spec +++ b/packages/release/release.spec @@ -31,10 +31,12 @@ Source209: log4j-hotpatch-enabled Source1001: multi-user.target Source1002: configured.target Source1003: preconfigured.target -Source1004: activate-configured.service -Source1005: activate-multi-user.service -Source1006: set-hostname.service -Source1007: runtime.slice +Source1004: fipscheck.target +Source1005: activate-preconfigured.service +Source1006: activate-configured.service +Source1007: activate-multi-user.service +Source1008: set-hostname.service +Source1009: runtime.slice # Mount units. Source1020: var.mount 
@@ -66,6 +68,9 @@ Source1061: disable-kexec-load.service Source1062: load-crash-kernel.service Source1063: deprecation-warning@.service Source1064: deprecation-warning@.timer +Source1065: check-kernel-integrity.service +Source1066: check-fips-modules.service +Source1067: fips-modprobe@.service # Mounts that require build-time edits. Source1080: var-lib-kernel-devel-lower.mount.in @@ -133,6 +138,7 @@ Requires: (%{name}-fips if %{_cross_os}image-feature(fips)) Summary: Bottlerocket release, FIPS edition Requires: (%{_cross_os}image-feature(fips) and %{name}) Conflicts: %{_cross_os}image-feature(no-fips) +Requires: %{_cross_os}libkcapi %description fips %{summary}. @@ -172,12 +178,13 @@ EOF install -d %{buildroot}%{_cross_unitdir} install -p -m 0644 \ %{S:1001} %{S:1002} %{S:1003} %{S:1004} %{S:1005} \ - %{S:1006} %{S:1007} \ + %{S:1006} %{S:1007} %{S:1008} %{S:1009} \ %{S:1020} %{S:1021} %{S:1022} %{S:1023} %{S:1024} \ %{S:1025} %{S:1026} %{S:1027} %{S:1028} %{S:1029} \ %{S:1040} %{S:1041} %{S:1042} %{S:1043} %{S:1044} \ %{S:1045} %{S:1046} %{S:1047} %{S:1048} %{S:1049} \ %{S:1060} %{S:1061} %{S:1062} %{S:1063} %{S:1064} \ + %{S:1065} %{S:1066} %{S:1067} \ %{buildroot}%{_cross_unitdir} install -d %{buildroot}%{_cross_unitdir}/systemd-tmpfiles-setup.service.d @@ -192,6 +199,10 @@ install -d %{buildroot}%{_cross_unitdir}/systemd-networkd.service.d install -p -m 0644 %{S:1102} \ %{buildroot}%{_cross_unitdir}/systemd-networkd.service.d/00-env.conf +# Empty (but packaged) directory. The FIPS packages for kernels will add drop-ins to +# this directory to arrange for the right modules to be loaded before the check runs. +install -d %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d + LOWERPATH=$(systemd-escape --path %{_cross_sharedstatedir}/kernel-devel/.overlay/lower) sed -e 's|PREFIX|%{_cross_prefix}|' %{S:1080} > ${LOWERPATH}.mount install -p -m 0644 ${LOWERPATH}.mount %{buildroot}%{_cross_unitdir} 
@@ -316,5 +327,11 @@ ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target %{_cross_tmpfilesdir}/release-fips.conf %{_cross_unitdir}/*-bin.mount %{_cross_unitdir}/*-libexec.mount +%{_cross_unitdir}/fipscheck.target +%{_cross_unitdir}/activate-preconfigured.service +%{_cross_unitdir}/check-kernel-integrity.service +%{_cross_unitdir}/check-fips-modules.service +%dir %{_cross_unitdir}/check-fips-modules.service.d +%{_cross_unitdir}/fips-modprobe@.service %changelog diff --git a/variants/Cargo.lock b/variants/Cargo.lock index e58ef1cb3c1..75a1575e78d 100644 --- a/variants/Cargo.lock +++ b/variants/Cargo.lock @@ -789,6 +789,13 @@ dependencies = [ "glibc", ] +[[package]] +name = "libkcapi" +version = "0.1.0" +dependencies = [ + "glibc", +] + [[package]] name = "libmnl" version = "0.1.0" @@ -1156,6 +1163,7 @@ dependencies = [ "keyutils", "libaudit", "libgcc", + "libkcapi", "libstd-rust", "makedumpfile", "oci-add-hooks", From 51982c6aa460f82eba219086cdb51e360f28d701 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sat, 6 Apr 2024 19:01:43 +0000 Subject: [PATCH 6/7] kernel-5.10, -5.15: conflict with FIPS image feature No FIPS certification is planned for the upstream Amazon Linux 5.10 and 5.15 kernels, so prevent them from being installed in the image when the FIPS image feature flag is enabled. Signed-off-by: Ben Cressey --- packages/kernel-5.10/kernel-5.10.spec | 3 +++ packages/kernel-5.15/kernel-5.15.spec | 3 +++ 2 files changed, 6 insertions(+) diff --git a/packages/kernel-5.10/kernel-5.10.spec b/packages/kernel-5.10/kernel-5.10.spec index d616a5997cd..891289f1ff2 100644 --- a/packages/kernel-5.10/kernel-5.10.spec +++ b/packages/kernel-5.10/kernel-5.10.spec 
@@ -45,6 +45,9 @@ Requires: %{_cross_os}microcode-licenses Requires: %{name}-modules = %{version}-%{release} Requires: %{name}-devel = %{version}-%{release} +# The 5.10 kernel is not FIPS certified. +Conflicts: %{_cross_os}image-feature(fips) + %global kernel_sourcedir %{_cross_usrsrc}/kernels %global kernel_libdir %{_cross_libdir}/modules/%{version} diff --git a/packages/kernel-5.15/kernel-5.15.spec b/packages/kernel-5.15/kernel-5.15.spec index 26dad62ea2b..d2378ad0c58 100644 --- a/packages/kernel-5.15/kernel-5.15.spec +++ b/packages/kernel-5.15/kernel-5.15.spec @@ -40,6 +40,9 @@ Requires: %{_cross_os}microcode-licenses Requires: %{name}-modules = %{version}-%{release} Requires: %{name}-devel = %{version}-%{release} +# The 5.15 kernel is not FIPS certified. +Conflicts: %{_cross_os}image-feature(fips) + %global kernel_sourcedir %{_cross_usrsrc}/kernels %global kernel_libdir %{_cross_libdir}/modules/%{version} From d565225644ba90c6ebb665e2cb4503fa390171e2 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sat, 6 Apr 2024 19:04:55 +0000 Subject: [PATCH 7/7] kernel-6.1: add FIPS modules for crypto self-test Signed-off-by: Ben Cressey --- .../check-fips-modules.drop-in.conf.in | 3 ++ packages/kernel-6.1/fipsmodules-aarch64 | 52 +++++++++++++++++++ packages/kernel-6.1/fipsmodules-x86_64 | 44 ++++++++++++++++ packages/kernel-6.1/kernel-6.1.spec | 34 ++++++++++++ 4 files changed, 133 insertions(+) create mode 100644 packages/kernel-6.1/check-fips-modules.drop-in.conf.in create mode 100644 packages/kernel-6.1/fipsmodules-aarch64 create mode 100644 packages/kernel-6.1/fipsmodules-x86_64 diff --git a/packages/kernel-6.1/check-fips-modules.drop-in.conf.in b/packages/kernel-6.1/check-fips-modules.drop-in.conf.in new file mode 100644 index 00000000000..c55854796c9 --- /dev/null +++ b/packages/kernel-6.1/check-fips-modules.drop-in.conf.in @@ -0,0 +1,3 @@ +[Unit] +Requires=fips-modprobe@__FIPS_MODULE__.service +After=fips-modprobe@__FIPS_MODULE__.service 
diff --git a/packages/kernel-6.1/fipsmodules-aarch64 b/packages/kernel-6.1/fipsmodules-aarch64 new file mode 100644 index 00000000000..16831394a07 --- /dev/null +++ b/packages/kernel-6.1/fipsmodules-aarch64 @@ -0,0 +1,52 @@ +sha1 +sha224 +sha256 +sha384 +sha512 +sha3-224 +sha3-256 +sha3-384 +sha3-512 +crc32c +crct10dif +ghash +xxhash64 +ghash-ce +sha1-ce +sha2-ce +sha256-arm64 +sha3-ce +sha512-arm64 +sha512-ce +cipher_null +des3_ede +aes +cfb +dh +ecdh +aes-arm64 +aes-ce-blk +aes-ce-ccm +aes-ce-cipher +aes-neon-blk +aes-neon-bs +ecb +cbc +ctr +xts +gcm +ccm +authenc +hmac +cmac +ofb +cts +lzo +essiv +seqiv +drbg +aead +cryptomgr +tcrypt +crypto_user +rsa diff --git a/packages/kernel-6.1/fipsmodules-x86_64 b/packages/kernel-6.1/fipsmodules-x86_64 new file mode 100644 index 00000000000..a674fe5726c --- /dev/null +++ b/packages/kernel-6.1/fipsmodules-x86_64 @@ -0,0 +1,44 @@ +sha1 +sha224 +sha256 +sha384 +sha512 +sha3-224 +sha3-256 +sha3-384 +sha3-512 +crc32c +crct10dif +ghash +xxhash64 +ghash_clmulni_intel +sha1-ssse3 +sha256-ssse3 +sha512-ssse3 +cipher_null +des3_ede +aes +cfb +dh +ecdh +aesni-intel +ecb +cbc +ctr +xts +gcm +ccm +authenc +hmac +cmac +ofb +cts +lzo +essiv +seqiv +drbg +aead +cryptomgr +tcrypt +crypto_user +rsa diff --git a/packages/kernel-6.1/kernel-6.1.spec b/packages/kernel-6.1/kernel-6.1.spec index 1ddb005a8e4..36fa01739b7 100644 --- a/packages/kernel-6.1/kernel-6.1.spec +++ b/packages/kernel-6.1/kernel-6.1.spec 
@@ -13,6 +13,12 @@ Source101: config-bottlerocket-aws Source102: config-bottlerocket-metal Source103: config-bottlerocket-vmware +# This list of FIPS modules is extracted from /etc/fipsmodules in the initramfs +# after placing AL2023 in FIPS mode. +Source200: check-fips-modules.drop-in.conf.in +Source201: fipsmodules-x86_64 +Source202: fipsmodules-aarch64 + # Help out-of-tree module builds run `make prepare` automatically. Patch1001: 1001-Makefile-add-prepare-target-for-external-modules.patch # Expose tools/* targets for out-of-tree module builds. @@ -43,6 +49,9 @@ Requires: %{_cross_os}microcode-licenses Requires: %{name}-modules = %{version}-%{release} Requires: %{name}-devel = %{version}-%{release} +# Pull in FIPS-related files if needed. +Requires: (%{name}-fips if %{_cross_os}image-feature(fips)) + %global kernel_sourcedir %{_cross_usrsrc}/kernels %global kernel_libdir %{_cross_libdir}/modules/%{version} @@ -73,6 +82,14 @@ Summary: Header files for the Linux kernel for use by glibc %description headers %{summary}. +%package fips +Summary: FIPS related configuration for the Linux kernel +Requires: (%{_cross_os}image-feature(fips) and %{name}) +Conflicts: %{_cross_os}image-feature(no-fips) + +%description fips +%{summary}. + %prep rpm2cpio %{SOURCE0} | cpio -iu linux-%{version}.tar config-%{_cross_arch} "*.patch" tar -xof linux-%{version}.tar; rm linux-%{version}.tar 
@@ -233,6 +250,20 @@ rm -f %{buildroot}%{kernel_libdir}/build %{buildroot}%{kernel_libdir}/source ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/build ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source +# Ensure that each required FIPS module is loaded as a dependency of the +# check-fips-module.service. The list of FIPS modules is different across +# kernels but the check is consistent: it loads the "tcrypt" module after +# the other modules are loaded. +mkdir -p %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d +i=0 +for fipsmod in $(cat %{_sourcedir}/fipsmodules-%{_cross_arch}) ; do + [ "${fipsmod}" == "tcrypt" ] && continue + drop_in="$(printf "%03d\n" "${i}")-${fipsmod}.conf" + sed -e "s|__FIPS_MODULE__|${fipsmod}|g" %{S:200} \ + > %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d/"${drop_in}" + (( i+=1 )) +done + %files %license COPYING LICENSES/preferred/GPL-2.0 LICENSES/exceptions/Linux-syscall-note %{_cross_attribution_file} @@ -274,4 +305,7 @@ ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source %files archive %{_cross_datadir}/bottlerocket/kernel-devel.tar.xz +%files fips +%{_cross_unitdir}/check-fips-modules.service.d/*.conf + %changelog
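Review bot: The drop-in loop iterates `$(cat …)`, which word-splits the module list, and compares with `[ "${fipsmod}" == "tcrypt" ]`, a bash-only form inside `[`; the comment above it also names `check-fips-module.service` while the unit is `check-fips-modules.service`. Reading the file line by line fixes both: `while IFS= read -r fipsmod; do` … `done < %{_sourcedir}/fipsmodules-%{_cross_arch}`, with `[ "${fipsmod}" = "tcrypt" ] && continue` (plus a `[ -z "${fipsmod}" ] && continue` so a blank line does not produce an empty instance name). Because each name is spliced into a sed expression and into a systemd instance name, a one-line comment stating that the list must contain only `[A-Za-z0-9_-]` module names would record that constraint next to the code that depends on it.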