add release-fips package for FIPS-related functionality

packages/kernel-5.10/kernel-5.10.spec

@@ -45,6 +45,9 @@ Requires: %{_cross_os}microcode-licenses
 Requires: %{name}-modules = %{version}-%{release}
 Requires: %{name}-devel = %{version}-%{release}
 
+# The 5.10 kernel is not FIPS certified.
+Conflicts: %{_cross_os}image-feature(fips)
+
 %global kernel_sourcedir %{_cross_usrsrc}/kernels
 %global kernel_libdir %{_cross_libdir}/modules/%{version}
 

packages/kernel-5.15/kernel-5.15.spec

@@ -40,6 +40,9 @@ Requires: %{_cross_os}microcode-licenses
 Requires: %{name}-modules = %{version}-%{release}
 Requires: %{name}-devel = %{version}-%{release}
 
+# The 5.15 kernel is not FIPS certified.
+Conflicts: %{_cross_os}image-feature(fips)
+
 %global kernel_sourcedir %{_cross_usrsrc}/kernels
 %global kernel_libdir %{_cross_libdir}/modules/%{version}
 

packages/kernel-6.1/check-fips-modules.drop-in.conf.in

@@ -0,0 +1,3 @@
+[Unit]
+Requires=fips-modprobe@__FIPS_MODULE__.service
+After=fips-modprobe@__FIPS_MODULE__.service

packages/kernel-6.1/fipsmodules-aarch64

@@ -0,0 +1,52 @@
+sha1
+sha224
+sha256
+sha384
+sha512
+sha3-224
+sha3-256
+sha3-384
+sha3-512
+crc32c
+crct10dif
+ghash
+xxhash64
+ghash-ce
+sha1-ce
+sha2-ce
+sha256-arm64
+sha3-ce
+sha512-arm64
+sha512-ce
+cipher_null
+des3_ede
+aes
+cfb
+dh
+ecdh
+aes-arm64
+aes-ce-blk
+aes-ce-ccm
+aes-ce-cipher
+aes-neon-blk
+aes-neon-bs
+ecb
+cbc
+ctr
+xts
+gcm
+ccm
+authenc
+hmac
+cmac
+ofb
+cts
+lzo
+essiv
+seqiv
+drbg
+aead
+cryptomgr
+tcrypt
+crypto_user
+rsa

packages/kernel-6.1/fipsmodules-x86_64

@@ -0,0 +1,44 @@
+sha1
+sha224
+sha256
+sha384
+sha512
+sha3-224
+sha3-256
+sha3-384
+sha3-512
+crc32c
+crct10dif
+ghash
+xxhash64
+ghash_clmulni_intel
+sha1-ssse3
+sha256-ssse3
+sha512-ssse3
+cipher_null
+des3_ede
+aes
+cfb
+dh
+ecdh
+aesni-intel
+ecb
+cbc
+ctr
+xts
+gcm
+ccm
+authenc
+hmac
+cmac
+ofb
+cts
+lzo
+essiv
+seqiv
+drbg
+aead
+cryptomgr
+tcrypt
+crypto_user
+rsa

packages/kernel-6.1/kernel-6.1.spec

@@ -13,6 +13,12 @@ Source101: config-bottlerocket-aws
 Source102: config-bottlerocket-metal
 Source103: config-bottlerocket-vmware
 
+# This list of FIPS modules is extracted from /etc/fipsmodules in the initramfs
+# after placing AL2023 in FIPS mode.
+Source200: check-fips-modules.drop-in.conf.in
+Source201: fipsmodules-x86_64
+Source202: fipsmodules-aarch64
+
 # Help out-of-tree module builds run `make prepare` automatically.
 Patch1001: 1001-Makefile-add-prepare-target-for-external-modules.patch
 # Expose tools/* targets for out-of-tree module builds.
@@ -43,6 +49,9 @@ Requires: %{_cross_os}microcode-licenses
 Requires: %{name}-modules = %{version}-%{release}
 Requires: %{name}-devel = %{version}-%{release}
 
+# Pull in FIPS-related files if needed.
+Requires: (%{name}-fips if %{_cross_os}image-feature(fips))
+
 %global kernel_sourcedir %{_cross_usrsrc}/kernels
 %global kernel_libdir %{_cross_libdir}/modules/%{version}
 
@@ -73,6 +82,14 @@ Summary: Header files for the Linux kernel for use by glibc
 %description headers
 %{summary}.
 
+%package fips
+Summary: FIPS related configuration for the Linux kernel
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: %{_cross_os}image-feature(no-fips)
+
+%description fips
+%{summary}.
+
 %prep
 rpm2cpio %{SOURCE0} | cpio -iu linux-%{version}.tar config-%{_cross_arch} "*.patch"
 tar -xof linux-%{version}.tar; rm linux-%{version}.tar
@@ -233,6 +250,20 @@ rm -f %{buildroot}%{kernel_libdir}/build %{buildroot}%{kernel_libdir}/source
 ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/build
 ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source
 
+# Ensure that each required FIPS module is loaded as a dependency of the
+# check-fips-module.service. The list of FIPS modules is different across
+# kernels but the check is consistent: it loads the "tcrypt" module after
+# the other modules are loaded.
+mkdir -p %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d
+i=0
+for fipsmod in $(cat %{_sourcedir}/fipsmodules-%{_cross_arch}) ; do
+  [ "${fipsmod}" == "tcrypt" ] && continue
+  drop_in="$(printf "%03d\n" "${i}")-${fipsmod}.conf"
+  sed -e "s|__FIPS_MODULE__|${fipsmod}|g" %{S:200} \
+    > %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d/"${drop_in}"
+  (( i+=1 ))
+done
+
 %files
 %license COPYING LICENSES/preferred/GPL-2.0 LICENSES/exceptions/Linux-syscall-note
 %{_cross_attribution_file}
@@ -274,4 +305,7 @@ ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source
 %files archive
 %{_cross_datadir}/bottlerocket/kernel-devel.tar.xz
 
+%files fips
+%{_cross_unitdir}/check-fips-modules.service.d/*.conf
+
 %changelog

packages/libkcapi/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "libkcapi"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "../build.rs"
+
+[lib]
+path = "../packages.rs"
+
+[package.metadata.build-package]
+releases-url = "https://github.com/smuellerDD/libkcapi/releases"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/smuellerDD/libkcapi/archive/v1.5.0/libkcapi-1.5.0.tar.gz"
+sha512 = "510d0606cdc9479a77ed07bd3ac59b07c3996402a85cee012e6836d0a31cb06f5b7f715cdb76f3745784aab3154595caec4537b4c774236a139ebfe6e1a8be9b"
+
+[build-dependencies]
+glibc = { path = "../glibc" }

packages/libkcapi/libkcapi.spec

@@ -0,0 +1,79 @@
+# libkcapi since 85bce6035b (1.5.0) uses sha512hmac with the same key for all
+# self-checks. Earlier versions used sha256hmac with a different key to check
+# the shared library.
+%global openssl_sha512_hmac openssl sha512 -hmac FIPS-FTW-RHT2009 -hex
+
+# We need to compute the HMAC after the binaries have been stripped.
+%define __spec_install_post\
+%{?__debug_package:%{__debug_install_post}}\
+%{__arch_install_post}\
+%{__os_install_post}\
+cd %{buildroot}/%{_cross_bindir}\
+%openssl_sha512_hmac kcapi-hasher\\\
+  | awk '{ print $2 }' > .kcapi-hasher.hmac\
+ln -s .kcapi-hasher.hmac .sha512hmac.hmac\
+cd %{buildroot}/%{_cross_libdir}\
+%openssl_sha512_hmac libkcapi.so.%{version}\\\
+  | awk '{ print $2 }' > .libkcapi.so.%{version}.hmac\
+ln -s .libkcapi.so.%{version}.hmac .libkcapi.so.1.hmac\
+%{nil}
+
+Name: %{_cross_os}libkcapi
+Version: 1.5.0
+Release: 1%{?dist}
+Summary: Library for kernel crypto API
+License: BSD-3-Clause OR GPL-2.0-only
+URL: https://www.chronox.de/libkcapi/html/index.html
+Source0: https://github.com/smuellerDD/libkcapi/archive/v%{version}/libkcapi-%{version}.tar.gz
+BuildRequires: %{_cross_os}glibc-devel
+
+%description
+%{summary}.
+
+%package devel
+Summary: Files for development using the library for kernel crypto API
+Requires: %{name}
+
+%description devel
+%{summary}.
+
+%prep
+%autosetup -n libkcapi-%{version} -p1
+
+%build
+autoreconf -fi
+%cross_configure \
+  --enable-static \
+  --enable-shared \
+  --enable-kcapi-hasher \
+
+%force_disable_rpath
+
+%make_build
+
+%install
+%make_install
+
+ln -s kcapi-hasher %{buildroot}%{_cross_bindir}/sha512hmac
+find %{buildroot} -type f -name '*.hmac' -delete
+
+%files
+%license COPYING COPYING.bsd COPYING.gplv2
+%{_cross_attribution_file}
+%{_cross_libdir}/*.so.*
+%{_cross_libdir}/.*.so.*.hmac
+%{_cross_bindir}/kcapi-hasher
+%{_cross_bindir}/.kcapi-hasher.hmac
+%{_cross_bindir}/sha512hmac
+%{_cross_bindir}/.sha512hmac.hmac
+
+%exclude %{_cross_libexecdir}/libkcapi
+%exclude %{_cross_mandir}
+
+%files devel
+%{_cross_libdir}/*.a
+%{_cross_libdir}/*.so
+%{_cross_includedir}/kcapi.h
+%{_cross_pkgconfigdir}/*.pc
+
+%changelog

packages/release/Cargo.toml

@@ -37,6 +37,7 @@ kexec-tools = { path = "../../packages/kexec-tools" }
 keyutils = { path = "../keyutils" }
 libaudit = { path = "../libaudit" }
 libgcc = { path = "../libgcc" }
+libkcapi = { path = "../libkcapi" }
 libstd-rust = { path = "../libstd-rust" }
 makedumpfile = { path = "../../packages/makedumpfile" }
 os = { path = "../os" }

packages/release/activate-preconfigured.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Isolates preconfigured.target
+DefaultDependencies=no
+After=fipscheck.target
+Requires=fipscheck.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl set-default preconfigured
+ExecStart=/usr/bin/systemctl isolate default --no-block
+RemainAfterExit=true
+StandardOutput=tty
+StandardError=inherit
+
+[Install]
+WantedBy=fipscheck.target

packages/release/bootconfig-fips.conf

@@ -0,0 +1,2 @@
+kernel.fips = 1
+init.systemd.unit = fipscheck.target

packages/release/check-fips-modules.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Run FIPS crypto module check
+RefuseManualStart=true
+RefuseManualStop=true
+DefaultDependencies=no
+Before=fipscheck.target
+After=check-kernel-integrity.service
+Requires=check-kernel-integrity.service
+ConditionKernelCommandLine=fips=1
+ConditionPathExists=!/etc/.fips-module-check-passed
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/modprobe tcrypt
+ExecStart=/usr/bin/rmmod tcrypt
+ExecStart=/usr/bin/touch /etc/.fips-module-check-passed
+RemainAfterExit=true
+StandardOutput=tty
+StandardError=inherit
+
+[Install]
+RequiredBy=fipscheck.target

packages/release/check-kernel-integrity.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Run FIPS kernel integrity check
+RefuseManualStart=true
+RefuseManualStop=true
+DefaultDependencies=no
+Before=fipscheck.target
+After=prepare-boot.service
+Requires=prepare-boot.service
+ConditionKernelCommandLine=fips=1
+ConditionPathExists=!/etc/.fips-kernel-check-passed
+
+[Service]
+Type=oneshot
+WorkingDirectory=/boot
+ExecStart=/usr/bin/sha512hmac -q -c /boot/.vmlinuz.hmac
+ExecStart=/usr/bin/touch /etc/.fips-kernel-check-passed
+RemainAfterExit=true
+StandardOutput=tty
+StandardError=inherit
+
+[Install]
+RequiredBy=fipscheck.target

packages/release/fips-modprobe@.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Load FIPS crypto module %i
+RefuseManualStart=true
+RefuseManualStop=true
+DefaultDependencies=no
+Before=fipscheck.target
+After=check-kernel-integrity.service
+Requires=check-kernel-integrity.service
+StartLimitIntervalSec=0
+ConditionKernelCommandLine=fips=1
+ConditionPathExists=!/etc/.fips-module-check-passed
+
+[Service]
+Type=oneshot
+# Check if it's a generic algorithm the kernel provides. If so, don't continue.
+ExecCondition=/usr/bin/grep -qvzE '(name|driver)\\s+:\\s+%i\\s+' /proc/crypto
+# Otherwise, attempt to load the module.
+ExecStart=-/sbin/modprobe %i
+# Ensure that the stderr file exists. Otherwise, grep fails on an empty file.
+ExecStart=-/usr/bin/touch /.read-only.%i
+# Succeed unless there was a fatal error.
+ExecStart=/usr/bin/grep -Fqvzw FATAL /etc/.fips-modprobe.%i
+RemainAfterExit=true
+StandardOutput=tty
+StandardError=append:/etc/.fips-modprobe.%i

packages/release/fipscheck.target

@@ -0,0 +1,8 @@
+[Unit]
+Description=FIPS integrity check
+AllowIsolate=false
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Install]
+WantedBy=preconfigured.target