Skip to content

Commit

Permalink
[202305] Support FIPS for armhf (sonic-net#18283)
Browse files Browse the repository at this point in the history
* [Security] Fix the krb5 vulnerability issue (sonic-net#17914)

### Why I did it
Fix the krb5 vulnerable issue
CVE-2021-36222  allows remote attackers to cause a NULL pointer dereference and daemon crash
CVE-2021-37750  NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field
DSA 5286-1  remote code execution

##### Work item tracking
- Microsoft ADO **(number only)**: 26577929

#### How I did it
Upgrade the krb5 version to 1.18.3-6+deb11u14+fips.

* [Build] Fix krb5 package not found issue (sonic-net#17926)

Why I did it
Fix the build issue caused by the wrong version specified.

See the build error logs:

Try 4: /usr/bin/wget --retry-connrefused failed to get: -O
--2024-01-26 11:38:23--  https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.10/amd64/libk5crypto3_1.18.3-6+deb11u14+fips_amd64.deb
Resolving sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)... 20.60.59.131
Connecting to sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)|20.60.59.131|:443... connected.
HTTP request sent, awaiting response... 404 The specified blob does not exist.
2024-01-26 11:38:23 ERROR 404: The specified blob does not exist..

Try 5: /usr/bin/wget --retry-connrefused failed to get: -O
make[1]: *** [Makefile:12: /sonic/target/debs/bullseye/symcrypt-openssl_0.10_amd64.deb] Error 8
make[1]: Leaving directory '/sonic/src/sonic-fips'
Work item tracking
Microsoft ADO (number only): 26577929
The package not installed but PR passed issue is traced in another issue sonic-net#17927

How I did it
Add the libkrb5-dev and the depended packages to fix docker-sonic-vs build failure.
The package libzmq3-dev has dependency on the libkrb5-dev.

* [202305] Support FIPS for armhf

* Remove no use mirror

* Fix fips options issue
  • Loading branch information
xumia authored Mar 9, 2024
1 parent 524dea6 commit a6437d8
Show file tree
Hide file tree
Showing 5 changed files with 27 additions and 17 deletions.
9 changes: 3 additions & 6 deletions Makefile.work
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ rules/config.user:

include rules/config
-include rules/config.user
include rules/sonic-fips.mk

ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
Expand Down Expand Up @@ -177,12 +178,6 @@ endif
SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV)

# Support FIPS feature, armhf not supported yet
ifeq ($(PLATFORM_ARCH),armhf)
ENABLE_FIPS_FEATURE := n
ENABLE_FIPS := n
endif

ifeq ($(ENABLE_FIPS_FEATURE), n)
ifeq ($(ENABLE_FIPS), y)
$(error Cannot set fips config ENABLE_FIPS=y when ENABLE_FIPS_FEATURE=n)
Expand Down Expand Up @@ -216,6 +211,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
FIPS_VERSION=$(FIPS_VERSION) \
FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)

$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
Expand Down
4 changes: 4 additions & 0 deletions platform/vs/docker-sonic-vs.mk
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ else
$(DOCKER_SONIC_VS)_DEPENDS += $(GOBGP)
endif

ifeq ($(ENABLE_FIPS_FEATURE), y)
$(DOCKER_SONIC_VS)_DEPENDS += $(FIPS_KRB5_ALL)
endif

$(DOCKER_SONIC_VS)_FILES += $(CONFIGDB_LOAD_SCRIPT) \
$(ARP_UPDATE_SCRIPT) \
$(ARP_UPDATE_VARS_TEMPLATE) \
Expand Down
13 changes: 7 additions & 6 deletions platform/vs/docker-sonic-vs/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,6 @@ RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%s
ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && apt-get install -y gnupg
COPY ["sonic-dev.gpg.key", "/etc/apt/"]
RUN apt-key add /etc/apt/sonic-dev.gpg.key
RUN echo "deb http://packages.microsoft.com/repos/sonic-dev/ jessie main" >> /etc/apt/sources.list
RUN apt-get update

RUN apt-get install -y net-tools \
arping \
Expand Down Expand Up @@ -42,7 +38,6 @@ RUN apt-get install -y net-tools \
iptables \
jq \
libzmq5 \
libzmq3-dev \
uuid-dev \
# For installing Python m2crypto package
# (these can be uninstalled after installation)
Expand All @@ -68,7 +63,11 @@ RUN apt-get install -y net-tools \
libasan6 \
{%- endif %}
dbus \
redis-server
redis-server \
# For libkrb5-dev
comerr-dev \
libgssrpc4 \
libkdb5-10

# For sonic-config-engine Python 3 package
# Install pyangbind here, outside sonic-config-engine dependencies, as pyangbind causes enum34 to be installed.
Expand All @@ -92,6 +91,8 @@ COPY {%- for deb in docker_sonic_vs_debs.split(' ') %} debs/{{ deb }}{%- endfor
RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_debs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %}
{%- endif %}

RUN apt-get install -y libzmq3-dev

{% if docker_sonic_vs_pydebs.strip() -%}
# Copy locally-built Debian package dependencies
COPY {%- for deb in docker_sonic_vs_pydebs.split(' ') %} python-debs/{{ deb }}{%- endfor %} /debs/
Expand Down
14 changes: 11 additions & 3 deletions rules/sonic-fips.mk
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# fips packages

FIPS_VERSION = 0.9
FIPS_VERSION = 0.11
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
FIPS_PYTHON_MAIN_VERSION = 3.9
FIPS_PYTHON_VERSION = 3.9.2-1+fips
FIPS_GOLANG_MAIN_VERSION = 1.15
FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
FIPS_KRB5_VERSION = 1.18.3-6+deb11u1+fips
FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)

SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
Expand Down Expand Up @@ -40,7 +40,15 @@ FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_
FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)

FIPS_KRB5 = libk5crypto3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_ALL = $(FIPS_KRB5)
FIPS_KRB5_SUPPORT0 = libkrb5support0_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_3 = libkrb5-3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBGSSAPI = libgssapi-krb5-2_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBKADM5CLNT = libkadm5clnt-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBKADM5SRV = libkadm5srv-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBGSSRPC4 = libgssrpc4_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_MULTIDEV = krb5-multidev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_DEV = libkrb5-dev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_ALL = $(FIPS_KRB5) $(FIPS_KRB5_SUPPORT0) $(FIPS_KRB5_3) $(FIPS_KRB5_LIBGSSAPI) $(FIPS_KRB5_LIBKADM5CLNT) $(FIPS_KRB5_LIBKADM5SRV) $(FIPS_KRB5_LIBGSSRPC4) $(FIPS_KRB5_MULTIDEV) $(FIPS_KRB5_DEV)

FIPS_DERIVED_TARGET = $(FIPS_OPENSSL_ALL) $(FIPS_OPENSSH_ALL) $(FIPS_GOLANG_ALL) $(FIPS_PYTHON_ALL) $(FIPS_KRB5_ALL)
FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
Expand Down
4 changes: 2 additions & 2 deletions sonic-slave-bullseye/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -474,8 +474,8 @@ RUN apt-get install -y kernel-wedge
# For gobgp and telemetry build
RUN apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
{%- if ENABLE_FIPS_FEATURE == "y" %}
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& dpkg -i golang-go.deb golang-src.deb \
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
&& rm golang-go.deb golang-src.deb
Expand Down

0 comments on commit a6437d8

Please sign in to comment.