From 184a5dcd352e8094c37ad9888c969be24e7b8713 Mon Sep 17 00:00:00 2001 From: Xuhui Miao Date: Sat, 7 May 2022 12:26:24 +0800 Subject: [PATCH 1/3] Add the SONiC FIPS configuration introduction --- doc/fips/SONiC-OpenSSL-FIPS-140-3.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/doc/fips/SONiC-OpenSSL-FIPS-140-3.md b/doc/fips/SONiC-OpenSSL-FIPS-140-3.md index aa750592d5..cf84870478 100644 --- a/doc/fips/SONiC-OpenSSL-FIPS-140-3.md +++ b/doc/fips/SONiC-OpenSSL-FIPS-140-3.md @@ -5,6 +5,7 @@ | Rev | Date | Author | Change Description | | :---: | :--------: | :--------: | ------------------ | | 0.1 | 2022-02-22 | Xuhui Miao | Initial version | +| 0.2 | 2022-05-07 | Xuhui Miao | Update Fips config | ## Table of Contents - [Abbreviation](#abbreviation) 
@@ -126,14 +127,29 @@ For OpenSSH, Centos provides a [patch](https://git.centos.org/rpms/openssh/raw/c ## SONiC FIPS Configuration ### Enable FIPS on system level -Add the Linux System parameter fips=1, in grub config, one of implemetation as below: +Set the Linux System parameter sonic_fips=1, to validate if the FIPS is enabled: +``` +grep 'sonic_fips=1' /proc/cmdline +``` +There is another parameter fips=1 supported for SymCrypt OpenSSL to enable FIPS. The parameter will enable the Linux Kernel FIPS, but the Linux Kernel FIPS is not supported yet, and it is out of scope in this document. In future, when the FIPS is supported by SONiC Linux Kernel, and the parameter fips=1 has already set, it is not necessary to set sonic_fips=1. + +For grub, one of implemetation as below: cat /etc/grub.d/99-fips.cfg ``` -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT fips=1" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT sonic_fips=1" +``` + +For uboot, use fw_setenv to variable linuxargs to change the boot options. +``` +OTHER_OPTIONS=$(fw_printenv linuxargs | sed 's/linuxargs=//') +fw_setenv linuxargs "$OTHER_OPTIONS sonic_fips=1" ``` -To validate the FIPS enabled, grep 'fips=1' /proc/cmdline. +For Aboot, add the config in /host/image-{version}/kernel-cmdline, example: +``` +reboot=p console=ttyS0 acpi=on Aboot=Aboot-norcal7-7.2.0-pcie2x4-6128821 sonic_fips=1 +``` ### Enable FIPS on application level ``` From 23555cd573d1bd12701910e97c59012637dded21 Mon Sep 17 00:00:00 2001 From: Xuhui Miao Date: Thu, 7 Jul 2022 22:24:51 +0800 Subject: [PATCH 2/3] Add fips cli --- doc/fips/SONiC-OpenSSL-FIPS-140-3.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/doc/fips/SONiC-OpenSSL-FIPS-140-3.md b/doc/fips/SONiC-OpenSSL-FIPS-140-3.md index cf84870478..9831679a5c 100644 --- a/doc/fips/SONiC-OpenSSL-FIPS-140-3.md +++ b/doc/fips/SONiC-OpenSSL-FIPS-140-3.md 
@@ -5,7 +5,7 @@ | Rev | Date | Author | Change Description | | :---: | :--------: | :--------: | ------------------ | | 0.1 | 2022-02-22 | Xuhui Miao | Initial version | -| 0.2 | 2022-05-07 | Xuhui Miao | Update Fips config | +| 0.2 | 2022-07-07 | Xuhui Miao | Update Fips config | ## Table of Contents - [Abbreviation](#abbreviation) @@ -24,6 +24,7 @@ * [Enable FIPS on system level](#Enable-FIPS-on-system-level) * [Enable FIPS on application level](#Enable-FIPS-on-application-level) * [SONiC Build Options](#SONiC-Build-Options) +- [SONiC FIPS Command lines](#SONiC-FIPS-Command-lines) - [Q&A](#Q&A) @@ -179,6 +180,16 @@ ENABLE_FIPS ?= n ``` If the ENABLE_FIPS_FEATURE is not set, then the option ENABLE_FIPS is useless. +## SONiC FIPS Command lines +### The command line to enable or disable FIPS +sonic-installer set-fips [--enable-fips=[true|false]] + +### The command line to show FIPS status +sonic-installer get-fips + +Returns the following message: Fips is enabled/disabled. + + ## Q&A ### Does SymCrypt use Linux Kernel crypto module? SymCrypt on Linux does not rely on Kernel crypt for FIPS certification today. \ No newline at end of file From 4b811045718b2ac16ed2033414b117897483b482 Mon Sep 17 00:00:00 2001 From: Xuhui Miao Date: Fri, 8 Jul 2022 09:22:21 +0800 Subject: [PATCH 3/3] Change the fips command line parameters --- doc/fips/SONiC-OpenSSL-FIPS-140-3.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/fips/SONiC-OpenSSL-FIPS-140-3.md b/doc/fips/SONiC-OpenSSL-FIPS-140-3.md index 9831679a5c..642e0fbc38 100644 --- a/doc/fips/SONiC-OpenSSL-FIPS-140-3.md +++ b/doc/fips/SONiC-OpenSSL-FIPS-140-3.md 
@@ -182,12 +182,16 @@ If the ENABLE_FIPS_FEATURE is not set, then the option ENABLE_FIPS is useless. ## SONiC FIPS Command lines ### The command line to enable or disable FIPS -sonic-installer set-fips [--enable-fips=[true|false]] +sonic-installer set-fips [--enable-fips|--disable-fips] + +If the image is not specified, the next boot image will be used. +The default behavior is to enable FIPS, if none of the option --enable-fips or --disable-fips specified. ### The command line to show FIPS status sonic-installer get-fips -Returns the following message: Fips is enabled/disabled. +Returns the following message: FIPS is enabled/disabled. +If the image is not specified, the next boot image will be used. ## Q&A
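Review bot: in patch 1/3, hunk `@@ -126,14 +127,29 @@`, the u-boot snippet appends `sonic_fips=1` unconditionally, so running it a second time (or on a unit whose `linuxargs` already carries the token) duplicates it on the kernel command line; the grub line has the same property because it only appends to `GRUB_CMDLINE_LINUX_DEFAULT`. Guard the append with the same check the hunk introduces, e.g. `fw_printenv linuxargs | grep -q 'sonic_fips=1' || fw_setenv linuxargs "$OTHER_OPTIONS sonic_fips=1"`. The validation sentence should also make clear that `grep 'sonic_fips=1' /proc/cmdline` only confirms the parameter reached the kernel command line, not that OpenSSL is actually running in FIPS mode. Two presentation points: `implemetation` is misspelled in `For grub, one of implemetation as below:`, and `cat /etc/grub.d/99-fips.cfg` sits outside the code fence that follows it.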
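Review bot: in patch 2/3, hunk `@@ -5,7 +5,7 @@`, revision 0.2 only moves its date, yet patch 3/3 in the same series changes the CLI semantics again without touching the table; bump to 0.3 in the final patch (or describe both changes under 0.2) so the revision history matches what the document says.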
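Review bot: in patch 2/3, hunk `@@ -179,6 +180,16 @@`, the two command lines `sonic-installer set-fips [--enable-fips=[true|false]]` and `sonic-installer get-fips` are bare text while every other command in this file is inside a ``` fence; put them in fences so they render as commands. The new section also never says what `set-fips` actually changes; one sentence tying it to the `sonic_fips=1` kernel parameter documented in the configuration section would let an operator verify the effect with the `/proc/cmdline` check after the reboot. `Returns the following message: Fips is enabled/disabled.` should read `FIPS` (patch 3/3 corrects this; fold it into this patch instead).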
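Review bot: in patch 3/3, hunk `@@ -182,12 +182,16 @@`, `If the image is not specified, the next boot image will be used.` refers to an image argument that the synopsis `sonic-installer set-fips [--enable-fips|--disable-fips]` does not show; add the optional image placeholder to both the `set-fips` and `get-fips` usage lines so the prose and the synopsis agree. The hunk also leaves undefined what happens when `--enable-fips` and `--disable-fips` are both passed; state that they are mutually exclusive and that the command rejects the combination. Because a bare `sonic-installer set-fips` with no option enables FIPS on the next-boot image, say so explicitly rather than only as the fallback case. Grammar: `if none of the option --enable-fips or --disable-fips specified` should be `if neither --enable-fips nor --disable-fips is specified`.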