Support FIPS based on SymCrypt provider for bookworm
xumia committed Feb 7, 2024
1 parent c837142 commit 7d7e3a8
Showing 7 changed files with 43 additions and 18 deletions.
9 changes: 3 additions & 6 deletions Makefile.work
Expand Up @@ -144,6 +144,7 @@ rules/config.user:

include rules/config
-include rules/config.user
include rules/sonic-fips.mk

ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
Expand Down Expand Up @@ -190,12 +191,6 @@ INCLUDE_FIPS := n
ENABLE_FIPS := n
endif

# FIPS not yet available on Bookworm
ifeq ($(BLDENV),bookworm)
$(warning FIPS support not yet available on Bookworm)
INCLUDE_FIPS := n
endif

ifeq ($(INCLUDE_FIPS), n)
ifeq ($(ENABLE_FIPS), y)
$(error Cannot set fips config ENABLE_FIPS=y when INCLUDE_FIPS=n)
Expand Down Expand Up @@ -230,6 +225,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
FIPS_VERSION=$(FIPS_VERSION) \
FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)

$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
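Review bot: The third hunk exports FIPS_VERSION and FIPS_GOLANG_VERSION to the slave Dockerfile template but not FIPS_GOLANG_MAIN_VERSION, so sonic-slave-bookworm/Dockerfile.j2 and sonic-slave-bullseye/Dockerfile.j2 still hardcode `golang-1.19`/`go-1.19` and `golang-1.15`/`go-1.15` next to a templated patch version, and the two will drift silently at the next Go bump in rules/sonic-fips.mk. I would add `FIPS_GOLANG_MAIN_VERSION=$(FIPS_GOLANG_MAIN_VERSION) \` after the FIPS_GOLANG_VERSION line and use `{{ FIPS_GOLANG_MAIN_VERSION }}` in the templates. Note also that this `$(shell …)` renders the template at parse time every time Makefile.work is read, so the exported variables must already hold their final values there; the first hunk includes rules/sonic-fips.mk early enough for that, provided BLDENV is set before the include, which I cannot see from these hunks.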
3 changes: 2 additions & 1 deletion dockers/docker-base-bookworm/Dockerfile.j2
Expand Up @@ -60,7 +60,8 @@ RUN apt update && \
jq \
# for sairedis zmq rpc channel
libzmq5 \
libwrap0
libwrap0 \
libatomic1

# Add a config file to allow pip to install packages outside of apt/the Debian repos
COPY ["pip.conf", "/etc/pip.conf"]
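Review bot: The new libatomic1 entry carries no comment saying why it is needed, unlike the neighbouring `# for sairedis zmq rpc channel` line, and it is installed unconditionally even though the only other place this commit installs it (files/build_templates/sonic_debian_extension.j2) gates it on INCLUDE_FIPS. If it is a runtime dependency of the FIPS packages, I would say so in the same style: `# for the FIPS (SymCrypt) openssl/openssh packages`. If the base image should only carry it in FIPS builds, a `{%- if INCLUDE_FIPS == "y" %}` block like the one in sonic-slave-bookworm/Dockerfile.j2 would keep non-FIPS images unchanged; whether INCLUDE_FIPS is available to this template I cannot tell from here.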
7 changes: 7 additions & 0 deletions files/build_templates/sonic_debian_extension.j2
Expand Up @@ -671,6 +671,13 @@ exit 101
EOF
sudo chmod a+x $FILESYSTEM_ROOT/usr/sbin/policy-rc.d

if [ "$INCLUDE_FIPS" == y ]; then
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libatomic1
# The package openssh-client 9.2 is conflict with FIPS, the line below can be removed when the openssh-client version>=9.4
# The package will be reinstalled when isntalling the FIPS packages
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove openssh-client
fi

{% if installer_debs.strip() -%}
{% for deb in installer_debs.strip().split(' ') -%}
sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
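Review bot: The new block removes openssh-client and relies on the installer loop further down to put the +fips build back, but nothing verifies that it did; if the FIPS openssh-client deb is missing from installer_debs or its install fails, the `|| … apt-get -y install -f` fallback on the dpkg line could leave the image with no ssh client, or with the stock one pulled back in to satisfy dependencies. I would add a check after the installer loop (outside this hunk), e.g. `sudo chroot $FILESYSTEM_ROOT dpkg-query -W -f='${Version}\n' openssh-client | grep -q '+fips'` followed by an explicit failure, so a FIPS image cannot be produced with a non-FIPS ssh client. The comment also has two typos worth fixing while here: `conflicts with FIPS` and `installing`.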
28 changes: 25 additions & 3 deletions rules/sonic-fips.mk
@@ -1,5 +1,17 @@
# fips packages

ifeq ($(BLDENV), bookworm)
FIPS_VERSION = 1.0-preview
FIPS_OPENSSL_VERSION = 3.1.3-1+fips
FIPS_OPENSSH_VERSION = 9.4p1-1+fips
FIPS_PYTHON_MAIN_VERSION = 3.11
FIPS_PYTHON_VERSION = 3.11.2-6+fips
FIPS_GOLANG_MAIN_VERSION = 1.19
FIPS_GOLANG_VERSION = 1.19.8-2+fips
FIPS_KRB5_VERSION = 1.20.1-2+deb12u1+fips
endif

ifeq ($(BLDENV), bullseye)
FIPS_VERSION = 0.10
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
Expand All @@ -8,23 +20,29 @@ FIPS_PYTHON_VERSION = 3.9.2-1+fips
FIPS_GOLANG_MAIN_VERSION = 1.15
FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
endif

FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)

SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
SYMCRYPT_OPENSSL = $(SYMCRYPT_OPENSSL_NAME)_$(FIPS_VERSION)_$(CONFIGURED_ARCH).deb
$(SYMCRYPT_OPENSSL)_SRC_PATH = $(SRC_PATH)/sonic-fips

FIPS_OPENSSL = openssl_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
ifeq ($(BLDENV), bookworm)
FIPS_OPENSSL_LIBSSL = libssl3_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
else
FIPS_OPENSSL_LIBSSL = libssl1.1_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
endif
FIPS_OPENSSL_LIBSSL_DEV = libssl-dev_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSL_LIBSSL_DOC = libssl-doc_$(FIPS_OPENSSL_VERSION)_all.deb
FIPS_OPENSSL_ALL = $(FIPS_OPENSSL) $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL_LIBSSL_DOC)

FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_all.deb
FIPS_OPENSSH_CLIENT = openssh-client_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH_SFTP_SERVER = openssh-sftp-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH_SERVER = openssh-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH_ALL = $(FIPS_SSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER)
FIPS_OPENSSH_ALL = $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_OPENSSH)

FIPS_PYTHON = python$(FIPS_PYTHON_MAIN_VERSION)_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_PYTHON_MINIMAL = python$(FIPS_PYTHON_MAIN_VERSION)-minimal_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
Expand All @@ -35,7 +53,11 @@ FIPS_PYTHON_ALL = $(FIPS_PYTHON) $(FIPS_PYTHON_MINIMAL) $(FIPS_LIBPYTHON) $(FIPS

FIPS_GOLANG = golang-$(FIPS_GOLANG_MAIN_VERSION)_$(FIPS_GOLANG_VERSION)_all.deb
FIPS_GOLANG_GO = golang-$(FIPS_GOLANG_MAIN_VERSION)-go_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
ifeq ($(BLDENV), bookworm)
FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_all.deb
else
FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
endif
FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_all.deb
FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)

Expand All @@ -56,6 +78,6 @@ FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
$(foreach package,$(FIPS_DERIVED_TARGET),$(eval $(call add_extra_package,$(SYMCRYPT_OPENSSL),$(package))))

ifeq ($(INCLUDE_FIPS), y)
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
SONIC_MAKE_DEBS += $(SYMCRYPT_OPENSSL)
endif
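Review bot: The `else` branches added in the libssl and golang-src hunks treat every BLDENV other than bookworm as bullseye, but the version block at the top of the file only defines FIPS_VERSION and the per-package versions for those two values; for any other BLDENV, FIPS_URL_PREFIX expands with an empty version segment and the package names degrade to e.g. `openssl__$(CONFIGURED_ARCH).deb` with no parse-time diagnostic. I would add a guard after the bullseye block: `ifeq ($(INCLUDE_FIPS):$(strip $(FIPS_VERSION)),y:)` / `$(error FIPS packages are not defined for BLDENV=$(BLDENV))` / `endif`, assuming INCLUDE_FIPS has its final value when this file is included, which from Makefile.work's include order I am not certain of. A one-line comment above the bookworm block saying what `1.0-preview` denotes (an interim drop versus a validated module build) would also help anyone judging whether a Bookworm FIPS image built from it is certifiable.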
2 changes: 1 addition & 1 deletion slave.mk
Expand Up @@ -443,7 +443,7 @@ $(info "INCLUDE_TEAMD" : "$(INCLUDE_TEAMD)")
$(info "INCLUDE_ROUTER_ADVERTISER" : "$(INCLUDE_ROUTER_ADVERTISER)")
$(info "INCLUDE_BOOTCHART : "$(INCLUDE_BOOTCHART)")
$(info "ENABLE_BOOTCHART : "$(ENABLE_BOOTCHART)")
$(info "INCLUDE_FIPS" : "$(INCLUDE_FIPS)")
$(info "INCLUDE_FIPS" : "$(INCLUDE_FIPS)")
$(info "ENABLE_TRANSLIB_WRITE" : "$(ENABLE_TRANSLIB_WRITE)")
$(info "ENABLE_NATIVE_WRITE" : "$(ENABLE_NATIVE_WRITE)")
$(info "ENABLE_DIALOUT" : "$(ENABLE_DIALOUT)")
8 changes: 3 additions & 5 deletions sonic-slave-bookworm/Dockerfile.j2
Expand Up @@ -451,12 +451,10 @@ RUN apt-get install -y kernel-wedge
# For gobgp and telemetry build
RUN apt-get install -y golang
{%- if INCLUDE_FIPS == "y" %}
# FIPS not yet available
RUN false
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-src_{{ FIPS_GOLANG_VERSION }}_all.deb' \
&& dpkg -i golang-go.deb golang-src.deb \
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
&& ln -sf /usr/lib/go-1.19 /usr/local/go \
&& rm golang-go.deb golang-src.deb
{%- else %}
RUN apt-get install -y golang-go \
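Review bot: The new wget lines interpolate `{{ FIPS_GOLANG_VERSION }}` raw into the URL path, whereas the lines they replace percent-encoded the `+` of `+fips` as `%2B`; with the values from rules/sonic-fips.mk (`1.19.8-2+fips` here, `1.15.15-1~deb11u4+fips` in the matching hunk of sonic-slave-bullseye/Dockerfile.j2) the request path now carries a literal `+`. Whether the blob service resolves both spellings to the same object I cannot confirm from here; if it does not, the build fails at wget, which is at least loud. Jinja's built-in `urlencode` filter reproduces the old encoding: `golang-1.19-go_{{ FIPS_GOLANG_VERSION | urlencode }}_{{ CONFIGURED_ARCH }}.deb`, and likewise for the src deb and the bullseye template. Separately, the debs are still installed straight from the download with no integrity check beyond TLS; now that the version is pinned in one place, pinning a matching SHA-256 alongside it and checking it before `dpkg -i` would close that gap for the FIPS toolchain.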
4 changes: 2 additions & 2 deletions sonic-slave-bullseye/Dockerfile.j2
Expand Up @@ -481,8 +481,8 @@ RUN eatmydata apt-get install -y kernel-wedge
# For gobgp and telemetry build
RUN eatmydata apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
{%- if INCLUDE_FIPS == "y" %}
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& eatmydata dpkg -i golang-go.deb golang-src.deb \
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
&& rm golang-go.deb golang-src.deb
