From 7d7e3a826fbe85f7ecba79e2461bd5d81d388304 Mon Sep 17 00:00:00 2001
From: xumia
Date: Sun, 28 Jan 2024 12:08:05 +0000
Subject: [PATCH] Support FIPS based on SymCrypt provider for bookworm

---
 Makefile.work | 9 ++----
 dockers/docker-base-bookworm/Dockerfile.j2 | 3 +-
 .../build_templates/sonic_debian_extension.j2 | 7 +++++
 rules/sonic-fips.mk | 28 +++++++++++++++++--
 slave.mk | 2 +-
 sonic-slave-bookworm/Dockerfile.j2 | 8 ++----
 sonic-slave-bullseye/Dockerfile.j2 | 4 +--
 7 files changed, 43 insertions(+), 18 deletions(-)

diff --git a/Makefile.work b/Makefile.work
index a507439679e9..b949681930ff 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -144,6 +144,7 @@ rules/config.user:
 
 include rules/config
 -include rules/config.user
+include rules/sonic-fips.mk
 
 ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
 override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
@@ -190,12 +191,6 @@ INCLUDE_FIPS := n
 ENABLE_FIPS := n
 endif
 
-# FIPS not yet available on Bookworm
-ifeq ($(BLDENV),bookworm)
-$(warning FIPS support not yet available on Bookworm)
-INCLUDE_FIPS := n
-endif
-
 ifeq ($(INCLUDE_FIPS), n)
 ifeq ($(ENABLE_FIPS), y)
 $(error Cannot set fips config ENABLE_FIPS=y when INCLUDE_FIPS=n)
@@ -230,6 +225,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
 DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
 DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
 GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
+ FIPS_VERSION=$(FIPS_VERSION) \
+ FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
 j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
 
 $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
diff --git a/dockers/docker-base-bookworm/Dockerfile.j2 b/dockers/docker-base-bookworm/Dockerfile.j2
index e500259bb9ac..2a3388d770d5 100644
--- a/dockers/docker-base-bookworm/Dockerfile.j2
+++ b/dockers/docker-base-bookworm/Dockerfile.j2
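Review bot: The new `include rules/sonic-fips.mk` in the first hunk is parsed right after `rules/config.user`, before the `INCLUDE_FIPS := n` override that the second hunk's context still shows further down, so the `ifeq ($(INCLUDE_FIPS), y)` block at the end of sonic-fips.mk (which appends `SONIC_MAKE_DEBS += $(SYMCRYPT_OPENSSL)`) is evaluated against the rules/config value rather than the final one. I cannot see whether Makefile.work consumes SONIC_MAKE_DEBS or FIPS_BASEIMAGE_INSTALLERS, but if the include exists only to feed FIPS_VERSION and FIPS_GOLANG_VERSION to the j2 call in the third hunk, moving it below the `ifeq ($(INCLUDE_FIPS), n)` validation block keeps the evaluation order honest. A one-line comment above the include, e.g. `# provides FIPS_VERSION / FIPS_GOLANG_VERSION for the slave Dockerfile template`, would also explain why a rules file is pulled into the host-side Makefile.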
@@ -60,7 +60,8 @@ RUN apt update && \
 jq \
 # for sairedis zmq rpc channel
 libzmq5 \
- libwrap0
+ libwrap0 \
+ libatomic1
 
 # Add a config file to allow pip to install packages outside of apt/the Debian repos
 COPY ["pip.conf", "/etc/pip.conf"]
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index 377c4116fabf..ca4d444ead3b 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -671,6 +671,13 @@ exit 101
 EOF
 sudo chmod a+x $FILESYSTEM_ROOT/usr/sbin/policy-rc.d
 
+if [ "$INCLUDE_FIPS" == y ]; then
+ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libatomic1
+ # The package openssh-client 9.2 is conflict with FIPS, the line below can be removed when the openssh-client version>=9.4
+ # The package will be reinstalled when isntalling the FIPS packages
+ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove openssh-client
+fi
+
 {% if installer_debs.strip() -%}
 {% for deb in installer_debs.strip().split(' ') -%}
 sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
diff --git a/rules/sonic-fips.mk b/rules/sonic-fips.mk
index 3ce37224bf64..8bd805c692f9 100644
--- a/rules/sonic-fips.mk
+++ b/rules/sonic-fips.mk
@@ -1,5 +1,17 @@
 # fips packages
 
+ifeq ($(BLDENV), bookworm)
+FIPS_VERSION = 1.0-preview
+FIPS_OPENSSL_VERSION = 3.1.3-1+fips
+FIPS_OPENSSH_VERSION = 9.4p1-1+fips
+FIPS_PYTHON_MAIN_VERSION = 3.11
+FIPS_PYTHON_VERSION = 3.11.2-6+fips
+FIPS_GOLANG_MAIN_VERSION = 1.19
+FIPS_GOLANG_VERSION = 1.19.8-2+fips
+FIPS_KRB5_VERSION = 1.20.1-2+deb12u1+fips
+endif
+
+ifeq ($(BLDENV), bullseye)
 FIPS_VERSION = 0.10
 FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
 FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
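Review bot: `libatomic1` is the only entry in this apt list added without a why-comment, and it is installed unconditionally while the sonic_debian_extension.j2 hunk in the same commit installs it only when INCLUDE_FIPS=y. The list already documents its entries (`# for sairedis zmq rpc channel`), so a line such as `# for the FIPS symcrypt-openssl provider (see rules/sonic-fips.mk)` above the `libatomic1` line would keep that convention; I am inferring the reason from the FIPS hunks, so adjust the wording if the dependency comes from elsewhere.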
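Review bot: `apt-get -y remove openssh-client` in the new INCLUDE_FIPS block also removes whatever depends on openssh-client in the target rootfs — on Debian that is openssh-server and the `ssh` metapackage — and the comment's promise that the FIPS packages bring them back holds only if the installer_debs loop below actually carries the FIPS openssh-server and ssh .debs and their `dpkg -i` succeeds; otherwise the image ships without sshd and nothing in this hunk would notice. A post-install check such as `sudo chroot $FILESYSTEM_ROOT dpkg-query -W -f='${Version}\n' openssh-server | grep -q '+fips'` (or at least a comment naming the packages the removal takes with it) would make that failure visible at build time. Two smaller points: `[ "$INCLUDE_FIPS" == y ]` is a bash-only comparison, so use `=` if this script can run under /bin/sh (the shebang is outside the hunk), and the comment has typos, `is conflict with` → `conflicts with` and `isntalling` → `installing`.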
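Review bot: The two `ifeq ($(BLDENV), …)` blocks define FIPS_VERSION and the package versions only for bookworm and bullseye, so any other BLDENV with INCLUDE_FIPS=y gets empty versions, a FIPS_URL_PREFIX of `…/fips/$(BLDENV)//$(CONFIGURED_ARCH)` and a failure at download time instead of at parse time. Because Makefile.work now includes this file unconditionally the guard must stay silent for non-FIPS builds: chain the bullseye block (its `endif` lands in the next hunk) with `else ifeq ($(BLDENV), bullseye)` and close with `else ifeq ($(INCLUDE_FIPS), y)` / `$(error INCLUDE_FIPS=y but no FIPS package versions are defined for BLDENV=$(BLDENV))` / `endif`. A short comment above the blocks noting that FIPS_VERSION (`1.0-preview` here) is the directory name under FIPS_URL_PREFIX rather than a Debian version would help whoever bumps these next.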
@@ -8,6 +20,8 @@ FIPS_PYTHON_VERSION = 3.9.2-1+fips
 FIPS_GOLANG_MAIN_VERSION = 1.15
 FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
 FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
+endif
+
 FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)
 
 SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
@@ -15,16 +29,20 @@ SYMCRYPT_OPENSSL = $(SYMCRYPT_OPENSSL_NAME)_$(FIPS_VERSION)_$(CONFIGURED_ARCH).d
 $(SYMCRYPT_OPENSSL)_SRC_PATH = $(SRC_PATH)/sonic-fips
 
 FIPS_OPENSSL = openssl_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
+ifeq ($(BLDENV), bookworm)
+FIPS_OPENSSL_LIBSSL = libssl3_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
+else
 FIPS_OPENSSL_LIBSSL = libssl1.1_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
+endif
 FIPS_OPENSSL_LIBSSL_DEV = libssl-dev_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
 FIPS_OPENSSL_LIBSSL_DOC = libssl-doc_$(FIPS_OPENSSL_VERSION)_all.deb
 FIPS_OPENSSL_ALL = $(FIPS_OPENSSL) $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL_LIBSSL_DOC)
 
-FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_all.deb
 FIPS_OPENSSH_CLIENT = openssh-client_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
 FIPS_OPENSSH_SFTP_SERVER = openssh-sftp-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
 FIPS_OPENSSH_SERVER = openssh-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
-FIPS_OPENSSH_ALL = $(FIPS_SSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER)
+FIPS_OPENSSH_ALL = $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_OPENSSH)
 
 FIPS_PYTHON = python$(FIPS_PYTHON_MAIN_VERSION)_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
 FIPS_PYTHON_MINIMAL = python$(FIPS_PYTHON_MAIN_VERSION)-minimal_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
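Review bot: The `ifeq ($(BLDENV), bookworm)` / `else` wrapper around FIPS_OPENSSL_LIBSSL repeats the release switch that now heads the file, and the @@ -35 hunk repeats it a third time for FIPS_GOLANG_SRC, so each new release will have to touch three places. Putting the release-specific parts into the per-release version blocks — `FIPS_LIBSSL_NAME = libssl3` and `FIPS_GOLANG_SRC_ARCH = all` for bookworm, `FIPS_LIBSSL_NAME = libssl1.1` and `FIPS_GOLANG_SRC_ARCH = $(CONFIGURED_ARCH)` for bullseye — leaves single unconditional lines here: `FIPS_OPENSSL_LIBSSL = $(FIPS_LIBSSL_NAME)_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb` and `FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_$(FIPS_GOLANG_SRC_ARCH).deb`. Separately, switching FIPS_OPENSSH to `ssh_…_all.deb` applies to bullseye too, and the removed line (plus the old FIPS_BASEIMAGE_INSTALLERS, which already pulled `$(FIPS_OPENSSH)`) suggests the 0.10 bullseye artifact was published under the `$(CONFIGURED_ARCH)` name; please confirm the file name in that bucket or make this suffix per-release as well. The `$(FIPS_SSH)` → `$(FIPS_OPENSSH)` fix in FIPS_OPENSSH_ALL looks right, since the old name appears nowhere else in the diff.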
@@ -35,7 +53,11 @@ FIPS_PYTHON_ALL = $(FIPS_PYTHON) $(FIPS_PYTHON_MINIMAL) $(FIPS_LIBPYTHON) $(FIPS
 
 FIPS_GOLANG = golang-$(FIPS_GOLANG_MAIN_VERSION)_$(FIPS_GOLANG_VERSION)_all.deb
 FIPS_GOLANG_GO = golang-$(FIPS_GOLANG_MAIN_VERSION)-go_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
+ifeq ($(BLDENV), bookworm)
+FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_all.deb
+else
 FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
+endif
 FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_all.deb
 FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)
 
@@ -56,6 +78,6 @@ FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
 $(foreach package,$(FIPS_DERIVED_TARGET),$(eval $(call add_extra_package,$(SYMCRYPT_OPENSSL),$(package))))
 
 ifeq ($(INCLUDE_FIPS), y)
- FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
+ FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
 SONIC_MAKE_DEBS += $(SYMCRYPT_OPENSSL)
 endif
diff --git a/slave.mk b/slave.mk
index 8473b2b3e7f4..5f03f4e82867 100644
--- a/slave.mk
+++ b/slave.mk
@@ -443,7 +443,7 @@ $(info "INCLUDE_TEAMD" : "$(INCLUDE_TEAMD)")
 $(info "INCLUDE_ROUTER_ADVERTISER" : "$(INCLUDE_ROUTER_ADVERTISER)")
 $(info "INCLUDE_BOOTCHART : "$(INCLUDE_BOOTCHART)")
 $(info "ENABLE_BOOTCHART : "$(ENABLE_BOOTCHART)")
-$(info "INCLUDE_FIPS" : "$(INCLUDE_FIPS)")
+$(info "INCLUDE_FIPS" : "$(INCLUDE_FIPS)")
 $(info "ENABLE_TRANSLIB_WRITE" : "$(ENABLE_TRANSLIB_WRITE)")
 $(info "ENABLE_NATIVE_WRITE" : "$(ENABLE_NATIVE_WRITE)")
 $(info "ENABLE_DIALOUT" : "$(ENABLE_DIALOUT)")
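Review bot: The reordered FIPS_BASEIMAGE_INSTALLERS now lists `$(FIPS_OPENSSH)` (the `ssh` metapackage) before `$(FIPS_OPENSSH_SFTP_SERVER)` and `$(FIPS_OPENSSH_SERVER)`, whereas the FIPS_OPENSSH_ALL line in the earlier hunk places it last, after its dependencies. If this list is what reaches the per-package `dpkg -i … || apt-get -y install -f` loop in sonic_debian_extension.j2, `ssh` fails dpkg on the missing openssh-server and the `apt-get install -f` fallback may satisfy that dependency from the distro archive with a non-FIPS openssh-server before the FIPS one is reached; I cannot confirm from the diff that installer_debs is built from this variable, so please check the order against that loop. Matching FIPS_OPENSSH_ALL removes the question: `FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_OPENSSH) $(FIPS_KRB5)`.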
diff --git a/sonic-slave-bookworm/Dockerfile.j2 b/sonic-slave-bookworm/Dockerfile.j2
index 6bf09c425cd1..aedacd066c7f 100644
--- a/sonic-slave-bookworm/Dockerfile.j2
+++ b/sonic-slave-bookworm/Dockerfile.j2
@@ -451,12 +451,10 @@ RUN apt-get install -y kernel-wedge
 # For gobgp and telemetry build
 RUN apt-get install -y golang
 {%- if INCLUDE_FIPS == "y" %}
-# FIPS not yet available
-RUN false
-RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
- && wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
+RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
+ && wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-src_{{ FIPS_GOLANG_VERSION }}_all.deb' \
 && dpkg -i golang-go.deb golang-src.deb \
- && ln -sf /usr/lib/go-1.15 /usr/local/go \
+ && ln -sf /usr/lib/go-1.19 /usr/local/go \
 && rm golang-go.deb golang-src.deb
 {%- else %}
 RUN apt-get install -y golang-go \
diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
index 7bcf438cca82..b69e50b59cf8 100644
--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
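Review bot: The rewritten `RUN wget … && dpkg -i golang-go.deb golang-src.deb` still installs two packages fetched from the blob store with no integrity check beyond TLS, and now that the file names come from FIPS_VERSION and FIPS_GOLANG_VERSION a bump in rules/sonic-fips.mk silently changes what lands in the build image; the sonic-slave-bullseye hunk has the same shape. Recording an expected digest per (BLDENV, FIPS_GOLANG_VERSION) alongside the versions (new variables, exported through Makefile.work the way FIPS_VERSION is) and checking it before dpkg, e.g. `&& echo '{{ FIPS_GOLANG_GO_SHA256 }}  golang-go.deb' | sha256sum -c -` and the same for golang-src.deb, pins the toolchain as firmly as the version string does. Two smaller points: the old URL encoded the `+` of the Debian version as `%2B` while the template now emits it raw — `{{ FIPS_GOLANG_VERSION | urlencode }}` restores the encoding if the endpoint turns out to be strict about it — and `golang-1.19` stays hard-coded in the file names and the `ln -sf /usr/lib/go-1.19` line although FIPS_GOLANG_MAIN_VERSION exists in sonic-fips.mk, so passing it through alongside FIPS_GOLANG_VERSION would keep the two in step.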
@@ -481,8 +481,8 @@ RUN eatmydata apt-get install -y kernel-wedge
 # For gobgp and telemetry build
 RUN eatmydata apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
 {%- if INCLUDE_FIPS == "y" %}
-RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
- && wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
+RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
+ && wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
 && eatmydata dpkg -i golang-go.deb golang-src.deb \
 && ln -sf /usr/lib/go-1.15 /usr/local/go \
 && rm golang-go.deb golang-src.deb