Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support FIPS based on SymCrypt provider for bookworm #17893

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 3 additions & 12 deletions Makefile.work
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,7 @@ rules/config.user:

include rules/config
-include rules/config.user
include rules/sonic-fips.mk

ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
Expand Down Expand Up @@ -184,18 +185,6 @@ endif
SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV)

# Support FIPS feature, armhf not supported yet
ifeq ($(PLATFORM_ARCH),armhf)
INCLUDE_FIPS := n
ENABLE_FIPS := n
endif

# FIPS not yet available on Bookworm
ifeq ($(BLDENV),bookworm)
$(warning FIPS support not yet available on Bookworm)
INCLUDE_FIPS := n
endif

ifeq ($(INCLUDE_FIPS), n)
ifeq ($(ENABLE_FIPS), y)
$(error Cannot set fips config ENABLE_FIPS=y when INCLUDE_FIPS=n)
Expand Down Expand Up @@ -230,6 +219,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
FIPS_VERSION=$(FIPS_VERSION) \
FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)

$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
Expand Down
3 changes: 2 additions & 1 deletion dockers/docker-base-bookworm/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,8 @@ RUN apt update && \
jq \
# for sairedis zmq rpc channel
libzmq5 \
libwrap0
libwrap0 \
libatomic1

# Add a config file to allow pip to install packages outside of apt/the Debian repos
COPY ["pip.conf", "/etc/pip.conf"]
Expand Down
7 changes: 7 additions & 0 deletions files/build_templates/sonic_debian_extension.j2
Original file line number Diff line number Diff line change
Expand Up @@ -671,6 +671,13 @@ exit 101
EOF
sudo chmod a+x $FILESYSTEM_ROOT/usr/sbin/policy-rc.d

if [ "$INCLUDE_FIPS" == y ]; then
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libatomic1
# The package openssh-client 9.2 is conflict with FIPS, the line below can be removed when the openssh-client version>=9.4
# The package will be reinstalled when isntalling the FIPS packages
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove openssh-client
fi

{% if installer_debs.strip() -%}
{% for deb in installer_debs.strip().split(' ') -%}
sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
Expand Down
30 changes: 26 additions & 4 deletions rules/sonic-fips.mk
Original file line number Diff line number Diff line change
@@ -1,30 +1,48 @@
# fips packages

FIPS_VERSION = 0.10
ifeq ($(BLDENV), bookworm)
FIPS_VERSION = 1.0-preview
FIPS_OPENSSL_VERSION = 3.1.3-1+fips
FIPS_OPENSSH_VERSION = 9.4p1-1+fips
FIPS_PYTHON_MAIN_VERSION = 3.11
FIPS_PYTHON_VERSION = 3.11.2-6+fips
FIPS_GOLANG_MAIN_VERSION = 1.19
FIPS_GOLANG_VERSION = 1.19.8-2+fips
FIPS_KRB5_VERSION = 1.20.1-2+deb12u1+fips
endif

ifeq ($(BLDENV), bullseye)
FIPS_VERSION = 0.11-preview
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
FIPS_PYTHON_MAIN_VERSION = 3.9
FIPS_PYTHON_VERSION = 3.9.2-1+fips
FIPS_GOLANG_MAIN_VERSION = 1.15
FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
endif

FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)

SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
SYMCRYPT_OPENSSL = $(SYMCRYPT_OPENSSL_NAME)_$(FIPS_VERSION)_$(CONFIGURED_ARCH).deb
$(SYMCRYPT_OPENSSL)_SRC_PATH = $(SRC_PATH)/sonic-fips

FIPS_OPENSSL = openssl_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
ifeq ($(BLDENV), bookworm)
FIPS_OPENSSL_LIBSSL = libssl3_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
else
FIPS_OPENSSL_LIBSSL = libssl1.1_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
endif
FIPS_OPENSSL_LIBSSL_DEV = libssl-dev_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSL_LIBSSL_DOC = libssl-doc_$(FIPS_OPENSSL_VERSION)_all.deb
FIPS_OPENSSL_ALL = $(FIPS_OPENSSL) $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL_LIBSSL_DOC)

FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_all.deb
FIPS_OPENSSH_CLIENT = openssh-client_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH_SFTP_SERVER = openssh-sftp-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH_SERVER = openssh-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_OPENSSH_ALL = $(FIPS_SSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER)
FIPS_OPENSSH_ALL = $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_OPENSSH)

FIPS_PYTHON = python$(FIPS_PYTHON_MAIN_VERSION)_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_PYTHON_MINIMAL = python$(FIPS_PYTHON_MAIN_VERSION)-minimal_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
Expand All @@ -35,7 +53,11 @@ FIPS_PYTHON_ALL = $(FIPS_PYTHON) $(FIPS_PYTHON_MINIMAL) $(FIPS_LIBPYTHON) $(FIPS

FIPS_GOLANG = golang-$(FIPS_GOLANG_MAIN_VERSION)_$(FIPS_GOLANG_VERSION)_all.deb
FIPS_GOLANG_GO = golang-$(FIPS_GOLANG_MAIN_VERSION)-go_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
ifeq ($(BLDENV), bookworm)
FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_all.deb
else
FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
endif
FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_all.deb
FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)

Expand All @@ -56,6 +78,6 @@ FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
$(foreach package,$(FIPS_DERIVED_TARGET),$(eval $(call add_extra_package,$(SYMCRYPT_OPENSSL),$(package))))

ifeq ($(INCLUDE_FIPS), y)
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
SONIC_MAKE_DEBS += $(SYMCRYPT_OPENSSL)
endif
2 changes: 1 addition & 1 deletion slave.mk
Original file line number Diff line number Diff line change
Expand Up @@ -443,7 +443,7 @@ $(info "INCLUDE_TEAMD" : "$(INCLUDE_TEAMD)")
$(info "INCLUDE_ROUTER_ADVERTISER" : "$(INCLUDE_ROUTER_ADVERTISER)")
$(info "INCLUDE_BOOTCHART : "$(INCLUDE_BOOTCHART)")
$(info "ENABLE_BOOTCHART : "$(ENABLE_BOOTCHART)")
$(info "INCLUDE_FIPS" : "$(INCLUDE_FIPS)")
$(info "INCLUDE_FIPS" : "$(INCLUDE_FIPS)")
$(info "ENABLE_TRANSLIB_WRITE" : "$(ENABLE_TRANSLIB_WRITE)")
$(info "ENABLE_NATIVE_WRITE" : "$(ENABLE_NATIVE_WRITE)")
$(info "ENABLE_DIALOUT" : "$(ENABLE_DIALOUT)")
Expand Down
8 changes: 3 additions & 5 deletions sonic-slave-bookworm/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -451,12 +451,10 @@ RUN apt-get install -y kernel-wedge
# For gobgp and telemetry build
RUN apt-get install -y golang
{%- if INCLUDE_FIPS == "y" %}
# FIPS not yet available
RUN false
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-src_{{ FIPS_GOLANG_VERSION }}_all.deb' \
&& dpkg -i golang-go.deb golang-src.deb \
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
&& ln -sf /usr/lib/go-1.19 /usr/local/go \
&& rm golang-go.deb golang-src.deb
{%- else %}
RUN apt-get install -y golang-go \
Expand Down
4 changes: 2 additions & 2 deletions sonic-slave-bullseye/Dockerfile.j2
Original file line number Diff line number Diff line change
Expand Up @@ -481,8 +481,8 @@ RUN eatmydata apt-get install -y kernel-wedge
# For gobgp and telemetry build
RUN eatmydata apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
{%- if INCLUDE_FIPS == "y" %}
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& eatmydata dpkg -i golang-go.deb golang-src.deb \
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
&& rm golang-go.deb golang-src.deb
Expand Down
Loading