[yocto] Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH
Mark Hatle
mark.hatle at kernel.crashing.org
Wed Sep 25 07:33:12 PDT 2019
On 9/25/19 2:23 AM, Hongxu Jia wrote:
> Changed in V1:
> - Follow Mark H's suggestions
>
> Hi Mark,
>
> Once openssh enables FIPS mode, openssh ptest will fail (mess of failure).
> It seems the test case of upstream openssh does not consider FIPS mode support.
> I search fedora, there is nothing about openssh `regress'(test suits) in
> FIPS mode support
>
> So I do not add additional cavs test to the ptest, just add a note
> to README.enable_fips
Ok, that is good to know. I suspect the issue is that many of the tests are
trying to use unapproved algorithms and should be skipped in FIPS mode.
Something for a future patch set. I don't think it's necessary to adjust now.
I did modify patch 4. We want to use the more generic IMAGE_POSTPROCESS_COMMAND
instead. But otherwise I've taken it as is. I'm currently running it through a
test pass, once that is complete I'll push the commits.
--Mark
> //Hongxu
>
> ====== Comments (indicate scope for each "y" above) ======
> * Git logs
> [meta-openssl102-fips]
> commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Wed Sep 25 15:03:24 2019 +0800
>
> README.enable_fips: openssh ptest failed in fips mode
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit f5b8a66c226541e73cc509a73452bbafc59f2555
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 22:40:56 2019 +0800
>
> README.openssh_cavstest: add CAVS tests for FIPS validation
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit bd5de039c60fd2ab89f7925d3801520d742ba09a
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 21:54:41 2019 +0800
>
> openssh: add CAVS tests for FIPS validation
>
> Refer the latest Fedora to add cavs test binary for the aes-ctr [1]
> and SSH KDF CAVS test driver [2]
>
> [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
> [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
> (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 20:55:30 2019 +0800
>
> README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode
>
> Refer RedHat/Fedora/SUSE/Oracle/IBM ways
>
> 1. Add `fips=1' to kernel option to enable FIPS mode in kernel
>
> 2. File /etc/system-fips to determine if a FIPS mode is enabled in user space,
> currently openssh only
>
> Refer:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
> https://access.redhat.com/discussions/3293631
> https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
> https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
> https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 19:27:45 2019 +0800
>
> rng-tools: fix rngd failed in fips mode
>
> The FIPS test is something done on government or more secure organizations
> for extra security check.
> ...
> root at qemux86-64:~# systemctl status rngd
> Unit rngd-tools.service could not be found.
> root at qemux86-64:~# systemctl status rngd
> rngd.service - Hardware RNG Entropy Gatherer Daemon
> Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
> Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
> Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
> Main PID: 317 (code=exited, status=0/SUCCESS)
>
> Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
> Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
> Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
> ...
>
> From rngd manual, add `-i' to default
> ...
> -i, --ignorefail
> Ignore repeated fips failures
> ...
>
> After applying the fix
> ...
> rngd.service - Hardware RNG Entropy Gatherer Daemon
> Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
> Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
> Main PID: 121 (rngd)
> Tasks: 2
> Memory: 1.8M
> CGroup: /system.slice/rngd.service
> /usr/sbin/rngd -f -r /dev/hwrng -i
>
> Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
> ...
>
> Refer:
> https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit c3224883bec9155fb51686a908c59da31d9918f5
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 19:27:01 2019 +0800
>
> rng-tools bbappend: port a copy of default from oe-core
>
> Port it at the following commit in oe-core
> http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit aecc01c2e49825dcb2a78875e0562028b2636fab
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 18:48:08 2019 +0800
>
> openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode
>
> Run sshd_check_keys failed:
> ...
> 2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]: generating ssh ED25519 host key...
> 2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
> ...
>
> If fips mode enabled (existence of "/etc/system-fips"), don't generate ED25519 host
> keys in FIPS mode
>
> Refers Fedora:
> https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
> https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit 67f47b09f427d9bb8e5db7a587ccc48a66351d13
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 18:43:03 2019 +0800
>
> openssh: port a copy of sshd_check_keys from oe-core
>
> Port it at the following commit in oe-core
> http://cgit.openembedded.org/openembedded-core/commit/?id=2303d795ae96f1a60caf145a0ddf100e89c4b5b0
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit ef9cbad4917c9327705a671a812da70659641b34
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 14:36:41 2019 +0800
>
> openssh: conditional enable fips mode
>
> Enable fips mode according to the existence of "/etc/system-fips"
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit f9a362a102afab48a58e35ca482395cb11ce2679
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sun Sep 22 12:18:02 2019 +0800
>
> kernel: workaround alg self-tests failure in fips mode
>
> While kernel enable fips mode, it start alg self-test, and there is
> a kernel panic at ecdh-generic
> ...
> [ 0.311313] alg: ecdh: test failed on vector 2, err=-14
> [ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
> ...
>
> Continue without Jitter RNG for fips to workaround alg self-tests failure,
> after applying the fix:
> ...
> [ 0.306633] DRBG: Continuing without Jitter RNG
> [ 0.310550] alg: self-tests for ecdh-generic (ecdh) passed
> ...
>
> Refer: https://lore.kernel.org/patchwork/patch/568693/
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit ba498f76d6067ce5cf57be037deecde9bb7cf664
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sat Sep 21 14:43:28 2019 +0800
>
> add kernel fips mode support
>
> A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
> by specifying fips=1 as kernel parameter. [1][2]
>
> /proc/sys/crypto/fips_enabled, that is presumably used by the Red Hat
> modified version of OpenSSL.[3]
>
> [1] https://www.linux.org/docs/man8/fipscheck.html
> [2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
> [3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit 6ead6e738a7da55b123f6c55058259f3df214509
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sat Sep 21 14:24:51 2019 +0800
>
> openssh: add generation of HMAC checksums in pkg_postinst
>
> Refer https://src.fedoraproject.org/rpms/openssh/c/13fa787ecc35d6c9eea9e64c1f42f49e2ee978ce
> (See __spec_install_post in openssh.spec for detail)
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit d9906e35fcdf60e773d2272117383e3ec7ca9bc0
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sat Sep 21 12:49:53 2019 +0800
>
> classes/image-enable-fips.bbclass: enable user space fips mode in image
>
> Refer Fedora/RedHat's way
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut
>
> To enable user space fips mode in the image recipe as part of an
> 'IMAGE_CLASSES'. Basically if FIPS-140-2 is enabled, then we can
> touch the file as a post image generation activity.
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit 2d4d0ad9655b5349815af9f8e6a19830fcf40f02
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Sat Sep 21 12:25:17 2019 +0800
>
> fipscheck: add generation of the checksums in pkg_postinst
>
> Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
> (* fipscheck.spec.in: Add generation of the checksums in __spec_install_post.)
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit d915bb67402e504ee8aa47ce988afcb07eb829a4
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Fri Sep 20 22:06:17 2019 +0800
>
> openssh_8.%.bbappend: support fips 140-2
>
> Port openssh-7.7p1-fips.patch from Fedora
> https://src.fedoraproject.org/rpms/openssh.git
> (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
> commit 0516bd7ba43434d8fafb92f5eb3801c726ce1d46
> Author: Hongxu Jia <hongxu.jia at windriver.com>
> Date: Fri Sep 20 15:43:44 2019 +0800
>
> fipscheck: add 1.5.0
>
> Port it from fedora:
> https://src.fedoraproject.org/rpms/fipscheck
> (as of commit 7e44bec705fb2b3263734f30a05c2245738cf01a)
>
> It is required by openssh fips.
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>
>
>
> ====== Testing ======
> * Commands
> See README.build README.enable_fips README.openssh_cavstest
>
> * Expected Results
> See README.build README.enable_fips README.openssh_cavstest
>
> * Applicable to
> qemux86-64
>
More information about the yocto
mailing list