[yocto] Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH

Hongxu Jia hongxu.jia at windriver.com
Wed Sep 25 19:22:49 PDT 2019


On 9/25/19 10:33 PM, Mark Hatle wrote:
>
> On 9/25/19 2:23 AM, Hongxu Jia wrote:
>> Changed in V1:
>> - Follow Mark H's suggestions
>>
>> Hi Mark,
>>
>> Once openssh enables FIPS mode, openssh ptest will fail (a mess of failures).
>> It seems the test cases of upstream openssh do not consider FIPS mode support.
>> I searched Fedora; there is nothing about openssh `regress' (test suites) in
>> FIPS mode support.
>>
>> So I did not add additional CAVS tests to the ptest, just added a note
>> to README.enable_fips.
> Ok, that is good to know.  I suspect the issue is that many of the tests are
> trying to use unapproved algorithms and should be skipped in FIPS mode.
> Something for a future patch set.  I don't think it's necessary to adjust now.
>
> I did modify patch 4.  We want to use the more generic IMAGE_POSTPROCESS_COMMAND
> instead.  But otherwise I've taken it as is.  I'm currently running it through a
> test pass, once that is complete I'll push the commits.

Hi Mark,

I am afraid we have to use var-ROOTFS_POSTPROCESS_COMMAND instead:
var-IMAGE_POSTPROCESS_COMMAND is used at do_image_complete, and we
require it to run at do_rootfs.

//Hongxu

> --Mark
>
>> //Hongxu
>>
>> ====== Comments (indicate scope for each "y" above) ======
>> * Git logs
>> [meta-openssl102-fips]
>> commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Wed Sep 25 15:03:24 2019 +0800
>>
>>      README.enable_fips: openssh ptest failed in fips mode
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit f5b8a66c226541e73cc509a73452bbafc59f2555
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 22:40:56 2019 +0800
>>
>>      README.openssh_cavstest: add CAVS tests for FIPS validation
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit bd5de039c60fd2ab89f7925d3801520d742ba09a
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 21:54:41 2019 +0800
>>
>>      openssh: add CAVS tests for FIPS validation
>>      
>>      Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
>>      and the SSH KDF CAVS test driver [2]
>>      
>>      [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
>>      [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
>>      (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 20:55:30 2019 +0800
>>
>>      README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode
>>      
>>      Refer to the RedHat/Fedora/SUSE/Oracle/IBM ways
>>      
>>      1. Add `fips=1' to the kernel options to enable FIPS mode in the kernel
>>      
>>      2. The file /etc/system-fips determines whether FIPS mode is enabled in user space;
>>      currently openssh only
>>      
>>      Refer:
>>      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
>>      https://access.redhat.com/discussions/3293631
>>      https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
>>      https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
>>      https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 19:27:45 2019 +0800
>>
>>      rng-tools: fix rngd failed in fips mode
>>      
>>      The FIPS test is something done at government or more secure organizations
>>      as an extra security check.
>>      ...
>>      root at qemux86-64:~# systemctl status rngd
>>      Unit rngd-tools.service could not be found.
>>      root at qemux86-64:~# systemctl status rngd
>>      rngd.service - Hardware RNG Entropy Gatherer Daemon
>>         Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
>>         Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
>>        Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
>>       Main PID: 317 (code=exited, status=0/SUCCESS)
>>      
>>      Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
>>      Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
>>      Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
>>      ...
>>      
>>      From the rngd manual, add `-i' to the defaults
>>      ...
>>      -i, --ignorefail
>>        Ignore repeated fips failures
>>      ...
>>      
>>      After applying the fix
>>      ...
>>      rngd.service - Hardware RNG Entropy Gatherer Daemon
>>         Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
>>         Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
>>       Main PID: 121 (rngd)
>>          Tasks: 2
>>         Memory: 1.8M
>>         CGroup: /system.slice/rngd.service
>>                 /usr/sbin/rngd -f -r /dev/hwrng -i
>>      
>>      Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
>>      ...
>>      
>>      Refer:
>>      https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit c3224883bec9155fb51686a908c59da31d9918f5
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 19:27:01 2019 +0800
>>
>>      rng-tools bbappend: port a copy of default from oe-core
>>      
>>      Port it at the following commit in oe-core
>>      http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit aecc01c2e49825dcb2a78875e0562028b2636fab
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 18:48:08 2019 +0800
>>
>>      openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode
>>      
>>      Running sshd_check_keys failed:
>>      ...
>>      2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]:   generating ssh ED25519 host key...
>>      2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
>>      ...
>>      
>>      If FIPS mode is enabled (existence of "/etc/system-fips"), don't generate
>>      ED25519 host keys
>>      
>>      Refer to Fedora:
>>      https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
>>      https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit 67f47b09f427d9bb8e5db7a587ccc48a66351d13
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 18:43:03 2019 +0800
>>
>>      openssh: port a copy of sshd_check_keys from oe-core
>>      
>>      Port it at the following commit in oe-core
>>      http://cgit.openembedded.org/openembedded-core/commit/?id=2303d795ae96f1a60caf145a0ddf100e89c4b5b0
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit ef9cbad4917c9327705a671a812da70659641b34
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 14:36:41 2019 +0800
>>
>>      openssh: conditionally enable fips mode
>>      
>>      Enable fips mode according to the existence of "/etc/system-fips"
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit f9a362a102afab48a58e35ca482395cb11ce2679
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sun Sep 22 12:18:02 2019 +0800
>>
>>      kernel: workaround alg self-tests failure in fips mode
>>      
>>      While the kernel enables fips mode, it starts the alg self-tests, and there is
>>      a kernel panic at ecdh-generic
>>      ...
>>      [    0.311313] alg: ecdh: test failed on vector 2, err=-14
>>      [    0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
>>      ...
>>      
>>      Continue without Jitter RNG for fips to work around the alg self-test failure;
>>      after applying the fix:
>>      ...
>>      [    0.306633] DRBG: Continuing without Jitter RNG
>>      [    0.310550] alg: self-tests for ecdh-generic (ecdh) passed
>>      ...
>>      
>>      Refer: https://lore.kernel.org/patchwork/patch/568693/
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit ba498f76d6067ce5cf57be037deecde9bb7cf664
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sat Sep 21 14:43:28 2019 +0800
>>
>>      add kernel fips mode support
>>      
>>      A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in fips mode
>>      by specifying fips=1 as kernel parameter. [1][2]
>>      
>>      /proc/sys/crypto/fips_enabled is presumably used by the Red Hat
>>      modified version of OpenSSL. [3]
>>      
>>      [1] https://www.linux.org/docs/man8/fipscheck.html
>>      [2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
>>      [3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit 6ead6e738a7da55b123f6c55058259f3df214509
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sat Sep 21 14:24:51 2019 +0800
>>
>>      openssh: add generation of HMAC checksums in pkg_postinst
>>      
>>      Refer https://src.fedoraproject.org/rpms/openssh/c/13fa787ecc35d6c9eea9e64c1f42f49e2ee978ce
>>      (See __spec_install_post in openssh.spec for detail)
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit d9906e35fcdf60e773d2272117383e3ec7ca9bc0
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sat Sep 21 12:49:53 2019 +0800
>>
>>      classes/image-enable-fips.bbclass: enable user space fips mode in image
>>      
>>      Refer to Fedora/RedHat's way
>>      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut
>>      
>>      Enable user space fips mode in the image recipe as part of
>>      'IMAGE_CLASSES'. Basically, if FIPS 140-2 is enabled, then we can
>>      touch the file as a post-image-generation activity.
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit 2d4d0ad9655b5349815af9f8e6a19830fcf40f02
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Sat Sep 21 12:25:17 2019 +0800
>>
>>      fipscheck: add generation of the checksums in pkg_postinst
>>      
>>      Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
>>      (* fipscheck.spec.in: Add generation of the checksums in __spec_install_post.)
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit d915bb67402e504ee8aa47ce988afcb07eb829a4
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Fri Sep 20 22:06:17 2019 +0800
>>
>>      openssh_8.%.bbappend: support fips 140-2
>>      
>>      Port openssh-7.7p1-fips.patch from Fedora
>>      https://src.fedoraproject.org/rpms/openssh.git
>>      (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>> commit 0516bd7ba43434d8fafb92f5eb3801c726ce1d46
>> Author: Hongxu Jia <hongxu.jia at windriver.com>
>> Date:   Fri Sep 20 15:43:44 2019 +0800
>>
>>      fipscheck: add 1.5.0
>>      
>>      Port it from Fedora:
>>      https://src.fedoraproject.org/rpms/fipscheck
>>      (as of commit 7e44bec705fb2b3263734f30a05c2245738cf01a)
>>      
>>      It is required by openssh fips.
>>      
>>      Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>
>>
>>
>> ====== Testing ======
>> * Commands
>> See README.build  README.enable_fips  README.openssh_cavstest
>>
>> * Expected Results
>> See README.build  README.enable_fips  README.openssh_cavstest
>>
>> * Applicable to
>> qemux86-64
>>
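The mechanism this patch set describes has a build-time half (touch /etc/system-fips inside the rootfs, which is why the hook has to run at do_rootfs rather than do_image_complete) and a run-time half (sshd_check_keys consults that marker, and the FIPS-patched ssh-keygen refuses ED25519, so that key type has to be skipped). The POSIX shell script below is an added example that models both halves; it is not code from meta-openssl102-fips, oe-core or Fedora. Every function takes a root directory argument so it can be exercised against a scratch tree instead of the live system; that argument, the function names, and the rsa/ecdsa/ed25519 host key list are assumptions of this example, not the recipe's.

```shell
#!/bin/sh
# Added example (not from meta-openssl102-fips): the two halves of the
# user-space FIPS switch discussed in the thread.
#
# 1. Build time: what a ROOTFS_POSTPROCESS_COMMAND function would do,
#    i.e. create the empty marker /etc/system-fips inside the rootfs.
# 2. Run time: sshd_check_keys-style logic that reads the kernel flag
#    (/proc/sys/crypto/fips_enabled) and the marker file, and drops
#    ED25519 from the host key list when user-space FIPS mode is on.
#
# The root-directory argument is an assumption of this example so the
# functions can run against a scratch tree.

# Build-time side: emulate the rootfs post-processing hook.
# $1 = path of the rootfs being assembled.
enable_fips_in_rootfs() {
    rootfs="$1"
    mkdir -p "${rootfs}/etc"
    # Empty marker file; its existence is the switch, not its content.
    : > "${rootfs}/etc/system-fips"
}

# Run-time side: true (0) if user-space FIPS mode is enabled, i.e. the
# marker file exists under the given root.
fips_userspace_enabled() {
    root="$1"
    [ -f "${root}/etc/system-fips" ]
}

# Run-time side: true (0) if the kernel reports fips_enabled=1 under the
# given root (on a real system root is / and the file is backed by procfs).
kernel_fips_enabled() {
    root="$1"
    f="${root}/proc/sys/crypto/fips_enabled"
    [ -f "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the host key types to generate, one per line. ED25519 is omitted
# in FIPS mode because the FIPS-patched ssh-keygen refuses it
# ("ED25519 keys are not allowed in FIPS mode" in the thread's log).
# The list itself is an assumption of this example.
host_key_types() {
    root="$1"
    if fips_userspace_enabled "$root"; then
        printf '%s\n' rsa ecdsa
    else
        printf '%s\n' rsa ecdsa ed25519
    fi
}

# Generate any missing host keys in ${root}/etc/ssh, skipping types that
# host_key_types excluded. Uses ssh-keygen when available; otherwise it
# creates an empty placeholder so the control flow can still be checked.
generate_host_keys() {
    root="$1"
    mkdir -p "${root}/etc/ssh"
    for t in $(host_key_types "$root"); do
        key="${root}/etc/ssh/ssh_host_${t}_key"
        [ -f "$key" ] && continue
        if command -v ssh-keygen >/dev/null 2>&1; then
            ssh-keygen -q -f "$key" -N '' -t "$t" </dev/null
        else
            : > "$key"   # placeholder when ssh-keygen is unavailable
        fi
    done
}
```

Against a scratch directory, `enable_fips_in_rootfs /tmp/rootfs` followed by `host_key_types /tmp/rootfs` prints only rsa and ecdsa, and `generate_host_keys /tmp/rootfs` leaves no ssh_host_ed25519_key behind; without the marker all three types are produced.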
