Support SONiC OpenSSL FIPS 140-3 based on SymCrypt engine

[xumia]

Why I did it

Support OpenSSL FIPS 140-3, see design doc: https://github.com/Azure/SONiC/blob/master/doc/fips/SONiC-OpenSSL-FIPS-140-3.md.

How I did it

Install the fips packages.
To build the fips packages, see https://github.com/Azure/sonic-fips
Azure pipelines: https://dev.azure.com/mssonic/build/_build?definitionId=412

How to verify it

Validate the SymCrypt engine:

admin@sonic:~$ dpkg-query -W | grep openssl
openssl 1.1.1k-1+deb11u1+fips
symcrypt-openssl        0.1

admin@sonic:~$ openssl engine -v | grep -i symcrypt
(symcrypt) SCOSSL (SymCrypt engine for OpenSSL)
admin@sonic:~$ 

Install debug version of symcrypt and validate:

$ gdb --args openssl rand 10 
(gdb) b scossl_rand_bytes
(gdb) r
Starting program: /usr/bin/openssl rand 10

Breakpoint 1, scossl_rand_bytes (buf=0x7ffd81ce49f0 "200\024\t\300\004X\020\211\263!", num=10)
    at /src/SymCrypt-OpenSSL/SymCryptEngine/src/scossl_rand.c:23
23          SymCryptRandom(buf, num);

Test golang: when the fips is enabled, the test.go will call go boring api, call openssl api, and then call symcrypt api.

test.go:
import (
    "crypto/rand"
    "crypto/rsa"
)
func main() {
    rsa.GenerateKey(rand.Reader, 2048)
}

$ gdb test
(gdb) b scossl_rsa_keygen
(gdb) r
Thread 1 "test" hit Breakpoint 1, scossl_rsa_keygen (rsa=0x12299b0, bits=2048, e=0x122e490, cb=0x0) at /src/SymCrypt-OpenSSL/SymCryptEngine/src/scossl_rsa.c:638
638         PBYTE   ppbPrimes[2] = { 0 };

(gdb) bt
#0  scossl_rsa_keygen (rsa=0x12299b0, bits=2048, e=0x122e490, cb=0x0) at /src/SymCrypt-OpenSSL/SymCryptEngine/src/scossl_rsa.c:638
#1  0x00007f4e966a8446 in RSA_generate_key_ex (rsa=0x12299b0, bits=2048, e_value=0x122e490, cb=0x0) at ../crypto/rsa/rsa_gen.c:35
#2  0x00000000004025aa in crypto/internal/boring(.text) ()
...
#8  0x0000000000401c0e in _cgo_b67541c0c44c_Cfunc__goboringcrypto_RSA_generate_key_fips ()

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106

Description for the changelog

A picture of a cute animal (not mandatory but encouraged)

[qiluo-msft]

sonic-fips

Do you want to add a new submodule in this PR? #Closed

[xumia]

No, we will use binaries only, it will take long time to build it.
And the module SymCryptDependencies is microsoft only (to test only), not available by public, see https://github.com/microsoft/SymCrypt/blob/0f83207858253be11f473dced88b146895004419/.gitmodules#L3
We do not have hard the dependency on the submodule, it can be skipped during the build. We will have a trouble if using it, cannot checkout code recursively.

[saiarcot895]

If these packages need to be updated (for fixing security issues, or features/functionality), is there an easy way to rebuild the FIPS packages?

[xumia]

Yes, see https://github.com/Azure/sonic-fips.
I will add the artifacts publish automation later, currently, copy the artifacts to storage container manually.

[qiluo-msft]

which storage? Do you mean FIPS_URL_PREFIX? I notice the name difference: sonic-fips vs fips.

[xumia]

Yes, the same some of the other artifacts, sonicstorage.

[qiluo-msft]

1.15

RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/golang-1.15-go_1.15.15-1~deb11u2%2Bfips_{{ CONFIGURED_ARCH }}.deb' \

---

Can we use the same version as in else branch? Ideally, we should share the version constant, and build any version specified with FIPS. #Closed

[xumia]

Change all to use 1.15 for bullseye, align to the default one in bullseye.
And change to use the debian packages, not to download from google web site.

[xumia]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[xumia]

/azp run

[azure-pipelines]

You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list.

[xumia]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[xumia]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[xumia]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[xumia]

@qiluo-msft , @saiarcot895 , could you please help review again?

[qiluo-msft]

Why move this statement? #Closed

[xumia]

When installing openssl/openssh for fips, the ssh key will be generated again, so moving the removal step after all installing steps are complete.

[qiluo-msft]

As my understanding, in original code, removal step is after all openssl/openssh installing steps.

If you have a good reason, is it a general bug fix?

[xumia]

It is not a bug, there is an additional installation step to install debian packages, the FIPS packages are installed in the step, see https://github.com/Azure/sonic-buildimage/blob/53e5fe6a93b051c8319d51e109d317beb5166e77/files/build_templates/sonic_debian_extension.j2#L598

We move the removal step, because the FIPS packages will generate the ssh keys again.

[qiluo-msft]

ONIE_PLATFORM_EXTRA_CMDLINE_LINUX

ONIE_PLATFORM_EXTRA_CMDLINE_LINUX="$ONIE_PLATFORM_EXTRA_CMDLINE_LINUX $extra_cmdline_linux"

---

Do not combine %%EXTRA_CMDLINE_LINUX%% with ONIE_PLATFORM_EXTRA_CMDLINE_LINUX. Just add %%EXTRA_CMDLINE_LINUX%% to below menuentry template. #Closed

[qiluo-msft]

Sorry, by semantics, GRUB_CMDLINE_LINUX should include %%EXTRA_CMDLINE_LINUX%%

[xumia]

Thanks, fixed, better to use GRUB_CMDLINE_LINUX .

[xumia]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[qiluo-msft]

LGTM. Please check with other reviewers.

[xumia]

@saiarcot895 , could you please help review it again? Thanks.