-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SONiC OpenSSL FIPS 140-3 based on SymCrypt engine #9573
Conversation
0ac0151
to
9e7189c
Compare
|
||
SYMCRYPT_OPENSSL_NAME = symcrypt-openssl | ||
SYMCRYPT_OPENSSL = fips/$(SYMCRYPT_OPENSSL_NAME)_$(FIPS_VERSION)_$(CONFIGURED_ARCH).deb | ||
$(SYMCRYPT_OPENSSL)_SRC_PATH = $(SRC_PATH)/sonic-fips |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, we will use binaries only, it will take long time to build it.
And the module SymCryptDependencies is microsoft only (to test only), not available by public, see https://github.com/microsoft/SymCrypt/blob/0f83207858253be11f473dced88b146895004419/.gitmodules#L3
We do not have hard the dependency on the submodule, it can be skipped during the build. We will have a trouble if using it, cannot checkout code recursively.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If these packages need to be updated (for fixing security issues, or features/functionality), is there an easy way to rebuild the FIPS packages?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, see https://github.com/Azure/sonic-fips.
I will add the artifacts publish automation later, currently, copy the artifacts to storage container manually.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
which storage? Do you mean FIPS_URL_PREFIX? I notice the name difference: sonic-fips vs fips.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the same some of the other artifacts, sonicstorage.
sonic-slave-bullseye/Dockerfile.j2
Outdated
@@ -397,6 +397,13 @@ RUN sudo augtool --autosave "set /files/etc/dpkg/dpkg.cfg/force-confold" | |||
RUN apt-get -y build-dep linux | |||
|
|||
# For gobgp and telemetry build | |||
{%- if INCLUDE_FIPS == "y" %} | |||
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/golang-1.15-go_1.15.15-1~deb11u2%2Bfips_{{ CONFIGURED_ARCH }}.deb' \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/golang-1.15-go_1.15.15-1~deb11u2%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
Can we use the same version as in else
branch? Ideally, we should share the version constant, and build any version specified with FIPS. #Closed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change all to use 1.15 for bullseye, align to the default one in bullseye.
And change to use the debian packages, not to download from google web site.
e62514f
to
5302bb5
Compare
/azp run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
706d421
to
0ef2083
Compare
/azp run |
You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list. |
/azp run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
e5e9ac3
to
1905773
Compare
1905773
to
91b6d03
Compare
/azp run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
/azp run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
1a76fd6
to
34d2e14
Compare
39bb11b
to
a970b1e
Compare
4619899
to
152115f
Compare
@qiluo-msft , @saiarcot895 , could you please help review again? |
# Remove sshd host keys, and will regenerate on first sshd start. This needs to be | ||
# done again here because our custom version of sshd is being installed, which | ||
# will regenerate the sshd host keys. | ||
sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why move this statement? #Closed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When installing openssl/openssh for fips, the ssh key will be generated again, so moving the removal step after all installing steps are complete.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As my understanding, in original code, removal step is after all openssl/openssh installing steps.
If you have a good reason, is it a general bug fix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not a bug, there is an additional installation step to install debian packages, the FIPS packages are installed in the step, see https://github.com/Azure/sonic-buildimage/blob/53e5fe6a93b051c8319d51e109d317beb5166e77/files/build_templates/sonic_debian_extension.j2#L598
We move the removal step, because the FIPS packages will generate the ssh keys again.
installer/x86_64/install.sh
Outdated
# Add extra linux command line | ||
extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%% | ||
echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux" | ||
ONIE_PLATFORM_EXTRA_CMDLINE_LINUX="$ONIE_PLATFORM_EXTRA_CMDLINE_LINUX $extra_cmdline_linux" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, by semantics, GRUB_CMDLINE_LINUX should include %%EXTRA_CMDLINE_LINUX%%
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, fixed, better to use GRUB_CMDLINE_LINUX .
1. Fix type issue 2. Support build from source for fips 3. Use GRUB_CMDLINE_LINUX
152115f
to
e446ccc
Compare
/azp run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Please check with other reviewers.
@saiarcot895 , could you please help review it again? Thanks. |
…9573) Why I did it Support OpenSSL FIPS 140-3, see design doc: https://github.com/Azure/SONiC/blob/master/doc/fips/SONiC-OpenSSL-FIPS-140-3.md. How I did it Install the fips packages. To build the fips packages, see https://github.com/Azure/sonic-fips Azure pipelines: https://dev.azure.com/mssonic/build/_build?definitionId=412 How to verify it Validate the SymCrypt engine: admin@sonic:~$ dpkg-query -W | grep openssl openssl 1.1.1k-1+deb11u1+fips symcrypt-openssl 0.1 admin@sonic:~$ openssl engine -v | grep -i symcrypt (symcrypt) SCOSSL (SymCrypt engine for OpenSSL) admin@sonic:~$
Why I did it
Support OpenSSL FIPS 140-3, see design doc: https://github.com/Azure/SONiC/blob/master/doc/fips/SONiC-OpenSSL-FIPS-140-3.md.
How I did it
Install the fips packages.
To build the fips packages, see https://github.com/Azure/sonic-fips
Azure pipelines: https://dev.azure.com/mssonic/build/_build?definitionId=412
How to verify it
Validate the SymCrypt engine:
Install debug version of symcrypt and validate:
Test golang: when the fips is enabled, the test.go will call go boring api, call openssl api, and then call symcrypt api.
Which release branch to backport (provide reason below if selected)
Description for the changelog
A picture of a cute animal (not mandatory but encouraged)