action #161057

closed

[BCI] Run FIPS tests for FIPS images on non-FIPS host

Added by ph03nix about 2 months ago. Updated 29 days ago.

Status: Resolved
Priority: High
Assignee:
Target version: -
Start date: 2024-05-28
Due date:
% Done: 100%
Estimated time:
Description

We have FIPS images (e.g. https://registry.suse.com/repositories/suse-ltss-sle15-3-bci-base-fips) that allow a container to run in FIPS mode even when the host is not in FIPS mode. Currently the FIPS test runs for those images are being skipped on non-FIPS hosts.

In short: For FIPS images we need to run the FIPS tests, even when those are running on non-FIPS hosts.

Currently the FIPS tests are skipped on non-FIPS hosts. We need to add an exception for the FIPS images in BCI-Tests.

Acceptance criteria

  • Run the FIPS tests for FIPS images on non-FIPS hosts

Further references

Actions #1

Updated by ph03nix about 2 months ago

  • Description updated (diff)

Actions #2

Updated by ph03nix about 2 months ago

Maybe we need to introduce a new setting that tells BCI tests to not skip those tests. Just a suggestion.

Actions #4

Updated by pherranz about 2 months ago

  • Status changed from Workable to In Progress
  • Assignee set to pherranz

Actions #5

Updated by tjyrinki_suse about 2 months ago

Just adding that in order for the "FIPS container" to be acting in FIPS mode when not running on FIPS host, the container should have the following environment variables set in /etc/bash.bashrc or somewhere else:

export OPENSSL_FIPS=1
export OPENSSL_FORCE_FIPS_MODE=1
export LIBGCRYPT_FORCE_FIPS_MODE=1
export NSS_FIPS=1
export GnuTLS_FORCE_FIPS_MODE=1

This is likely already the case, but just wanting to make it clear in case the FIPS container would be only about "zypper install -t pattern fips" and not about supporting FIPS on non-FIPS host.

Actions #6

Updated by pherranz about 2 months ago

After talking to @amanzini, it seems that a proper and simple way to check if a system is FIPS compliant or not would be to verify that it's NOT allowed to use md5sum, as this kind of algorithm is not included in the allowed algorithms list.

Actions #7

Updated by amanzini about 2 months ago · Edited

@tjyrinki_suse the container image only has "custom" rpms for openssl and gcrypt, and the Dockerfile only sets ENV OPENSSL_FORCE_FIPS_MODE=1, avoiding other env variables. Also the image documentation states that it's only about OpenSSL.

This container image is a SUSE Linux Enterprise 15 SP3 base container image that includes the SLES 15 FIPS-140-2 certified OpenSSL module.

The FIPS-140-2 certified OpenSSL module is a cryptographic module that provides a FIPS-140-2 compliant cryptographic library. The module is certified by the National Institute of Standards and Technology (NIST).

The FIPS-140-2 certified OpenSSL module is a drop-in replacement for the standard OpenSSL library. It provides the same functionality as the standard OpenSSL library, with additional security features to meet the FIPS-140-2 requirements.

The image is configured to enforce the use of FIPS-140 mode by default via the environment variable OPENSSL_FORCE_FIPS_MODE. This variable is set to 1 in the image. This means that all cryptographic operations performed by the OpenSSL library are done in FIPS-140-2 mode.

@pherranz md5 is a valid starting point; since we are speaking of U.S. government certification compliance, for a thorough test maybe it's a good idea to check all the algorithms :) please see

https://crypto.stackexchange.com/questions/3859/fips-140-2-compliant-algorithms

and openQA tests under tests/fips folder

Actions #8

Updated by pherranz about 2 months ago · Edited

After some manual testing, I've discovered that it's possible to do md5sum in the FIPS container:

❯ podman pull registry.suse.com/suse/ltss/sle15.3/bci-base-fips:15.3
  Trying to pull registry.suse.com/suse/ltss/sle15.3/bci-base-fips:15.3...
  Getting image source signatures
  Checking if image destination supports signatures
  Copying blob db076a5bd526 skipped: already exists  
  Copying blob f6025199994c skipped: already exists  
  Copying config 16572953da done   | 
  Writing manifest to image destination
  Storing signatures
  16572953daeed914bc610c5494bee5762932528ca0b9220a06710f8161e04fc1

❯ podman run -it --rm bci-base-fips:15.3
  02e0cdd6595f:/ # cd
  02e0cdd6595f:~ # cat /etc/os-release 
    NAME="SLES"
    VERSION="15-SP3"
    VERSION_ID="15.3"
    PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"
    ID="sles"
    ID_LIKE="suse"
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:suse:sles:15:sp3"
    DOCUMENTATION_URL="https://documentation.suse.com/"
  02e0cdd6595f:~ # echo "Hello World!" > test.txt
  02e0cdd6595f:~ # 
  02e0cdd6595f:~ # md5sum test.txt 
    8ddd8be4b179a529afa5f2ffae4b9858  test.txt
  02e0cdd6595f:~ # 
  02e0cdd6595f:~ # echo $OPENSSL_FORCE_FIPS_MODE
    1

Actions #9

Updated by amanzini about 2 months ago · Edited

Probably the md5sum binary does not use OpenSSL but has internal algorithms. While it is debatable whether that is "a FIPS compliant container", if you need to properly test OpenSSL maybe you can use openssl md5:

susetest:~ # cat /etc/os-release 
NAME="SLES"
VERSION="15-SP3"
VERSION_ID="15.3"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"
ID="sles"
ID_LIKE="suse"

susetest:~ # sysctl -a | grep -i fips
crypto.fips_enabled = 0


susetest:~ # openssl md5 <<< "12345"
(stdin)= d577273ff885c3f84dadb8578bb41399


susetest:~ # env OPENSSL_FIPS=1 openssl md5 <<< "12345"
140715096840000:error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match:crypto/fips/fips.c:466:
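
The check discussed in comments #6 to #9, as an added example (not code from BCI-Tests or from the commenters): it probes OpenSSL itself with `openssl md5` rather than `md5sum`, and runs `openssl sha256` as a control so that an OpenSSL which fails on every digest is not counted as MD5 being rejected. The function names `probe` and `classify` and the result labels are hypothetical.

```python
import os
import subprocess


def probe(algo, data=b"12345\n", extra_env=None):
    """Run `openssl <algo>` on data; return (returncode, stderr) or None."""
    env = dict(os.environ, **(extra_env or {}))
    try:
        proc = subprocess.run(["openssl", algo], input=data, env=env,
                              capture_output=True, timeout=30)
    except FileNotFoundError:
        return None  # no openssl binary in this image
    return proc.returncode, proc.stderr.decode(errors="replace")


def classify(md5, sha256):
    """Interpret two probe() results.

    md5    -- result for a digest that FIPS mode must refuse
    sha256 -- result for a digest that FIPS mode must allow (control)
    """
    if md5 is None or sha256 is None:
        return "no-openssl"
    if sha256[0] != 0:
        # The control digest failed too: openssl could not run at all
        # (for example the FIPS module failed to initialise), so the
        # md5 failure says nothing about enforcement.
        return "openssl-broken"
    if md5[0] != 0:
        return "fips-enforced"
    return "fips-not-enforced"


if __name__ == "__main__":
    # Inside the container, use the environment the image ships with;
    # pass extra_env={"OPENSSL_FORCE_FIPS_MODE": "1"} to force the mode.
    print(classify(probe("md5"), probe("sha256")))
```
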
Actions #10

Updated by pherranz about 1 month ago

The issue has come up in the BCI meeting today.

Meanwhile, I'm working with @dancermak on understanding and implementing a fix.

Actions #12

Updated by pherranz 29 days ago

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100