action #167260
closed[security] Do not require FIPS_ENABLED variable for FIPS install tests
100%
Description
Our FIPS install tests now, with a new logic, require FIPS_ENABLED variable set in order to execute fips_setup.pm cleanly. Having this variable on the install tests seems redundant though, since FIPS is not really enabled for the install jobs. Perhaps we could skip this requirement in this case.
If the logic gets changed, we should revert https://gitlab.suse.de/qe-security/osd-sle15-security/-/merge_requests/295 to clean up unused vars.
Updated by emiler about 1 month ago
- Related to action #167206: [security][x86-64][15-sp{4-6}] test fails in fips_setup: missing FIPS_ENABLED=1 added
Updated by amanzini about 1 month ago
- Priority changed from Low to Normal
considering also https://suse.slack.com/archives/C044KDGKW58/p1727179296187759 I'm for dropping at least the first variable checks, if not both :)
before the fix, the check was (by mistake) basically a no-op, so a system with FIPS_ENABLED=1 and BOOT_HDD_IMAGE=0 would have FIPS installed. Now these checks prevents it for no real reason.
see also question at https://progress.opensuse.org/issues/167063#note-2
Updated by tjyrinki_suse about 1 month ago
- Status changed from New to Workable
Seems correct, as ensure_fips_enabled anyway checks if FIPS was correctly enabled, that failing will instruct enough whether one should allow fips_setup to do the enabling in one's tests or if one should specify FIPS_INSTALLATION parameter to skip the setup and only check FIPS was already enabled by the installation.
Updated by amanzini about 1 month ago
Updated by amanzini about 1 month ago
- Status changed from Feedback to Resolved
@emiler feel free to revert you MR if you prefer