action #167683

closed

[BCI] Implement FIPS Vendor affirmation tests

Added by ph03nix 3 months ago. Updated 25 days ago.

Status:
Resolved
Priority:
High
Assignee:
Target version:
-
Start date:
2024-10-01
Due date:
% Done:

100%

Estimated time:

Description

We need to support the QE Security squad with their vendor affirmation test runs. The test specifications are documented in https://confluence.suse.com/x/-ID3Ww, Section Specification of Execution Steps and need to be added to the BCI-Tests.

In https://github.com/SUSE/BCI-tests/blob/main/tests/test_fips.py there are already some FIPS tests. We need to add the missing ones. By default, all tests should run on all hosts/containers, if we run into failures we can limit the failing tests only to the required hosts.

Acceptance criteria

  • All document tests from the Confluence page are present in the FIPS tests of BCI-Tests

Further details

#1

Updated by ph03nix 3 months ago

  • Description updated (diff)
#2

Updated by ph03nix 3 months ago

  • Description updated (diff)
  • Status changed from Blocked to Workable
  • Priority changed from Normal to High
#3

Updated by pherranz 3 months ago

  • Status changed from Workable to In Progress
  • Assignee set to pherranz
#4

Updated by ph03nix 3 months ago

  • Parent task set to #166640
#5

Updated by tjyrinki_suse 3 months ago

OpenJDK part of the execution steps used to be "TBD", now it has content but also does not need to be done for BCI because BCI runs only in environment variable mode currently and OpenJDK does not support that.

#6

Updated by ph03nix 3 months ago

  • Tags set to containers
#7

Updated by ph03nix 3 months ago

  • Subject changed from Implement FIPS Vendor affirmation tests to [BCI] Implement FIPS Vendor affirmation tests
#8

Updated by pherranz 3 months ago

#9

Updated by pherranz 3 months ago

#10

Updated by pherranz about 2 months ago

The openJDK security provider test is ready to review and merge: https://github.com/SUSE/BCI-tests/pull/674

#11

Updated by pherranz about 1 month ago

openJDK tests are ready to merge: https://github.com/SUSE/BCI-tests/pull/674

Working on gnuTLS now: https://github.com/SUSE/BCI-tests/pull/678

#12

Updated by pherranz about 1 month ago

GNUTLS is ready to be merged: https://github.com/SUSE/BCI-tests/pull/679

#13

Updated by pherranz about 1 month ago

GNU merged, starting to work on gcrypt.

#14

Updated by pherranz about 1 month ago

I've asked in the #discuss-qe-security about the openSSL tests:

Dennis Knorr:
  openssl111 and 3 in sp6. at latest starting with sl*16 only openssl3
  about sp7 i am not sure, but we will not do fips /vendor affirm for sp7, so basically after sp6 you can skip openssl111 for us, if you want
#16

Updated by pherranz 27 days ago · Edited

  • Status changed from In Progress to Blocked

I'm currently stuck implementing the "openSSL 3 & openssl 1.1" test according to https://confluence.suse.com/display/qasle/15-SP6+FIPS+Vendor+Affirmation because the openssl1.1 package is not found in the zypper repos of the 15.6 and 15.7 containers. Conversely, openssl3 is not found in 15.3:

❯ podman run --rm -it bci-base-fips:15.7
383ecec260c9:/ # openssl version
OpenSSL 3.2.3 3 Sep 2024 (Library: OpenSSL 3.2.3 3 Sep 2024)
383ecec260c9:/ # zypper in openssl1.1
Refreshing service 'container-suseconnect-zypp'.
Retrieving repository 'SLE_BCI' metadata .....................................................................[done]
Building repository 'SLE_BCI' cache ..........................................................................[done]
Loading repository data...
Reading installed packages...
'openssl1.1' not found in package names. Trying capabilities.
No provider of 'openssl1.1' found.
Resolving package dependencies...
Nothing to do.

❯ podman run --rm -it bci-base-fips:15.6
80eb950d3a6b:/ # openssl version
OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
80eb950d3a6b:/ # zypper in openssl1.1
Refreshing service 'container-suseconnect-zypp'.
Retrieving repository 'SLE_BCI' metadata .....................................................................[done]
Building repository 'SLE_BCI' cache ..........................................................................[done]
Loading repository data...
Reading installed packages...
'openssl1.1' not found in package names. Trying capabilities.
No provider of 'openssl1.1' found.
Resolving package dependencies...
Nothing to do.

❯ podman run --rm -it bci-base-fips:15.3
97480d654458:/ # openssl version
OpenSSL 1.1.1d 10 Sep 2019
97480d654458:/ # zypper in openssl3
Refreshing service 'container-suseconnect-zypp'.
Loading repository data...
Warning: No repositories defined. Operating only with the installed resolvables. Nothing can be installed.
Reading installed packages...
'openssl3' not found in package names. Trying capabilities.
No provider of 'openssl3' found.
Resolving package dependencies...
Nothing to do.

#17

Updated by pherranz 25 days ago

  • Status changed from Blocked to Resolved
  • % Done changed from 0 to 100

After discussing with qe-security-team in this Slack thread, the tests that are being passed right now seem sufficient.

Marcus Meissner approves testing openssl1.1 in 15sp3 and openssl3.x in >15sp6.
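The per-release rule settled in note #17 (test openssl1.1 on 15 SP3, openssl3.x on 15 SP6 and later), written out as an added Python example. This is not code from BCI-tests or from this ticket; it assumes that ">15sp6" includes SP6 itself, since the 15.6 container in note #16 already ships OpenSSL 3.1.4, and it uses the `openssl version` lines from that note as constructed sample input. The helper names (`expected_openssl_major`, `check_container`) are hypothetical; in BCI-tests the same decision would become a pytest skip/parametrization rather than a string triple.

```python
from __future__ import annotations

import re

# Constructed sample input: the `openssl version` output shown in note #16,
# keyed by the SLE 15 service pack of the bci-base-fips container it came from.
SAMPLE_VERSION_OUTPUT = {
    "15.3": "OpenSSL 1.1.1d 10 Sep 2019",
    "15.6": "OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)",
    "15.7": "OpenSSL 3.2.3 3 Sep 2024 (Library: OpenSSL 3.2.3 3 Sep 2024)",
}

# Leading "OpenSSL <major>.<minor>.<patch>[letter]"; the 1.1.x line carries a
# trailing letter (1.1.1d), the 3.x line does not.
_VERSION_RE = re.compile(r"^OpenSSL (?P<version>\d+\.\d+\.\d+)[a-z]?\b")


def parse_openssl_version(output: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from `openssl version` output."""
    match = _VERSION_RE.match(output.strip())
    if not match:
        raise ValueError(f"unrecognised 'openssl version' output: {output!r}")
    major, minor, patch = match.group("version").split(".")
    return int(major), int(minor), int(patch)


def expected_openssl_major(os_version: str) -> int | None:
    """OpenSSL generation the vendor-affirmation test targets on a given
    SLE 15 service pack (hypothetical helper encoding the note #17 decision):
    1 for 15 SP3, 3 for 15 SP6 and later, None (skip) for anything else."""
    major, minor = (int(part) for part in os_version.split("."))
    if (major, minor) == (15, 3):
        return 1
    if (major, minor) >= (15, 6):
        return 3
    return None


def check_container(os_version: str, version_output: str) -> tuple[str, str]:
    """Return ("skip"|"pass"|"fail", reason) for one container's openssl."""
    expected = expected_openssl_major(os_version)
    if expected is None:
        return "skip", f"{os_version}: no OpenSSL vendor-affirmation target for this release"
    actual = parse_openssl_version(version_output)
    actual_str = ".".join(map(str, actual))
    if actual[0] != expected:
        return "fail", f"{os_version}: expected OpenSSL {expected}.x, found {actual_str}"
    return "pass", f"{os_version}: OpenSSL {actual_str} matches expected {expected}.x"


def run_samples() -> dict[str, str]:
    """Apply the check to every constructed sample; maps release -> verdict."""
    return {osv: check_container(osv, out)[0] for osv, out in SAMPLE_VERSION_OUTPUT.items()}


if __name__ == "__main__":
    for osv, out in SAMPLE_VERSION_OUTPUT.items():
        verdict, reason = check_container(osv, out)
        print(f"{verdict:5} {reason}")
```

Running it prints a `pass` line for each of the three sample containers; feeding the 15.3 output to a release that expects OpenSSL 3 yields `fail`, and a release outside the rule (for example 15.4) yields `skip`, which is the behaviour a pytest version of this check would express with `pytest.skip`.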
