diff --git a/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile b/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile
index a3e24b3a39..404b6be51a 100644
--- a/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile
+++ b/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile
@@ -16,7 +16,7 @@ COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH
 # - OpenShift Mirror Beta previous minor version repository for MicroShift dependencies
 # Install MicroShift, few helper utilities and cleanup
 RUN ${REPO_CONFIG_SCRIPT} -create ${USHIFT_RPM_REPO_PATH} && \
- dnf install -y vi firewalld microshift && \
+ dnf install -y vi firewalld microshift microshift-release-info && \
 systemctl enable microshift && \
 ${REPO_CONFIG_SCRIPT} -delete && \
 rm -f ${REPO_CONFIG_SCRIPT} && \
diff --git a/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile b/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile
index 6b84b689eb..3d3611234c 100644
--- a/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile
+++ b/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile
@@ -17,7 +17,7 @@ COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH
 # Install MicroShift, test agent, a few helper utilities and cleanup
 RUN ${REPO_CONFIG_SCRIPT} -create ${USHIFT_RPM_REPO_PATH} && \
 awk 'FNR==1 {print "=== " FILENAME " ==="} {print}' /etc/yum.repos.d/*.repo && \
- dnf install -y vi firewalld microshift microshift-test-agent && \
+ dnf install -y vi firewalld microshift microshift-release-info microshift-test-agent && \
 systemctl enable microshift microshift-test-agent && \
 ${REPO_CONFIG_SCRIPT} -delete && \
 rm -f ${REPO_CONFIG_SCRIPT} && \
diff --git a/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile
new file mode 100644
index 0000000000..06158491df
--- /dev/null
+++ b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile
@@ -0,0 +1,13 @@
+FROM localhost/cos9-bootc-source:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+ update-crypto-policies --no-reload --set FIPS && \
+ dnf clean all
diff --git a/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile
new file mode 100644
index 0000000000..a01b87820d
--- /dev/null
+++ b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile
@@ -0,0 +1,13 @@
+FROM localhost/rhel94-bootc-source:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+ update-crypto-policies --no-reload --set FIPS && \
+ dnf clean all
diff --git a/test/kickstart-templates/includes/post-fips.cfg b/test/kickstart-templates/includes/post-fips.cfg
index 451eecc04c..484b000f9a 100644
--- a/test/kickstart-templates/includes/post-fips.cfg
+++ b/test/kickstart-templates/includes/post-fips.cfg
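Review bot: The kargs drop-in in the first RUN of cos9-bootc-source-fips.containerfile is limited by `match-architectures = ["x86_64"]`, while the second RUN sets the FIPS crypto policy unconditionally, so an aarch64 build of this image would carry the FIPS policy without the `fips=1` kernel argument; rhel94-bootc-source-fips.containerfile has the same split. The scenario scripts in this commit skip aarch64, so the mismatch is not reached today, but nothing in the containerfile records that dependency. I would add above the kargs block: `# x86_64 only: the fips scenarios skip aarch64 (see check_platform); keep match-architectures in sync with that` so the two stay aligned. It is also worth a comment that this build step does not verify the initramfs carries the fips module; the validate-fips suite checks `lsinitrd -m` only at runtime, so a base image built without it is caught late rather than at build time.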
@@ -1,6 +1,9 @@
 # The --no-bootcfg option disables boot loader reconfiguration, which does not work on ostree-based systems.
 # However, this is not necessary because 'fips=1' option is already present in the kernel command line when
 # the virtual machine is created.
+#
+# NOTE: Do not use this command to enable FIPS in bootc images.
+# This utility will be deprecated in RHEL 10.
 if REPLACE_FIPS_ENABLED ; then
 fips-mode-setup --enable --no-bootcfg
 fi
diff --git a/test/scenarios-bootc/periodics/cos9-src@fips.sh b/test/scenarios-bootc/periodics/cos9-src@fips.sh
new file mode 100644
index 0000000000..3ed008afe6
--- /dev/null
+++ b/test/scenarios-bootc/periodics/cos9-src@fips.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+check_platform() {
+ if [[ "${UNAME_M}" =~ aarch64 ]] ; then
+ record_junit "setup" "scenario_create_vms" "SKIPPED"
+ exit 0
+ fi
+}
+
+scenario_create_vms() {
+ check_platform
+
+ prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source-fips true
+ launch_vm host1 centos9-bootc "" "" "" "" "" "1" "1"
+}
+
+scenario_remove_vms() {
+ check_platform
+
+ remove_vm host1
+}
+
+scenario_run_tests() {
+ check_platform
+
+ run_tests host1 suites/fips/
+}
diff --git a/test/scenarios-bootc/periodics/cos9-src@greenboot.sh b/test/scenarios-bootc/periodics/cos9-src@greenboot.sh
index c82630c7ab..ae66d4a7ef 100644
--- a/test/scenarios-bootc/periodics/cos9-src@greenboot.sh
+++ b/test/scenarios-bootc/periodics/cos9-src@greenboot.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Sourced from cleanup_scenario.sh and uses functions defined there.
+# Sourced from scenario.sh and uses functions defined there.
 
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source
diff --git a/test/scenarios-bootc/periodics/el94-src@fips.sh.disabled b/test/scenarios-bootc/periodics/el94-src@fips.sh.disabled
new file mode 100644
index 0000000000..3fdde25106
--- /dev/null
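Review bot: `check_platform` in cos9-src@fips.sh always records the skip against `scenario_create_vms`, but it is also called from `scenario_remove_vms` and `scenario_run_tests`, so a skip taken there is reported under the wrong step; el94-src@fips.sh.disabled carries the same helper. Recording the caller fixes it without changing the call sites: `record_junit "setup" "${FUNCNAME[1]}" "SKIPPED"`. The regex form `[[ "${UNAME_M}" =~ aarch64 ]]` reads as a substring match; if an exact architecture is meant, `[[ "${UNAME_M}" == "aarch64" ]]` says so. Since this file is sourced, `exit 0` ends the sourcing scenario.sh rather than just this function, which looks intended for a skip but deserves a one-line comment above it saying so.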
+++ b/test/scenarios-bootc/periodics/el94-src@fips.sh.disabled
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+check_platform() {
+ if [[ "${UNAME_M}" =~ aarch64 ]] ; then
+ record_junit "setup" "scenario_create_vms" "SKIPPED"
+ exit 0
+ fi
+}
+
+scenario_create_vms() {
+ check_platform
+
+ prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-fips true
+ launch_vm host1 rhel94-bootc "" "" "" "" "" "1" "1"
+}
+
+scenario_remove_vms() {
+ check_platform
+
+ remove_vm host1
+}
+
+scenario_run_tests() {
+ check_platform
+
+ run_tests host1 suites/fips/
+}
diff --git a/test/scenarios-bootc/periodics/el94-src@greenboot.sh b/test/scenarios-bootc/periodics/el94-src@greenboot.sh
index cacb1c345e..aec18e2186 100644
--- a/test/scenarios-bootc/periodics/el94-src@greenboot.sh
+++ b/test/scenarios-bootc/periodics/el94-src@greenboot.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Sourced from cleanup_scenario.sh and uses functions defined there.
+# Sourced from scenario.sh and uses functions defined there.
 
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source
diff --git a/test/suites/fips/validate-fips.robot b/test/suites/fips/validate-fips.robot
index 8d6ecc4bec..148a223626 100644
--- a/test/suites/fips/validate-fips.robot
+++ b/test/suites/fips/validate-fips.robot
@@ -4,6 +4,7 @@ Documentation Tests related to FIPS Validation
 Resource ../../resources/ostree-health.resource
 Resource ../../resources/common.resource
 Resource ../../resources/selinux.resource
+Resource ../../resources/microshift-host.resource
 Resource ../../resources/microshift-process.resource
 Library Collections
 
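Review bot: el94-src@fips.sh.disabled is added with a `.disabled` suffix, yet nothing in the file says why the RHEL scenario is switched off while the identical CentOS one in cos9-src@fips.sh is live, or what must change before it can be renamed back. The next person touching the periodics has to reconstruct that from history. I would add one line under the existing header comment, `# Disabled: <reason and tracking reference>`, with the placeholder filled in by the author.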
@@ -23,7 +24,12 @@ ${PULL_SECRET_PATH} /etc/crio/openshift-pull-secret
 *** Test Cases ***
 Verify Host Is FIPS Enabled
 [Documentation] Performs a FIPS validation against the host
- Fips Should Be Enabled
+ ${is_bootc}= Is System Bootc
+ IF ${is_bootc}
+ Fips Should Be Enabled Bootc
+ ELSE
+ Fips Should Be Enabled Non-Bootc
+ END
 
 Verify Binary Is FIPS Compliant
 [Documentation] Performs a FIPS validation against the Microshift binary
@@ -101,14 +107,37 @@ Microshift Binary Should Dynamically Link FIPS Ossl Module
 ... sudo=False return_rc=True
 Should Be Equal As Integers 0 ${rc}
 
-Fips Should Be Enabled
- [Documentation] Check if FIPS is enabled on RHEL.
+Fips Should Be Enabled Non-Bootc
+ [Documentation] Check if FIPS is enabled on a non-bootc RHEL
 ${stdout} ${stderr} ${rc}= Execute Command
 ... bash -x fips-mode-setup --check
 ... sudo=True return_rc=True return_stdout=True return_stderr=True
 Should Be Equal As Integers 0 ${rc}
 Should Match ${stdout} FIPS mode is enabled.
 
+Fips Should Be Enabled Bootc
+ [Documentation] Check if FIPS is enabled on a bootc RHEL
+
+ # Verify FIPS crypto flag is enabled in the system
+ ${stdout} ${stderr} ${rc}= Execute Command
+ ... cat /proc/sys/crypto/fips_enabled
+ ... sudo=False return_rc=True return_stdout=True return_stderr=True
+ Should Be Equal As Integers 0 ${rc}
+ Should Be Equal As Strings ${stdout.strip()} 1
+
+ # Verify crypto policies are set to FIPS
+ ${stdout} ${stderr} ${rc}= Execute Command
+ ... update-crypto-policies --show
+ ... sudo=False return_rc=True return_stdout=True return_stderr=True
+ Should Be Equal As Integers 0 ${rc}
+ Should Be Equal As Strings ${stdout.strip()} FIPS
+
+ # Verify initramfs FIPS module presence
+ ${stdout} ${stderr} ${rc}= Execute Command
+ ... bash -c 'lsinitrd -m 2>/dev/null | grep -Fxq fips'
+ ... sudo=False return_rc=True return_stdout=True return_stderr=True
+ Should Be Equal As Integers 0 ${rc}
+
 Get Images From Release File
 [Documentation] Obtains list of Images from Release.
 ${stdout} ${stderr} ${rc}= Execute Command
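Review bot: In `Fips Should Be Enabled Bootc`, the initramfs step `bash -c 'lsinitrd -m 2>/dev/null | grep -Fxq fips'` throws away lsinitrd's stderr and runs with `sudo=False`, so if lsinitrd cannot open or locate the default initramfs the pipeline fails with the same rc=1 as a genuinely missing fips module, and the `${stderr}` that was requested via `return_stderr=True` arrives empty. Dropping the redirect and running it privileged keeps the failure modes distinguishable: `...    bash -c 'lsinitrd -m | grep -Fxq fips'` together with `...    sudo=True    return_rc=True    return_stdout=True    return_stderr=True`. All three steps capture `${stderr}` but never surface it; logging it alongside the rc assertion would make a periodic-job failure diagnosable from the report alone. The non-bootc keyword already runs its check with `sudo=True`, so this also makes the two variants consistent.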