From d398a47e4bb9ad15863943bebef00cf017e2e869 Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Sun, 1 Sep 2024 16:35:16 +0000 Subject: [PATCH 1/3] Add bootc FIPS tests to MicroShift periodics CI --- .../group1/cos9-bootc-source.containerfile | 2 +- .../group1/rhel94-bootc-source.containerfile | 2 +- .../cos9-bootc-source-fips.containerfile | 13 +++++++++ .../rhel94-bootc-source-fips.containerfile | 13 +++++++++ .../periodics/cos9-src@fips.sh | 29 +++++++++++++++++++ .../periodics/cos9-src@greenboot.sh | 2 +- .../periodics/el94-src@fips.sh | 29 +++++++++++++++++++ .../periodics/el94-src@greenboot.sh | 2 +- 8 files changed, 88 insertions(+), 4 deletions(-) create mode 100644 test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile create mode 100644 test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile create mode 100644 test/scenarios-bootc/periodics/cos9-src@fips.sh create mode 100644 test/scenarios-bootc/periodics/el94-src@fips.sh diff --git a/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile b/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile index a3e24b3a39..404b6be51a 100644 --- a/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile +++ b/test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile @@ -16,7 +16,7 @@ COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH # - OpenShift Mirror Beta previous minor version repository for MicroShift dependencies # Install MicroShift, few helper utilities and cleanup RUN ${REPO_CONFIG_SCRIPT} -create ${USHIFT_RPM_REPO_PATH} && \ - dnf install -y vi firewalld microshift && \ + dnf install -y vi firewalld microshift microshift-release-info && \ systemctl enable microshift && \ ${REPO_CONFIG_SCRIPT} -delete && \ rm -f ${REPO_CONFIG_SCRIPT} && \ 
diff --git a/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile b/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile index 6b84b689eb..3d3611234c 100644 --- a/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile +++ b/test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile @@ -17,7 +17,7 @@ COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH # Install MicroShift, test agent, a few helper utilities and cleanup RUN ${REPO_CONFIG_SCRIPT} -create ${USHIFT_RPM_REPO_PATH} && \ awk 'FNR==1 {print "=== " FILENAME " ==="} {print}' /etc/yum.repos.d/*.repo && \ - dnf install -y vi firewalld microshift microshift-test-agent && \ + dnf install -y vi firewalld microshift microshift-release-info microshift-test-agent && \ systemctl enable microshift microshift-test-agent && \ ${REPO_CONFIG_SCRIPT} -delete && \ rm -f ${REPO_CONFIG_SCRIPT} && \ diff --git a/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile new file mode 100644 index 0000000000..06158491df --- /dev/null +++ b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile @@ -0,0 +1,13 @@ +FROM localhost/cos9-bootc-source:latest + +# Add fips=1 kernel argument +# See https://containers.github.io/bootc/building/kernel-arguments.html +RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF' +kargs = ["fips=1"] +match-architectures = ["x86_64"] +EOF + +# Enable the FIPS crypto policy +RUN dnf install -y crypto-policies-scripts && \ + update-crypto-policies --no-reload --set FIPS && \ + dnf clean all diff --git a/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile new file mode 100644 index 0000000000..a01b87820d --- /dev/null 
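Review bot: The two halves of FIPS enablement in cos9-bootc-source-fips.containerfile are gated differently — `update-crypto-policies --set FIPS` runs unconditionally, while `fips=1` is only injected for `match-architectures = ["x86_64"]` — so a non-x86_64 build of this image would carry the FIPS crypto policy without the kernel ever entering FIPS mode (`/proc/sys/crypto/fips_enabled` reading 0), and because the new scenarios skip aarch64 entirely, CI would not notice the inconsistency. If the restriction is deliberate, say so above the kargs file, e.g. `# fips=1 is limited to x86_64 because the FIPS scenarios only run there; other arches get the policy but not kernel FIPS mode`; otherwise add `"aarch64"` to the list. Note also that nothing here rebuilds the initramfs, so `fips=1` presumably relies on the base image's initramfs already containing the dracut fips module; the later robot check catches that at runtime, but a build-time `RUN lsinitrd /usr/lib/modules/*/initramfs.img -m | grep -Fxq fips` would fail faster if the path is the one bootc uses.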
+++ b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile @@ -0,0 +1,13 @@ +FROM localhost/rhel94-bootc-source:latest + +# Add fips=1 kernel argument +# See https://containers.github.io/bootc/building/kernel-arguments.html +RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF' +kargs = ["fips=1"] +match-architectures = ["x86_64"] +EOF + +# Enable the FIPS crypto policy +RUN dnf install -y crypto-policies-scripts && \ + update-crypto-policies --no-reload --set FIPS && \ + dnf clean all diff --git a/test/scenarios-bootc/periodics/cos9-src@fips.sh b/test/scenarios-bootc/periodics/cos9-src@fips.sh new file mode 100644 index 0000000000..3ed008afe6 --- /dev/null +++ b/test/scenarios-bootc/periodics/cos9-src@fips.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +check_platform() { + if [[ "${UNAME_M}" =~ aarch64 ]] ; then + record_junit "setup" "scenario_create_vms" "SKIPPED" + exit 0 + fi +} + +scenario_create_vms() { + check_platform + + prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source-fips true + launch_vm host1 centos9-bootc "" "" "" "" "" "1" "1" +} + +scenario_remove_vms() { + check_platform + + remove_vm host1 +} + +scenario_run_tests() { + check_platform + + run_tests host1 suites/fips/ +} diff --git a/test/scenarios-bootc/periodics/cos9-src@greenboot.sh b/test/scenarios-bootc/periodics/cos9-src@greenboot.sh index c82630c7ab..ae66d4a7ef 100644 --- a/test/scenarios-bootc/periodics/cos9-src@greenboot.sh +++ b/test/scenarios-bootc/periodics/cos9-src@greenboot.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Sourced from cleanup_scenario.sh and uses functions defined there. +# Sourced from scenario.sh and uses functions defined there. scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source diff --git a/test/scenarios-bootc/periodics/el94-src@fips.sh b/test/scenarios-bootc/periodics/el94-src@fips.sh new file mode 100644 index 0000000000..25b2c59a9a 
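Review bot: `check_platform` in cos9-src@fips.sh ends the whole sourcing shell with `exit 0` and records every skip as `"setup" "scenario_create_vms"`, even when it is reached from `scenario_remove_vms` or `scenario_run_tests`; since the header says the file is sourced from scenario.sh, `exit` terminates scenario.sh itself rather than returning to it, and the junit entry names the wrong phase for two of the three call sites. If exiting the runner is the intended skip mechanism (I cannot see scenario.sh to confirm), a comment on the function should say so, and passing the phase name in keeps the junit record honest. The `=~ aarch64` regex can also be a plain glob match, which avoids regex semantics for a literal string.
```shell
# Skip this scenario on aarch64: the fips image only injects fips=1 on x86_64.
# NOTE: this file is sourced, so `exit` ends scenario.sh, not just this function.
check_platform() {
    local phase=$1
    if [[ "${UNAME_M}" == *aarch64* ]] ; then
        record_junit "setup" "${phase}" "SKIPPED"
        exit 0
    fi
}

scenario_create_vms() {
    check_platform scenario_create_vms
    # … unchanged: prepare_kickstart / launch_vm …
}
# … scenario_remove_vms / scenario_run_tests call check_platform with their own name …
```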
--- /dev/null +++ b/test/scenarios-bootc/periodics/el94-src@fips.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +check_platform() { + if [[ "${UNAME_M}" =~ aarch64 ]] ; then + record_junit "setup" "scenario_create_vms" "SKIPPED" + exit 0 + fi +} + +scenario_create_vms() { + check_platform + + prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-fips true + launch_vm host1 rhel-9.4-bootc "" "" "" "" "" "1" "1" +} + +scenario_remove_vms() { + check_platform + + remove_vm host1 +} + +scenario_run_tests() { + check_platform + + run_tests host1 suites/fips/ +} diff --git a/test/scenarios-bootc/periodics/el94-src@greenboot.sh b/test/scenarios-bootc/periodics/el94-src@greenboot.sh index cacb1c345e..aec18e2186 100644 --- a/test/scenarios-bootc/periodics/el94-src@greenboot.sh +++ b/test/scenarios-bootc/periodics/el94-src@greenboot.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Sourced from cleanup_scenario.sh and uses functions defined there. +# Sourced from scenario.sh and uses functions defined there. scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source From 192a82e72731008a531bb76dd9cb1b144e0d53ed Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Wed, 4 Sep 2024 19:04:41 +0300 Subject: [PATCH 2/3] Add bootc-specific FIPS test --- .../includes/post-fips.cfg | 3 ++ .../periodics/el94-src@fips.sh | 2 +- test/suites/fips/validate-fips.robot | 35 +++++++++++++++++-- 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/test/kickstart-templates/includes/post-fips.cfg b/test/kickstart-templates/includes/post-fips.cfg index 451eecc04c..484b000f9a 100644 --- a/test/kickstart-templates/includes/post-fips.cfg +++ b/test/kickstart-templates/includes/post-fips.cfg 
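Review bot: el94-src@fips.sh duplicates cos9-src@fips.sh line for line apart from the blueprint and VM names, including the `check_platform` helper and its aarch64 skip, so the two skip policies can drift independently; if scenario.sh is where shared helpers live (the header says the file is sourced from there), the helper belongs there once. The `launch_vm host1 ... "" "" "" "" "" "1" "1"` call is opaque to a reader without launch_vm's signature in view — a short comment naming what the two trailing `"1"` arguments select would help, e.g. `# trailing args: <vcpus?> <memory?> — confirm against launch_vm in scenario.sh`, replacing the guesses with the real parameter names.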
@@ -1,6 +1,9 @@ # The --no-bootcfg option disables boot loader reconfiguration, which does not work on ostree-based systems. # However, this is not necessary because 'fips=1' option is already present in the kernel command line when # the virtual machine is created. +# +# NOTE: Do not use this command to enable FIPS in bootc images. +# This utility will be deprecated in RHEL 10. if REPLACE_FIPS_ENABLED ; then fips-mode-setup --enable --no-bootcfg fi diff --git a/test/scenarios-bootc/periodics/el94-src@fips.sh b/test/scenarios-bootc/periodics/el94-src@fips.sh index 25b2c59a9a..3fdde25106 100644 --- a/test/scenarios-bootc/periodics/el94-src@fips.sh +++ b/test/scenarios-bootc/periodics/el94-src@fips.sh @@ -13,7 +13,7 @@ scenario_create_vms() { check_platform prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-fips true - launch_vm host1 rhel-9.4-bootc "" "" "" "" "" "1" "1" + launch_vm host1 rhel94-bootc "" "" "" "" "" "1" "1" } scenario_remove_vms() { diff --git a/test/suites/fips/validate-fips.robot b/test/suites/fips/validate-fips.robot index 8d6ecc4bec..148a223626 100644 --- a/test/suites/fips/validate-fips.robot +++ b/test/suites/fips/validate-fips.robot @@ -4,6 +4,7 @@ Documentation Tests related to FIPS Validation Resource ../../resources/ostree-health.resource Resource ../../resources/common.resource Resource ../../resources/selinux.resource +Resource ../../resources/microshift-host.resource Resource ../../resources/microshift-process.resource Library Collections @@ -23,7 +24,12 @@ ${PULL_SECRET_PATH} /etc/crio/openshift-pull-secret *** Test Cases *** Verify Host Is FIPS Enabled [Documentation] Performs a FIPS validation against the host - Fips Should Be Enabled + ${is_bootc}= Is System Bootc + IF ${is_bootc} + Fips Should Be Enabled Bootc + ELSE + Fips Should Be Enabled Non-Bootc + END Verify Binary Is FIPS Compliant [Documentation] Performs a FIPS validation against the Microshift binary 
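Review bot: The new NOTE in post-fips.cfg tells readers not to run `fips-mode-setup` on bootc images, but the `if REPLACE_FIPS_ENABLED` branch right below it still does exactly that whenever the template is rendered with FIPS on — and the bootc scenarios in this series call `prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source-fips true`, where the trailing `true` looks like that flag. If kickstart-bootc.ks.template includes this snippet, turn the comment into enforcement, e.g. `if REPLACE_FIPS_ENABLED && ! command -v bootc >/dev/null 2>&1 ; then`, so a bootc install never runs the deprecated tool against an image that already carries `fips=1` and the FIPS policy. If the bootc template does not include it, say so in the NOTE (`# kickstart-bootc.ks.template does not include this file; bootc images enable FIPS in their Containerfile`) so the next reader does not have to check.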
@@ -101,14 +107,37 @@ Microshift Binary Should Dynamically Link FIPS Ossl Module ... sudo=False return_rc=True Should Be Equal As Integers 0 ${rc} -Fips Should Be Enabled - [Documentation] Check if FIPS is enabled on RHEL. +Fips Should Be Enabled Non-Bootc + [Documentation] Check if FIPS is enabled on a non-bootc RHEL ${stdout} ${stderr} ${rc}= Execute Command ... bash -x fips-mode-setup --check ... sudo=True return_rc=True return_stdout=True return_stderr=True Should Be Equal As Integers 0 ${rc} Should Match ${stdout} FIPS mode is enabled. +Fips Should Be Enabled Bootc + [Documentation] Check if FIPS is enabled on a bootc RHEL + + # Verify FIPS crypto flag is enabled in the system + ${stdout} ${stderr} ${rc}= Execute Command + ... cat /proc/sys/crypto/fips_enabled + ... sudo=False return_rc=True return_stdout=True return_stderr=True + Should Be Equal As Integers 0 ${rc} + Should Be Equal As Strings ${stdout.strip()} 1 + + # Verify crypto policies are set to FIPS + ${stdout} ${stderr} ${rc}= Execute Command + ... update-crypto-policies --show + ... sudo=False return_rc=True return_stdout=True return_stderr=True + Should Be Equal As Integers 0 ${rc} + Should Be Equal As Strings ${stdout.strip()} FIPS + + # Verify initramfs FIPS module presence + ${stdout} ${stderr} ${rc}= Execute Command + ... bash -c 'lsinitrd -m 2>/dev/null | grep -Fxq fips' + ... sudo=False return_rc=True return_stdout=True return_stderr=True + Should Be Equal As Integers 0 ${rc} + Get Images From Release File [Documentation] Obtains list of Images from Release. ${stdout} ${stderr} ${rc}= Execute Command From a5c846e2148e710014264dbe8671afc203ca54ee Mon Sep 17 00:00:00 2001 
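Review bot: The initramfs check in `Fips Should Be Enabled Bootc` runs `lsinitrd -m 2>/dev/null` unprivileged and discards stderr, so if lsinitrd cannot locate or read the image (initramfs images are commonly root-readable only, and on an ostree/bootc deployment the default lookup is not `/boot/initramfs-<kver>.img`) the step fails with only a non-zero `${rc}` and no hint why. Run it with `sudo=True`, drop the `2>/dev/null` (`... bash -c 'lsinitrd -m | grep -Fxq fips'`), and log `${stderr}` before the `Should Be Equal As Integers` so a missing image is distinguishable from a missing module. The other two assertions are the right ones — `fips_enabled` = 1 shows the kernel booted with `fips=1`, and `update-crypto-policies --show` shows the userspace policy — though exact-matching `FIPS` rejects subpolicies such as `FIPS:OSPP`, which is fine for this image but deserves a one-line comment. `Get Images From Release File` continues past the end of the hunk.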
From: Gregory Giguashvili Date: Thu, 5 Sep 2024 07:45:44 +0300 Subject: [PATCH 3/3] Disable el94-src@fips.sh until bootc support is introduced in RHEL 9.4.z --- .../periodics/{el94-src@fips.sh => el94-src@fips.sh.disabled} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename test/scenarios-bootc/periodics/{el94-src@fips.sh => el94-src@fips.sh.disabled} (100%) diff --git a/test/scenarios-bootc/periodics/el94-src@fips.sh b/test/scenarios-bootc/periodics/el94-src@fips.sh.disabled similarity index 100% rename from test/scenarios-bootc/periodics/el94-src@fips.sh rename to test/scenarios-bootc/periodics/el94-src@fips.sh.disabled