USHIFT-4119: Add bootc FIPS tests to MicroShift periodics CI on CentOS 9 Stream

test/image-blueprints/layer5-bootc/group1/cos9-bootc-source.containerfile

@@ -16,7 +16,7 @@ COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH
 # - OpenShift Mirror Beta previous minor version repository for MicroShift dependencies
 # Install MicroShift, few helper utilities and cleanup
 RUN ${REPO_CONFIG_SCRIPT} -create ${USHIFT_RPM_REPO_PATH} && \
-    dnf install -y vi firewalld microshift && \
+    dnf install -y vi firewalld microshift microshift-release-info && \
     systemctl enable microshift && \
     ${REPO_CONFIG_SCRIPT} -delete && \
     rm -f ${REPO_CONFIG_SCRIPT} && \

test/image-blueprints/layer5-bootc/group1/rhel94-bootc-source.containerfile

@@ -17,7 +17,7 @@ COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH
 # Install MicroShift, test agent, a few helper utilities and cleanup
 RUN ${REPO_CONFIG_SCRIPT} -create ${USHIFT_RPM_REPO_PATH} && \
     awk 'FNR==1 {print "=== " FILENAME " ==="} {print}' /etc/yum.repos.d/*.repo && \
-    dnf install -y vi firewalld microshift microshift-test-agent && \
+    dnf install -y vi firewalld microshift microshift-release-info microshift-test-agent && \
     systemctl enable microshift microshift-test-agent && \
     ${REPO_CONFIG_SCRIPT} -delete && \
     rm -f ${REPO_CONFIG_SCRIPT} && \

test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-fips.containerfile

@@ -0,0 +1,13 @@
+FROM localhost/cos9-bootc-source:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all

test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-fips.containerfile

@@ -0,0 +1,13 @@
+FROM localhost/rhel94-bootc-source:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all

test/kickstart-templates/includes/post-fips.cfg

@@ -1,6 +1,9 @@
 # The --no-bootcfg option disables boot loader reconfiguration, which does not work on ostree-based systems.
 # However, this is not necessary because 'fips=1' option is already present in the kernel command line when
 # the virtual machine is created.
+#
+# NOTE: Do not use this command to enable FIPS in bootc images.
+# This utility will be deprecated in RHEL 10.
 if REPLACE_FIPS_ENABLED ; then
     fips-mode-setup --enable --no-bootcfg
 fi

test/scenarios-bootc/periodics/cos9-src@fips.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there. 
+
+check_platform() {
+    if [[ "${UNAME_M}" =~ aarch64 ]] ; then 
+        record_junit "setup" "scenario_create_vms" "SKIPPED"
+        exit 0
+    fi
+}
+
+scenario_create_vms() {
+    check_platform
+
+    prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source-fips true
+    launch_vm host1 centos9-bootc "" "" "" "" "" "1" "1"
+}
+
+scenario_remove_vms() {
+    check_platform
+
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    check_platform
+
+    run_tests host1 suites/fips/
+}

test/scenarios-bootc/periodics/cos9-src@greenboot.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Sourced from cleanup_scenario.sh and uses functions defined there.
+# Sourced from scenario.sh and uses functions defined there.
 
 scenario_create_vms() {
     prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source

test/scenarios-bootc/periodics/el94-src@fips.sh.disabled

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there. 
+
+check_platform() {
+    if [[ "${UNAME_M}" =~ aarch64 ]] ; then 
+        record_junit "setup" "scenario_create_vms" "SKIPPED"
+        exit 0
+    fi
+}
+
+scenario_create_vms() {
+    check_platform
+
+    prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-fips true
+    launch_vm host1 rhel94-bootc "" "" "" "" "" "1" "1"
+}
+
+scenario_remove_vms() {
+    check_platform
+
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    check_platform
+
+    run_tests host1 suites/fips/
+}

test/scenarios-bootc/periodics/el94-src@greenboot.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Sourced from cleanup_scenario.sh and uses functions defined there.
+# Sourced from scenario.sh and uses functions defined there.
 
 scenario_create_vms() {
     prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source

test/suites/fips/validate-fips.robot

@@ -4,6 +4,7 @@ Documentation       Tests related to FIPS Validation
 Resource            ../../resources/ostree-health.resource
 Resource            ../../resources/common.resource
 Resource            ../../resources/selinux.resource
+Resource            ../../resources/microshift-host.resource
 Resource            ../../resources/microshift-process.resource
 Library             Collections
 
@@ -23,7 +24,12 @@ ${PULL_SECRET_PATH}         /etc/crio/openshift-pull-secret
 *** Test Cases ***
 Verify Host Is FIPS Enabled
     [Documentation]    Performs a FIPS validation against the host
-    Fips Should Be Enabled
+    ${is_bootc}=    Is System Bootc
+    IF    ${is_bootc}
+        Fips Should Be Enabled Bootc
+    ELSE
+        Fips Should Be Enabled Non-Bootc
+    END
 
 Verify Binary Is FIPS Compliant
     [Documentation]    Performs a FIPS validation against the Microshift binary
@@ -101,14 +107,37 @@ Microshift Binary Should Dynamically Link FIPS Ossl Module
     ...    sudo=False    return_rc=True
     Should Be Equal As Integers    0    ${rc}
 
-Fips Should Be Enabled
-    [Documentation]    Check if FIPS is enabled on RHEL.
+Fips Should Be Enabled Non-Bootc
+    [Documentation]    Check if FIPS is enabled on a non-bootc RHEL
     ${stdout}    ${stderr}    ${rc}=    Execute Command
     ...    bash -x fips-mode-setup --check
     ...    sudo=True    return_rc=True    return_stdout=True    return_stderr=True
     Should Be Equal As Integers    0    ${rc}
     Should Match    ${stdout}    FIPS mode is enabled.
 
+Fips Should Be Enabled Bootc
+    [Documentation]    Check if FIPS is enabled on a bootc RHEL
+
+    # Verify FIPS crypto flag is enabled in the system
+    ${stdout}    ${stderr}    ${rc}=    Execute Command
+    ...    cat /proc/sys/crypto/fips_enabled
+    ...    sudo=False    return_rc=True    return_stdout=True    return_stderr=True
+    Should Be Equal As Integers    0    ${rc}
+    Should Be Equal As Strings    ${stdout.strip()}    1
+
+    # Verify crypto policies are set to FIPS
+    ${stdout}    ${stderr}    ${rc}=    Execute Command
+    ...    update-crypto-policies --show
+    ...    sudo=False    return_rc=True    return_stdout=True    return_stderr=True
+    Should Be Equal As Integers    0    ${rc}
+    Should Be Equal As Strings    ${stdout.strip()}    FIPS
+
+    # Verify initramfs FIPS module presence
+    ${stdout}    ${stderr}    ${rc}=    Execute Command
+    ...    bash -c 'lsinitrd -m 2>/dev/null | grep -Fxq fips'
+    ...    sudo=False    return_rc=True    return_stdout=True    return_stderr=True
+    Should Be Equal As Integers    0    ${rc}
+
 Get Images From Release File
     [Documentation]    Obtains list of Images from Release.
     ${stdout}    ${stderr}    ${rc}=    Execute Command