From 33ee8da1e288e8afb878a973912446ca20af565d Mon Sep 17 00:00:00 2001
From: Riccardo Pittau
Date: Tue, 6 Aug 2024 11:04:16 +0200
Subject: [PATCH] Enable FIPS mode for IPA if system is in FIPS mode

If FIPS is enabled in the hosts we should also run IPA in FIPS mode. It is possible to enable FIPS directly at kernel level using the fips option, determining the FIPS status for example from the cryptographic module and specifically the /proc/sys/crypto/fips_enabled file; if the file contains 1 then the system is in FIPS mode, if it contains 0 the FIPS algorithms are disabled. Therefore the value of the fips kernel option is 0 (default) if FIPS is disabled, or 1 if enabled.

Note: Upstream commit changed to only set fips= when the value is 1
https://issues.redhat.com//browse/OCPBUGS-39536

Signed-off-by: Riccardo Pittau
---
 ironic-config/ironic.conf.j2 | 10 ++++++----
 scripts/configure-ironic.sh | 5 +++++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2
index f2cf873c6..2df43905d 100644
--- a/ironic-config/ironic.conf.j2
+++ b/ironic-config/ironic.conf.j2
@@ -213,7 +213,9 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+# https://issues.redhat.com//browse/OCPBUGS-39536
+# fips= is only applied it the value is 1 (see below also)
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
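Review bot: The new comment line `# fips= is only applied it the value is 1 (see below also)` has a typo ("it" for "if") and "see below" does not say where to look; suggest `# fips=1 is appended only when ENABLE_FIPS_IPA is "1" (exported by scripts/configure-ironic.sh from /proc/sys/crypto/fips_enabled); the same expression is repeated in [redfish], [ilo] and [irmc] below`. The `{%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}` fragment is now copied into four kernel_append_params lines (the other three are in the next hunk), so any later change to the FIPS handling has to be made in four places; a single `{% set %}` of the shared parameter string near the top of the template, referenced from each section, would keep them from drifting apart. Style: the new tag is written `{%if ... %}` while the rest of the same line uses `{% if ... %}`. When ENABLE_FIPS_IPA is not exported at all (the script only sets it when /proc/sys/crypto/fips_enabled exists), the comparison presumably evaluates false and fips= is simply omitted — worth confirming the template is not rendered with a strict-undefined setting, since that would fail rendering instead.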
@@ -226,14 +228,14 @@ ipxe_config_template = /tmp/ipxe_config.template
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 use_web_server_for_images = true
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}
diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh
index 3a5fc49ef..588ebe026 100755
--- a/scripts/configure-ironic.sh
+++ b/scripts/configure-ironic.sh
@@ -88,6 +88,11 @@ configure_json_rpc_auth
 . /bin/coreos-ipa-common.sh
+if [[ -f /proc/sys/crypto/fips_enabled ]]; then
+ ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
+ export ENABLE_FIPS_IPA
+fi
+
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
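Review bot: The assignment `ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)` unconditionally overwrites any ENABLE_FIPS_IPA already present in the container environment, so an operator cannot pre-set the value; if the host's FIPS state is meant to be authoritative (the safer reading, since it prevents a downgrade via environment), a comment should say so, e.g. `# Mirror the host FIPS state into the IPA kernel command line; ironic.conf.j2 adds fips=1 only when this is "1"`, otherwise use `ENABLE_FIPS_IPA=${ENABLE_FIPS_IPA:-$(cat /proc/sys/crypto/fips_enabled)}`. If the read fails (for instance /proc/sys not readable in a restricted container), the variable is exported as an empty string, which the template treats the same as 0 — FIPS silently off for IPA — so that case deserves a logged warning rather than silence; if the script runs under `set -e` (not visible in this hunk) the failed substitution would abort the script instead, which is also worth being deliberate about. `$(< /proc/sys/crypto/fips_enabled)` would read the value without spawning cat, since the script already relies on bash (`[[ ]]`). Whether the IPA kernel and ramdisk actually support booting with fips=1 cannot be checked here; a mismatch would surface at node boot rather than at configure time.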