kernel-6.1: add FIPS modules for crypto self-test
Signed-off-by: Ben Cressey <[email protected]>
bcressey committed Apr 12, 2024
1 parent 51982c6 commit 4c7e196
Showing 3 changed files with 132 additions and 0 deletions.
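--- a/packages/kernel-6.1/fipsmodules-aarch64
+++ b/packages/kernel-6.1/fipsmodules-aarch64
@@ -0,0 +1,52 @@
+sha1
+sha224
+sha256
+sha384
+sha512
+sha3-224
+sha3-256
+sha3-384
+sha3-512
+crc32c
+crct10dif
+ghash
+xxhash64
+ghash-ce
+sha1-ce
+sha2-ce
+sha256-arm64
+sha3-ce
+sha512-arm64
+sha512-ce
+cipher_null
+des3_ede
+aes
+cfb
+dh
+ecdh
+aes-arm64
+aes-ce-blk
+aes-ce-ccm
+aes-ce-cipher
+aes-neon-blk
+aes-neon-bs
+ecb
+cbc
+ctr
+xts
+gcm
+ccm
+authenc
+hmac
+cmac
+ofb
+cts
+lzo
+essiv
+seqiv
+drbg
+aead
+cryptomgr
+tcrypt
+crypto_user
+rsa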
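--- a/packages/kernel-6.1/fipsmodules-x86_64
+++ b/packages/kernel-6.1/fipsmodules-x86_64
@@ -0,0 +1,44 @@
+sha1
+sha224
+sha256
+sha384
+sha512
+sha3-224
+sha3-256
+sha3-384
+sha3-512
+crc32c
+crct10dif
+ghash
+xxhash64
+ghash_clmulni_intel
+sha1-ssse3
+sha256-ssse3
+sha512-ssse3
+cipher_null
+des3_ede
+aes
+cfb
+dh
+ecdh
+aesni-intel
+ecb
+cbc
+ctr
+xts
+gcm
+ccm
+authenc
+hmac
+cmac
+ofb
+cts
+lzo
+essiv
+seqiv
+drbg
+aead
+cryptomgr
+tcrypt
+crypto_user
+rsa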
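--- a/packages/kernel-6.1/kernel-6.1.spec
+++ b/packages/kernel-6.1/kernel-6.1.spec
@@ -13,6 +13,11 @@ Source101: config-bottlerocket-aws
 Source102: config-bottlerocket-metal
 Source103: config-bottlerocket-vmware
 
+# This list of FIPS modules is extracted from /etc/fipsmodules in the initramfs
+# after placing AL2023 in FIPS mode.
+Source200: fipsmodules-x86_64
+Source201: fipsmodules-aarch64
+
 # Help out-of-tree module builds run `make prepare` automatically.
 Patch1001: 1001-Makefile-add-prepare-target-for-external-modules.patch
 # Expose tools/* targets for out-of-tree module builds.
@@ -43,6 +48,9 @@ Requires: %{_cross_os}microcode-licenses
 Requires: %{name}-modules = %{version}-%{release}
 Requires: %{name}-devel = %{version}-%{release}
 
+# Pull in FIPS-related files if needed.
+Requires: (%{name}-fips if %{_cross_os}image-feature(fips))
+
 %global kernel_sourcedir %{_cross_usrsrc}/kernels
 %global kernel_libdir %{_cross_libdir}/modules/%{version}
 
@@ -73,6 +81,14 @@ Summary: Header files for the Linux kernel for use by glibc
 %description headers
 %{summary}.
 
+%package fips
+Summary: FIPS related configuration for the Linux kernel
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: %{_cross_os}image-feature(no-fips)
+
+%description fips
+%{summary}.
+
 %prep
 rpm2cpio %{SOURCE0} | cpio -iu linux-%{version}.tar config-%{_cross_arch} "*.patch"
 tar -xof linux-%{version}.tar; rm linux-%{version}.tar
@@ -233,6 +249,23 @@ rm -f %{buildroot}%{kernel_libdir}/build %{buildroot}%{kernel_libdir}/source
 ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/build
 ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source
 
+# Ensure that each required FIPS module is loaded as a dependency of the
+# check-fips-module.service. The list of FIPS modules is different across
+# kernels but the check is consistent: it loads the "tcrypt" module after
+# the other modules are loaded.
+mkdir -p %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d
+i=0
+for fipsmod in $(cat %{_sourcedir}/fipsmodules-%{_cross_arch}) ; do
+[ "${fipsmod}" == "tcrypt" ] && continue
+drop_in="$(printf "%03d\n" "${i}")-${fipsmod}.conf"
+cat <<EOF > %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d/"${drop_in}"
+[Unit]
+Requires=fips-modprobe@${fipsmod}.service
+After=fips-modprobe@${fipsmod}.service
+EOF
+(( i+=1 ))
+done
+
 %files
 %license COPYING LICENSES/preferred/GPL-2.0 LICENSES/exceptions/Linux-syscall-note
 %{_cross_attribution_file}
@@ -274,4 +307,7 @@ ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source
 %files archive
 %{_cross_datadir}/bottlerocket/kernel-devel.tar.xz
 
+%files fips
+%{_cross_unitdir}/check-fips-modules.service.d/*.conf
+
 %changelog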
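Review bot: The new `%files fips` section at the end of this file lists only `%{_cross_unitdir}/check-fips-modules.service.d/*.conf`, so the drop-in directory that `mkdir -p` creates in the `%install` hunk is shipped without an owner unless another package in the tree already claims it; adding `%dir %{_cross_unitdir}/check-fips-modules.service.d` above the glob line lets the subpackage own it and remove it on uninstall. In the same `%install` hunk the generating loop reads the list with `for fipsmod in $(cat ...)`, which word-splits and globs every token and turns each one into a `fips-modprobe@<name>.service` dependency, so a stray word or comment in a list file would silently become a requirement on a unit that does not exist; `while IFS= read -r fipsmod; do ... done < %{_sourcedir}/fipsmodules-%{_cross_arch}` consumes exactly one name per line. The `[ ... == ... ]` and `(( i+=1 ))` forms also assume the build shell is bash, which is presumably the case for this SDK but worth a one-line comment so the assumption is visible if `%_buildshell` ever changes.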
