Re: [yocto] Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH
On 9/25/19 10:33 PM, Mark Hatle wrote:
> On 9/25/19 2:23 AM, Hongxu Jia wrote:
>> Changed in V1:
>> - Follow Mark H's suggestions
>>
>> Hi Mark,
>>
>> Once openssh enables FIPS mode, openssh ptest will fail (a mess of failures).
>> It seems the test case of upstream openssh does not consider FIPS mode
>> support.
>> I searched Fedora; there is nothing about openssh `regress' (test suites) in
>> FIPS mode support.
>>
>> So I do not add additional CAVS tests to the ptest, just a note
>> to README.enable_fips
>
> Ok, that is good to know. I suspect the issue is that many of the tests are
> trying to use unapproved algorithms and should be skipped in FIPS mode.
> Something for a future patch set. I don't think it's necessary to adjust now.
>
> I did modify patch 4. We want to use the more generic IMAGE_POSTPROCESS_COMMAND
> instead. But otherwise I've taken it as is.
>
> I'm currently running it through a test pass, once that is complete I'll push
> the commits.

Hi Mark,

I am afraid we have to use var-ROOTFS_POSTPROCESS_COMMAND to replace it;
var-IMAGE_POSTPROCESS_COMMAND is used at do_image_complete, and we require it
to run at do_rootfs.

//Hongxu

> --Mark
>
>> //Hongxu
>>
>> == Comments (indicate scope for each "y" above) ==
>> * Git logs
>> [meta-openssl102-fips]
>> commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
>> Author: Hongxu Jia
>> Date:   Wed Sep 25 15:03:24 2019 +0800
>>
>>     README.enable_fips: openssh ptest failed in fips mode
>>
>>     Signed-off-by: Hongxu Jia
>>
>> commit f5b8a66c226541e73cc509a73452bbafc59f2555
>> Author: Hongxu Jia
>> Date:   Sun Sep 22 22:40:56 2019 +0800
>>
>>     README.openssh_cavstest: add CAVS tests for FIPS validation
>>
>>     Signed-off-by: Hongxu Jia
>>
>> commit bd5de039c60fd2ab89f7925d3801520d742ba09a
>> Author: Hongxu Jia
>> Date:   Sun Sep 22 21:54:41 2019 +0800
>>
>>     openssh: add CAVS tests for FIPS validation
>>
>>     Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
>>     and the SSH KDF CAVS test driver [2]
>>
>>     [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
>>     [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
>>     (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>>
>>     Signed-off-by: Hongxu Jia
>>
>> commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
>> Author: Hongxu Jia
>> Date:   Sun Sep 22 20:55:30 2019 +0800
>>
>>     README.enable_fips: add steps to turn system (kernel and user space) into
>>     FIPS mode
>>
>>     Refer to RedHat/Fedora/SUSE/Oracle/IBM ways
>>
>>     1. Add `fips=1' to the kernel options to enable FIPS mode in the kernel
>>
>>     2. File /etc/system-fips determines if FIPS mode is enabled in user space,
>>        currently openssh only
>>
>>     Refer:
>>     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
>>     https://access.redhat.com/discussions/3293631
>>     https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
>>     https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
>>     https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
>>
>>     Signed-off-by: Hongxu Jia
>>
>> commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
>> Author: Hongxu Jia
>> Date:   Sun Sep 22 19:27:45 2019 +0800
>>
>>     rng-tools: fix rngd failed in fips mode
>>
>>     The FIPS test is something done by government or more secure organizations
>>     for an extra security check.
>>     ...
>>     root@qemux86-64:~# systemctl status rngd
>>     Unit rngd-tools.service could not be found.
>>     root@qemux86-64:~# systemctl status rngd
>>     rngd.service - Hardware RNG Entropy Gatherer Daemon
>>        Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
>>        Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
>>       Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
>>      Main PID: 317 (code=exited, status=0/SUCCESS)
>>
>>     Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
>>     Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
>>     Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
>>     ...
>>
>>     From the rngd manual, add `-i' to default
>>     ...
>>     -i, --ignorefail
>>         Ignore repeated fips failures
>>     ...
>>
>>     After applying the fix
>>     ...
>>     rngd.service - Hardware RNG Entropy Gatherer Daemon
>>        Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
>>        Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
>>      Main PID: 121 (rngd)
>>         Tasks: 2
>>        Memory: 1.8M
>>        CGroup: /system.slice/rngd.service
>>                /usr/sbin/rngd -f -r /dev/hwrng -i
>>
>>     Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not
Re: [yocto] Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH
On 9/25/19 2:23 AM, Hongxu Jia wrote:
> Changed in V1:
> - Follow Mark H's suggestions
>
> Hi Mark,
>
> Once openssh enables FIPS mode, openssh ptest will fail (a mess of failures).
> It seems the test case of upstream openssh does not consider FIPS mode
> support.
> I searched Fedora; there is nothing about openssh `regress' (test suites) in
> FIPS mode support.
>
> So I do not add additional CAVS tests to the ptest, just a note
> to README.enable_fips

Ok, that is good to know. I suspect the issue is that many of the tests are
trying to use unapproved algorithms and should be skipped in FIPS mode.
Something for a future patch set. I don't think it's necessary to adjust now.

I did modify patch 4. We want to use the more generic IMAGE_POSTPROCESS_COMMAND
instead. But otherwise I've taken it as is.

I'm currently running it through a test pass, once that is complete I'll push
the commits.

--Mark

> //Hongxu
>
> == Comments (indicate scope for each "y" above) ==
> * Git logs
> [meta-openssl102-fips]
> commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
> Author: Hongxu Jia
> Date:   Wed Sep 25 15:03:24 2019 +0800
>
>     README.enable_fips: openssh ptest failed in fips mode
>
>     Signed-off-by: Hongxu Jia
>
> commit f5b8a66c226541e73cc509a73452bbafc59f2555
> Author: Hongxu Jia
> Date:   Sun Sep 22 22:40:56 2019 +0800
>
>     README.openssh_cavstest: add CAVS tests for FIPS validation
>
>     Signed-off-by: Hongxu Jia
>
> commit bd5de039c60fd2ab89f7925d3801520d742ba09a
> Author: Hongxu Jia
> Date:   Sun Sep 22 21:54:41 2019 +0800
>
>     openssh: add CAVS tests for FIPS validation
>
>     Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
>     and the SSH KDF CAVS test driver [2]
>
>     [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
>     [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
>     (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>
>     Signed-off-by: Hongxu Jia
>
> commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
> Author: Hongxu Jia
> Date:   Sun Sep 22 20:55:30 2019 +0800
>
>     README.enable_fips: add steps to turn system (kernel and user space) into
>     FIPS mode
>
>     Refer to RedHat/Fedora/SUSE/Oracle/IBM ways
>
>     1. Add `fips=1' to the kernel options to enable FIPS mode in the kernel
>
>     2. File /etc/system-fips determines if FIPS mode is enabled in user space,
>        currently openssh only
>
>     Refer:
>     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
>     https://access.redhat.com/discussions/3293631
>     https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
>     https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
>     https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
>
>     Signed-off-by: Hongxu Jia
>
> commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
> Author: Hongxu Jia
> Date:   Sun Sep 22 19:27:45 2019 +0800
>
>     rng-tools: fix rngd failed in fips mode
>
>     The FIPS test is something done by government or more secure organizations
>     for an extra security check.
>     ...
>     root@qemux86-64:~# systemctl status rngd
>     Unit rngd-tools.service could not be found.
>     root@qemux86-64:~# systemctl status rngd
>     rngd.service - Hardware RNG Entropy Gatherer Daemon
>        Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
>        Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
>       Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
>      Main PID: 317 (code=exited, status=0/SUCCESS)
>
>     Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
>     Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
>     Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
>     ...
>
>     From the rngd manual, add `-i' to default
>     ...
>     -i, --ignorefail
>         Ignore repeated fips failures
>     ...
>
>     After applying the fix
>     ...
>     rngd.service - Hardware RNG Entropy Gatherer Daemon
>        Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
>        Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
>      Main PID: 121 (rngd)
>         Tasks: 2
>        Memory: 1.8M
>        CGroup: /system.slice/rngd.service
>                /usr/sbin/rngd -f -r /dev/hwrng -i
>
>     Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
>     ...
>
>     Refer:
>
[yocto] Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH
Changed in V1:
- Follow Mark H's suggestions

Hi Mark,

Once openssh enables FIPS mode, openssh ptest will fail (a mess of failures).
It seems the test case of upstream openssh does not consider FIPS mode
support.
I searched Fedora; there is nothing about openssh `regress' (test suites) in
FIPS mode support.

So I do not add additional CAVS tests to the ptest, just a note
to README.enable_fips

//Hongxu

== Comments (indicate scope for each "y" above) ==
* Git logs
[meta-openssl102-fips]
commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
Author: Hongxu Jia
Date:   Wed Sep 25 15:03:24 2019 +0800

    README.enable_fips: openssh ptest failed in fips mode

    Signed-off-by: Hongxu Jia

commit f5b8a66c226541e73cc509a73452bbafc59f2555
Author: Hongxu Jia
Date:   Sun Sep 22 22:40:56 2019 +0800

    README.openssh_cavstest: add CAVS tests for FIPS validation

    Signed-off-by: Hongxu Jia

commit bd5de039c60fd2ab89f7925d3801520d742ba09a
Author: Hongxu Jia
Date:   Sun Sep 22 21:54:41 2019 +0800

    openssh: add CAVS tests for FIPS validation

    Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
    and the SSH KDF CAVS test driver [2]

    [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
    [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
    (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)

    Signed-off-by: Hongxu Jia

commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
Author: Hongxu Jia
Date:   Sun Sep 22 20:55:30 2019 +0800

    README.enable_fips: add steps to turn system (kernel and user space) into
    FIPS mode

    Refer to RedHat/Fedora/SUSE/Oracle/IBM ways

    1. Add `fips=1' to the kernel options to enable FIPS mode in the kernel

    2. File /etc/system-fips determines if FIPS mode is enabled in user space,
       currently openssh only

    Refer:
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
    https://access.redhat.com/discussions/3293631
    https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
    https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
    https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html

    Signed-off-by: Hongxu Jia

commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
Author: Hongxu Jia
Date:   Sun Sep 22 19:27:45 2019 +0800

    rng-tools: fix rngd failed in fips mode

    The FIPS test is something done by government or more secure organizations
    for an extra security check.
    ...
    root@qemux86-64:~# systemctl status rngd
    Unit rngd-tools.service could not be found.
    root@qemux86-64:~# systemctl status rngd
    rngd.service - Hardware RNG Entropy Gatherer Daemon
       Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
      Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
     Main PID: 317 (code=exited, status=0/SUCCESS)

    Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
    Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
    Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
    ...

    From the rngd manual, add `-i' to default
    ...
    -i, --ignorefail
        Ignore repeated fips failures
    ...

    After applying the fix
    ...
    rngd.service - Hardware RNG Entropy Gatherer Daemon
       Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
       Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
     Main PID: 121 (rngd)
        Tasks: 2
       Memory: 1.8M
       CGroup: /system.slice/rngd.service
               /usr/sbin/rngd -f -r /dev/hwrng -i

    Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
    ...

    Refer:
    https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html

    Signed-off-by: Hongxu Jia

commit c3224883bec9155fb51686a908c59da31d9918f5
Author: Hongxu Jia
Date:   Sun Sep 22 19:27:01 2019 +0800

    rng-tools bbappend: port a copy of default from oe-core

    Port it at the following commit in oe-core
    http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91

    Signed-off-by: Hongxu Jia

commit aecc01c2e49825dcb2a78875e0562028b2636fab
Author: Hongxu Jia
Date:   Sun Sep 22 18:48:08 2019 +0800

    openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode

    Running sshd_check_keys failed:
    ...
    2019-09-22T09:59:10.878738+00:00 qemux86-64
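As an added example (not code from the patch set or from meta-openssl102-fips), a POSIX shell check that audits an unpacked root filesystem for the pieces the commits above describe: the `fips=1` kernel option versus the /etc/system-fips marker, the rngd `-i` flag, and an ED25519 host key that must not exist once FIPS mode is on. The rngd default file path etc/default/rng-tools and the host key path etc/ssh/ssh_host_ed25519_key are assumptions.

```shell
#!/bin/sh
# Added example, not part of the meta-openssl102-fips patch set.
# Audits a root filesystem (e.g. an unpacked image) for the FIPS pieces
# discussed in the thread. Assumed paths: etc/default/rng-tools holds
# rngd's EXTRA_ARGS; sshd host keys live under etc/ssh/.

# fips_audit ROOTDIR KERNEL_CMDLINE
# Prints one line per finding and returns the number of findings.
fips_audit() {
    root=$1
    cmdline=$2
    problems=0

    # Kernel side: FIPS mode is requested with fips=1 on the kernel command line.
    case " $cmdline " in
        *" fips=1 "*) kernel_fips=1 ;;
        *)            kernel_fips=0 ;;
    esac

    # User-space side: /etc/system-fips is the marker openssh checks.
    if [ -e "$root/etc/system-fips" ]; then user_fips=1; else user_fips=0; fi

    # Both halves must agree, otherwise user space trusts a kernel that is not
    # in FIPS mode (or the kernel is, but openssh keeps non-approved algorithms).
    if [ "$kernel_fips" != "$user_fips" ]; then
        echo "MISMATCH: kernel fips=$kernel_fips, /etc/system-fips present=$user_fips"
        problems=$((problems + 1))
    fi

    if [ "$user_fips" -eq 1 ]; then
        # Without -i (--ignorefail) rngd gives up after repeated FIPS failures,
        # the "disabling entropy source" state shown in the rngd log above.
        if ! grep -qsE -- '(^|[[:space:]"])(-i|--ignorefail)([[:space:]"]|$)' \
                "$root/etc/default/rng-tools"; then
            echo "RNGD: EXTRA_ARGS in etc/default/rng-tools lacks -i"
            problems=$((problems + 1))
        fi
        # ED25519 is not FIPS-approved; sshd_check_keys must not have generated it.
        if [ -e "$root/etc/ssh/ssh_host_ed25519_key" ]; then
            echo "SSH: ED25519 host key present in FIPS mode"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage: sh fips_audit.sh /path/to/rootfs  (checks against the running kernel's cmdline)
if [ -n "$1" ]; then
    fips_audit "$1" "$(cat /proc/cmdline 2>/dev/null)"
fi
```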