Automatic FIPS mode bind-mounts rely on the presence of deprecated /etc/system-fips #2130
Comments
neverpanic added a commit to neverpanic/containers-common that referenced this issue on Sep 25, 2024:

/etc/system-fips is deprecated in CentOS Stream 9 and has been removed from CentOS Stream 10. UBI8 containers still contain /etc/system-fips -> /run/secrets/system-fips, but UBI9 containers do not, so creating /run/secrets/system-fips on UBI9 (or later) does not serve a useful purpose. See [1, 2].

Instead of checking /etc/system-fips to determine whether FIPS mode is enabled on the host, read /proc/sys/crypto/fips_enabled, which works for all supported RHEL versions and likely even earlier.

In CentOS 10 Stream, the crypto-policies package does now contain /usr/share/crypto-policies/default-fips-config, which is meant to serve as a file to bind-mount over /etc/crypto-policies/config when in FIPS mode [3]. Manual creation of this file is thus no longer required in containers/common for modern containers. Using this file as a source also enables improvements in crypto-policies tooling which will now

- unmount the two bind mounts when a user manually changes the policy using update-crypto-policies --set, something which was previously broken in containers because /etc/crypto-policies/config was a read-only bind-mount, and
- unmount and restore the two bind-mounts when the crypto-policies package is updated.

The crypto-policies package will only do these steps if the bind mounts for crypto-policies use the /usr/share/crypto-policies/default-fips-config file as source, so it makes sense for containers/common to switch to that.

[1]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/111
[2]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality#deprecated-functionality_security
[3]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/04ceadccfc07e5946b08157d06ca5c0d5a229d92

Closes: containers#2130
Related: https://issues.redhat.com/browse/CRYPTO-13556
Signed-off-by: Clemens Lang <[email protected]>
neverpanic added further commits to neverpanic/containers-common that referenced this issue, each carrying the same commit message as above: Sep 25, 2024; Oct 22, 2024; Oct 24, 2024 (two commits); Oct 25, 2024; Oct 30, 2024 (two commits).
The `MountsWithUIDGID` function in pkg/subscriptions/subscriptions.go tests for the presence of `/etc/system-fips` on the host. It calls `addFIPSModeSubscription`, which creates `/etc/system-fips` inside of the container at pkg/subscriptions/subscriptions.go#L327-L335. `/etc/system-fips` is deprecated and was removed on current Fedora and in CentOS 10 Stream. See https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/111 and https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality#JIRA-RHELPLAN-103232.

containers/common should instead check the contents of `/proc/sys/crypto/fips_enabled`, which works on all systems down to RHEL 6.10, and contains `1\n` if the system is in FIPS mode. containers/common should not create the `/etc/system-fips` file on systems >= CentOS 10 Stream (although I'm not sure how to implement this in a container-agnostic way).

Additionally, as a simplification and with better user space tooling support, the `crypto-policies` package will start shipping `/usr/share/crypto-policies/default-fips-config`, which can replace manual creation of the file to be bind-mounted over `/etc/crypto-policies/config` (see pkg/subscriptions/subscriptions.go#L367-L383) in c10s and beyond. The `update-crypto-policies` user space tooling has also been improved to detect these two bind mounts and undo them if users choose to manually change the active crypto-policy, something that has previously failed in podman containers on FIPS hosts, because the bind-mount over the config file was always read-only. As a cautionary measure, `update-crypto-policies --set` will only unmount bind-mounts if they match exactly in both the source and target, so you would have to switch to `/usr/share/crypto-policies/default-fips-config` as source for the mount over `/etc/crypto-policies/config` to enable this improved user experience. We will also make sure that installing a crypto-policies package update does not incorrectly overwrite the bind-mounted files, something which currently still happens with the way the bind mounts are set up.
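The detection and mount-selection logic proposed in the issue, written out as an added example (this is not containers/common's code and does not use its types): FIPS mode is read from `/proc/sys/crypto/fips_enabled` instead of probing for `/etc/system-fips`, the config mount uses the image's own `/usr/share/crypto-policies/default-fips-config` as source when it exists (so `update-crypto-policies` can match source and target exactly), and the `/run/secrets/system-fips` marker is only created when the image still carries the `/etc/system-fips` link. The `Mount` type, the function names, the `workDir` parameter, the `"FIPS\n"` fallback content and the decision to detect the legacy image by its `/etc/system-fips` link are all this example's assumptions; the second crypto-policies bind mount the issue refers to is left out.

```go
// Added example, not code from containers/common: derive FIPS-mode bind
// mounts for a container from the host sysctl and the image contents.
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Mount is a minimal stand-in for the runtime-spec mount entry a container
// engine would emit; the field names are this example's own assumption.
type Mount struct {
	Source      string
	Destination string
	ReadOnly    bool
}

// HostFIPSEnabled reports whether the host kernel is in FIPS mode by reading
// the sysctl file, normally /proc/sys/crypto/fips_enabled, which holds "1\n"
// in FIPS mode and "0\n" otherwise. A missing file is treated as "not FIPS";
// any other content is an error rather than a silent guess.
func HostFIPSEnabled(fipsEnabledPath string) (bool, error) {
	data, err := os.ReadFile(fipsEnabledPath)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	switch string(bytes.TrimSpace(data)) {
	case "1":
		return true, nil
	case "0":
		return false, nil
	}
	return false, fmt.Errorf("unexpected content in %s: %q", fipsEnabledPath, data)
}

// FIPSMounts computes the FIPS-related bind mounts for a container whose root
// filesystem is at containerRoot; the caller has already checked that the
// host is in FIPS mode. workDir is a caller-controlled host directory where
// files that must be synthesised are written (an assumption of this example).
//
//   - /etc/crypto-policies/config is mounted read-only from the image's own
//     /usr/share/crypto-policies/default-fips-config when the image ships it.
//     Otherwise a file holding the policy name "FIPS" is written to workDir
//     and used as the source (the legacy behaviour the issue describes).
//   - /run/secrets/system-fips is only provided when the image still has the
//     /etc/system-fips -> /run/secrets/system-fips link (UBI8); on images that
//     dropped /etc/system-fips the marker would serve no purpose.
func FIPSMounts(containerRoot, workDir string) ([]Mount, error) {
	var mounts []Mount

	cfgSrc := filepath.Join(containerRoot, "usr/share/crypto-policies/default-fips-config")
	if _, err := os.Stat(cfgSrc); err != nil {
		if !errors.Is(err, os.ErrNotExist) {
			return nil, err
		}
		cfgSrc = filepath.Join(workDir, "config")
		if err := os.WriteFile(cfgSrc, []byte("FIPS\n"), 0o644); err != nil {
			return nil, err
		}
	}
	mounts = append(mounts, Mount{Source: cfgSrc, Destination: "/etc/crypto-policies/config", ReadOnly: true})

	// Lstat, not Stat: inside the image the link target /run/secrets/system-fips
	// does not exist, so Stat would report the dangling link as missing.
	_, err := os.Lstat(filepath.Join(containerRoot, "etc/system-fips"))
	switch {
	case err == nil:
		marker := filepath.Join(workDir, "system-fips")
		if err := os.WriteFile(marker, nil, 0o644); err != nil {
			return nil, err
		}
		mounts = append(mounts, Mount{Source: marker, Destination: "/run/secrets/system-fips", ReadOnly: true})
	case !errors.Is(err, os.ErrNotExist):
		return nil, err
	}
	return mounts, nil
}

// Usage: fipsmounts <path-to-container-rootfs>
func main() {
	fips, err := HostFIPSEnabled("/proc/sys/crypto/fips_enabled")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("host FIPS mode:", fips)
	if !fips || len(os.Args) < 2 {
		return
	}
	workDir, err := os.MkdirTemp("", "fips-mounts-")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	mounts, err := FIPSMounts(os.Args[1], workDir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, m := range mounts {
		fmt.Printf("bind %s -> %s (ro=%v)\n", m.Source, m.Destination, m.ReadOnly)
	}
}
```

Reading the sysctl rather than probing for a marker file means the host check no longer depends on which distribution release the host runs, while looking at the image for `default-fips-config` and `/etc/system-fips` keeps the mount set appropriate to the image generation without hard-coding a "CentOS 10 Stream or newer" rule.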