
pkg/subscriptions: Modernize FIPS mounts #2174

Merged

Commits on Oct 31, 2024

  1. pkg/subscriptions: Modernize FIPS mounts

    /etc/system-fips is deprecated in CentOS Stream 9 and has been removed
    from CentOS Stream 10. UBI8 containers still contain /etc/system-fips ->
    /run/secrets/system-fips, but UBI9 containers do not, so creating
    /run/secrets/system-fips on UBI9 (or later) does not serve a useful
    purpose. See [1, 2].
    
    Instead of checking /etc/system-fips to determine whether FIPS mode is
    enabled on the host, read /proc/sys/crypto/fips_enabled, which works for
    all supported RHEL versions and likely even earlier.
    
    In CentOS 10 Stream, the crypto-policies package does now contain
    /usr/share/crypto-policies/default-fips-config, which is meant to serve
    as a file to bind-mount over /etc/crypto-policies/config when in FIPS
    mode [3]. Manual creation of this file is thus no longer required in
    containers/common for modern containers. Using this file as a source
    also enables improvements in crypto-policies tooling which will now
     - unmount the two bind mounts when a user manually changes the policy
       using update-crypto-policies --set, something which was previously
       broken in containers because /etc/crypto-policies/config was
       a read-only bind-mount, and
     - unmount and restore the two bind-mounts when the crypto-policies
       package is updated.
    The crypto-policies package will only do these steps if the bind
    mounts for crypto-policies use the
      /usr/share/crypto-policies/default-fips-config
    file as source, so it makes sense for containers/common to switch to
    that.
    
    [1]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/111
    [2]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality#deprecated-functionality_security
    [3]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/04ceadccfc07e5946b08157d06ca5c0d5a229d92
    
    Closes: containers#2130
    Related: https://issues.redhat.com/browse/CRYPTO-13556
    Signed-off-by: Clemens Lang <[email protected]>
    neverpanic committed Oct 31, 2024
    abf2f6b
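As an added illustration of the two mechanisms the commit message describes, here is a small Go program that is not code from containers/common or from this PR: it reads /proc/sys/crypto/fips_enabled to decide whether the host runs in FIPS mode and, if it does and the image ships /usr/share/crypto-policies/default-fips-config, produces a read-only bind mount of that file over /etc/crypto-policies/config. The `rootfs` parameter (the image's mounted root, used to locate the source file), the `BindMount` type and every function name are assumptions made for this example; images without default-fips-config (for instance UBI8) get no mount from it, and the second bind mount the commit mentions is not modelled.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// fipsEnabledPath is the kernel's FIPS-mode indicator; it exists on every
// supported RHEL version, which is why the commit switches to it.
const fipsEnabledPath = "/proc/sys/crypto/fips_enabled"

// Paths inside the container image, as named in the commit message.
const (
	defaultFIPSConfig    = "/usr/share/crypto-policies/default-fips-config"
	cryptoPoliciesConfig = "/etc/crypto-policies/config"
)

// BindMount is a hypothetical mount description for this example (not a
// containers/common type).
type BindMount struct {
	Source      string
	Destination string
	ReadOnly    bool
}

// parseFIPSEnabled interprets the sysctl file contents: the kernel writes
// "1\n" when FIPS mode is on and "0\n" otherwise; anything else is "off".
func parseFIPSEnabled(content []byte) bool {
	return bytes.Equal(bytes.TrimSpace(content), []byte("1"))
}

// hostFIPSEnabled reads the sysctl file at path. A missing file means the
// kernel has no FIPS support at all and is treated as "not enabled"; any
// other read failure is reported so a misconfigured host is not silently
// treated as non-FIPS.
func hostFIPSEnabled(path string) (bool, error) {
	content, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return parseFIPSEnabled(content), nil
}

// fipsMounts returns the bind mounts to add for an image whose root is
// mounted at rootfs (assumed layout for this example). Nothing is mounted
// when the host is not in FIPS mode. When it is, and the image contains
// default-fips-config, that file is bind-mounted read-only over
// /etc/crypto-policies/config, using the source path that the crypto-policies
// tooling recognises and can unmount again. Images without the file get no
// mount here rather than a manually created config.
func fipsMounts(rootfs string, fipsEnabled bool) ([]BindMount, error) {
	if !fipsEnabled {
		return nil, nil
	}
	src := filepath.Join(rootfs, defaultFIPSConfig)
	if _, err := os.Stat(src); err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return nil, nil
		}
		return nil, err
	}
	return []BindMount{{Source: src, Destination: cryptoPoliciesConfig, ReadOnly: true}}, nil
}

func main() {
	enabled, err := hostFIPSEnabled(fipsEnabledPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot determine host FIPS mode:", err)
		os.Exit(1)
	}
	// "/" stands in for the container's mounted rootfs in this demo.
	mounts, err := fipsMounts("/", enabled)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot compute FIPS mounts:", err)
		os.Exit(1)
	}
	fmt.Printf("host FIPS mode: %v, bind mounts to add: %d\n", enabled, len(mounts))
	for _, m := range mounts {
		fmt.Printf("  %s -> %s (ro=%v)\n", m.Source, m.Destination, m.ReadOnly)
	}
}
```

The mount is read-only on purpose: the container must not be able to rewrite the policy file that the host's FIPS state selected, and the commit notes that with default-fips-config as the source the crypto-policies tooling knows how to unmount it when a user or a package update changes the policy.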