SONIC OpenSSL FIPS 140-3 HLD #955

Merged
merged 5 commits into from
Apr 12, 2022
168 changes: 168 additions & 0 deletions doc/fips/SONiC-OpenSSL-FIPS-140-3.md
@@ -0,0 +1,168 @@
# SONIC OpenSSL FIPS 140-3 HLD

## Revision

| Rev | Date | Author | Change Description |
| :---: | :--------: | :--------: | ------------------ |
| 0.1 | 2022-02-22 | Xuhui Miao | Initial version |

## Table of Contents
- [Abbreviation](#abbreviation)
- [Requirement](#requirement)
- [The cryptographic modules in SONiC](#the-cryptographic-modules-in-SONiC)
- [OpenSSL FIPS 140-3](#OpenSSL-FIPS-140-3)
* [OpenSSL Engine](#OpenSSL-Engine)
* [SymCrypt OpenSSL Engine](#symCrypt-openSSL-engine)
* [OpenSSL configuration for SymCrypt Engine](#OpenSSL-configuration-for-SymCrypt-Engine)
* [OpenSSL configuration enhancement](#OpenSSL-configuration-enhancement)
* [SymCrypt OpenSSL Engine debian package](#SymCrypt-OpenSSL-Engine-debian-package)
- [Kerberos Cryptographic Module](#Kerberos-Cryptographic-Module)
- [Golang Cryptographic Module](#Golang-Cryptographic-Module)
- [Application Impact](#Application-Impact)
- [SONiC FIPS Configuration](#SONiC-FIPS-Configuration)
* [Enable FIPS on system level](#Enable-FIPS-on-system-level)
* [Enable FIPS on application level](#Enable-FIPS-on-application-level)
* [SONiC Build Options](#SONiC-Build-Options)
- [Q&A](#Q&A)


## Abbreviation

| Abbreviation | Description |
| ------------ | -------------------------------------------- |
| CAVP | Cryptographic Algorithm Validation Program |
| CST | Cryptographic and Security Test |
| CMVP | Cryptographic Module Validation Program |
| FIPS | Federal Information Processing Standard |

## Requirement
SONiC only uses cryptographic modules validated by FIPS 140-3, Make SONiC compliant with FIPS 140-3.

## The cryptographic modules in SONiC

| Module | Use Scenarios | Description |
| -------------------- | --------------- | -------------------------------------------- |
| OpenSSL | Python, OpenSSH | Cyptography and SSL/TLS ToolKit |
| Kerberos | OpenSSH | Kerboros contains builtin crypto module |
| Golang | sonic-restapi | Golang contains builtin crypto module |
| Libgcrypto | GPG | A general purpose cryptographic library originally based on code from GnuPG |
| Kernel Crypto | -- | Linux crypto kernel module |

## Scopes:
In Scopes:
1. OpenSSL
2. Kerberos
3. Golang

Out of Scopes:
1. Linux Kernel
2. Libgcrypt


## OpenSSL FIPS 140-3

![FIPS Overview](images/fips-overview.png)

### OpenSSL Engine
OpenSSL supports engine cryptographic modules in the form of engine objects, and provides a reference-counted mechanism to allow them to be dynamically loaded in and out of the running application. An engine object can implement one or all cryptographic algorithms.

### SymCrypt OpenSSL Engine
The [SymCrypt engine for OpenSSL (SCOSSL)](https://github.com/microsoft/SymCrypt-OpenSSL) allows the use of OpenSSL with [SymCrypt](https://github.com/microsoft/SymCrypt) as the provider for core cryptographic operations. It leverages the OpenSSL engine interface to override the cryptographic implementations in OpenSSL's libcrypto. The primary motivation for this is to support FIPS certification, as OpenSSL 1.1.1 does not have a FIPS-certified cryptographic module. Microsoft will submit the FIPS 140-3 reports for SymCrypt to CMVP.

The SymCrypt Engine is one of the implementation to support FIPS, The [wolfSSL engine](https://github.com/wolfSSL/wolfEngine) is another option.

### OpenSSL configuration for SymCrypt Engine

/usr/lib/ssl/openssl-fips.cnf
```
openssl_conf = openssl_init
[ openssl_init ]
engines = engine_section

[ engine_section ]
symcrypt = symcrypt_section

[ symcrypt_section ]
engine_id = symcrypt
dynamic_path = /usr/lib/x86_64-linux-gnu/libsymcryptengine.so
default_algorithms = ALL
```

### OpenSSL configuration enhancement
When fips=1 is set in /proc/cmdline, the OpenSSL default config file is changed to "/usr/lib/ssl/openssl-fips.cnf", otherwise, the config file "/usr/lib/ssl/openssl.cnf" is used.

### SymCrypt OpenSSL Engine debian package
Provide SymCrypt OpenSSL debian package.
Package name: symcrypt-openssl
Current version: 0.1

Package file name example: symcrypt-openssl_0.1_amd64.deb
Files in the packages:
```
/usr/lib/ssl/openssl.cnf
/usr/lib/ssl/openssl-fips.cnf
/usr/lib/x86_64-linux-gnu/libsymcrypt.so
/usr/lib/x86_64-linux-gnu/libsymcryptengine.so
```

## Kerberos Cryptographic Module
Kerberos will use the builtin cryptographic module by default, but it allows to change the build option to use OpenSSl, see [MIT Kerberos features](https://web.mit.edu/kerberos/krb5-1.13/doc/mitK5features.html). SONiC will change the build option to use OpenSSL instead of the builtin one. It is not configurable to use the Kerberos builtin cryptographic module when OpenSSL used.

## Golang Cryptographic Module
Golang has its own cryptographic module (see [crypto](https://github.com/golang/go/tree/master/src/crypto)) without FIPS supports. There are some branches with branch name starting with "dev.boringcrypto" (see [golang branches](https://github.com/golang/go/branches/all?query=dev.boringcrypto)), changing the Golang cryptographic APIs' referenece to use [BoringSSL](https://github.com/google/boringssl). Although BoringSSL is an open source project, but it used by Google only, not intened for general use.

To support FIPS for Golang, RedHat offers an alternative solution (see [here](https://developers.redhat.com/blog/2019/06/24/go-and-fips-140-2-on-red-hat-enterprise-linux)), it builds on top of the Golang's dev.bringcrypt branches, has ability to call into OpenSSL, not BoringSSL. SONiC can reuse the RedHat sulotion, one difference is that RedHat supports FIPS for OpenSSL directly, SONiC uses OpenSSL Engine.

How OpenSSL Engine works in Golang?
![Golang API](images/golang-api.png)

When FIPS enabled, both of the BoringSSL Enable Option and the SymCrypt Enabled option will be set.


## Application Impact
Some of functions of a application might be broken when using the cryptographic algorithms that are not FIPS compliant. It is relied on the tests of the applications to detect all the impact functions.
For OpenSSH, Centos provides a [patch](https://git.centos.org/rpms/openssh/raw/c8/f/SOURCES/openssh-7.7p1-fips.patch) which is compiant with FIPS 140-2. We can apply the patch and verify if it can pass all the OpenSSH test cases when FIPS enabled.

## SONiC FIPS Configuration

### Enable FIPS on system level
Add the Linux System parameter fips=1, in grub config, one of implemetation as below:

cat /etc/grub.d/99-fips.cfg
```
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT fips=1"
```

To validate the FIPS enabled, grep 'fips=1' /proc/cmdline.

### Enable FIPS on application level
```
export ENABLE_FIPS=1
```

Alternative option for the golang applications only:
```
export GOLANG_FIPS=1
```

Alternative option for the OpenSSL applications only:

see https://www.openssl.org/docs/manmaster/man7/openssl-env.html
```
export OPENSSL_CONFIG=/usr/lib/ssl/openssl-fips.cnf
```

### SONiC Build Options
Support to enable/disable the FIPS feature, the feature is enabled by default in rules/config as below.
```
ENABLE_FIPS_FEATURE ?= y
```
Support to enable/disable FIPS config, the flage is disabled by default. IF the option is set, then the fips is enabled by default in the image, not necesary to do the config in system level or application level.
```
ENABLE_FIPS ?= n
```
If the ENABLE_FIPS_FEATURE is not set, then the option ENABLE_FIPS is useless.

## Q&A
### Does SymCrypt use Linux Kernel crypto module?
SymCrypt on Linux does not rely on Kernel crypt for FIPS certification today.
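Review bot: In "Enable FIPS on application level" the OpenSSL environment variable is misnamed: the openssl-env(7) page linked just above it documents `OPENSSL_CONF`, not `OPENSSL_CONFIG`, so `export OPENSSL_CONFIG=/usr/lib/ssl/openssl-fips.cnf` as written would have no effect; change it to `export OPENSSL_CONF=/usr/lib/ssl/openssl-fips.cnf`. Two design gaps a reader would also want closed: "OpenSSL configuration enhancement" says the default config path switches to openssl-fips.cnf when fips=1 is on the kernel command line, but not where that switch lives (a patch to libcrypto's default config lookup, a wrapper, or the packaging of /usr/lib/ssl/openssl.cnf that the symcrypt-openssl package ships) nor what happens when an application sets its own OPENSSL_CONF; and "OpenSSL Engine" notes that an engine may implement only some algorithms, yet with `default_algorithms = ALL` the document does not say whether algorithms SCOSSL does not provide fall back to libcrypto's non-validated implementations or fail, which matters for the compliance claim in "Requirement" and for "Application Impact", where finding such cases is currently left to application tests alone; a short section on how non-approved algorithm use is detected or blocked at runtime would make the claim concrete. Minor: spelling fixes for "Cyptography", "Kerboros", "referenece", "intened", "dev.bringcrypt" (dev.boringcrypto), "sulotion", "compiant", "implemetation", "flage", "necesary" and "Kernel crypt".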
Binary file added doc/fips/images/fips-overview.png
Binary file added doc/fips/images/golang-api.png