From: Mark Hatle <mark.hatle@kernel.crashing.org>
To: Hongxu Jia <hongxu.jia@windriver.com>,
jason.wessel@windriver.com, yocto@yoctoproject.org
Subject: Re: Review request V2 0/16: [meta-openssl102-fips] Enable FIPS mode in Kernel and OpenSSH
Date: Wed, 25 Sep 2019 09:33:12 -0500
Message-ID: <6d024f00-b292-39cf-355d-bec2106d2c55@kernel.crashing.org>
In-Reply-To: <1569396253-36865-1-git-send-email-hongxu.jia@windriver.com>
On 9/25/19 2:23 AM, Hongxu Jia wrote:
> Changed in V1:
> - Follow Mark H's suggestions
>
> Hi Mark,
>
> Once openssh enables FIPS mode, the openssh ptest fails (a mess of failures).
> It seems the upstream openssh test cases do not consider FIPS mode support.
> I searched Fedora, and there is nothing about the openssh `regress' (test suite)
> supporting FIPS mode.
>
> So I did not add additional CAVS tests to the ptest, just a note
> to README.enable_fips
Ok, that is good to know. I suspect the issue is that many of the tests are
trying to use unapproved algorithms and should be skipped in FIPS mode.
Something for a future patch set. I don't think it's necessary to adjust now.
I did modify patch 4. We want to use the more generic IMAGE_POSTPROCESS_COMMAND
instead. But otherwise I've taken it as is. I'm currently running it through a
test pass; once that is complete I'll push the commits.
--Mark
> //Hongxu
>
> ====== Comments (indicate scope for each "y" above) ======
> * Git logs
> [meta-openssl102-fips]
> commit 38849c1c52ae04eb2a3931624cd2d1446ab389d6
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Wed Sep 25 15:03:24 2019 +0800
>
> README.enable_fips: openssh ptest failed in fips mode
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit f5b8a66c226541e73cc509a73452bbafc59f2555
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 22:40:56 2019 +0800
>
> README.openssh_cavstest: add CAVS tests for FIPS validation
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit bd5de039c60fd2ab89f7925d3801520d742ba09a
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 21:54:41 2019 +0800
>
> openssh: add CAVS tests for FIPS validation
>
> Refer to the latest Fedora to add the CAVS test binary for aes-ctr [1]
> and the SSH KDF CAVS test driver [2]
>
> [1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.6p1-ctr-cavstest.patch
> [2] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-6.7p1-kdf-cavs.patch
> (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit b40cef8f89461342da5c6a621d95cdb19a4d8cff
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 20:55:30 2019 +0800
>
> README.enable_fips: add steps to turn system (kernel and user space) into FIPS mode
>
> Refer to the RedHat/Fedora/SUSE/Oracle/IBM ways
>
> 1. Add `fips=1' to the kernel parameters to enable FIPS mode in the kernel
>
> 2. The file /etc/system-fips determines if FIPS mode is enabled in user space,
> currently for openssh only
>
> Refer:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
> https://access.redhat.com/discussions/3293631
> https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
> https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
> https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit a4e3e55688b7a3666bcec95c342dab7984e7e0a3
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 19:27:45 2019 +0800
>
> rng-tools: fix rngd failed in fips mode
>
> The FIPS test is something done at government or more secure organizations
> as an extra security check.
> ...
> root@qemux86-64:~# systemctl status rngd
> Unit rngd-tools.service could not be found.
> root@qemux86-64:~# systemctl status rngd
> rngd.service - Hardware RNG Entropy Gatherer Daemon
> Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
> Active: inactive (dead) since Sun 2019-09-22 11:10:41 UTC; 18min ago
> Process: 317 ExecStart=/usr/sbin/rngd -f $EXTRA_ARGS (code=exited, status=0/SUCCESS)
> Main PID: 317 (code=exited, status=0/SUCCESS)
>
> Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
> Sep 22 11:10:37 qemux86-64 rngd[317]: RNDADDENTROPY failed: Operation not permitted
> Sep 22 11:10:37 qemux86-64 rngd[317]: too many FIPS failures, disabling entropy source
> ...
>
> From the rngd manual, add `-i' to default
> ...
> -i, --ignorefail
> Ignore repeated fips failures
> ...
>
> After applying the fix
> ...
> rngd.service - Hardware RNG Entropy Gatherer Daemon
> Loaded: loaded (/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
> Active: active (running) since Sun 2019-09-22 12:18:31 UTC; 4min 35s ago
> Main PID: 121 (rngd)
> Tasks: 2
> Memory: 1.8M
> CGroup: /system.slice/rngd.service
> /usr/sbin/rngd -f -r /dev/hwrng -i
>
> Sep 22 12:23:06 qemux86-64 rngd[121]: RNDADDENTROPY failed: Operation not permitted
> ...
>
> Refer:
> https://www.unix.com/unix-for-advanced-and-expert-users/265510-rngd-failed-fips-test.html
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit c3224883bec9155fb51686a908c59da31d9918f5
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 19:27:01 2019 +0800
>
> rng-tools bbappend: port a copy of default from oe-core
>
> Port it from the following commit in oe-core
> http://cgit.openembedded.org/openembedded-core/commit/?id=16ced1a253c74c01ca414db2f1a010c083213b91
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit aecc01c2e49825dcb2a78875e0562028b2636fab
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 18:48:08 2019 +0800
>
> openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode
>
> Running sshd_check_keys failed:
> ...
> 2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]: generating ssh ED25519 host key...
> 2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
> ...
>
> If FIPS mode is enabled (existence of "/etc/system-fips"), don't generate
> ED25519 host keys
>
> Refer to Fedora:
> https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
> https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit 67f47b09f427d9bb8e5db7a587ccc48a66351d13
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 18:43:03 2019 +0800
>
> openssh: port a copy of sshd_check_keys from oe-core
>
> Port it from the following commit in oe-core
> http://cgit.openembedded.org/openembedded-core/commit/?id=2303d795ae96f1a60caf145a0ddf100e89c4b5b0
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit ef9cbad4917c9327705a671a812da70659641b34
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 14:36:41 2019 +0800
>
> openssh: conditional enable fips mode
>
> Enable fips mode according to the existence of "/etc/system-fips"
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit f9a362a102afab48a58e35ca482395cb11ce2679
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sun Sep 22 12:18:02 2019 +0800
>
> kernel: workaround alg self-tests failure in fips mode
>
> When the kernel enables FIPS mode, it starts the alg self-tests, and there is
> a kernel panic at ecdh-generic
> ...
> [ 0.311313] alg: ecdh: test failed on vector 2, err=-14
> [ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
> ...
>
> Continue without Jitter RNG for FIPS to work around the alg self-tests failure;
> after applying the fix:
> ...
> [ 0.306633] DRBG: Continuing without Jitter RNG
> [ 0.310550] alg: self-tests for ecdh-generic (ecdh) passed
> ...
>
> Refer: https://lore.kernel.org/patchwork/patch/568693/
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit ba498f76d6067ce5cf57be037deecde9bb7cf664
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat Sep 21 14:43:28 2019 +0800
>
> add kernel fips mode support
>
> A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in FIPS mode
> by specifying fips=1 as a kernel parameter. [1][2]
>
> /proc/sys/crypto/fips_enabled is presumably used by the Red Hat
> modified version of OpenSSL. [3]
>
> [1] https://www.linux.org/docs/man8/fipscheck.html
> [2] https://cateee.net/lkddb/web-lkddb/CRYPTO_FIPS.html
> [3] https://mta.openssl.org/pipermail/openssl-users/2017-May/005840.html
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit 6ead6e738a7da55b123f6c55058259f3df214509
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat Sep 21 14:24:51 2019 +0800
>
> openssh: add generation of HMAC checksums in pkg_postinst
>
> Refer https://src.fedoraproject.org/rpms/openssh/c/13fa787ecc35d6c9eea9e64c1f42f49e2ee978ce
> (See __spec_install_post in openssh.spec for detail)
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit d9906e35fcdf60e773d2272117383e3ec7ca9bc0
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat Sep 21 12:49:53 2019 +0800
>
> classes/image-enable-fips.bbclass: enable user space fips mode in image
>
> Refer to Fedora/RedHat's way
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_technical_notes/dracut
>
> To enable user space FIPS mode in the image recipe as part of
> 'IMAGE_CLASSES'. Basically, if FIPS-140-2 is enabled, then we can
> touch the file as a post-image-generation activity.
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit 2d4d0ad9655b5349815af9f8e6a19830fcf40f02
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat Sep 21 12:25:17 2019 +0800
>
> fipscheck: add generation of the checksums in pkg_postinst
>
> Refer https://pagure.io/fipscheck/c/489bc3ab3f73707e12b6c2644d80af5ff6fbbf70
> (* fipscheck.spec.in: Add generation of the checksums in __spec_install_post.)
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit d915bb67402e504ee8aa47ce988afcb07eb829a4
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Fri Sep 20 22:06:17 2019 +0800
>
> openssh_8.%.bbappend: support fips 140-2
>
> Port openssh-7.7p1-fips.patch from Fedora
> https://src.fedoraproject.org/rpms/openssh.git
> (as of commit 0ca1614ae221578b6b57c61d18fda6cc970a19ce)
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
> commit 0516bd7ba43434d8fafb92f5eb3801c726ce1d46
> Author: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Fri Sep 20 15:43:44 2019 +0800
>
> fipscheck: add 1.5.0
>
> Port it from Fedora:
> https://src.fedoraproject.org/rpms/fipscheck
> (as of commit 7e44bec705fb2b3263734f30a05c2245738cf01a)
>
> It is required by openssh fips.
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>
>
>
> ====== Testing ======
> * Commands
> See README.build README.enable_fips README.openssh_cavstest
>
> * Expected Results
> See README.build README.enable_fips README.openssh_cavstest
>
> * Applicable to
> qemux86-64
>
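As an added example (not code from this patch set, nor oe-core's sshd_check_keys), the following POSIX shell sketch shows the two checks the cover letter describes: reading the kernel switch (/proc/sys/crypto/fips_enabled, set by fips=1) and the user space marker (/etc/system-fips), reporting when the two disagree, and skipping ED25519 host key generation when the user space marker is present. The function names and the list of key types are assumptions; paths are parameters so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not the layer's or oe-core's sshd_check_keys script.
# Kernel FIPS mode shows up in /proc/sys/crypto/fips_enabled (fips=1),
# user space FIPS mode is signalled by /etc/system-fips, and ED25519
# host keys must not be generated when FIPS mode is on.  Paths are
# parameters (defaults are the real ones); key type list is assumed.

# fips_mode [SYSFIPS_FILE] [PROC_FIPS_FILE]
# Prints "both", "kernel", "userspace" or "none" so a caller can spot the
# inconsistent states (fips=1 without /etc/system-fips, or the reverse).
fips_mode() {
    fm_sysfips="${1:-/etc/system-fips}"
    fm_procfips="${2:-/proc/sys/crypto/fips_enabled}"
    fm_kernel=0
    fm_user=0
    [ -e "$fm_sysfips" ] && fm_user=1
    if [ -r "$fm_procfips" ] && [ "$(cat "$fm_procfips")" = "1" ]; then
        fm_kernel=1
    fi
    case "$fm_kernel$fm_user" in
        11) echo both ;;
        10) echo kernel ;;
        01) echo userspace ;;
        *)  echo none ;;
    esac
}

# host_key_types [SYSFIPS_FILE]
# Prints the host key types to generate.  ED25519 is dropped when the
# user space marker exists, because ssh-keygen refuses it in FIPS mode
# ("ED25519 keys are not allowed in FIPS mode" in the cover letter log).
host_key_types() {
    hk_types="rsa ecdsa"
    [ -e "${1:-/etc/system-fips}" ] || hk_types="$hk_types ed25519"
    echo "$hk_types"
}

# generate_missing_host_keys KEYDIR [SYSFIPS_FILE]
# Creates each host key from host_key_types that does not exist yet.
generate_missing_host_keys() {
    gk_dir="$1"
    for gk_t in $(host_key_types "$2"); do
        gk_file="$gk_dir/ssh_host_${gk_t}_key"
        [ -f "$gk_file" ] && continue
        echo "generating ssh ${gk_t} host key..."
        ssh-keygen -q -f "$gk_file" -N '' -t "$gk_t" || return 1
    done
}
```

Source the file and call `fips_mode` with no arguments on a booted target; a result of "kernel" or "userspace" means only one of the two switches from the patch set is set.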