Add the SONiC FIPS configure introduction #997

Merged
merged 3 commits into from
Jul 8, 2022
37 changes: 34 additions & 3 deletions doc/fips/SONiC-OpenSSL-FIPS-140-3.md
Expand Up @@ -5,6 +5,7 @@
| Rev | Date | Author | Change Description |
| :---: | :--------: | :--------: | ------------------ |
| 0.1 | 2022-02-22 | Xuhui Miao | Initial version |
| 0.2 | 2022-07-07 | Xuhui Miao | Update Fips config |

## Table of Contents
- [Abbreviation](#abbreviation)
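Review bot: In the new revision-history row (0.2), "Update Fips config" should read "Update FIPS config" to match the capitalization used throughout the rest of the document; a slightly more descriptive entry, such as "Add sonic_fips kernel parameter and sonic-installer FIPS commands", would also help readers locate what changed in this revision.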
Expand All @@ -23,6 +24,7 @@
* [Enable FIPS on system level](#Enable-FIPS-on-system-level)
* [Enable FIPS on application level](#Enable-FIPS-on-application-level)
* [SONiC Build Options](#SONiC-Build-Options)
- [SONiC FIPS Command lines](#SONiC-FIPS-Command-lines)
- [Q&A](#Q&A)


Expand Down Expand Up @@ -126,14 +128,29 @@ For OpenSSH, Centos provides a [patch](https://git.centos.org/rpms/openssh/raw/c
## SONiC FIPS Configuration

### Enable FIPS on system level
Add the Linux System parameter fips=1, in grub config, one of implemetation as below:
Set the Linux System parameter sonic_fips=1, to validate if the FIPS is enabled:
```
grep 'sonic_fips=1' /proc/cmdline
```

There is another parameter fips=1 supported for SymCrypt OpenSSL to enable FIPS. The parameter will enable the Linux Kernel FIPS, but the Linux Kernel FIPS is not supported yet, and it is out of scope in this document. In future, when the FIPS is supported by SONiC Linux Kernel, and the parameter fips=1 has already set, it is not necessary to set sonic_fips=1.

For grub, one of implemetation as below:
cat /etc/grub.d/99-fips.cfg
```
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT fips=1"
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT sonic_fips=1"
```

To validate the FIPS enabled, grep 'fips=1' /proc/cmdline.
For uboot, use fw_setenv to variable linuxargs to change the boot options.
```
OTHER_OPTIONS=$(fw_printenv linuxargs | sed 's/linuxargs=//')
fw_setenv linuxargs "$OTHER_OPTIONS sonic_fips=1"
```

For Aboot, add the config in /host/image-{version}/kernel-cmdline, example:
```
reboot=p console=ttyS0 acpi=on Aboot=Aboot-norcal7-7.2.0-pcie2x4-6128821 <other parameters...> sonic_fips=1
```

### Enable FIPS on application level
```
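Review bot: The u-boot snippet appends sonic_fips=1 to linuxargs unconditionally, so running it a second time leaves the parameter duplicated in the boot line; guard it with a check such as `fw_printenv linuxargs | grep -q 'sonic_fips=1'` before calling fw_setenv, or strip any existing occurrence in the sed expression first. Two smaller points in the same hunk: the line `cat /etc/grub.d/99-fips.cfg` sits outside the code fence that follows it, and "implemetation" on the grub line is a typo for "implementation". The paragraph on fips=1 would also read more clearly as "once the SONiC Linux kernel supports FIPS and fips=1 is already set, sonic_fips=1 is no longer needed".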
Expand Down Expand Up @@ -163,6 +180,20 @@ ENABLE_FIPS ?= n
```
If the ENABLE_FIPS_FEATURE is not set, then the option ENABLE_FIPS is useless.

## SONiC FIPS Command lines
### The command line to enable or disable FIPS
sonic-installer set-fips <image> [--enable-fips|--disable-fips]
Contributor

set-fips --enable-fips feels redundant compared to just set-fips --enable but this is just nitpicking.
If the plan is to have future knobs to this set-fips command then it's probably better to keep it the way you currently have it.

Contributor Author

@Staphylo , thanks for your comment.
The option --enable-fips can be skipped; it is not necessary.
To enable it:

sonic-installer set-fips

To disable it:

sonic-installer set-fips --disable-fips


If the image is not specified, the next boot image will be used.
The default behavior is to enable FIPS, if none of the option --enable-fips or --disable-fips specified.

### The command line to show FIPS status
sonic-installer get-fips <image>

Returns the following message: FIPS is enabled/disabled.
If the image is not specified, the next boot image will be used.


## Q&A
### Does SymCrypt use Linux Kernel crypto module?
SymCrypt on Linux does not rely on Kernel crypt for FIPS certification today.
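Review bot: The two command synopses `sonic-installer set-fips <image> [--enable-fips|--disable-fips]` and `sonic-installer get-fips <image>` are not inside code fences, unlike the other commands in this document, and a bare `<image>` placeholder outside a fence will be treated as an HTML tag by the markdown renderer and disappear; wrap both lines in fences. For get-fips, stating the exact output strings (and whether the exit status distinguishes enabled from disabled) would make the command usable from scripts, and the sentence "if none of the option --enable-fips or --disable-fips specified" should read "if neither --enable-fips nor --disable-fips is specified".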