
Automatic FIPS mode bind-mounts rely on the presence of deprecated /etc/system-fips

Open neverpanic opened this issue 6 months ago • 0 comments

The MountsWithUIDGID function in pkg/subscriptions/subscriptions.go tests for the presence of /etc/system-fips on the host. It calls addFIPSModeSubscription, which creates /etc/system-fips inside the container at pkg/subscriptions/subscriptions.go#L327-L335.

/etc/system-fips is deprecated and was removed on current Fedora and in CentOS 10 Stream. See https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/111 and https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality#JIRA-RHELPLAN-103232. containers/common should instead check the contents of /proc/sys/crypto/fips_enabled, which works on all systems down to RHEL 6.10, and contains 1\n if the system is in FIPS mode.

containers/common should not create the /etc/system-fips file on systems >= CentOS 10 Stream (although I'm not sure how to implement this in a container-agnostic way).

Additionally, as a simplification and with better user space tooling support, the crypto-policies package will start shipping /usr/share/crypto-policies/default-fips-config, which can replace manual creation of the file to be bind-mounted over /etc/crypto-policies/config (see pkg/subscriptions/subscriptions.go#L367-L383) in c10s and beyond. The update-crypto-policies user space tooling has also been improved to detect these two bind mounts and undo them if users choose to manually change the active crypto-policy, something that has previously failed in podman containers on FIPS hosts, because the bind-mount over the config file was always read-only. As a cautionary measure, update-crypto-policies --set will only unmount bind-mounts if they match exactly in both the source and target, so you would have to switch to /usr/share/crypto-policies/default-fips-config as source for the mount over /etc/crypto-policies/config to enable this improved user experience. We will also make sure that installing a crypto-policies package update does not incorrectly overwrite the bind-mounted files, something which currently still happens with the way the bind mounts are set up.

neverpanic avatar Aug 21 '24 11:08 neverpanic