Skip to content

Commit 69d3047

Browse files
xumiaxumia
committed
Support OpenSSL 3.0 SymCrypt provider for bookworm
1 parent 518c3bc commit 69d3047

File tree

7 files changed

+44
-25
lines changed

7 files changed

+44
-25
lines changed

Makefile.work

+3-12
Original file line numberDiff line numberDiff line change
@@ -141,6 +141,7 @@ rules/config.user:
141141

142142
include rules/config
143143
-include rules/config.user
144+
include rules/sonic-fips.mk
144145

145146
ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
146147
override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
@@ -177,18 +178,6 @@ endif
177178
SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
178179
DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV)
179180

180-
# Support FIPS feature, armhf not supported yet
181-
ifeq ($(PLATFORM_ARCH),armhf)
182-
INCLUDE_FIPS := n
183-
ENABLE_FIPS := n
184-
endif
185-
186-
# FIPS not yet available on Bookworm
187-
ifeq ($(BLDENV),bookworm)
188-
$(warning FIPS support not yet available on Bookworm)
189-
INCLUDE_FIPS := n
190-
endif
191-
192181
ifeq ($(INCLUDE_FIPS), n)
193182
ifeq ($(ENABLE_FIPS), y)
194183
$(error Cannot set fips config ENABLE_FIPS=y when INCLUDE_FIPS=n)
@@ -222,6 +211,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
222211
INCLUDE_FIPS=$(INCLUDE_FIPS) \
223212
DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
224213
DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
214+
FIPS_VERSION=$(FIPS_VERSION) \
215+
FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
225216
j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
226217

227218
$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \

azure-pipelines.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ variables:
4242
- name: CACHE_MODE
4343
value: rcache
4444
- name: ENABLE_FIPS
45-
value: n
45+
value: y
4646
- name: BUILD_BRANCH
4747
${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
4848
value: $(System.PullRequest.TargetBranch)

dockers/docker-base-bookworm/Dockerfile.j2

+2-1
Original file line numberDiff line numberDiff line change
@@ -60,7 +60,8 @@ RUN apt update && \
6060
jq \
6161
# for sairedis zmq rpc channel
6262
libzmq5 \
63-
libwrap0
63+
libwrap0 \
64+
libatomic1
6465

6566
# Add a config file to allow pip to install packages outside of apt/the Debian repos
6667
COPY ["pip.conf", "/etc/pip.conf"]

files/build_templates/sonic_debian_extension.j2

+7
Original file line numberDiff line numberDiff line change
@@ -727,6 +727,13 @@ exit 101
727727
EOF
728728
sudo chmod a+x $FILESYSTEM_ROOT/usr/sbin/policy-rc.d
729729

730+
if [ "$INCLUDE_FIPS" == y ]; then
731+
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libatomic1
732+
# The package openssh-client 9.2 is conflict with FIPS, the line below can be removed when the openssh-client version>=9.4
733+
# The package will be reinstalled when isntalling the FIPS packages
734+
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove openssh-client
735+
fi
736+
730737
{% if installer_debs.strip() -%}
731738
{% for deb in installer_debs.strip().split(' ') -%}
732739
sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

rules/sonic-fips.mk

+26-4
Original file line numberDiff line numberDiff line change
@@ -1,30 +1,48 @@
11
# fips packages
22

3-
FIPS_VERSION = 0.10
3+
ifeq ($(BLDENV), bookworm)
4+
FIPS_VERSION = 1.4.3-preview
5+
FIPS_OPENSSL_VERSION = 3.0.11-1~deb12u2+fips
6+
FIPS_OPENSSH_VERSION = 9.2p1-2+deb12u2+fips
7+
FIPS_PYTHON_MAIN_VERSION = 3.11
8+
FIPS_PYTHON_VERSION = 3.11.2-6+fips
9+
FIPS_GOLANG_MAIN_VERSION = 1.19
10+
FIPS_GOLANG_VERSION = 1.19.8-2+fips
11+
FIPS_KRB5_VERSION = 1.20.1-2+deb12u1+fips
12+
endif
13+
14+
ifeq ($(BLDENV), bullseye)
15+
FIPS_VERSION = 0.12
416
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
517
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
618
FIPS_PYTHON_MAIN_VERSION = 3.9
719
FIPS_PYTHON_VERSION = 3.9.2-1+fips
820
FIPS_GOLANG_MAIN_VERSION = 1.15
921
FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
1022
FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
23+
endif
24+
1125
FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)
1226

1327
SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
1428
SYMCRYPT_OPENSSL = $(SYMCRYPT_OPENSSL_NAME)_$(FIPS_VERSION)_$(CONFIGURED_ARCH).deb
1529
$(SYMCRYPT_OPENSSL)_SRC_PATH = $(SRC_PATH)/sonic-fips
1630

1731
FIPS_OPENSSL = openssl_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
32+
ifeq ($(BLDENV), bookworm)
33+
FIPS_OPENSSL_LIBSSL = libssl3_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
34+
else
1835
FIPS_OPENSSL_LIBSSL = libssl1.1_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
36+
endif
1937
FIPS_OPENSSL_LIBSSL_DEV = libssl-dev_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
2038
FIPS_OPENSSL_LIBSSL_DOC = libssl-doc_$(FIPS_OPENSSL_VERSION)_all.deb
2139
FIPS_OPENSSL_ALL = $(FIPS_OPENSSL) $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL_LIBSSL_DOC)
2240

23-
FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
41+
FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_all.deb
2442
FIPS_OPENSSH_CLIENT = openssh-client_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
2543
FIPS_OPENSSH_SFTP_SERVER = openssh-sftp-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
2644
FIPS_OPENSSH_SERVER = openssh-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
27-
FIPS_OPENSSH_ALL = $(FIPS_SSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER)
45+
FIPS_OPENSSH_ALL = $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_OPENSSH)
2846

2947
FIPS_PYTHON = python$(FIPS_PYTHON_MAIN_VERSION)_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
3048
FIPS_PYTHON_MINIMAL = python$(FIPS_PYTHON_MAIN_VERSION)-minimal_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
@@ -35,7 +53,11 @@ FIPS_PYTHON_ALL = $(FIPS_PYTHON) $(FIPS_PYTHON_MINIMAL) $(FIPS_LIBPYTHON) $(FIPS
3553

3654
FIPS_GOLANG = golang-$(FIPS_GOLANG_MAIN_VERSION)_$(FIPS_GOLANG_VERSION)_all.deb
3755
FIPS_GOLANG_GO = golang-$(FIPS_GOLANG_MAIN_VERSION)-go_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
56+
ifeq ($(BLDENV), bookworm)
57+
FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_all.deb
58+
else
3859
FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
60+
endif
3961
FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_all.deb
4062
FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)
4163

@@ -55,7 +77,7 @@ FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
5577

5678

5779
ifeq ($(INCLUDE_FIPS), y)
58-
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
80+
FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
5981
SONIC_MAKE_DEBS += $(SYMCRYPT_OPENSSL)
6082

6183
$(foreach package,$(FIPS_DERIVED_TARGET),$(eval $(call add_extra_package,$(SYMCRYPT_OPENSSL),$(package))))

sonic-slave-bookworm/Dockerfile.j2

+3-5
Original file line numberDiff line numberDiff line change
@@ -507,12 +507,10 @@ RUN apt-get install -y kernel-wedge
507507
# For gobgp and telemetry build
508508
RUN apt-get install -y golang
509509
{%- if INCLUDE_FIPS == "y" %}
510-
# FIPS not yet available
511-
RUN false
512-
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
513-
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
510+
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
511+
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bookworm/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.19-src_{{ FIPS_GOLANG_VERSION }}_all.deb' \
514512
&& dpkg -i golang-go.deb golang-src.deb \
515-
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
513+
&& ln -sf /usr/lib/go-1.19 /usr/local/go \
516514
&& rm golang-go.deb golang-src.deb
517515
{%- else %}
518516
RUN apt-get install -y golang-go \

sonic-slave-bullseye/Dockerfile.j2

+2-2
Original file line numberDiff line numberDiff line change
@@ -514,8 +514,8 @@ RUN eatmydata apt-get install -y kernel-wedge
514514
# For gobgp and telemetry build
515515
RUN eatmydata apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
516516
{%- if INCLUDE_FIPS == "y" %}
517-
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
518-
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
517+
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
518+
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
519519
&& eatmydata dpkg -i golang-go.deb golang-src.deb \
520520
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
521521
&& rm golang-go.deb golang-src.deb

0 commit comments

Comments
 (0)