feat: Enable FIPS customization for Fedora

Enable FIPS customization for Fedora images. Signed-off-by: Miguel Martín <[email protected]>
osbuild · Dec 11, 2023 · 3f0d627 · 3f0d627
1 parent 3426c73
commit 3f0d627
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 8 deletions.
diff --git a/pkg/distro/fedora/distro.go b/pkg/distro/fedora/distro.go
@@ -122,6 +122,7 @@ var (
 		},
 		defaultImageConfig: &distro.ImageConfig{
 			EnabledServices: iotServices,
+			DracutConf:      []*osbuild.DracutConfStageOptions{osbuild.FIPSDracutConfStageOptions},
 		},
 		rpmOstree:        true,
 		image:            iotCommitImage,
@@ -143,6 +144,7 @@ var (
 		},
 		defaultImageConfig: &distro.ImageConfig{
 			EnabledServices: iotServices,
+			DracutConf:      []*osbuild.DracutConfStageOptions{osbuild.FIPSDracutConfStageOptions},
 		},
 		rpmOstree:        true,
 		bootISO:          false,

diff --git a/pkg/distro/fedora/distro_test.go b/pkg/distro/fedora/distro_test.go
@@ -492,11 +492,11 @@ func TestDistro_ManifestError(t *testing.T) {
 				} else if imgTypeName == "iot-installer" || imgTypeName == "iot-simplified-installer" {
 					assert.EqualError(t, err, fmt.Sprintf("boot ISO image type \"%s\" requires specifying a URL from which to retrieve the OSTree commit", imgTypeName))
 				} else if imgTypeName == "image-installer" {
-					assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for boot ISO image type \"%s\": (allowed: User, Group)", imgTypeName))
+					assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for boot ISO image type \"%s\": (allowed: User, Group, FIPS)", imgTypeName))
 				} else if imgTypeName == "live-installer" {
 					assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for boot ISO image type \"%s\": (allowed: None)", imgTypeName))
 				} else if imgTypeName == "iot-raw-image" || imgTypeName == "iot-qcow2-image" {
-					assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services)", imgTypeName))
+					assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services, FIPS)", imgTypeName))
 				} else {
 					assert.NoError(t, err)
 				}
@@ -672,7 +672,7 @@ func TestDistro_CustomFileSystemManifestError(t *testing.T) {
 			if imgTypeName == "iot-commit" || imgTypeName == "iot-container" {
 				assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
 			} else if imgTypeName == "iot-raw-image" || imgTypeName == "iot-qcow2-image" {
-				assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services)", imgTypeName))
+				assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services, FIPS)", imgTypeName))
 			} else if imgTypeName == "iot-installer" || imgTypeName == "iot-simplified-installer" || imgTypeName == "image-installer" {
 				continue
 			} else if imgTypeName == "live-installer" {
@@ -704,7 +704,7 @@ func TestDistro_TestRootMountPoint(t *testing.T) {
 			if imgTypeName == "iot-commit" || imgTypeName == "iot-container" {
 				assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
 			} else if imgTypeName == "iot-raw-image" || imgTypeName == "iot-qcow2-image" {
-				assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services)", imgTypeName))
+				assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services, FIPS)", imgTypeName))
 			} else if imgTypeName == "iot-installer" || imgTypeName == "iot-simplified-installer" || imgTypeName == "image-installer" {
 				continue
 			} else if imgTypeName == "live-installer" {
@@ -844,7 +844,7 @@ func TestDistro_CustomUsrPartitionNotLargeEnough(t *testing.T) {
 			if imgTypeName == "iot-commit" || imgTypeName == "iot-container" {
 				assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
 			} else if imgTypeName == "iot-raw-image" || imgTypeName == "iot-qcow2-image" {
-				assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services)", imgTypeName))
+				assert.EqualError(t, err, fmt.Sprintf("unsupported blueprint customizations found for image type %q: (allowed: User, Group, Directories, Files, Services, FIPS)", imgTypeName))
 			} else if imgTypeName == "iot-installer" || imgTypeName == "iot-simplified-installer" || imgTypeName == "image-installer" {
 				continue
 			} else if imgTypeName == "live-installer" {

diff --git a/pkg/distro/fedora/images.go b/pkg/distro/fedora/images.go
@@ -47,6 +47,8 @@ func osCustomizations(
 		osc.KernelOptionsAppend = kernelOptions
 	}
 
+	osc.FIPS = c.GetFIPS()
+
 	osc.ExtraBasePackages = osPackageSet.Include
 	osc.ExcludeBasePackages = osPackageSet.Exclude
 	osc.ExtraBaseRepos = osPackageSet.Repositories
@@ -467,6 +469,7 @@ func iotInstallerImage(workload workload.Workload,
 	img := image.NewAnacondaOSTreeInstaller(commit)
 
 	customizations := bp.Customizations
+	img.FIPS = customizations.GetFIPS()
 	img.Platform = t.platform
 	img.ExtraBasePackages = packageSets[installerPkgsKey]
 	img.Users = users.UsersFromBP(customizations.GetUsers())
@@ -508,6 +511,7 @@ func iotImage(workload workload.Workload,
 	distro := t.Arch().Distro()
 
 	customizations := bp.Customizations
+	img.FIPS = customizations.GetFIPS()
 	img.Users = users.UsersFromBP(customizations.GetUsers())
 	img.Groups = users.GroupsFromBP(customizations.GetGroups())
 
@@ -581,6 +585,7 @@ func iotSimplifiedInstallerImage(workload workload.Workload,
 	rawImg := image.NewOSTreeDiskImageFromCommit(commit)
 
 	customizations := bp.Customizations
+	rawImg.FIPS = customizations.GetFIPS()
 	rawImg.Users = users.UsersFromBP(customizations.GetUsers())
 	rawImg.Groups = users.GroupsFromBP(customizations.GetGroups())
 

diff --git a/pkg/distro/fedora/imagetype.go b/pkg/distro/fedora/imagetype.go
@@ -270,7 +270,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 	}
 
 	if t.name == "iot-raw-image" || t.name == "iot-qcow2-image" {
-		allowed := []string{"User", "Group", "Directories", "Files", "Services"}
+		allowed := []string{"User", "Group", "Directories", "Files", "Services", "FIPS"}
 		if err := customizations.CheckAllowed(allowed...); err != nil {
 			return nil, fmt.Errorf("unsupported blueprint customizations found for image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
 		}
@@ -281,7 +281,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 	// TODO: Support kernel name selection for image-installer
 	if t.bootISO {
 		if t.name == "iot-simplified-installer" {
-			allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group"}
+			allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group", "FIPS"}
 			if err := customizations.CheckAllowed(allowed...); err != nil {
 				return nil, fmt.Errorf("unsupported blueprint customizations found for boot ISO image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
 			}
@@ -319,7 +319,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 				}
 			}
 		} else if t.name == "iot-installer" || t.name == "image-installer" {
-			allowed := []string{"User", "Group"}
+			allowed := []string{"User", "Group", "FIPS"}
 			if err := customizations.CheckAllowed(allowed...); err != nil {
 				return nil, fmt.Errorf("unsupported blueprint customizations found for boot ISO image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
 			}