Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sync FIPS detection with the PE installer #310

Merged
merged 1 commit into from
Dec 1, 2022
Merged

Sync FIPS detection with the PE installer #310

merged 1 commit into from
Dec 1, 2022

Conversation

Sharpie
Copy link
Member

@Sharpie Sharpie commented Nov 29, 2022
edited
Loading

Prior to this commit, peadm used the fips-mode-setup --is-enabled command to detect whether FIPS mode was enabled. Unfortunately, this command does not produce a meaningful exit code. It exits with success on RHEL 8 where the --is-enabled flag is invalid:

$ fips-mode-setup --is-enabled
Check, enable, or disable the system FIPS mode.
usage: /usr/bin/fips-mode-setup --enable|--disable [--no-bootcfg]
usage: /usr/bin/fips-mode-setup --check

$ echo $?
0

And exits with success when FIPS mode is disabled:

$ fips-mode-setup --check
Installation of FIPS modules is not completed.
FIPS mode is disabled.

$ echo $?
0

The end result is that if the crypto-policies-scripts package happens to be installed on a RHEL node, peadm will assume the node is in FIPS mode and download the wrong PE installer package.

This commit updates peadm to use the same method for detecting
FIPS as the PE installer: cat /proc/sys/crypto/fips_enabled

@Sharpie Sharpie requested a review from a team as a code owner November 29, 2022 22:26
@Sharpie
Sync FIPS detection with the PE installer
8376f8a 
Prior to this commit, `peadm` used the `fips-mode-setup --is-enabled`
command to detect whether FIPS mode was enabled. Unfortunately,
this command does not produce a meaningful exit code. It exits
with success on RHEL 8 where the `--is-enabled` flag is invalid:

```
$ fips-mode-setup --is-enabled
Check, enable, or disable the system FIPS mode.
usage: /usr/bin/fips-mode-setup --enable|--disable [--no-bootcfg]
usage: /usr/bin/fips-mode-setup --check

$ echo $?
0
```

And exits with success when FIPS mode is disabled:

```
$ fips-mode-setup --check
Installation of FIPS modules is not completed.
FIPS mode is disabled.

$ echo $?
0
```

The end result is that if the `crypto-policies-scripts` package
happens to be installed on a RHEL node, `peadm` will assume the
node is in FIPS mode and download the wrong PE installer package.

This commit updates `peadm` to use the same method for detecting
FIPS as the PE installer: `cat /proc/sys/crypto/fips_enabled`
@Sharpie Sharpie force-pushed the use-procfs-to-detect-fips branch from 66ed667 to 8376f8a Compare November 29, 2022 22:28
timidri
timidri approved these changes Dec 1, 2022
View reviewed changes
Copy link
Contributor

@timidri timidri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@timidri timidri merged commit e90c8ed into puppetlabs:main Dec 1, 2022
@Sharpie Sharpie deleted the use-procfs-to-detect-fips branch January 10, 2023 21:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timidri timidri timidri approved these changes

Assignees
No one assigned
Labels
bugfix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Sharpie @timidri @davidsandilands