Support FIPS DB configuration (#15632)
Why I did it: Support FIPS DB configuration. Design Doc: sonic-net/SONiC#1372. Work item tracking: Microsoft ADO (number only): 24411148. How I did it: Add the FIPS YANG model to make FIPS configurable in ConfigDB. How to verify it: See TestPlan: sonic-net/sonic-mgmt#9092. Build the image and run the tests: sonic-net/sonic-mgmt#9091
This commit is contained in:
parent
1908a04fdf
commit
288ebd5dd3
@ -636,6 +636,10 @@ then
|
||||
|
||||
fi
|
||||
|
||||
## Set FIPS runtime default option
|
||||
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/fips"
|
||||
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable"
|
||||
|
||||
# #################
|
||||
# secure boot
|
||||
# #################
|
||||
|
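Review bot: The default written by `echo 0 > /etc/fips/fips_enable` has no comment saying who reads the file or how it gets flipped, so the next maintainer has to chase the runtime path from scratch. I would extend the header to `## Set FIPS runtime default option: /etc/fips/fips_enable holds 0/1, is bind-mounted read-only into containers, and is expected to be overridden at runtime from the FIPS|global table in ConfigDB` — the last clause is my inference from the accompanying YANG model and bind mount in this commit and should be confirmed against the design doc. As a point of style, the two `chroot` invocations could be one, `sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/fips && echo 0 > /etc/fips/fips_enable"`, so a failed mkdir stops the sequence instead of surfacing as a confusing redirect error on the second line.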
@ -596,6 +596,7 @@ start() {
|
||||
-v /usr/share/sonic/device/$PLATFORM/$HWSKU/$DEV:/usr/share/sonic/hwsku:ro \
|
||||
{%- endif %}
|
||||
$REDIS_MNT \
|
||||
-v /etc/fips/fips_enable:/etc/fips/fips_enable:ro \
|
||||
-v /usr/share/sonic/device/$PLATFORM:/usr/share/sonic/platform:ro \
|
||||
-v /usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro \
|
||||
{%- if sonic_asic_platform != "mellanox" %}
|
||||
|
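Review bot: Bind-mounting the single file `/etc/fips/fips_enable` is fragile in two ways the hunk does not guard against. If the host path does not exist when the container is created (an image upgraded from a build that predates this file, or the file removed by hand), Docker silently creates a directory at that path on both sides, and any later `echo 0 > /etc/fips/fips_enable` fails; and if the runtime ever updates the flag by writing a new file and renaming it over the old one, the container keeps the original inode and never sees the change (I have not seen the writer, so this second point is inferred). Mounting the directory instead, `-v /etc/fips:/etc/fips:ro \`, avoids both problems, and a `mkdir -p /etc/fips` (or a `touch` of the file) in `start()` before the container is created would cover the missing-path case on its own. The enclosing `start()` function begins before this hunk.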
@ -243,6 +243,11 @@ fi
|
||||
echo "ONIE_IMAGE_PART_SIZE=$demo_part_size"
|
||||
|
||||
extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%
|
||||
# Inherit the FIPS option, so not necessary to do another reboot after upgraded
|
||||
if grep -q '\bsonic_fips=1\b' /proc/cmdline && echo " $extra_cmdline_linux" | grep -qv '\bsonic_fips=.\b'; then
|
||||
extra_cmdline_linux="$extra_cmdline_linux sonic_fips=1"
|
||||
fi
|
||||
|
||||
echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
|
||||
|
||||
# Update Bootloader Menu with installed image
|
||||
|
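Review bot: The test `echo " $extra_cmdline_linux" | grep -qv '\bsonic_fips=.\b'` only means "not already set" because its input is a single line: `grep -v -q` succeeds when any line fails to match, not when no line matches, so the intent is better spelled `! echo " $extra_cmdline_linux" | grep -q 'sonic_fips='`. The `\b` escape is a GNU regex extension, and this installer runs under ONIE where grep may be a BusyBox build whose libc regex does not honour it — worth confirming on a target, or sidestepping with `grep -qw 'sonic_fips=1' /proc/cmdline`, which is portable and rejects `sonic_fips=10` just as the `\b` form does. It would also help to say in the comment that only the *on* state is inherited, e.g. `# Only carry FIPS *on* across an upgrade; an explicit sonic_fips=<n> already in the new cmdline wins`.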
@ -2423,6 +2423,21 @@ The DNS_NAMESERVER table introduces static DNS nameservers configuration.
|
||||
}
|
||||
```
|
||||
|
||||
### FIPS
|
||||
|
||||
The FIPS table introduces FIPS configuration.
|
||||
|
||||
```json
|
||||
{
|
||||
"FIPS": {
|
||||
"global" : {
|
||||
"enable": "true",
|
||||
"enforce": "false"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
#### 5.2.3 Update value directly in db memory
|
||||
|
||||
For Developers
|
||||
|
@ -120,6 +120,7 @@ setup(
|
||||
'./yang-models/sonic-flex_counter.yang',
|
||||
'./yang-models/sonic-fine-grained-ecmp.yang',
|
||||
'./yang-models/sonic-feature.yang',
|
||||
'./yang-models/sonic-fips.yang',
|
||||
'./yang-models/sonic-hash.yang',
|
||||
'./yang-models/sonic-system-defaults.yang',
|
||||
'./yang-models/sonic-interface.yang',
|
||||
@ -212,6 +213,7 @@ setup(
|
||||
'./cvlyang-models/sonic-flex_counter.yang',
|
||||
'./cvlyang-models/sonic-feature.yang',
|
||||
'./cvlyang-models/sonic-fine-grained-ecmp.yang',
|
||||
'./cvlyang-models/sonic-fips.yang',
|
||||
'./cvlyang-models/sonic-hash.yang',
|
||||
'./cvlyang-models/sonic-system-defaults.yang',
|
||||
'./cvlyang-models/sonic-interface.yang',
|
||||
|
@ -2410,6 +2410,12 @@
|
||||
"FG_NHG": "nhg2"
|
||||
}
|
||||
},
|
||||
"FIPS":{
|
||||
"global": {
|
||||
"enable": "true",
|
||||
"enforce": "true"
|
||||
}
|
||||
},
|
||||
"FG_NHG_MEMBER": {
|
||||
"192.168.1.1": {
|
||||
"FG_NHG": "nhg1",
|
||||
|
10
src/sonic-yang-models/tests/yang_model_tests/tests/fips.json
Normal file
10
src/sonic-yang-models/tests/yang_model_tests/tests/fips.json
Normal file
@ -0,0 +1,10 @@
|
||||
{
|
||||
"FIPS_WITH_CORRECT_VALUES_ENABLE": {
|
||||
"desc": "CONFIG FIPS TABLE WITH ALL THE CORRECT VALUES"
|
||||
},
|
||||
"FIPS_WITH_INVALID_VALUES_ENABLE" : {
|
||||
"desc": "Configure invalid mode in fips.",
|
||||
"eStrKey": "Pattern",
|
||||
"eStr": ["false|true|False|True"]
|
||||
}
|
||||
}
|
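Review bot: The negative case only exercises `enable`; `enforce` uses the same `boolean_type` but nothing here rejects an invalid value for it, and there is no case for the combination `enable=false, enforce=true`, which the model as written accepts. Add a `FIPS_WITH_INVALID_VALUES_ENFORCE` entry mirroring the `enable` one (same `eStrKey`/`eStr`) with a matching input in fips_test.json, so a later edit to the `enforce` leaf cannot loosen validation unnoticed. The expected `eStr` of `false|true|False|True` also documents that mixed-case booleans are valid input, which any consumer comparing the value should be told about.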
@ -0,0 +1,21 @@
|
||||
{
|
||||
"FIPS_WITH_CORRECT_VALUES_ENABLE": {
|
||||
"sonic-fips:sonic-fips": {
|
||||
"sonic-fips:FIPS": {
|
||||
"sonic-fips:global": {
|
||||
"enable": "true",
|
||||
"enforce": "false"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"FIPS_WITH_INVALID_VALUES_ENABLE": {
|
||||
"sonic-fips:sonic-fips": {
|
||||
"sonic-fips:FIPS": {
|
||||
"sonic-fips:global": {
|
||||
"enable": "Invalid"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
45
src/sonic-yang-models/yang-models/sonic-fips.yang
Normal file
45
src/sonic-yang-models/yang-models/sonic-fips.yang
Normal file
@ -0,0 +1,45 @@
|
||||
module sonic-fips {
|
||||
|
||||
yang-version 1.1;
|
||||
|
||||
namespace "http://github.com/sonic-net/sonic-fips";
|
||||
|
||||
prefix sonic-fips;
|
||||
|
||||
import sonic-types {
|
||||
prefix stypes;
|
||||
}
|
||||
|
||||
description "FIPS YANG Module for SONiC OS";
|
||||
|
||||
revision 2023-06-20 {
|
||||
description "First Revision";
|
||||
}
|
||||
|
||||
container sonic-fips {
|
||||
|
||||
container FIPS {
|
||||
|
||||
description "FIPS part of config_db.json";
|
||||
|
||||
container global {
|
||||
|
||||
leaf enable {
|
||||
description "This configuration identicates whether enable fips";
|
||||
type stypes:boolean_type;
|
||||
default "false";
|
||||
}
|
||||
|
||||
leaf enforce {
|
||||
description "This configuration identicates whether enforce fips";
|
||||
type stypes:boolean_type;
|
||||
default "false";
|
||||
}
|
||||
}
|
||||
/* end of container global */
|
||||
}
|
||||
/* end of container FIPS */
|
||||
}
|
||||
/* end of top level container */
|
||||
}
|
||||
/* end of module sonic-fips */
|
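Review bot: Both leaf descriptions misspell "indicates" as "identicates" and say nothing about what the flag actually changes on the device; for `enable` I would write `description "Whether FIPS mode is enabled on the switch";` and for `enforce` a sentence stating what is rejected when it is set — the model alone does not tell me what "enforce" enforces, so the wording should come from the design doc. The model also has no constraint tying the two leaves together, so `enable=false, enforce=true` validates; if enforcing is meaningless without enabling, add `must "../enable = 'true' or . = 'false'" { error-message "enforce requires enable"; }` on the `enforce` leaf. Note as well that `stypes:boolean_type` accepts `True`/`False` alongside the lowercase forms (the test file expects the pattern `false|true|False|True`), so anything translating this table into `/etc/fips/fips_enable` must compare case-insensitively — worth stating in the description.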