From 288ebd5dd337f975345a1f994c4a63f36dad0f08 Mon Sep 17 00:00:00 2001
From: xumia <59720581+xumia@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:54:02 +0800
Subject: [PATCH] Support FIPS DB configuration (#15632) Why I did it Support FIPS DB configuration Design Doc: sonic-net/SONiC#1372 Work item tracking Microsoft ADO (number only): 24411148 How I did it Add the FIPS Yang model to make FIPS configurable in ConfigDB. How to verify it See TestPlan: sonic-net/sonic-mgmt#9092 Build the image and run the tests: sonic-net/sonic-mgmt#9091
---
 build_debian.sh | 4 ++
 files/build_templates/docker_image_ctl.j2 | 1 +
 installer/install.sh | 5 +++
 src/sonic-yang-models/doc/Configuration.md | 15 +++++++
 src/sonic-yang-models/setup.py | 2 +
 .../tests/files/sample_config_db.json | 6 +++
 .../tests/yang_model_tests/tests/fips.json | 10 +++++
 .../yang_model_tests/tests_config/fips.json | 21 +++++++++
 .../yang-models/sonic-fips.yang | 45 +++++++++++++++++++
 9 files changed, 109 insertions(+)
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/fips.json
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/fips.json
 create mode 100644 src/sonic-yang-models/yang-models/sonic-fips.yang
diff --git a/build_debian.sh b/build_debian.sh
index b7a2884782..3ee1ea14ac 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -636,6 +636,10 @@ then
 fi
+## Set FIPS runtime default option
+sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/fips"
+sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable"
+
 # #################
 # secure boot
 # #################
diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index 7fa33f670c..546eb24cb6 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
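Review bot: The two `sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c` invocations each run a single command; `sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/fips && echo 0 > /etc/fips/fips_enable"` makes the write depend on the directory creation succeeding and saves one chroot. The comment above them should say what the value means, e.g. `## Seed the FIPS runtime flag file with FIPS disabled (0); the ConfigDB FIPS table in sonic-fips.yang defaults to enable=false as well`. Whether this flag file is later rewritten from the ConfigDB FIPS table is not visible in this patch and is worth confirming against the design doc before documenting it as the runtime source of truth.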
@@ -596,6 +596,7 @@ start() {
 -v /usr/share/sonic/device/$PLATFORM/$HWSKU/$DEV:/usr/share/sonic/hwsku:ro \
 {%- endif %}
 $REDIS_MNT \
+ -v /etc/fips/fips_enable:/etc/fips/fips_enable:ro \
 -v /usr/share/sonic/device/$PLATFORM:/usr/share/sonic/platform:ro \
 -v /usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro \
 {%- if sonic_asic_platform != "mellanox" %}
diff --git a/installer/install.sh b/installer/install.sh
index 51b5a75eb5..7f3feae42b 100755
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -243,6 +243,11 @@ fi
 echo "ONIE_IMAGE_PART_SIZE=$demo_part_size"
 extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%
+# Inherit the FIPS option, so not necessary to do another reboot after upgraded
+if grep -q '\bsonic_fips=1\b' /proc/cmdline && echo " $extra_cmdline_linux" | grep -qv '\bsonic_fips=.\b'; then
+ extra_cmdline_linux="$extra_cmdline_linux sonic_fips=1"
+fi
+
 echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
 # Update Bootloader Menu with installed image
diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
index 2ee1d19003..046c38e9d9 100644
--- a/src/sonic-yang-models/doc/Configuration.md
+++ b/src/sonic-yang-models/doc/Configuration.md
@@ -2423,6 +2423,21 @@ The DNS_NAMESERVER table introduces static DNS nameservers configuration.
 }
 ```
+### FIPS
+
+The FIPS table introduces FIPS configuration.
+
+```json
+{
+ "FIPS": {
+ "global" : {
+ "enable": "true",
+ "enforce": "false"
+ }
+ }
+}
+```
+
 #### 5.2.3 Update value directly in db memory
 For Developers
diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py
index d6aeb3e0d8..8ba2951a7a 100644
--- a/src/sonic-yang-models/setup.py
+++ b/src/sonic-yang-models/setup.py
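Review bot: The new `-v /etc/fips/fips_enable:/etc/fips/fips_enable:ro` bind-mounts a single file, and Docker creates a missing bind source as a directory, so a host without that file (an image built before build_debian.sh seeded it) would start the container with an empty directory at that path instead of a flag value. A `[ -f /etc/fips/fips_enable ]` check in start() ahead of the docker run, logging and skipping the mount when the file is absent, would make the missing file visible rather than silently changing its type. The read-only mount itself is the right choice: containers read the host's FIPS state and cannot alter it. The start() function begins and ends outside the hunk.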
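Review bot: The added guard `echo " $extra_cmdline_linux" | grep -qv '\bsonic_fips=.\b'` only recognizes single-character values because of `.\b`, so an already-present `sonic_fips=` with a longer value would get a second `sonic_fips=1` appended, and `grep -qv` on one-line input reads as a double negative. `if grep -q '\bsonic_fips=1\b' /proc/cmdline && ! echo "$extra_cmdline_linux" | grep -q '\bsonic_fips='; then` states the intent directly and matches any existing value. The comment would read better as `# Inherit the FIPS kernel option from the running image so the upgrade does not need a second reboot`. It is also worth noting in that comment that an explicit `sonic_fips=0` already in the new image's EXTRA_CMDLINE_LINUX is deliberately left untouched, which the guard currently does but does not say.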
@@ -120,6 +120,7 @@ setup(
 './yang-models/sonic-flex_counter.yang',
 './yang-models/sonic-fine-grained-ecmp.yang',
 './yang-models/sonic-feature.yang',
+ './yang-models/sonic-fips.yang',
 './yang-models/sonic-hash.yang',
 './yang-models/sonic-system-defaults.yang',
 './yang-models/sonic-interface.yang',
@@ -212,6 +213,7 @@ setup(
 './cvlyang-models/sonic-flex_counter.yang',
 './cvlyang-models/sonic-feature.yang',
 './cvlyang-models/sonic-fine-grained-ecmp.yang',
+ './cvlyang-models/sonic-fips.yang',
 './cvlyang-models/sonic-hash.yang',
 './cvlyang-models/sonic-system-defaults.yang',
 './cvlyang-models/sonic-interface.yang',
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 503ccb72af..1bccc1792b 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -2410,6 +2410,12 @@
 "FG_NHG": "nhg2"
 }
 },
+ "FIPS":{
+ "global": {
+ "enable": "true",
+ "enforce": "true"
+ }
+ },
 "FG_NHG_MEMBER": {
 "192.168.1.1": {
 "FG_NHG": "nhg1",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/fips.json b/src/sonic-yang-models/tests/yang_model_tests/tests/fips.json
new file mode 100644
index 0000000000..74b1d386de
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/fips.json
@@ -0,0 +1,10 @@
+{
+ "FIPS_WITH_CORRECT_VALUES_ENABLE": {
+ "desc": "CONFIG FIPS TABLE WITH ALL THE CORRECT VALUES"
+ },
+ "FIPS_WITH_INVALID_VALUES_ENABLE" : {
+ "desc": "Configure invalid mode in fips.",
+ "eStrKey": "Pattern",
+ "eStr": ["false|true|False|True"]
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/fips.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/fips.json
new file mode 100644
index 0000000000..8c7b989aee
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/fips.json
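Review bot: The negative case in tests/fips.json covers only `enable`; `enforce` is declared with the same `stypes:boolean_type` in sonic-fips.yang yet has no invalid-value test, and no case omits the leaves to exercise their `default "false"`. A `FIPS_WITH_INVALID_VALUES_ENFORCE` entry with the same `eStrKey`/`eStr` here, plus a matching `"enforce": "Invalid"` config in tests_config/fips.json, would cover the second leaf. The `desc` strings could also share one style, e.g. `"desc": "Configure FIPS table with all correct values"`.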
@@ -0,0 +1,21 @@
+{
+ "FIPS_WITH_CORRECT_VALUES_ENABLE": {
+ "sonic-fips:sonic-fips": {
+ "sonic-fips:FIPS": {
+ "sonic-fips:global": {
+ "enable": "true",
+ "enforce": "false"
+ }
+ }
+ }
+ },
+ "FIPS_WITH_INVALID_VALUES_ENABLE": {
+ "sonic-fips:sonic-fips": {
+ "sonic-fips:FIPS": {
+ "sonic-fips:global": {
+ "enable": "Invalid"
+ }
+ }
+ }
+ }
+}
diff --git a/src/sonic-yang-models/yang-models/sonic-fips.yang b/src/sonic-yang-models/yang-models/sonic-fips.yang
new file mode 100644
index 0000000000..0bf96f7b0f
--- /dev/null
+++ b/src/sonic-yang-models/yang-models/sonic-fips.yang
@@ -0,0 +1,45 @@
+module sonic-fips {
+
+ yang-version 1.1;
+
+ namespace "http://github.com/sonic-net/sonic-fips";
+
+ prefix sonic-fips;
+
+ import sonic-types {
+ prefix stypes;
+ }
+
+ description "FIPS YANG Module for SONiC OS";
+
+ revision 2023-06-20 {
+ description "First Revision";
+ }
+
+ container sonic-fips {
+
+ container FIPS {
+
+ description "FIPS part of config_db.json";
+
+ container global {
+
+ leaf enable {
+ description "This configuration identicates whether enable fips";
+ type stypes:boolean_type;
+ default "false";
+ }
+
+ leaf enforce {
+ description "This configuration identicates whether enforce fips";
+ type stypes:boolean_type;
+ default "false";
+ }
+ }
+ /* end of container global */
+ }
+ /* end of container FIPS */
+ }
+ /* end of top level container */
+}
+/* end of module sonic-fips */
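Review bot: The leaf descriptions `This configuration identicates whether enable fips` and `... whether enforce fips` carry a typo and do not tell a reader how enforcing differs from enabling, which matters because both default to false and nothing in the model rejects `enforce` true with `enable` false. Suggest `description "Whether FIPS mode is enabled (true/false).";` on `enable`, and on `enforce` a sentence stating what is enforced and how it relates to `enable`, taken from the design doc; if enforce is only meaningful when enable is set, a `must` constraint on `enforce` referencing `../enable` would make the model reject the inconsistent combination instead of leaving it to the consumer. The module also omits the `organization` and `contact` statements that the other SONiC YANG models commonly carry, and its top-level `description` could name the ConfigDB key it models (`FIPS|global`).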