Support FIPS DB configuration (#15632)

Why I did it
Support FIPS DB configuration
Design Doc: sonic-net/SONiC#1372

Work item tracking
Microsoft ADO (number only): 24411148
How I did it
Add the FIPS YANG model so that FIPS can be configured in ConfigDB.

How to verify it
See TestPlan: sonic-net/sonic-mgmt#9092
Build the image and run the tests: sonic-net/sonic-mgmt#9091
This commit is contained in:
xumia 2023-07-28 16:54:02 +08:00 committed by mssonicbld
parent 1908a04fdf
commit 288ebd5dd3
9 changed files with 109 additions and 0 deletions


@ -636,6 +636,10 @@ then
fi fi
## Set FIPS runtime default option
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/fips"
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 0 > /etc/fips/fips_enable"
# ################# # #################
# secure boot # secure boot
# ################# # #################
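Review bot: The comment above the two chroot lines does not say what the seeded value `0` means or who is allowed to change it, even though the same commit mounts this file read-only into every container, which makes the host-side copy the single source of truth. I would replace it with `## Seed the FIPS runtime flag (0 = disabled); containers see it through a read-only bind mount, so any runtime change has to rewrite this host file`. The commit does not show which component flips the value at runtime, so confirm that writer's behaviour before documenting it further. Style-wise the two `sudo LANG=C chroot` invocations can be one: `sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/fips && echo 0 > /etc/fips/fips_enable"`.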


@ -596,6 +596,7 @@ start() {
-v /usr/share/sonic/device/$PLATFORM/$HWSKU/$DEV:/usr/share/sonic/hwsku:ro \ -v /usr/share/sonic/device/$PLATFORM/$HWSKU/$DEV:/usr/share/sonic/hwsku:ro \
{%- endif %} {%- endif %}
$REDIS_MNT \ $REDIS_MNT \
-v /etc/fips/fips_enable:/etc/fips/fips_enable:ro \
-v /usr/share/sonic/device/$PLATFORM:/usr/share/sonic/platform:ro \ -v /usr/share/sonic/device/$PLATFORM:/usr/share/sonic/platform:ro \
-v /usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro \ -v /usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro \
{%- if sonic_asic_platform != "mellanox" %} {%- if sonic_asic_platform != "mellanox" %}
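Review bot: Bind-mounting the single file `/etc/fips/fips_enable` on the new `-v` line is fragile: if the file is absent on the host when the container starts (for example a host whose root filesystem predates this commit), Docker creates an empty directory of that name and the mount silently succeeds with nothing to read, and if the host file is ever replaced by write-to-temp-and-rename the container keeps the old inode and never sees the new value. Mounting the directory avoids both failure modes: `-v /etc/fips:/etc/fips:ro \`. Whether the runtime writer updates the file in place is not visible in this commit, so treat this as hardening rather than a reproduced failure. The `start()` function continues outside the hunk.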


@ -243,6 +243,11 @@ fi
echo "ONIE_IMAGE_PART_SIZE=$demo_part_size" echo "ONIE_IMAGE_PART_SIZE=$demo_part_size"
extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%% extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%
# Inherit the FIPS option, so not necessary to do another reboot after upgraded
if grep -q '\bsonic_fips=1\b' /proc/cmdline && echo " $extra_cmdline_linux" | grep -qv '\bsonic_fips=.\b'; then
extra_cmdline_linux="$extra_cmdline_linux sonic_fips=1"
fi
echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux" echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
# Update Bootloader Menu with installed image # Update Bootloader Menu with installed image
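Review bot: The guard on the new `if` line leans on `grep -qv`, which succeeds as soon as any input line fails to match; it only behaves as "not already set" because `echo` emits exactly one line, and the pattern `sonic_fips=.\b` recognises only a single-character value, so a bare `sonic_fips=` or something like `sonic_fips=on` would not count as set and `sonic_fips=1` would be appended behind it, leaving two conflicting settings on the kernel command line. The clearer and wider form is `if grep -q '\bsonic_fips=1\b' /proc/cmdline && ! echo " $extra_cmdline_linux" | grep -q '\bsonic_fips='; then`. `\b` is a GNU grep extension, so if this installer runs under a BusyBox grep in the ONIE environment confirm it is honoured there. The installer script continues on both sides of the hunk.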


@ -2423,6 +2423,21 @@ The DNS_NAMESERVER table introduces static DNS nameservers configuration.
} }
``` ```
### FIPS
The FIPS table introduces FIPS configuration.
```json
{
"FIPS": {
"global" : {
"enable": "true",
"enforce": "false"
}
}
}
```
#### 5.2.3 Update value directly in db memory #### 5.2.3 Update value directly in db memory
For Developers For Developers


@ -120,6 +120,7 @@ setup(
'./yang-models/sonic-flex_counter.yang', './yang-models/sonic-flex_counter.yang',
'./yang-models/sonic-fine-grained-ecmp.yang', './yang-models/sonic-fine-grained-ecmp.yang',
'./yang-models/sonic-feature.yang', './yang-models/sonic-feature.yang',
'./yang-models/sonic-fips.yang',
'./yang-models/sonic-hash.yang', './yang-models/sonic-hash.yang',
'./yang-models/sonic-system-defaults.yang', './yang-models/sonic-system-defaults.yang',
'./yang-models/sonic-interface.yang', './yang-models/sonic-interface.yang',
@ -212,6 +213,7 @@ setup(
'./cvlyang-models/sonic-flex_counter.yang', './cvlyang-models/sonic-flex_counter.yang',
'./cvlyang-models/sonic-feature.yang', './cvlyang-models/sonic-feature.yang',
'./cvlyang-models/sonic-fine-grained-ecmp.yang', './cvlyang-models/sonic-fine-grained-ecmp.yang',
'./cvlyang-models/sonic-fips.yang',
'./cvlyang-models/sonic-hash.yang', './cvlyang-models/sonic-hash.yang',
'./cvlyang-models/sonic-system-defaults.yang', './cvlyang-models/sonic-system-defaults.yang',
'./cvlyang-models/sonic-interface.yang', './cvlyang-models/sonic-interface.yang',


@ -2410,6 +2410,12 @@
"FG_NHG": "nhg2" "FG_NHG": "nhg2"
} }
}, },
"FIPS":{
"global": {
"enable": "true",
"enforce": "true"
}
},
"FG_NHG_MEMBER": { "FG_NHG_MEMBER": {
"192.168.1.1": { "192.168.1.1": {
"FG_NHG": "nhg1", "FG_NHG": "nhg1",


@ -0,0 +1,10 @@
{
"FIPS_WITH_CORRECT_VALUES_ENABLE": {
"desc": "CONFIG FIPS TABLE WITH ALL THE CORRECT VALUES"
},
"FIPS_WITH_INVALID_VALUES_ENABLE" : {
"desc": "Configure invalid mode in fips.",
"eStrKey": "Pattern",
"eStr": ["false|true|False|True"]
}
}


@ -0,0 +1,21 @@
{
"FIPS_WITH_CORRECT_VALUES_ENABLE": {
"sonic-fips:sonic-fips": {
"sonic-fips:FIPS": {
"sonic-fips:global": {
"enable": "true",
"enforce": "false"
}
}
}
},
"FIPS_WITH_INVALID_VALUES_ENABLE": {
"sonic-fips:sonic-fips": {
"sonic-fips:FIPS": {
"sonic-fips:global": {
"enable": "Invalid"
}
}
}
}
}
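Review bot: Negative coverage stops at `enable`: the only invalid sample sets `"enable": "Invalid"`, so a regression in the `enforce` leaf's type would pass this suite unnoticed, and there is no sample exercising `"enforce": "true"` together with `"enable": "false"`, a combination the model currently accepts. I would add a `FIPS_WITH_INVALID_VALUES_ENFORCE` sample mirroring the existing invalid one but with `"enforce": "Invalid"` (and a matching `"eStrKey": "Pattern"` entry in the test-description file), plus a mixed-case positive sample such as `"enable": "True"` to pin down that the accepted pattern really is `false|true|False|True`.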


@ -0,0 +1,45 @@
module sonic-fips {
yang-version 1.1;
namespace "http://github.com/sonic-net/sonic-fips";
prefix sonic-fips;
import sonic-types {
prefix stypes;
}
description "FIPS YANG Module for SONiC OS";
revision 2023-06-20 {
description "First Revision";
}
container sonic-fips {
container FIPS {
description "FIPS part of config_db.json";
container global {
leaf enable {
description "This configuration identicates whether enable fips";
type stypes:boolean_type;
default "false";
}
leaf enforce {
description "This configuration identicates whether enforce fips";
type stypes:boolean_type;
default "false";
}
}
/* end of container global */
}
/* end of container FIPS */
}
/* end of top level container */
}
/* end of module sonic-fips */
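Review bot: The two leaf descriptions (`"This configuration identicates whether enable fips"` and the `enforce` twin) misspell "indicates" and do not distinguish the leaves, so a reader of the model cannot tell what `enforce` adds on top of `enable`. I would write `description "Whether FIPS mode is enabled on the system (true/false).";` and `description "Whether FIPS mode is enforced (true/false); see the FIPS design document for how this differs from enable.";`, filling in the difference once it is confirmed against that document. Note that `stypes:boolean_type` accepts `True`/`False` as well as `true`/`false` (the pattern quoted in the test expectations), so every consumer of these leaves must compare case-insensitively. Nothing ties `enforce` to `enable`, so `enforce=true` with `enable=false` validates; if that combination is meaningless, a `must` on `enforce` requiring `../enable = 'true'` would reject it at config load instead of leaving it to the runtime.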