Support SONiC OpenSSL FIPS 140-3 based on SymCrypt engine (#9573)
Why I did it
Support OpenSSL FIPS 140-3; see the design doc: https://github.com/Azure/SONiC/blob/master/doc/fips/SONiC-OpenSSL-FIPS-140-3.md.

How I did it
Install the FIPS packages. To build the FIPS packages, see https://github.com/Azure/sonic-fips
Azure pipelines: https://dev.azure.com/mssonic/build/_build?definitionId=412

How to verify it
Validate the SymCrypt engine:
admin@sonic:~$ dpkg-query -W | grep openssl
openssl 1.1.1k-1+deb11u1+fips
symcrypt-openssl 0.1
admin@sonic:~$ openssl engine -v | grep -i symcrypt
(symcrypt) SCOSSL (SymCrypt engine for OpenSSL)
admin@sonic:~$
parent
681c24878b
commit
8ec8900d31
@ -138,13 +138,25 @@ endif
|
||||
endif
|
||||
SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
|
||||
|
||||
# Support FIPS feature, armhf not supported yet
|
||||
ifeq ($(PLATFORM_ARCH),armhf)
|
||||
ENABLE_FIPS_FEATURE := n
|
||||
ENABLE_FIPS := n
|
||||
endif
|
||||
|
||||
ifeq ($(ENABLE_FIPS_FEATURE), n)
|
||||
ifeq ($(ENABLE_FIPS), y)
|
||||
$(error Cannot set fips config ENABLE_FIPS=y when ENABLE_FIPS_FEATURE=n)
|
||||
endif
|
||||
endif
|
||||
|
||||
# Generate the version control build info
|
||||
$(shell SONIC_VERSION_CONTROL_COMPONENTS=$(SONIC_VERSION_CONTROL_COMPONENTS) \
|
||||
TRUSTED_GPG_URLS=$(TRUSTED_GPG_URLS) PACKAGE_URL_PREFIX=$(PACKAGE_URL_PREFIX) \
|
||||
scripts/generate_buildinfo_config.sh)
|
||||
|
||||
# Generate the slave Dockerfile, and prepare build info for it
|
||||
$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
|
||||
$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) ENABLE_FIPS_FEATURE=$(ENABLE_FIPS_FEATURE) DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
|
||||
$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) j2 $(SLAVE_DIR)/Dockerfile.user.j2 > $(SLAVE_DIR)/Dockerfile.user)
|
||||
$(shell BUILD_SLAVE=y DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) scripts/prepare_docker_buildinfo.sh $(SLAVE_BASE_IMAGE) $(SLAVE_DIR)/Dockerfile $(CONFIGURED_ARCH) "" $(BLDENV))
|
||||
|
||||
@ -355,6 +367,8 @@ SONIC_BUILD_INSTRUCTION := make \
|
||||
ENABLE_AUTO_TECH_SUPPORT=$(ENABLE_AUTO_TECH_SUPPORT) \
|
||||
BUILD_MULTIASIC_KVM=$(BUILD_MULTIASIC_KVM) \
|
||||
ENABLE_ASAN=$(ENABLE_ASAN) \
|
||||
ENABLE_FIPS_FEATURE=$(ENABLE_FIPS_FEATURE) \
|
||||
ENABLE_FIPS=$(ENABLE_FIPS) \
|
||||
$(SONIC_OVERRIDE_BUILD_VARS)
|
||||
|
||||
.PHONY: sonic-slave-build sonic-slave-bash init reset
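Review bot: On armhf the new block forces `ENABLE_FIPS := n` silently, so a build that requested `ENABLE_FIPS=y` through a config file or the environment would produce a non-FIPS image without any error, while a plain `:=` does not reset a value given on the make command line at all. For a compliance switch it is safer to fail loudly: inside the `ifeq ($(PLATFORM_ARCH),armhf)` block, before the two assignments, add `ifeq ($(ENABLE_FIPS),y)` / `$(error ENABLE_FIPS=y is not supported on armhf)` / `endif`. The `$(error …)` check that follows in the hunk only catches the inconsistent pair when `ENABLE_FIPS` still reads `y` at that point, which the reset above it prevents for config and environment values.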
|
||||
|
@ -44,6 +44,8 @@ variables:
|
||||
- template: .azure-pipelines/template-variables.yml@buildimage
|
||||
- name: CACHE_MODE
|
||||
value: rcache
|
||||
- name: ENABLE_FIPS
|
||||
value: y
|
||||
|
||||
stages:
|
||||
- stage: BuildVS
|
||||
|
@ -62,7 +62,8 @@ RUN apt-get update && \
|
||||
# for processing/handling json files in bash environment
|
||||
jq \
|
||||
# for sairedis zmq rpc channel
|
||||
libzmq5
|
||||
libzmq5 \
|
||||
libwrap0
|
||||
|
||||
# Upgrade pip via PyPI and uninstall the Debian version
|
||||
RUN pip3 install --upgrade pip
|
||||
|
@ -330,12 +330,7 @@ sudo chmod 755 $FILESYSTEM_ROOT/usr/bin/restart_service
|
||||
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install smartmontools=7.2-1
|
||||
|
||||
# Install custom-built openssh sshd
|
||||
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_*.deb
|
||||
|
||||
# Remove sshd host keys, and will regenerate on first sshd start. This needs to be
|
||||
# done again here because our custom version of sshd is being installed, which
|
||||
# will regenerate the sshd host keys.
|
||||
sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
|
||||
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_${OPENSSH_VERSION}_*.deb
|
||||
|
||||
{% if sonic_asic_platform == 'broadcom' %}
|
||||
# Install custom-built flashrom
|
||||
@ -625,6 +620,11 @@ sudo dpkg --root=$FILESYSTEM_ROOT -P {{ debname }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Remove sshd host keys, and will regenerate on first sshd start. This needs to be
|
||||
# done again here because our custom version of sshd is being installed, which
|
||||
# will regenerate the sshd host keys.
|
||||
sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
|
||||
|
||||
sudo rm -f $FILESYSTEM_ROOT/usr/sbin/policy-rc.d
|
||||
|
||||
# Copy fstrim service and timer file, enable fstrim timer
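Review bot: The comment that moved with `sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*` still justifies the removal by the custom sshd install that used to sit directly above it, which no longer matches its new position near the end of the script. I would reword it to state the invariant being protected, for example `# Remove sshd host keys after all package installs so that no key generated at build time ships in the image; sshd regenerates them on first start.` The removal has to stay after every step that can install or reconfigure an openssh-server package (the FIPS build is added to the installer debs in slave.mk); the rest of the script is outside this hunk, so that ordering should be confirmed.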
|
||||
|
@ -666,6 +666,11 @@ else # install_env = "onie"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add extra linux command line
|
||||
extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%
|
||||
echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux"
|
||||
|
||||
cat <<EOF >> $grub_cfg
|
||||
menuentry '$demo_grub_entry' {
|
||||
search --no-floppy --label --set=root $demo_volume_label
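Review bot: `extra_cmdline_linux=%%EXTRA_CMDLINE_LINUX%%` is filled in without quotes, so a value of more than one word breaks the assignment: the shell reads `extra_cmdline_linux=foo sonic_fips=1` as two separate assignments and `sonic_fips=1` never reaches `GRUB_CMDLINE_LINUX`. Presumably the placeholder is replaced by the sed step in the image build script, where `sonic_fips=1` is appended to any user-supplied string, so this is exactly the case in which the FIPS flag would be lost. Quoting the placeholder, `extra_cmdline_linux="%%EXTRA_CMDLINE_LINUX%%"`, keeps the whole string on the kernel command line. The surrounding installer code starts and ends outside the hunk.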
|
||||
|
@ -79,6 +79,11 @@ cp -r $installer_dir/$arch/* $tmp_installdir || clean_up 1
|
||||
cp onie-image.conf $tmp_installdir
|
||||
cp onie-image-*.conf $tmp_installdir
|
||||
|
||||
# Set sonic fips config for the installer script
|
||||
if [ "$ENABLE_FIPS" = "y" ]; then
|
||||
EXTRA_CMDLINE_LINUX="$EXTRA_CMDLINE_LINUX sonic_fips=1"
|
||||
fi
|
||||
|
||||
# Escape special chars in the user provide kernel cmdline string for use in
|
||||
# sed. Special chars are: \ / &
|
||||
EXTRA_CMDLINE_LINUX=`echo $EXTRA_CMDLINE_LINUX | sed -e 's/[\/&]/\\\&/g'`
|
||||
|
@ -224,3 +224,8 @@ ENABLE_ASAN ?= n
|
||||
|
||||
# reset default container registry from dockerhub to other
|
||||
DEFAULT_CONTAINER_REGISTRY ?=
|
||||
|
||||
# ENABLE_FIPS_FEATURE - support FIPS feature, only for amd64 or arm64, armhf not supported yet
|
||||
# ENABLE_FIPS - support FIPS flag, if enabled, no additional config requred for the image to support FIPS
|
||||
ENABLE_FIPS_FEATURE ?= y
|
||||
ENABLE_FIPS ?= n
|
||||
|
@ -11,6 +11,11 @@ VIM = vim
|
||||
OPENSSH = openssh-client
|
||||
SSHPASS = sshpass
|
||||
STRACE = strace
|
||||
|
||||
ifeq ($(ENABLE_FIPS_FEATURE), y)
|
||||
$(DOCKER_BASE_BULLSEYE)_DEPENDS += $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_KRB5)
|
||||
endif
|
||||
|
||||
$(DOCKER_BASE_BULLSEYE)_DBG_IMAGE_PACKAGES += $(GDB) $(GDBSERVER) $(VIM) $(OPENSSH) $(SSHPASS) $(STRACE)
|
||||
|
||||
SONIC_DOCKER_IMAGES += $(DOCKER_BASE_BULLSEYE)
|
||||
|
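--- /dev/null
+++ b/rules/sonic-fips.dep
@@ -0,0 +1,10 @@
+SPATH := $($(SYMCRYPT_OPENSSL)_SRC_PATH)
+DEP_FILES := $(SONIC_COMMON_FILES_LIST) rules/sonic-fips.mk rules/sonic-fips.dep
+DEP_FILES += $(SONIC_COMMON_BASE_FILES_LIST)
+SMDEP_FILES := $(addprefix $(SPATH)/,$(shell cd $(SPATH) && git ls-files))
+
+$(SYMCRYPT_OPENSSL)_CACHE_MODE := GIT_CONTENT_SHA
+$(SYMCRYPT_OPENSSL)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
+$(SYMCRYPT_OPENSSL)_DEP_FILES := $(DEP_FILES)
+$(SYMCRYPT_OPENSSL)_SMDEP_FILES := $(SMDEP_FILES)
+$(SYMCRYPT_OPENSSL)_SMDEP_PATHS := $(SPATH)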
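--- /dev/null
+++ b/rules/sonic-fips.mk
@@ -0,0 +1,53 @@
+# fips packages
+
+FIPS_VERSION = 0.1
+FIPS_OPENSSL_VERSION = 1.1.1k-1+deb11u1+fips
+FIPS_OPENSSH_VERSION = 8.4p1-5+fips
+FIPS_PYTHON_MAIN_VERSION = 3.9
+FIPS_PYTHON_VERSION = 3.9.2-1+fips
+FIPS_GOLANG_MAIN_VERSION = 1.15
+FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
+FIPS_KRB5_VERSION = 1.18.3-6+deb11u1+fips
+FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)
+
+SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
+SYMCRYPT_OPENSSL = $(SYMCRYPT_OPENSSL_NAME)_$(FIPS_VERSION)_$(CONFIGURED_ARCH).deb
+$(SYMCRYPT_OPENSSL)_SRC_PATH = $(SRC_PATH)/sonic-fips
+
+FIPS_OPENSSL = openssl_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSL_LIBSSL = libssl1.1_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSL_LIBSSL_DEV = libssl-dev_$(FIPS_OPENSSL_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSL_LIBSSL_DOC = libssl-doc_$(FIPS_OPENSSL_VERSION)_all.deb
+FIPS_OPENSSL_ALL = $(FIPS_OPENSSL) $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL_LIBSSL_DOC)
+
+FIPS_OPENSSH = ssh_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSH_CLIENT = openssh-client_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSH_SFTP_SERVER = openssh-sftp-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSH_SERVER = openssh-server_$(FIPS_OPENSSH_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_OPENSSH_ALL = $(FIPS_SSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER)
+
+FIPS_PYTHON = python$(FIPS_PYTHON_MAIN_VERSION)_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_PYTHON_MINIMAL = python$(FIPS_PYTHON_MAIN_VERSION)-minimal_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_LIBPYTHON = libpython$(FIPS_PYTHON_MAIN_VERSION)_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_LIBPYTHON_MINIMAL = libpython$(FIPS_PYTHON_MAIN_VERSION)-minimal_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_LIBPYTHON_STDLIB = libpython$(FIPS_PYTHON_MAIN_VERSION)-stdlib_$(FIPS_PYTHON_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_PYTHON_ALL = $(FIPS_PYTHON) $(FIPS_PYTHON_MINIMAL) $(FIPS_LIBPYTHON) $(FIPS_LIBPYTHON_MINIMAL) $(FIPS_LIBPYTHON_STDLIB)
+
+FIPS_GOLANG = golang-$(FIPS_GOLANG_MAIN_VERSION)_$(FIPS_GOLANG_VERSION)_all.deb
+FIPS_GOLANG_GO = golang-$(FIPS_GOLANG_MAIN_VERSION)-go_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_GOLANG_SRC = golang-$(FIPS_GOLANG_MAIN_VERSION)-src_$(FIPS_GOLANG_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_all.deb
+FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)
+
+FIPS_KRB5 = libk5crypto3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_ALL = $(FIPS_KRB5)
+
+FIPS_DERIVED_TARGET = $(FIPS_OPENSSL_ALL) $(FIPS_OPENSSH_ALL) $(FIPS_GOLANG_ALL) $(FIPS_PYTHON_ALL) $(FIPS_KRB5_ALL)
+FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
+
+$(foreach package,$(FIPS_DERIVED_TARGET),$(eval $(call add_extra_package,$(SYMCRYPT_OPENSSL),$(package))))
+
+ifeq ($(ENABLE_FIPS_FEATURE), y)
+FIPS_BASEIMAGE_INSTALLERS = $(FIPS_OPENSSL_LIBSSL) $(FIPS_OPENSSL_LIBSSL_DEV) $(FIPS_OPENSSL) $(SYMCRYPT_OPENSSL) $(FIPS_OPENSSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER) $(FIPS_KRB5)
+SONIC_MAKE_DEBS += $(SYMCRYPT_OPENSSL)
+endif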
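Review bot: `FIPS_OPENSSH_ALL` starts with `$(FIPS_SSH)`, which is not defined anywhere in this file; the `ssh_…deb` package is named `FIPS_OPENSSH` a few lines above. An undefined variable expands to nothing, so that package drops out of `FIPS_OPENSSH_ALL` and therefore out of `FIPS_DERIVED_TARGET` and the `add_extra_package` loop, while `FIPS_BASEIMAGE_INSTALLERS` still lists `$(FIPS_OPENSSH)` for installation. The line should read `FIPS_OPENSSH_ALL = $(FIPS_OPENSSH) $(FIPS_OPENSSH_CLIENT) $(FIPS_OPENSSH_SFTP_SERVER) $(FIPS_OPENSSH_SERVER)`.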
8
slave.mk
8
slave.mk
@ -80,6 +80,7 @@ export IMAGE_DISTRO
|
||||
export IMAGE_DISTRO_DEBS_PATH
|
||||
export MULTIARCH_QEMU_ENVIRON
|
||||
export DOCKER_BASE_ARCH
|
||||
export BLDENV
|
||||
|
||||
###############################################################################
|
||||
## Utility rules
|
||||
@ -93,7 +94,6 @@ ifneq ($(CONFIGURED_PLATFORM),generic)
|
||||
endif
|
||||
|
||||
configure :
|
||||
@mkdir -p $(DEBS_PATH)
|
||||
@mkdir -p $(JESSIE_DEBS_PATH)
|
||||
@mkdir -p $(STRETCH_DEBS_PATH)
|
||||
@mkdir -p $(BUSTER_DEBS_PATH)
|
||||
@ -271,6 +271,8 @@ endif
|
||||
export SONIC_ROUTING_STACK
|
||||
export FRR_USER_UID
|
||||
export FRR_USER_GID
|
||||
export ENABLE_FIPS_FEATURE
|
||||
export ENABLE_FIPS
|
||||
|
||||
###############################################################################
|
||||
## Build Options
|
||||
@ -332,6 +334,7 @@ $(info "INCLUDE_P4RT" : "$(INCLUDE_P4RT)")
|
||||
$(info "INCLUDE_KUBERNETES" : "$(INCLUDE_KUBERNETES)")
|
||||
$(info "INCLUDE_MACSEC" : "$(INCLUDE_MACSEC)")
|
||||
$(info "INCLUDE_MUX" : "$(INCLUDE_MUX)")
|
||||
$(info "ENABLE_FIPS_FEATURE" : "$(ENABLE_FIPS_FEATURE)")
|
||||
$(info "TELEMETRY_WRITABLE" : "$(TELEMETRY_WRITABLE)")
|
||||
$(info "ENABLE_AUTO_TECH_SUPPORT" : "$(ENABLE_AUTO_TECH_SUPPORT)")
|
||||
$(info "PDDF_SUPPORT" : "$(PDDF_SUPPORT)")
|
||||
@ -1054,6 +1057,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
||||
$$(addprefix $(FILES_PATH)/,$$($$*_FILES)) \
|
||||
$(addsuffix -install,$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$(DEBOOTSTRAP))) \
|
||||
$(if $(findstring y,$(ENABLE_ZTP)),$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$(SONIC_ZTP))) \
|
||||
$(if $(findstring y,$(ENABLE_FIPS_FEATURE)),$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$(SYMCRYPT_OPENSSL))) \
|
||||
$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_UTILITIES_PY3)) \
|
||||
$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_PY_COMMON_PY2)) \
|
||||
$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_PY_COMMON_PY3)) \
|
||||
@ -1106,7 +1110,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
||||
export include_kubernetes="$(INCLUDE_KUBERNETES)"
|
||||
export kube_docker_proxy="$(KUBE_DOCKER_PROXY)"
|
||||
export enable_pfcwd_on_start="$(ENABLE_PFCWD_ON_START)"
|
||||
export installer_debs="$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$($*_INSTALLS))"
|
||||
export installer_debs="$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$($*_INSTALLS) $(FIPS_BASEIMAGE_INSTALLERS))"
|
||||
export lazy_installer_debs="$(foreach deb, $($*_LAZY_INSTALLS),$(foreach device, $($(deb)_PLATFORM),$(addprefix $(device)@, $(IMAGE_DISTRO_DEBS_PATH)/$(deb))))"
|
||||
export lazy_build_installer_debs="$(foreach deb, $($*_LAZY_BUILD_INSTALLS), $(addprefix $($(deb)_MACHINE)|,$(deb)))"
|
||||
export installer_images="$(foreach docker, $($*_DOCKERS),\
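Review bot: The build-options banner gains `ENABLE_FIPS_FEATURE` but not `ENABLE_FIPS`, so a build log shows whether the FIPS packages were installed but not whether the image was built with FIPS mode switched on by default. Adding `$(info "ENABLE_FIPS"                      : "$(ENABLE_FIPS)")` next to the new line makes that auditable from the log alone. The banner and the installer recipe both continue outside the hunks shown.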
|
||||
|
@ -397,20 +397,14 @@ RUN sudo augtool --autosave "set /files/etc/dpkg/dpkg.cfg/force-confold"
|
||||
RUN apt-get -y build-dep linux
|
||||
|
||||
# For gobgp and telemetry build
|
||||
RUN export VERSION=1.14.2 \
|
||||
{%- if CONFIGURED_ARCH == "armhf" %}
|
||||
&& wget https://storage.googleapis.com/golang/go$VERSION.linux-armv6l.tar.gz \
|
||||
&& tar -C /usr/local -xzf go$VERSION.linux-armv6l.tar.gz \
|
||||
{%- elif CONFIGURED_ARCH == "arm64" %}
|
||||
&& wget https://storage.googleapis.com/golang/go$VERSION.linux-arm64.tar.gz \
|
||||
&& tar -C /usr/local -xzf go$VERSION.linux-arm64.tar.gz \
|
||||
{%- else %}
|
||||
&& wget https://storage.googleapis.com/golang/go$VERSION.linux-amd64.tar.gz \
|
||||
&& tar -C /usr/local -xzf go$VERSION.linux-amd64.tar.gz \
|
||||
RUN apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
|
||||
{%- if ENABLE_FIPS_FEATURE == "y" %}
|
||||
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
|
||||
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
|
||||
&& dpkg -i golang-go.deb golang-src.deb \
|
||||
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
|
||||
&& rm golang-go.deb golang-src.deb
|
||||
{%- endif %}
|
||||
&& echo 'export GOROOT=/usr/local/go' >> /etc/bash.bashrc \
|
||||
&& echo 'export PATH=$PATH:$GOROOT/bin' >> /etc/bash.bashrc \
|
||||
&& rm go$VERSION.linux-*.tar.gz
|
||||
|
||||
RUN pip3 install --upgrade pip
|
||||
RUN apt-get purge -y python3-pip python3-yaml
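Review bot: The two `wget` calls fetch the FIPS golang packages and hand them straight to `dpkg -i`, which runs their maintainer scripts as root in the build container, with only TLS to the storage account vouching for the content. A pinned digest check before installation closes that gap, for example `&& echo "<EXPECTED_SHA256>  golang-go.deb" | sha256sum -c - \` (placeholder digest, one such line per file) ahead of the `dpkg -i` line. The same applies to the `wget -O "$(DEST)/$$target" "$$url"` loop in src/sonic-fips/Makefile, which downloads the OpenSSL, OpenSSH, Python, Go and krb5 packages for the image. The URL here also repeats `bullseye/0.1` and the package version that rules/sonic-fips.mk defines, so the two can drift apart.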
|
||||
|
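--- /dev/null
+++ b/src/sonic-fips/.gitignore
@@ -0,0 +1 @@
+sonic-fips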
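--- /dev/null
+++ b/src/sonic-fips/Makefile
@@ -0,0 +1,29 @@
+.ONESHELL:
+SHELL = /bin/bash
+.SHELLFLAGS += -e
+
+SONIC_FIPS_BUILD_FROM_SOURCE =? n
+
+include ../../rules/sonic-fips.mk
+
+MAIN_TARGET = $(SYMCRYPT_OPENSSL)
+
+$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
+if [ "$(SONIC_FIPS_BUILD_FROM_SOURCE)" == "y" ]; then
+git clone -b "$(FIPS_VERSION)" https://github.com/Azure/sonic-fips
+push sonic-fips
+git submodule update --init
+push src/SymCrypt; git submodule update --init -- jitterentropy-library; pop
+make all
+pop
+cp sonic-fips/target/*.deb $(DEST)/
+exit 0
+fi
+for target in $(FIPS_PACKAGE_ALL); do
+filename=$$(basename $$target)
+url=$(FIPS_URL_PREFIX)/$$filename
+mkdir -p "$$(dirname $(DEST)/$$target)"
+wget -O "$(DEST)/$$target" "$$url"
+done
+
+$(addprefix $(DEST)/, $(FIPS_DERIVED_TARGET)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)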
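Review bot: The build-from-source branch calls `push sonic-fips`, `push src/SymCrypt; …; pop` and `pop`, which are not bash builtins; with `-e` added to `.SHELLFLAGS` the recipe would stop at the first of them, so `SONIC_FIPS_BUILD_FROM_SOURCE=y` cannot work as written. They should be `pushd sonic-fips`, `pushd src/SymCrypt; git submodule update --init -- jitterentropy-library; popd` and `popd`. `SONIC_FIPS_BUILD_FROM_SOURCE =? n` is also not a conditional assignment: make reads it as a plain `=` with the value `? n`, which overrides a value taken from the environment, so it should be `SONIC_FIPS_BUILD_FROM_SOURCE ?= n`.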