[202305] Support FIPS for armhf (#18283)
* [Security] Fix the krb5 vulnerability issue (#17914) ### Why I did it Fix the krb5 vulnerability issue CVE-2021-36222 allows remote attackers to cause a NULL pointer dereference and daemon crash CVE-2021-37750 NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field DSA 5286-1 remote code execution ##### Work item tracking - Microsoft ADO **(number only)**: 26577929 #### How I did it Upgrade the krb5 version to 1.18.3-6+deb11u14+fips. * [Build] Fix krb5 package not found issue (#17926) Why I did it Fix the build issue caused by the wrong version being specified. See the build error logs: Try 4: /usr/bin/wget --retry-connrefused failed to get: -O --2024-01-26 11:38:23-- https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.10/amd64/libk5crypto3_1.18.3-6+deb11u14+fips_amd64.deb Resolving sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)... 20.60.59.131 Connecting to sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)|20.60.59.131|:443... connected. HTTP request sent, awaiting response... 404 The specified blob does not exist. 2024-01-26 11:38:23 ERROR 404: The specified blob does not exist.. Try 5: /usr/bin/wget --retry-connrefused failed to get: -O make[1]: *** [Makefile:12: /sonic/target/debs/bullseye/symcrypt-openssl_0.10_amd64.deb] Error 8 make[1]: Leaving directory '/sonic/src/sonic-fips' Work item tracking Microsoft ADO (number only): 26577929 The issue of the package not being installed while the PR still passed is tracked in another issue #17927 How I did it Add libkrb5-dev and its dependent packages to fix the docker-sonic-vs build failure. The package libzmq3-dev depends on libkrb5-dev. * [202305] Support FIPS for armhf * Remove unused mirror * Fix FIPS options issue
This commit is contained in:
parent
524dea665a
commit
a6437d8ab6
@ -141,6 +141,7 @@ rules/config.user:
|
|||||||
|
|
||||||
include rules/config
|
include rules/config
|
||||||
-include rules/config.user
|
-include rules/config.user
|
||||||
|
include rules/sonic-fips.mk
|
||||||
|
|
||||||
ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
|
ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
|
||||||
override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
|
override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
|
||||||
@ -177,12 +178,6 @@ endif
|
|||||||
SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
|
SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
|
||||||
DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV)
|
DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV)
|
||||||
|
|
||||||
# Support FIPS feature, armhf not supported yet
|
|
||||||
ifeq ($(PLATFORM_ARCH),armhf)
|
|
||||||
ENABLE_FIPS_FEATURE := n
|
|
||||||
ENABLE_FIPS := n
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifeq ($(ENABLE_FIPS_FEATURE), n)
|
ifeq ($(ENABLE_FIPS_FEATURE), n)
|
||||||
ifeq ($(ENABLE_FIPS), y)
|
ifeq ($(ENABLE_FIPS), y)
|
||||||
$(error Cannot set fips config ENABLE_FIPS=y when ENABLE_FIPS_FEATURE=n)
|
$(error Cannot set fips config ENABLE_FIPS=y when ENABLE_FIPS_FEATURE=n)
|
||||||
@ -216,6 +211,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
|
|||||||
DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
|
DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
|
||||||
DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
|
DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
|
||||||
GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
|
GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
|
||||||
|
FIPS_VERSION=$(FIPS_VERSION) \
|
||||||
|
FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
|
||||||
j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
|
j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
|
||||||
|
|
||||||
$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
|
$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
|
||||||
|
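Review bot: FIPS_VERSION and FIPS_GOLANG_VERSION are added to the environment of the first `$(shell … j2 …)` invocation only; the second `$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \` that begins at the end of the hunk does not receive them, so if that template also references `{{ FIPS_VERSION }}` or `{{ FIPS_GOLANG_VERSION }}` it will render an empty string. Both shell calls start or continue outside the hunk, so the second one's variable list cannot be checked here. The two values come from `rules/sonic-fips.mk`, which this commit includes unconditionally, so they are defined even when ENABLE_FIPS_FEATURE is n and passing them always is safe.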
@ -34,6 +34,10 @@ else
|
|||||||
$(DOCKER_SONIC_VS)_DEPENDS += $(GOBGP)
|
$(DOCKER_SONIC_VS)_DEPENDS += $(GOBGP)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifeq ($(ENABLE_FIPS_FEATURE), y)
|
||||||
|
$(DOCKER_SONIC_VS)_DEPENDS += $(FIPS_KRB5_ALL)
|
||||||
|
endif
|
||||||
|
|
||||||
$(DOCKER_SONIC_VS)_FILES += $(CONFIGDB_LOAD_SCRIPT) \
|
$(DOCKER_SONIC_VS)_FILES += $(CONFIGDB_LOAD_SCRIPT) \
|
||||||
$(ARP_UPDATE_SCRIPT) \
|
$(ARP_UPDATE_SCRIPT) \
|
||||||
$(ARP_UPDATE_VARS_TEMPLATE) \
|
$(ARP_UPDATE_VARS_TEMPLATE) \
|
||||||
|
@ -9,10 +9,6 @@ RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%s
|
|||||||
ENV DEBIAN_FRONTEND=noninteractive
|
ENV DEBIAN_FRONTEND=noninteractive
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y gnupg
|
RUN apt-get update && apt-get install -y gnupg
|
||||||
COPY ["sonic-dev.gpg.key", "/etc/apt/"]
|
|
||||||
RUN apt-key add /etc/apt/sonic-dev.gpg.key
|
|
||||||
RUN echo "deb http://packages.microsoft.com/repos/sonic-dev/ jessie main" >> /etc/apt/sources.list
|
|
||||||
RUN apt-get update
|
|
||||||
|
|
||||||
RUN apt-get install -y net-tools \
|
RUN apt-get install -y net-tools \
|
||||||
arping \
|
arping \
|
||||||
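Review bot: With the `apt-key add` step removed, the surviving `RUN apt-get update && apt-get install -y gnupg` appears to install gnupg for nothing, since the key import was its only visible consumer in this file; unless a later stage still needs it, trim the line to `RUN apt-get update` (the package lists are still required by the `apt-get install` that follows). If gnupg has to stay, a one-line comment naming what uses it would stop the next reader from removing it.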
@ -42,7 +38,6 @@ RUN apt-get install -y net-tools \
|
|||||||
iptables \
|
iptables \
|
||||||
jq \
|
jq \
|
||||||
libzmq5 \
|
libzmq5 \
|
||||||
libzmq3-dev \
|
|
||||||
uuid-dev \
|
uuid-dev \
|
||||||
# For installing Python m2crypto package
|
# For installing Python m2crypto package
|
||||||
# (these can be uninstalled after installation)
|
# (these can be uninstalled after installation)
|
||||||
@ -68,7 +63,11 @@ RUN apt-get install -y net-tools \
|
|||||||
libasan6 \
|
libasan6 \
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
dbus \
|
dbus \
|
||||||
redis-server
|
redis-server \
|
||||||
|
# For libkrb5-dev
|
||||||
|
comerr-dev \
|
||||||
|
libgssrpc4 \
|
||||||
|
libkdb5-10
|
||||||
|
|
||||||
# For sonic-config-engine Python 3 package
|
# For sonic-config-engine Python 3 package
|
||||||
# Install pyangbind here, outside sonic-config-engine dependencies, as pyangbind causes enum34 to be installed.
|
# Install pyangbind here, outside sonic-config-engine dependencies, as pyangbind causes enum34 to be installed.
|
||||||
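Review bot: `libkdb5-10` is installed here from the Debian archive, yet it is the one krb5 binary missing from the FIPS set defined in the sonic-fips.mk hunk (`FIPS_KRB5_ALL` lists libgssrpc4, krb5-multidev, libkrb5-dev and the kadm5 libraries, but no libkdb5-10). As far as I recall, Debian's libkrb5-dev declares exact-version dependencies on its sibling libraries, so a distro libkdb5-10 at any revision other than `$(FIPS_KRB5_VERSION)` would make the later `dpkg -i libkrb5-dev_…+fips` fail and fall into the `apt-get -y install -f` path, which may resolve to non-FIPS packages. Please verify the final image with `dpkg -l 'lib*krb5*' libkdb5-10 libgssrpc4` and consider adding a libkdb5-10 deb to the FIPS set. `libgssrpc4` is likewise pre-installed from the archive here and then expected to be superseded by its `+fips` deb; a comment such as `# stock versions; replaced by the +fips debs installed below` would make that intent explicit.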
@ -92,6 +91,8 @@ COPY {%- for deb in docker_sonic_vs_debs.split(' ') %} debs/{{ deb }}{%- endfor
|
|||||||
RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_debs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %}
|
RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_debs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
|
RUN apt-get install -y libzmq3-dev
|
||||||
|
|
||||||
{% if docker_sonic_vs_pydebs.strip() -%}
|
{% if docker_sonic_vs_pydebs.strip() -%}
|
||||||
# Copy locally-built Debian package dependencies
|
# Copy locally-built Debian package dependencies
|
||||||
COPY {%- for deb in docker_sonic_vs_pydebs.split(' ') %} python-debs/{{ deb }}{%- endfor %} /debs/
|
COPY {%- for deb in docker_sonic_vs_pydebs.split(' ') %} python-debs/{{ deb }}{%- endfor %} /debs/
|
||||||
|
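Review bot: `RUN apt-get install -y libzmq3-dev` relies on the FIPS krb5 debs installed by the `dpkg_apt` loop just above staying in place, but nothing pins them: any apt resolution that touches the krb5 chain (including the `apt-get -y install -f` fallback inside that loop) can replace the `+fips` libraries with archive versions when those sort higher, and the build would still succeed. Holding them first, e.g. `apt-mark hold libkrb5-dev libkrb5-3 libk5crypto3 libgssapi-krb5-2 libkrb5support0` in the same RUN, or asserting afterwards that `dpkg-query -W -f='${Version}' libkrb5-3` still ends in `+fips`, turns the intended outcome into something the build enforces. The loop line itself is context here, not part of this change.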
@ -1,13 +1,13 @@
|
|||||||
# fips packages
|
# fips packages
|
||||||
|
|
||||||
FIPS_VERSION = 0.9
|
FIPS_VERSION = 0.11
|
||||||
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
|
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
|
||||||
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
|
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
|
||||||
FIPS_PYTHON_MAIN_VERSION = 3.9
|
FIPS_PYTHON_MAIN_VERSION = 3.9
|
||||||
FIPS_PYTHON_VERSION = 3.9.2-1+fips
|
FIPS_PYTHON_VERSION = 3.9.2-1+fips
|
||||||
FIPS_GOLANG_MAIN_VERSION = 1.15
|
FIPS_GOLANG_MAIN_VERSION = 1.15
|
||||||
FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
|
FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
|
||||||
FIPS_KRB5_VERSION = 1.18.3-6+deb11u1+fips
|
FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
|
||||||
FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)
|
FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)
|
||||||
|
|
||||||
SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
|
SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
|
||||||
@ -40,7 +40,15 @@ FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_
|
|||||||
FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)
|
FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)
|
||||||
|
|
||||||
FIPS_KRB5 = libk5crypto3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
FIPS_KRB5 = libk5crypto3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
FIPS_KRB5_ALL = $(FIPS_KRB5)
|
FIPS_KRB5_SUPPORT0 = libkrb5support0_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_3 = libkrb5-3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_LIBGSSAPI = libgssapi-krb5-2_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_LIBKADM5CLNT = libkadm5clnt-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_LIBKADM5SRV = libkadm5srv-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_LIBGSSRPC4 = libgssrpc4_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_MULTIDEV = krb5-multidev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_DEV = libkrb5-dev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
|
||||||
|
FIPS_KRB5_ALL = $(FIPS_KRB5) $(FIPS_KRB5_SUPPORT0) $(FIPS_KRB5_3) $(FIPS_KRB5_LIBGSSAPI) $(FIPS_KRB5_LIBKADM5CLNT) $(FIPS_KRB5_LIBKADM5SRV) $(FIPS_KRB5_LIBGSSRPC4) $(FIPS_KRB5_MULTIDEV) $(FIPS_KRB5_DEV)
|
||||||
|
|
||||||
FIPS_DERIVED_TARGET = $(FIPS_OPENSSL_ALL) $(FIPS_OPENSSH_ALL) $(FIPS_GOLANG_ALL) $(FIPS_PYTHON_ALL) $(FIPS_KRB5_ALL)
|
FIPS_DERIVED_TARGET = $(FIPS_OPENSSL_ALL) $(FIPS_OPENSSH_ALL) $(FIPS_GOLANG_ALL) $(FIPS_PYTHON_ALL) $(FIPS_KRB5_ALL)
|
||||||
FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
|
FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)
|
||||||
|
@ -474,8 +474,8 @@ RUN apt-get install -y kernel-wedge
|
|||||||
# For gobgp and telemetry build
|
# For gobgp and telemetry build
|
||||||
RUN apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
|
RUN apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
|
||||||
{%- if ENABLE_FIPS_FEATURE == "y" %}
|
{%- if ENABLE_FIPS_FEATURE == "y" %}
|
||||||
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
|
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
|
||||||
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
|
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
|
||||||
&& dpkg -i golang-go.deb golang-src.deb \
|
&& dpkg -i golang-go.deb golang-src.deb \
|
||||||
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
|
&& ln -sf /usr/lib/go-1.15 /usr/local/go \
|
||||||
&& rm golang-go.deb golang-src.deb
|
&& rm golang-go.deb golang-src.deb
|
||||||
|
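Review bot: Substituting `{{ FIPS_GOLANG_VERSION }}` into the URL drops the `%2B` escaping the old lines used for the `+` in `1.15.15-1~deb11u4+fips`; a literal `+` in a path segment is valid per RFC 3986, but the previous author escaped it deliberately, so either confirm the blob endpoint serves the object with a raw `+` or keep the escape with `{{ FIPS_GOLANG_VERSION | urlencode }}`. The same applies to the golang-src line below it. Separately, both debs are still fetched with wget and installed with `dpkg -i` with no integrity check beyond TLS to the storage account; carrying an expected sha256 per arch next to the version in sonic-fips.mk and checking it before `dpkg -i` would make the FIPS toolchain verifiable rather than trusted.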