[202305] Support FIPS for armhf (#18283)

* [Security] Fix the krb5 vulnerability issue (#17914)

### Why I did it
Fix the krb5 vulnerable issue
CVE-2021-36222  allows remote attackers to cause a NULL pointer dereference and daemon crash
CVE-2021-37750  NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field
DSA 5286-1  remote code execution

##### Work item tracking
- Microsoft ADO **(number only)**: 26577929

#### How I did it
Upgrade the krb5 version to 1.18.3-6+deb11u14+fips.

* [Build] Fix krb5 package not found issue (#17926)

Why I did it
Fix the build issue caused by the wrong version specified.

See the build error logs:

Try 4: /usr/bin/wget --retry-connrefused failed to get: -O
--2024-01-26 11:38:23--  https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.10/amd64/libk5crypto3_1.18.3-6+deb11u14+fips_amd64.deb
Resolving sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)... 20.60.59.131
Connecting to sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)|20.60.59.131|:443... connected.
HTTP request sent, awaiting response... 404 The specified blob does not exist.
2024-01-26 11:38:23 ERROR 404: The specified blob does not exist..

Try 5: /usr/bin/wget --retry-connrefused failed to get: -O
make[1]: *** [Makefile:12: /sonic/target/debs/bullseye/symcrypt-openssl_0.10_amd64.deb] Error 8
make[1]: Leaving directory '/sonic/src/sonic-fips'
Work item tracking
Microsoft ADO (number only): 26577929
The package not installed but PR passed issue is traced in another issue #17927

How I did it
Add the libkrb5-dev and the depended packages to fix docker-sonic-vs build failure.
The package libzmq3-dev has dependency on the libkrb5-dev.

* [202305] Support FIPS for armhf

* Remove no use mirror

* Fix fips options issue
This commit is contained in:
xumia 2024-03-09 11:39:12 +08:00 committed by GitHub
parent 524dea665a
commit a6437d8ab6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 27 additions and 17 deletions

View File

@ -141,6 +141,7 @@ rules/config.user:
include rules/config include rules/config
-include rules/config.user -include rules/config.user
include rules/sonic-fips.mk
ifneq ($(DEFAULT_CONTAINER_REGISTRY),) ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/ override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
@ -177,12 +178,6 @@ endif
SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC) SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV) DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV)
# Support FIPS feature, armhf not supported yet
ifeq ($(PLATFORM_ARCH),armhf)
ENABLE_FIPS_FEATURE := n
ENABLE_FIPS := n
endif
ifeq ($(ENABLE_FIPS_FEATURE), n) ifeq ($(ENABLE_FIPS_FEATURE), n)
ifeq ($(ENABLE_FIPS), y) ifeq ($(ENABLE_FIPS), y)
$(error Cannot set fips config ENABLE_FIPS=y when ENABLE_FIPS_FEATURE=n) $(error Cannot set fips config ENABLE_FIPS=y when ENABLE_FIPS_FEATURE=n)
@ -216,6 +211,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \ DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \ DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \ GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
FIPS_VERSION=$(FIPS_VERSION) \
FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile) j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
$(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \

View File

@ -34,6 +34,10 @@ else
$(DOCKER_SONIC_VS)_DEPENDS += $(GOBGP) $(DOCKER_SONIC_VS)_DEPENDS += $(GOBGP)
endif endif
ifeq ($(ENABLE_FIPS_FEATURE), y)
$(DOCKER_SONIC_VS)_DEPENDS += $(FIPS_KRB5_ALL)
endif
$(DOCKER_SONIC_VS)_FILES += $(CONFIGDB_LOAD_SCRIPT) \ $(DOCKER_SONIC_VS)_FILES += $(CONFIGDB_LOAD_SCRIPT) \
$(ARP_UPDATE_SCRIPT) \ $(ARP_UPDATE_SCRIPT) \
$(ARP_UPDATE_VARS_TEMPLATE) \ $(ARP_UPDATE_VARS_TEMPLATE) \

View File

@ -9,10 +9,6 @@ RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%s
ENV DEBIAN_FRONTEND=noninteractive ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y gnupg RUN apt-get update && apt-get install -y gnupg
COPY ["sonic-dev.gpg.key", "/etc/apt/"]
RUN apt-key add /etc/apt/sonic-dev.gpg.key
RUN echo "deb http://packages.microsoft.com/repos/sonic-dev/ jessie main" >> /etc/apt/sources.list
RUN apt-get update
RUN apt-get install -y net-tools \ RUN apt-get install -y net-tools \
arping \ arping \
@ -42,7 +38,6 @@ RUN apt-get install -y net-tools \
iptables \ iptables \
jq \ jq \
libzmq5 \ libzmq5 \
libzmq3-dev \
uuid-dev \ uuid-dev \
# For installing Python m2crypto package # For installing Python m2crypto package
# (these can be uninstalled after installation) # (these can be uninstalled after installation)
@ -68,7 +63,11 @@ RUN apt-get install -y net-tools \
libasan6 \ libasan6 \
{%- endif %} {%- endif %}
dbus \ dbus \
redis-server redis-server \
# For libkrb5-dev
comerr-dev \
libgssrpc4 \
libkdb5-10
# For sonic-config-engine Python 3 package # For sonic-config-engine Python 3 package
# Install pyangbind here, outside sonic-config-engine dependencies, as pyangbind causes enum34 to be installed. # Install pyangbind here, outside sonic-config-engine dependencies, as pyangbind causes enum34 to be installed.
@ -92,6 +91,8 @@ COPY {%- for deb in docker_sonic_vs_debs.split(' ') %} debs/{{ deb }}{%- endfor
RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_debs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %} RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_debs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %}
{%- endif %} {%- endif %}
RUN apt-get install -y libzmq3-dev
{% if docker_sonic_vs_pydebs.strip() -%} {% if docker_sonic_vs_pydebs.strip() -%}
# Copy locally-built Debian package dependencies # Copy locally-built Debian package dependencies
COPY {%- for deb in docker_sonic_vs_pydebs.split(' ') %} python-debs/{{ deb }}{%- endfor %} /debs/ COPY {%- for deb in docker_sonic_vs_pydebs.split(' ') %} python-debs/{{ deb }}{%- endfor %} /debs/

View File

@ -1,13 +1,13 @@
# fips packages # fips packages
FIPS_VERSION = 0.9 FIPS_VERSION = 0.11
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
FIPS_PYTHON_MAIN_VERSION = 3.9 FIPS_PYTHON_MAIN_VERSION = 3.9
FIPS_PYTHON_VERSION = 3.9.2-1+fips FIPS_PYTHON_VERSION = 3.9.2-1+fips
FIPS_GOLANG_MAIN_VERSION = 1.15 FIPS_GOLANG_MAIN_VERSION = 1.15
FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
FIPS_KRB5_VERSION = 1.18.3-6+deb11u1+fips FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH) FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)
SYMCRYPT_OPENSSL_NAME = symcrypt-openssl SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
@ -40,7 +40,15 @@ FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_
FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC) FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)
FIPS_KRB5 = libk5crypto3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb FIPS_KRB5 = libk5crypto3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_ALL = $(FIPS_KRB5) FIPS_KRB5_SUPPORT0 = libkrb5support0_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_3 = libkrb5-3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBGSSAPI = libgssapi-krb5-2_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBKADM5CLNT = libkadm5clnt-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBKADM5SRV = libkadm5srv-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_LIBGSSRPC4 = libgssrpc4_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_MULTIDEV = krb5-multidev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_DEV = libkrb5-dev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
FIPS_KRB5_ALL = $(FIPS_KRB5) $(FIPS_KRB5_SUPPORT0) $(FIPS_KRB5_3) $(FIPS_KRB5_LIBGSSAPI) $(FIPS_KRB5_LIBKADM5CLNT) $(FIPS_KRB5_LIBKADM5SRV) $(FIPS_KRB5_LIBGSSRPC4) $(FIPS_KRB5_MULTIDEV) $(FIPS_KRB5_DEV)
FIPS_DERIVED_TARGET = $(FIPS_OPENSSL_ALL) $(FIPS_OPENSSH_ALL) $(FIPS_GOLANG_ALL) $(FIPS_PYTHON_ALL) $(FIPS_KRB5_ALL) FIPS_DERIVED_TARGET = $(FIPS_OPENSSL_ALL) $(FIPS_OPENSSH_ALL) $(FIPS_GOLANG_ALL) $(FIPS_PYTHON_ALL) $(FIPS_KRB5_ALL)
FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET) FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)

View File

@ -474,8 +474,8 @@ RUN apt-get install -y kernel-wedge
# For gobgp and telemetry build # For gobgp and telemetry build
RUN apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go RUN apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
{%- if ENABLE_FIPS_FEATURE == "y" %} {%- if ENABLE_FIPS_FEATURE == "y" %}
RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \ RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \ && wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
&& dpkg -i golang-go.deb golang-src.deb \ && dpkg -i golang-go.deb golang-src.deb \
&& ln -sf /usr/lib/go-1.15 /usr/local/go \ && ln -sf /usr/lib/go-1.15 /usr/local/go \
&& rm golang-go.deb golang-src.deb && rm golang-go.deb golang-src.deb