The FIPS enabled environment for developers #601
Comments
@junaruga Can we mix FIPS mode and normal(?) mode in one VM instance?
@hsbt This is a good point! We can save the infra resource if we can run both FIPS mode and non-FIPS mode on one VM instance. I am not sure about it. Let me confirm it with my colleagues who know more about it. I will let you know here. Thanks!
@hsbt I asked my colleagues, collected the info from them, and I also experimented with some things myself. However, I couldn't find a way to mix FIPS mode and non-FIPS mode (we can call it "normal" mode) without rebooting the OS in our case. The reason is that below are the actual steps to switch the system to FIPS mode, written in the RHEL 9 document - 3.4. Switching the system to FIPS mode.
And if you see the
In my testing RHEL 9.1 environment with FIPS mode enabled, I see the
Here is the command to see the currently running kernel and the installed kernel packages.
Switching the system to FIPS or non-FIPS mode
When we cannot mix FIPS and non-FIPS mode in one state in our case, we may be able to switch when we want to. You can see the following options in the manual of the
MAYBE the process to switch the system to non-FIPS mode again is below. But note the
According to the
Or we may just be able to back up the RHEL 9 non-FIPS (normal) mode VM instance image.
Changing the VM instance to a smaller one
If we still want to keep both the RHEL 9 FIPS mode and non-FIPS mode instances, but we want to save the infra cost, perhaps we may be able to think about changing the VM instance size to a smaller and cheaper one.
Oh wait! I just got new information from one of my colleagues! Perhaps this makes it possible to mix both FIPS and non-FIPS without rebooting the OS in our case!
I don't find a way to mix FIPS and non-FIPS mode, for example at the process level. However, I was told that OpenSSL only depends on the content of the
I was able to enable/disable the part of FIPS mode that is needed to test with OpenSSL temporarily, without rebooting the OS! Here is the repository.
@rhenium, can you access the Linux servers used in Ruby CI by SSH? If you don't know about it, you can ask on the maintainers' Slack.
Note: I see that my script above only works on RHEL 9 in my testing. I am testing it on Fedora 37. But I see one issue, and it doesn't work on Fedora 37. (junaruga/fips-mode-user-space#4) I also checked it on Ubuntu 22.10. Ubuntu doesn't even have the
OpenSSL maintainers, I was able to disable/enable the kernel FIPS flag by using my script on the RHEL 9.1 server used in Ruby CI, and I was able to reproduce the error #603 on the environment with the kernel FIPS flag enabled. Below are the steps to work on the RHEL 9 server with kernel FIPS mode enabled.
Steps to work with FIPS mode enabled.
Log in to the RHEL 9 server by SSH.
Comment out the command running the test in the CI user's crontab.
Run the
Check the current environment.
Enable the kernel FIPS flag.
Work (debug, test, etc.) on the environment.
Disable (undo) the kernel FIPS mode flag again.
Restore the command running the test in the CI user's crontab.
That's all.
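The "check the current environment" step above is where a tester decides whether a failure is FIPS-specific at all. The following Ruby helper is an added example for that step; it is not the script from the repository linked in this thread and not part of ruby/openssl. It reads the kernel FIPS flag from /proc/sys/crypto/fips_enabled, the standard Linux sysctl path (the issue text does not name the file, so treating it as the flag the thread toggles is an assumption), and compares it with what the linked OpenSSL library reports through OpenSSL.fips_mode, the ruby/openssl API that test/openssl/test_fips.rb exercises. The two views can disagree: on RHEL the distribution's OpenSSL follows the kernel flag, as described in this thread, whereas upstream OpenSSL never reads it, so a mismatch is the first thing to report alongside a suspected FIPS-specific bug. A missing flag file (the Ubuntu case mentioned above) is reported as :absent rather than as "disabled".

```ruby
require "openssl"

# Standard Linux sysctl path of the kernel FIPS flag ("1" when the kernel
# booted in FIPS mode). Assumed to be the flag this thread toggles; the issue
# text itself does not name the file.
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled".freeze

# Reads the kernel flag and classifies it. :absent covers a distribution that
# does not expose the flag at all and any read error, so a caller never
# mistakes "unknown" for "disabled".
def kernel_fips_state(path = KERNEL_FIPS_FLAG)
  return :absent unless File.file?(path)

  File.read(path).strip == "1" ? :enabled : :disabled
rescue SystemCallError
  :absent
end

# What the OpenSSL library linked into this Ruby reports for itself.
def openssl_fips_state
  OpenSSL.fips_mode ? :enabled : :disabled
end

# Combines both views. FIPS-specific tests should follow the library's own
# state, because that is what the cipher and digest behaviour depends on;
# the kernel flag is recorded so a mismatch is visible in the report.
def fips_report(kernel: kernel_fips_state, openssl: openssl_fips_state)
  diagnosis =
    case [kernel, openssl]
    when [:enabled, :enabled]
      "FIPS environment: run the FIPS-specific tests"
    when [:enabled, :disabled]
      "kernel flag set but OpenSSL is not in FIPS mode: check the library's FIPS configuration"
    when [:disabled, :enabled]
      "OpenSSL in FIPS mode without the kernel flag: FIPS was enabled at the library level"
    when [:absent, :enabled]
      "OpenSSL in FIPS mode; this kernel exposes no FIPS flag"
    else
      "non-FIPS environment: FIPS-specific tests should be skipped"
    end

  { kernel: kernel, openssl: openssl, fips_tests: openssl == :enabled, diagnosis: diagnosis }
end

# Guard for a test suite: true only when the library itself is in FIPS mode.
def fips_tests_enabled?(report = fips_report)
  report[:fips_tests]
end

if $PROGRAM_NAME == __FILE__
  report = fips_report
  puts "kernel flag:  #{report[:kernel]}"
  puts "OpenSSL:      #{report[:openssl]}"
  puts report[:diagnosis]
end
```

Run it once before and once after toggling the flag; the two reports, pasted into a bug report, tell a maintainer without FIPS hardware which of the two states the failure belongs to.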
I would close this ticket, as we can provide the FIPS mode enabled environment in the Ruby project. Let me know when you have questions. Thanks.
Very good news! You don't even run the script
This comes from a Fedora stream line specific patch. But I cannot reproduce it on Fedora. I am not sure why.
I was able to create the FIPS mode enabled environment from the source-built OpenSSL. See #608.
Dear maintainers, we found a FIPS mode specific issue for ruby/openssl on RHEL 9, and I am thinking about how to report it. Do you have FIPS mode enabled Linux machines to test on? I can see the FIPS mode specific logic in the files below.
ext/openssl/ossl.c
test/openssl/test_fips.rb
As a reference, below is how to enable FIPS mode for RHEL and Ubuntu.
Fedora (It's not an official document. I just found it.) It seems the document is old.