linux-system-roles / storage

Ansible role for linux storage management
https://linux-system-roles.github.io/storage/
MIT License

test: enable FIPS testing; configurable LUKS cipher #361

Closed richm closed 1 year ago

richm commented 1 year ago

Can test with FIPS by setting the environment variable SYSTEM_ROLES_TEST_FIPS=true before running the LUKS tests. Can set the LUKS cipher with SYSTEM_ROLES_LUKS_CIPHER - the default is aes-xts-plain64.

Signed-off-by: Rich Megginson rmeggins@redhat.com

codecov[bot] commented 1 year ago

Codecov Report

Patch and project coverage have no change.

Comparison is base (bdb5b3d) 13.90% compared to head (8d5eea3) 13.90%.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #361   +/-   ##
=======================================
  Coverage   13.90%   13.90%
=======================================
  Files           8        8
  Lines        1705     1705
  Branches       71       71
=======================================
  Hits          237      237
  Misses       1468     1468
```

| Flag | Coverage Δ | |
|---|---|---|
| sanity | `16.54% <ø> (ø)` | |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=linux-system-roles#carryforward-flags-in-the-pull-request-comment) to find out more.


richm commented 1 year ago

@vojtechtrefny I could not get rhel7 to work in FIPS mode - I got this error from blivet:

```
Failed to commit changes to disk: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
```

Not sure if it is due to using aes-xts-plain64, but that works fine with FIPS in rhel 8 and 9 and fedora, and works fine without FIPS on all platforms.

richm commented 1 year ago

[citest]

vojtechtrefny commented 1 year ago

This is actually not related to LUKS. Full traceback looks like this:

```
  File "/usr/lib/python2.7/site-packages/blivet3/formats/fs.py", line 488, in system_mountpoint
    getattr(self, "subvolspec", None))[-1]
  File "/usr/lib/python2.7/site-packages/blivet3/mounts.py", line 109, in get_mountpoints
    self._cache_check()
  File "/usr/lib/python2.7/site-packages/blivet3/mounts.py", line 171, in _cache_check
    md5hash = util.md5_file("/proc/mounts")
  File "/usr/lib/python2.7/site-packages/blivet3/util.py", line 567, in md5_file
    md5 = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
```

MD5 is not available in FIPS mode and we used to use hashlib.md5 in blivet, we fixed this a few years ago (see https://github.com/storaged-project/blivet/pull/825), but the fix is available only in blivet 3.1.7 and newer and we have only 3.1.3 in RHEL 7.
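The failure mode in the traceback above, digesting /proc/mounts with MD5 just to notice when it changed, and a FIPS-safe way to do the same change detection, as an added example (not blivet's or the storage role's code; `fips_enabled`, `legacy_md5_file`, `MountsCache` and the sample mounts file are constructed for illustration, and the example does not claim to be the fix blivet shipped):

```python
import hashlib
import tempfile

def fips_enabled(flag="/proc/sys/crypto/fips_enabled"):
    """True when the kernel reports FIPS mode (the flag file contains '1')."""
    try:
        return open(flag).read().strip() == "1"
    except OSError:
        return False

def legacy_md5_file(path):
    """The pattern that broke in blivet 3.1.3; under FIPS hashlib.md5() raises."""
    try:
        h = hashlib.md5()
    except ValueError:  # error:...:EVP_DigestInit_ex:disabled for fips
        return None  # let the caller fall back instead of crashing
    with open(path, "rb") as f:
        h.update(f.read())
    return h.hexdigest()

def digest_file(path, algorithm="sha256"):
    """FIPS-safe digest for change detection; SHA-256 is FIPS-approved."""
    with open(path, "rb") as f:
        return hashlib.new(algorithm, f.read()).hexdigest()

class MountsCache:
    """Mimics blivet's _cache_check: re-read mounts only when the digest changes."""
    def __init__(self, mounts_path="/proc/mounts"):
        self.mounts_path, self.digest, self.entries = mounts_path, None, []

    def cache_check(self):
        new = digest_file(self.mounts_path)
        if new == self.digest:
            return False
        self.digest = new
        with open(self.mounts_path) as f:
            self.entries = [line.split()[:2] for line in f if line.strip()]
        return True

def demo():
    """Constructed sample (not a real /proc/mounts): a mounts file that gains a LUKS mapping."""
    path = tempfile.mkdtemp() + "/mounts"
    with open(path, "w") as f:
        f.write("/dev/sda1 / xfs rw 0 0\n")
    cache = MountsCache(path)
    first, second = cache.cache_check(), cache.cache_check()
    with open(path, "a") as f:
        f.write("/dev/mapper/luks-test /mnt/test ext4 rw 0 0\n")
    return first, second, cache.cache_check(), len(cache.entries)
```

On a FIPS-enabled host `legacy_md5_file` returns None while `digest_file` and `MountsCache` keep working; `demo()` returns `(True, False, True, 2)` either way.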

richm commented 1 year ago

> This is actually not related to LUKS. Full traceback looks like this:
>
> ```
>   File "/usr/lib/python2.7/site-packages/blivet3/formats/fs.py", line 488, in system_mountpoint
>     getattr(self, "subvolspec", None))[-1]
>   File "/usr/lib/python2.7/site-packages/blivet3/mounts.py", line 109, in get_mountpoints
>     self._cache_check()
>   File "/usr/lib/python2.7/site-packages/blivet3/mounts.py", line 171, in _cache_check
>     md5hash = util.md5_file("/proc/mounts")
>   File "/usr/lib/python2.7/site-packages/blivet3/util.py", line 567, in md5_file
>     md5 = hashlib.md5()
> ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
> ```
>
> MD5 is not available in FIPS mode and we used to use hashlib.md5 in blivet, we fixed this a few years ago (see storaged-project/blivet#825), but the fix is available only in blivet 3.1.7 and newer and we have only 3.1.3 in RHEL 7.

ok - then is this proposed fix ok?