search

sonic-net / sonic-fips

SONiC FIPS module
Other
0 stars 9 forks source link

readme

sonic-fips builds:

main build

SONiC: Software for Open Networking in the Cloud

sonic-fips

Support Federal Information Processing Standards (FIPS) for SONiC

To Build

  1. Setup build env

    It can be built in the docker container of the image debian:bullseye. To install the build tools, you can simply copy and run the installing script.

  2. Show build targets

    $ make list
target/python3.9_3.9.2-1+fips_amd64.deb
target/openssh-server_8.4p1-5+deb11u1+fips_amd64.deb
target/openssl_1.1.1n-0+deb11u3+fips_amd64.deb
target/symcrypt-openssl_0.3_amd64.deb
target/golang-1.15_1.15.15-1~deb11u4+fips_all.deb
target/libk5crypto3_1.18.3-6+deb11u1+fips_amd64.deb

  3. Build

    Make a target as list in step 2

    make target/symcrypt-openssl_0.3_amd64.deb
make target/openssl_1.1.1n-0+deb11u3+fips_amd64.deb

    To build the symcrypt debian packages and openssl packages, it can be simplified to:

    make symcrypt
make openssl

    To make all targets:

    make all

    To test

  4. Setup kvm env

    wget 'https://sonic-build.azurewebsites.net/api/sonic/artifacts?branchName=master&platform=vs&target=target%2Fsonic-vs.img.gz' -O sonic-vs.img.gz
gunzip sonic-vs.img.gz
virt-install \
--name test01 \
--ram 4096 \
--disk path=/projects/test/test-kvm-3/sonic-vs.img \
--vcpus 2 \
--os-type linux \
--os-variant debian11 \
--network bridge=virbr0 \
--graphics vnc,port=5900,listen=0.0.0.0 \
--console pty,target_type=serial \
--force --debug --boot hd
virsh console test01

  5. Download the fips packages

    Skip the step if you want to use you own build packages.

    wget 'https://sonic-build.azurewebsites.net/api/sonic/artifacts?branchName=main&definitionId=412&artifactName=fips-symcrypt-amd64&format=zip&target=/' -O target.zip
unzip target.zip

    You can list all the artifacts: https://sonic-build.azurewebsites.net/ui/sonic/pipelines/412/builds?branchName=main

  6. Install the fips packages

    sudo dpkg -i symcyprt*.deb
sudo dpkg -i libssl*.deb
sudo dpkg -i openssl*.deb

  7. Enable FIPS in kvm

    admin@sonic:~$ sudo sonic-installer set-fips --enable-fips
Done
Set FIPS for the image successfully

    Reboot is requried if the fip option changed. You can verify if the symcrypt engine enabled.

    admin@sonic:~$ openssl engine -vv | grep symcrypt
(symcrypt) SCOSSL (SymCrypt engine for OpenSSL)
admin@sonic:~$