FIPS 140-2 compliant Kernel

Bug #1640235 reported by Luke Hinds
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| tripleo | Expired | Undecided | Unassigned | |

Bug Description

Operators are often required to run a FIPS 140-2 compliant kernel that is needed for AES-NI crypto operations.

This requires some new packages, including dracut-fips and dracut-fips-aesni, and a new additional argument passed to grub: `fips=1`.

Full manual steps are outlined here: https://lukehinds.github.io/static/fips-kernel.html

It is expected that this will be achieved using tripleo-heat-templates, puppet-modules, although some steps may require cross-project work with diskimage-builder.
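
A check for the items this description names (the two dracut packages and the `fips=1` argument) plus the kernel's own `/proc/sys/crypto/fips_enabled` flag, as an added example that is not part of the original report or of TripleO. The function names, state labels and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a node's FIPS state from three inputs passed as
# strings, so the logic can be exercised on constructed samples offline.

# Return 0 only if "fips=1" appears as a whole token on the kernel command
# line (so "fips=10" or "nofips=1" do not match).
cmdline_has_fips() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
    esac
    return 1
}

# Print each required package absent from the newline-separated list in $1.
missing_fips_packages() {
    for pkg in dracut-fips dracut-fips-aesni; do
        printf '%s\n' "$1" | grep -qxF "$pkg" || printf '%s\n' "$pkg"
    done
}

# $1 = running kernel command line, $2 = contents of fips_enabled (empty if
# the file is absent), $3 = installed package names, one per line.
fips_state() {
    missing=$(missing_fips_packages "$3")
    if [ -n "$missing" ]; then
        echo "missing-packages: $(echo $missing | tr ' ' ',')"
    elif ! cmdline_has_fips "$1"; then
        echo "not-requested"            # fips=1 not on the running cmdline
    elif [ "$2" != "1" ]; then
        echo "requested-but-inactive"   # fips=1 passed, kernel does not report FIPS mode
    else
        echo "enabled"
    fi
}

# Constructed sample values; on a real node, gather them with the commands
# shown in the trailing comments.
sample_cmdline='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro fips=1'  # cat /proc/cmdline
sample_flag='1'                          # cat /proc/sys/crypto/fips_enabled
sample_pkgs='kernel
dracut-fips
dracut-fips-aesni'                       # rpm -qa --qf '%{NAME}\n'

fips_state "$sample_cmdline" "$sample_flag" "$sample_pkgs"
```

Because `/proc/cmdline` reflects the running kernel, a node whose grub configuration was edited but which has not yet booted with the new arguments reports `not-requested`.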

Luke Hinds (lhinds)
Changed in tripleo:
importance: Undecided → High
Steven Hardy (shardy) wrote :

I think the steps for TripleO may look a little different, e.g. we want the changes to files to happen inside the image, then we want Ironic to deploy the required kernel (ideally we really don't want to install a new kernel and reboot after the initial deploy, as this can be really slow on some bare-metal platforms).

Changed in tripleo:
status: New → Triaged
Luke Hinds (lhinds)
Changed in tripleo:
assignee: nobody → Luke Hinds (lhinds)
Changed in tripleo:
assignee: Luke Hinds (lhinds) → Yolanda Robla (yolanda.robla)
Yolanda Robla (yolanda.robla) wrote :

It is blocked because OpenStack does not work with FIPS enabled.

Changed in tripleo:
status: Triaged → In Progress
Yolanda Robla (yolanda.robla) wrote :
Luke Hinds (lhinds)
Changed in tripleo:
milestone: ocata-3 → none
Emilien Macchi (emilienm) wrote :

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in tripleo:
status: In Progress → Triaged
assignee: Yolanda Robla (yolanda.robla) → nobody
Alex Schultz (alex-schultz) wrote :

I've set https://bugs.launchpad.net/tripleo/+bug/1641556 to incomplete as we've upgraded to puppet 4.8.2 which is what seemed to be the last problem. Is this bug still blocked?

Emilien Macchi (emilienm) wrote : Cleanup EOL bug report

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which lead to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
  Only still supported release names are valid (FUTURE, PIKE, QUEENS, ROCKY, STEIN).
  Valid example: CONFIRMED FOR: FUTURE

Changed in tripleo:
importance: High → Undecided
status: Triaged → Expired