Details
-
Feature
-
Resolution: Done
-
Critical
-
None
-
False
-
-
False
-
-
100
-
100%
-
0
-
0
-
Program Call
Description
Feature Overview (aka. Goal Summary)
Ensure MicroShift is compliant with FIPS 140-3
Goals (aka. expected user outcomes)
MicroShift is a layered/derived product based on RHEL 9.x and OpenShift V4.x - both base products are either FIPS certified already, or in the process of (see linked JIRAs).
RHEL 9.0/9.2 are currently in the FIPS certification process. The goal of this feature is that on the day RHEL certification is completed, we can claim the MicroShift is FIPS compliant, because it is using only those certified crypto libs.
The goal of this feature is to determine and complete the necessary work so that MicroShift can be sold / used to/by US Public Sector accounts as FIPS 140-3 validated cryptographic modules in order to meet legal requirements for deploying IT solutions.
Requirements (aka. Acceptance Criteria):
MicroShift can be installed and operated in a way that only FIPS compliant crypto libraries are used.
Questions to Answer (Optional):
What needs to be actually done on MicroShift side? e.g. add a config switch "fips_enabled=true", or can we inherit this from the OS?
How can we test/validate e.g. workload containers are also running in fips enabled mode?
Out of Scope
The actual FIPS crypt libraries certification is done by RHEL.
Background
Helpful links:
- FIPS checks for OCP
- FIPS Compliant Compilation
- https://gitlab.cee.redhat.com/cpaas-midstream/osc-operator/-/blob/osc-1.5-rhel-9/distgit/containers/osc-cloud-api-adaptor/Dockerfile.in
- General FAQ for OpenShift and FIPS compliance
- CVE-2023-3089 Information
- https://gitlab.cee.redhat.com/istio/cpaas/containers-midstream/-/blob/rhossm-2.4-rhel-8/distgit/containers/openshift-istio-operator/Dockerfile.in#L6
Customer Considerations
After refinement, we should validate with NAPS customers to ensure that our plans suit their needs.
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. Initial completion during Refinement status.
Provide documenation how to install and operator MicroShift in FIPS compliant way. Can point to RHEL docs for OS installation, then add whatever is necessary for MicroShift
Interoperability Considerations
Which other projects and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.
Attachments
Issue Links
- depends on
-
-
- New
-
-
-
- Closed
-
- is related to
-
OCPSTRAT-853 Address remaining items required for OCP & layered products FIPS compliance
-
- New
-
- relates to
-
-
- Closed
-
