RHEL-48590

Change update-crypto-policies to detect bootc


    • crypto-policies-20241126-1.gitd63f008.el10
    • None
    • Low
    • 2
    • rhel-security-crypto
    • ssg_security
    • 1
    • False
    • False
    • No
    • Crypto24Q3, Crypto24Q4
    • AC1) There is no warning printed out when switching policy to FIPS on bootc system
    • Pass
    • Not Needed
    • Manual
    • Release Note Not Required
    • None

      Split out of RHELBU-2798

      In a nutshell, because the goal for RHEL10 is to get away from fips-mode-setup, we need to support explicitly invoking `update-crypto-policies --set=FIPS`, as that's what we'll be guiding customers to do as part of a container build.

      A few options:

      • Add `update-crypto-policies --set=FIPS --ack-fips-karg-is-set` (bikeshed naming) where the admin just acks the need for a separate karg
      • Teach `update-crypto-policies` to detect a bootc container and not emit the warning

      Of these I kind of like the former the most, as it works in other image build environments too.

              asosedki@redhat.com Alexander Sosedkin
              walters@redhat.com Colin Walters
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris