diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml
index 414944d0ae6..bb6490d7dbd 100644
--- a/.pipelines/.vsts-vhd-builder-release.yaml
+++ b/.pipelines/.vsts-vhd-builder-release.yaml
@@ -141,6 +141,14 @@ parameters:
 displayName: Build Azure Container Linux ARM64 TL Gen2
 type: boolean
 default: true
+ - name: buildaclfipstlgen2
+ displayName: Build Azure Container Linux FIPS TL Gen2
+ type: boolean
+ default: true
+ - name: buildaclarm64fipstlgen2
+ displayName: Build Azure Container Linux ARM64 FIPS TL Gen2
+ type: boolean
+ default: true
 variables:
 - name: MODE
@@ -904,6 +912,56 @@ stages:
 useOverrides: ${{ parameters.useOverrides }}
 overrideBranch: ${{ parameters.overrideBranch }}
 artifactName: acl-arm64-tl-gen2
+ - job: buildaclfipstlgen2
+ condition: eq('${{ parameters.buildaclfipstlgen2 }}', true)
+ dependsOn: [ ]
+ timeoutInMinutes: 360
+ steps:
+ - bash: |
+ echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+ echo '##vso[task.setvariable variable=OS_VERSION]acl'
+ echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+ echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+ echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+ echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+ echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
+ echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+ echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64'
+ echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+ echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+ echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+ displayName: Setup Build Variables
+ - template: ./templates/.builder-release-template.yaml
+ parameters:
+ useOverrides: ${{ parameters.useOverrides }}
+ overrideBranch: ${{ parameters.overrideBranch }}
+ artifactName: acl-fips-tl-gen2
+ - job: buildaclarm64fipstlgen2
+ condition: eq('${{ parameters.buildaclarm64fipstlgen2 }}', true)
+ dependsOn: [ ]
+ timeoutInMinutes: 360
+ steps:
+ - bash: |
+ echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+ echo '##vso[task.setvariable variable=OS_VERSION]acl'
+ echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+ echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+ echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+ echo '##vso[task.setvariable
variable=HYPERV_GENERATION]V2'
+ echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
+ echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+ echo '##vso[task.setvariable variable=ARCHITECTURE]ARM64'
+ echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+ echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+ echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+ displayName: Setup Build Variables
+ - template: ./templates/.builder-release-template.yaml
+ parameters:
+ useOverrides: ${{ parameters.useOverrides }}
+ overrideBranch: ${{ parameters.overrideBranch }}
+ artifactName: acl-arm64-fips-tl-gen2
 - job: build2404arm64gb200gen2containerd
 condition: eq('${{ parameters.build2404arm64gb200gen2containerd }}', true)
 dependsOn: [ ]
diff --git a/.pipelines/.vsts-vhd-builder.yaml b/.pipelines/.vsts-vhd-builder.yaml
index 51665652bdd..535c39ca8e3 100644
--- a/.pipelines/.vsts-vhd-builder.yaml
+++ b/.pipelines/.vsts-vhd-builder.yaml
@@ -247,6 +247,50 @@ stages:
 parameters:
 artifactName: acl-arm64-tl-gen2
+ - job: buildaclfipstlgen2
+ timeoutInMinutes: 360
+ steps:
+ - bash: |
+ echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+ echo '##vso[task.setvariable variable=OS_VERSION]acl'
+ echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+ echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+ echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+ echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+ echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
+ echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+ echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64'
+ echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+ echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+ echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+ displayName: Setup Build Variables
+ - template: ./templates/.builder-release-template.yaml
+ parameters:
+ artifactName: acl-fips-tl-gen2
+
+ - job: buildaclarm64fipstlgen2
+ timeoutInMinutes: 360
+ steps:
+ - bash: |
+ echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+ echo '##vso[task.setvariable variable=OS_VERSION]acl'
+ echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
+ echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
+ echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260506.01'
+ echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+ echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
+ echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+ echo '##vso[task.setvariable variable=ARCHITECTURE]ARM64'
+ echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+ echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+ echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+ displayName: Setup Build Variables
+ - template: ./templates/.builder-release-template.yaml
+ parameters:
+ artifactName: acl-arm64-fips-tl-gen2
+
 - stage: e2e
 dependsOn: build
 condition: and(succeeded(), ne(variables.SKIP_E2E_TESTS, 'true'))
diff --git a/e2e/config/vhd.go b/e2e/config/vhd.go
index f23b1430a0f..621f2f82287 100644
--- a/e2e/config/vhd.go
+++ b/e2e/config/vhd.go
@@ -238,6 +238,32 @@ var (
 OSDiskSizeGB: 60,
 }
+ VHDACLGen2FIPSTL = &Image{
+ Name: "aclgen2fipsTL",
+ OS: OSACL,
+ Arch: "amd64",
+ Distro: datamodel.AKSACLGen2FIPSTL,
+ Gallery: imageGalleryLinux,
+ Flatcar: true,
+ OSDiskSizeGB: 60,
+ UnsupportedLocalDns: true,
+ // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+ UnsupportedSecureTLSBootstrapping: true,
+ }
+
+ VHDACLArm64Gen2FIPSTL = &Image{
+ Name: "aclgen2arm64fipsTL",
+ OS: OSACL,
+ Arch: "arm64",
+ Distro: datamodel.AKSACLArm64Gen2FIPSTL,
+ Gallery: imageGalleryLinux,
+ Flatcar: true,
+ OSDiskSizeGB: 60,
+ UnsupportedLocalDns: true,
+ // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+ UnsupportedSecureTLSBootstrapping: true,
+ }
+
 VHDWindows2022Containerd = &Image{
 Name: "windows-2022-containerd",
 OS: "windows",
diff --git a/e2e/scenario_test.go b/e2e/scenario_test.go
index 66f0514535f..1ff774cf356 100644
--- a/e2e/scenario_test.go
+++ b/e2e/scenario_test.go
@@ -243,6 +243,28 @@ func Test_ACL_ARM64(t *testing.T) {
 })
 }
+func Test_ACLGen2FIPSTL(t *testing.T) {
+ RunScenario(t, &Scenario{
+ Description: "Tests that a node using the ACL FIPS TrustedLaunch Gen2 VHD can be properly bootstrapped and FIPS is active at runtime",
+ Config: Config{
+ Cluster: ClusterKubenet,
+ VHD: config.VHDACLGen2FIPSTL,
+ BootstrapConfigMutator: func(_ *Cluster, nbc *datamodel.NodeBootstrappingConfiguration) {
+ // LocalDNS isn't currently supported on FIPS-enabled VHDs; mirror Test_AzureLinux3OSGuard.
+ nbc.AgentPoolProfile.LocalDNSProfile = nil
+ },
+ VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+ vmss.Properties = addTrustedLaunchToVMSS(vmss.Properties)
+ },
+ Validator: func(ctx context.Context, s *Scenario) {
+ ValidateFileHasContent(ctx, s, "/etc/os-release", "ID=azurelinux")
+ ValidateFileHasContent(ctx, s, "/etc/os-release", "VARIANT_ID=azurecontainerlinux")
+ ValidateACLFIPSEnabled(ctx, s)
+ },
+ },
+ })
+}
+
 func Test_ACL_Scriptless(t *testing.T) {
 RunScenario(t, &Scenario{
 Description: "Tests that a node using ACL and the self-contained installer can be properly bootstrapped",
diff --git a/e2e/validators.go b/e2e/validators.go
index 6fdddb5ab9b..96597ada092 100644
--- a/e2e/validators.go
+++ b/e2e/validators.go
@@ -486,6 +486,18 @@ func ValidateFileExists(ctx context.Context, s *Scenario, fileName string) {
 }
 }
+func ValidateACLFIPSEnabled(ctx context.Context, s *Scenario) {
+ s.T.Helper()
+ ValidateFileExists(ctx, s, "/etc/system-fips")
+ execScriptOnVMForScenarioValidateExitCode(
+ ctx,
+ s,
+ `test "$(cat /proc/sys/crypto/fips_enabled)" = "1"`,
+ 0,
+ "expected /proc/sys/crypto/fips_enabled to be 1",
+ )
+}
+
 func ValidateFileDoesNotExist(ctx context.Context, s *Scenario, fileName string) {
 s.T.Helper()
 if fileExist(ctx, s, fileName) {
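Review bot: Only the amd64 image is exercised here: Test_ACLGen2FIPSTL pins `VHD: config.VHDACLGen2FIPSTL`, while VHDACLArm64Gen2FIPSTL, which this commit also adds in e2e/config/vhd.go, has no scenario in this hunk, so the arm64 FIPS path (its own kernel and UKI addon) goes unverified unless a test exists elsewhere. A sibling test mirroring this one with `VHD: config.VHDACLArm64Gen2FIPSTL`, using whatever arm64-capable cluster the existing Test_ACL_ARM64 uses, would close that gap. The Validator's runtime check goes through ValidateACLFIPSEnabled, which checks the kernel sysctl rather than only the marker file — that is the right minimum for a "FIPS is active at runtime" claim.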
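Review bot: ValidateACLFIPSEnabled is exported but carries no doc comment, unlike a Go exported function should; `// ValidateACLFIPSEnabled asserts that the ACL FIPS marker /etc/system-fips exists on the node and that the kernel reports /proc/sys/crypto/fips_enabled as 1.` would do. Verifying the sysctl in addition to the marker is the important part, because installFIPS in this same commit creates /etc/system-fips unconditionally after copying the addon, so the marker alone does not prove the addon took effect at boot. Optionally, include the observed sysctl value in the failure message to speed up triage, e.g. `"expected /proc/sys/crypto/fips_enabled to be 1, got $(cat /proc/sys/crypto/fips_enabled)"` emitted from the script itself.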
@@ -2788,7 +2800,7 @@ func ValidateCollectWindowsLogsScript(ctx context.Context, s *Scenario) {
 func ValidateVulnerableKernelModulesDisabled(ctx context.Context, s *Scenario) {
 s.T.Helper()
- if s.VHD.Flatcar {
+ if s.VHD.Flatcar && s.VHD.OS != config.OSACL {
 s.T.Log("Skipping vulnerable kernel module validation: not applicable for Flatcar")
 return
 }
diff --git a/pkg/agent/bakerapi_test.go b/pkg/agent/bakerapi_test.go
index 5b3f7203201..b7a13cc306a 100644
--- a/pkg/agent/bakerapi_test.go
+++ b/pkg/agent/bakerapi_test.go
@@ -365,6 +365,8 @@ var _ = Describe("AgentBaker API implementation tests", func() {
 aclDistros = []datamodel.Distro{
 datamodel.AKSACLGen2TL,
 datamodel.AKSACLArm64Gen2TL,
+ datamodel.AKSACLGen2FIPSTL,
+ datamodel.AKSACLArm64Gen2FIPSTL,
 }
 allLinuxDistros = append(allLinuxDistros, ubuntuDistros...)
diff --git a/pkg/agent/datamodel/sig_config.go b/pkg/agent/datamodel/sig_config.go
index 00c629b589b..ffdc3632d15 100644
--- a/pkg/agent/datamodel/sig_config.go
+++ b/pkg/agent/datamodel/sig_config.go
@@ -119,6 +119,8 @@ var AvailableContainerdDistros = []Distro{
 AKSFlatcarArm64Gen2,
 AKSACLGen2TL,
 AKSACLArm64Gen2TL,
+ AKSACLGen2FIPSTL,
+ AKSACLArm64Gen2FIPSTL,
 AKSCBLMarinerV1,
 AKSCBLMarinerV2,
 AKSAzureLinuxV2,
@@ -182,6 +184,8 @@ var AvailableGen2Distros = []Distro{
 AKSFlatcarArm64Gen2,
 AKSACLGen2TL,
 AKSACLArm64Gen2TL,
+ AKSACLGen2FIPSTL,
+ AKSACLArm64Gen2FIPSTL,
 AKSCBLMarinerV2Gen2,
 AKSAzureLinuxV2Gen2,
 AKSAzureLinuxV3Gen2,
@@ -270,6 +274,8 @@ var AvailableFlatcarDistros = []Distro{
 var AvailableACLDistros = []Distro{
 AKSACLGen2TL,
 AKSACLArm64Gen2TL,
+ AKSACLGen2FIPSTL,
+ AKSACLArm64Gen2FIPSTL,
 }
 // IsContainerdSKU returns true if distro type is containerd-enabled.
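Review bot: The new condition `s.VHD.Flatcar && s.VHD.OS != config.OSACL` carves ACL out of the skip without a comment, even though the ACL images added in e2e/config/vhd.go set `Flatcar: true`, so a reader has to reconcile "Flatcar but not skipped" with the log line that still says the skip is "not applicable for Flatcar". A one-line comment above the `if`, such as `// ACL images set VHD.Flatcar but are validated like other Linux VHDs; skip only upstream Flatcar.`, would record the intent. This also turns the validation on for the pre-existing non-FIPS ACL scenarios, which a FIPS-focused commit does not otherwise mention; worth confirming that is intended and that those images pass. The enclosing function continues past the hunk.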
@@ -763,6 +769,20 @@ var (
 Version: LinuxSIGImageVersion,
 }
+ SIGACLGen2FIPSTLImageConfigTemplate = SigImageConfigTemplate{
+ ResourceGroup: AKSAzureLinuxResourceGroup,
+ Gallery: AKSAzureLinuxGalleryName,
+ Definition: "aclgen2fipsTL",
+ Version: LinuxSIGImageVersion,
+ }
+
+ SIGACLArm64Gen2FIPSTLImageConfigTemplate = SigImageConfigTemplate{
+ ResourceGroup: AKSAzureLinuxResourceGroup,
+ Gallery: AKSAzureLinuxGalleryName,
+ Definition: "aclgen2arm64fipsTL",
+ Version: LinuxSIGImageVersion,
+ }
+
 SIGWindows2019ImageConfigTemplate = SigImageConfigTemplate{
 ResourceGroup: AKSWindowsResourceGroup,
 Gallery: AKSWindowsGalleryName,
@@ -859,7 +879,6 @@ func GetMaintainedLinuxSIGImageConfigMap() map[Distro]SigImageConfig {
 return maintained
 }
-//nolint:dupl // each distro family needs its own map, structural similarity is expected.
 func getSigUbuntuImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distro]SigImageConfig {
 return map[Distro]SigImageConfig{
 AKSUbuntuFipsContainerd2004: SIGUbuntuFipsContainerd2004ImageConfigTemplate.WithOptions(opts...),
@@ -898,7 +917,6 @@ func getSigCBLMarinerImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distr
 }
 }
-//nolint:dupl // each distro family needs its own map, structural similarity is expected.
 func getSigAzureLinuxImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distro]SigImageConfig {
 return map[Distro]SigImageConfig{
 AKSAzureLinuxV2: SIGAzureLinuxV2Gen1ImageConfigTemplate.WithOptions(opts...),
@@ -920,6 +938,8 @@ func getSigAzureLinuxImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distr
 AKSAzureLinuxV3OSGuardGen2FIPSTL: SIGAzureLinuxV3OSGuardGen2FIPSTLImageConfigTemplate.WithOptions(opts...),
 AKSACLGen2TL: SIGACLGen2TLImageConfigTemplate.WithOptions(opts...),
 AKSACLArm64Gen2TL: SIGACLArm64Gen2TLImageConfigTemplate.WithOptions(opts...),
+ AKSACLGen2FIPSTL: SIGACLGen2FIPSTLImageConfigTemplate.WithOptions(opts...),
+ AKSACLArm64Gen2FIPSTL: SIGACLArm64Gen2FIPSTLImageConfigTemplate.WithOptions(opts...),
 }
 }
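Review bot: The `//nolint:dupl` directives on getSigUbuntuImageConfigMapWithOpts and getSigAzureLinuxImageConfigMapWithOpts (hunks at -859 and -898) are removed with no explanation in the hunks; presumably nolintlint flagged them as unused once the two new ACL FIPS entries changed the Azure Linux map enough that dupl stopped matching, but that reason belongs in the commit message, since the directive will be wanted again as soon as the maps drift back into similarity. If the removal is instead deliberate because the lint configuration changed, a short note in the description would avoid the question on the next review. The two template additions at -763 are consistent with the existing SIGACLGen2TL templates (same resource group and gallery; definition names match the SKU names exercised in the builder spec).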
diff --git a/pkg/agent/datamodel/sig_config_test.go b/pkg/agent/datamodel/sig_config_test.go
index 48a686d87da..6a1aa7067fe 100644
--- a/pkg/agent/datamodel/sig_config_test.go
+++ b/pkg/agent/datamodel/sig_config_test.go
@@ -38,6 +38,8 @@ var _ = Describe("GetMaintainedLinuxSIGImageConfigMap", func() {
 AKSFlatcarArm64Gen2: SIGFlatcarArm64Gen2ImageConfigTemplate.WithOptions(),
 AKSACLGen2TL: SIGACLGen2TLImageConfigTemplate.WithOptions(),
 AKSACLArm64Gen2TL: SIGACLArm64Gen2TLImageConfigTemplate.WithOptions(),
+ AKSACLGen2FIPSTL: SIGACLGen2FIPSTLImageConfigTemplate.WithOptions(),
+ AKSACLArm64Gen2FIPSTL: SIGACLArm64Gen2FIPSTLImageConfigTemplate.WithOptions(),
 }
 actual := GetMaintainedLinuxSIGImageConfigMap()
 for distro, config := range expected {
@@ -105,7 +107,7 @@ var _ = Describe("GetSIGAzureCloudSpecConfig", func() {
 Expect(mariner.Definition).To(Equal("V1"))
 Expect(mariner.Version).To(Equal(FrozenCBLMarinerV1SIGImageVersionForDeprecation))
- Expect(len(sigConfig.SigAzureLinuxImageConfig)).To(Equal(19))
+ Expect(len(sigConfig.SigAzureLinuxImageConfig)).To(Equal(21))
 azurelinuxV2 := sigConfig.SigAzureLinuxImageConfig[AKSAzureLinuxV2]
 Expect(azurelinuxV2.ResourceGroup).To(Equal("resourcegroup"))
@@ -386,5 +388,17 @@ var _ = Describe("GetSIGAzureCloudSpecConfig", func() {
 Expect(aclArm64Gen2.Gallery).To(Equal("aksazurelinux"))
 Expect(aclArm64Gen2.Definition).To(Equal("aclgen2arm64TL"))
 Expect(aclArm64Gen2.Version).To(Equal(LinuxSIGImageVersion))
+
+ aclGen2FIPS := sigConfig.SigAzureLinuxImageConfig[AKSACLGen2FIPSTL]
+ Expect(aclGen2FIPS.ResourceGroup).To(Equal("resourcegroup"))
+ Expect(aclGen2FIPS.Gallery).To(Equal("aksazurelinux"))
+ Expect(aclGen2FIPS.Definition).To(Equal("aclgen2fipsTL"))
+ Expect(aclGen2FIPS.Version).To(Equal(LinuxSIGImageVersion))
+
+ aclArm64Gen2FIPS := sigConfig.SigAzureLinuxImageConfig[AKSACLArm64Gen2FIPSTL]
+ Expect(aclArm64Gen2FIPS.ResourceGroup).To(Equal("resourcegroup"))
+ Expect(aclArm64Gen2FIPS.Gallery).To(Equal("aksazurelinux"))
+ Expect(aclArm64Gen2FIPS.Definition).To(Equal("aclgen2arm64fipsTL"))
+ Expect(aclArm64Gen2FIPS.Version).To(Equal(LinuxSIGImageVersion))
 })
 })
diff --git a/pkg/agent/datamodel/types.go b/pkg/agent/datamodel/types.go
index 0b0f633607c..61ef460608b 100644
--- a/pkg/agent/datamodel/types.go
+++ b/pkg/agent/datamodel/types.go
@@ -194,6 +194,8 @@ const (
 AKSFlatcarArm64Gen2 Distro = "aks-flatcar-arm64-gen2"
 AKSACLGen2TL Distro = "aks-acl-gen2-tl"
 AKSACLArm64Gen2TL Distro = "aks-acl-arm64-gen2-tl"
+ AKSACLGen2FIPSTL Distro = "aks-acl-gen2-fips-tl"
+ AKSACLArm64Gen2FIPSTL Distro = "aks-acl-arm64-gen2-fips-tl"
 // Windows string const.
 // AKSWindows2019 stands for distro of windows server 2019 SIG image with docker.
@@ -277,6 +279,8 @@ var AKSDistrosAvailableOnVHD = []Distro{
 AKSFlatcarArm64Gen2,
 AKSACLGen2TL,
 AKSACLArm64Gen2TL,
+ AKSACLGen2FIPSTL,
+ AKSACLArm64Gen2FIPSTL,
 }
 type CustomConfigurationComponent string
diff --git a/pkg/agent/datamodel/types_test.go b/pkg/agent/datamodel/types_test.go
index a0605aabd47..282472ca3ee 100644
--- a/pkg/agent/datamodel/types_test.go
+++ b/pkg/agent/datamodel/types_test.go
@@ -1252,6 +1252,20 @@ func TestAgentPoolProfileIsACL(t *testing.T) {
 },
 expected: true,
 },
+ {
+ name: "ACL FIPS distro",
+ ap: AgentPoolProfile{
+ Distro: AKSACLGen2FIPSTL,
+ },
+ expected: true,
+ },
+ {
+ name: "ACL ARM64 FIPS distro",
+ ap: AgentPoolProfile{
+ Distro: AKSACLArm64Gen2FIPSTL,
+ },
+ expected: true,
+ },
 {
 name: "Flatcar distro is not ACL",
 ap: AgentPoolProfile{
@@ -1411,6 +1425,44 @@ func TestNodeBootstrappingConfigurationIsACL(t *testing.T) {
 },
 expected: true,
 },
+ {
+ name: "ACL FIPS distro without OSSKU",
+ nbc: NodeBootstrappingConfiguration{
+ ContainerService: &ContainerService{
+ Properties: &Properties{
+ AgentPoolProfiles: []*AgentPoolProfile{
+ {
+ Distro: AKSACLGen2FIPSTL,
+ },
+ },
+ },
+ },
+ AgentPoolProfile: &AgentPoolProfile{
+ Distro: AKSACLGen2FIPSTL,
+ },
+ OSSKU: "",
+ },
+ expected: true,
+ },
+ {
+ name: "ACL ARM64 FIPS distro without OSSKU",
+ nbc: NodeBootstrappingConfiguration{
+ ContainerService: &ContainerService{
+ Properties: &Properties{
+ AgentPoolProfiles: []*AgentPoolProfile{
+ {
+ Distro: AKSACLArm64Gen2FIPSTL,
+ },
+ },
+ },
+ },
+ AgentPoolProfile: &AgentPoolProfile{
+ Distro: AKSACLArm64Gen2FIPSTL,
+ },
+ OSSKU: "",
+ },
+ expected: true,
+ },
 {
 name: "ACL OSSKU with custom distro",
 nbc: NodeBootstrappingConfiguration{
diff --git a/spec/vhdbuilder/packer/ensure_sig_image_name_linux_spec.sh b/spec/vhdbuilder/packer/ensure_sig_image_name_linux_spec.sh
index 6dcd5087ab7..01a9e956a6c 100644
--- a/spec/vhdbuilder/packer/ensure_sig_image_name_linux_spec.sh
+++ b/spec/vhdbuilder/packer/ensure_sig_image_name_linux_spec.sh
@@ -556,4 +556,28 @@ Describe 'ensure_sig_image_name_linux function'
 The output should be present
 End
 End
+
+ Describe 'ACL FIPS scenarios'
+ It 'should use ACL FIPS TL Gen2 SKU name as SIG image name'
+ SIG_IMAGE_NAME=""
+ SKU_NAME="aclgen2fipsTL"
+ OS_SKU="AzureContainerLinux"
+ ENABLE_CGROUPV2="True"
+ When call ensure_sig_image_name_linux
+ The status should be success
+ The variable SIG_IMAGE_NAME should eq "aclgen2fipsTL"
+ The output should be present
+ End
+
+ It 'should use ACL ARM64 FIPS TL Gen2 SKU name as SIG image name'
+ SIG_IMAGE_NAME=""
+ SKU_NAME="aclgen2arm64fipsTL"
+ OS_SKU="AzureContainerLinux"
+ ENABLE_CGROUPV2="True"
+ When call ensure_sig_image_name_linux
+ The status should be success
+ The variable SIG_IMAGE_NAME should eq "aclgen2arm64fipsTL"
+ The output should be present
+ End
+ End
 End
diff --git a/vhdbuilder/packer/pre-install-dependencies.sh b/vhdbuilder/packer/pre-install-dependencies.sh
index b8efac75b87..f5a5fd816fe 100644
--- a/vhdbuilder/packer/pre-install-dependencies.sh
+++ b/vhdbuilder/packer/pre-install-dependencies.sh
@@ -89,6 +89,11 @@ if isMarinerOrAzureLinux "$OS"; then
 echo "Install FIPS for Mariner SKU"
 installFIPS
 fi
+elif isACL "$OS" "$OS_VARIANT"; then
+ if [ "${ENABLE_FIPS,,}" = "true" ]; then
+ echo "Install FIPS for AzureContainerLinux SKU"
+ installFIPS
+ fi
 else
 # Enable ESM only for 20.04, and FIPS
 if [ "${UBUNTU_RELEASE}" = "20.04" ] || [ "${ENABLE_FIPS,,}" = "true" ]; then
diff --git a/vhdbuilder/packer/test/linux-vhd-content-test.sh b/vhdbuilder/packer/test/linux-vhd-content-test.sh
index c972c533834..9d538ec7c06 100644
--- a/vhdbuilder/packer/test/linux-vhd-content-test.sh
+++ b/vhdbuilder/packer/test/linux-vhd-content-test.sh
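Review bot: The new `elif isACL "$OS" "$OS_VARIANT"; then` branch is only reached when `isMarinerOrAzureLinux "$OS"` is false, and the e2e validator in this same commit expects ACL nodes to report `ID=azurelinux` in /etc/os-release; if `$OS` is derived from that ID, the first branch claims ACL and runs the Mariner FIPS path rather than the ACL one, and the new branch is dead. Worth confirming that isMarinerOrAzureLinux rejects ACL, or else testing the more specific case first (`if isACL "$OS" "$OS_VARIANT"; then … elif isMarinerOrAzureLinux "$OS"; then …`). Both branches call a function named installFIPS, so which definition runs presumably depends on which distro helper file has been sourced; a distro-specific name (or a comment saying which file provides it for ACL) would remove the ambiguity. The enclosing if/elif/else chain starts before the hunk.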
@@ -595,7 +595,7 @@ testFips() {
 enable_fips=$2
 # shellcheck disable=SC3010
- if [[ (${os_version} == "20.04" || ${os_version} == "22.04" || ${os_version} == "V2") && ${enable_fips,,} == "true" ]]; then
+ if [[ (${os_version} == "20.04" || ${os_version} == "22.04" || ${os_version} == "V2" || ${os_version} == "acl") && ${enable_fips,,} == "true" ]]; then
 kernel=$(uname -r)
 if [ -f /proc/sys/crypto/fips_enabled ]; then
 fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
@@ -615,6 +615,19 @@ testFips() {
 err $test "fips header files don't exist."
 fi
 fi
+
+ if [ ${os_version} = "acl" ]; then
+ if [ -f /etc/system-fips ]; then
+ echo "/etc/system-fips marker file exists."
+ else
+ err $test "/etc/system-fips marker file does not exist."
+ fi
+ if [ -f /boot/EFI/Linux/acl.efi.extra.d/fips.addon.efi ]; then
+ echo "ACL FIPS UKI addon file exists in active ESP location."
+ else
+ err $test "ACL FIPS UKI addon file does not exist in active ESP location."
+ fi
+ fi
 fi
 echo "$test:Finish"
diff --git a/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh b/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh
index 0f82ea4371e..84393439014 100644
--- a/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh
+++ b/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh
@@ -28,3 +28,20 @@ disableNtpAndTimesyncdInstallChrony() {
 systemctlEnableAndStart chronyd 30 || exit $ERR_SYSTEMCTL_START_FAIL
 }
+
+installFIPS() {
+ echo "Installing FIPS..."
+
+ local fips_addon_src="/boot/acl/uki-addons/fips.addon.efi"
+ local fips_addon_dst="/boot/EFI/Linux/acl.efi.extra.d/fips.addon.efi"
+
+ if [ ! -f "${fips_addon_src}" ]; then
+ echo "FIPS addon not found at ${fips_addon_src}" >&2
+ exit 1
+ fi
+
+ install -D -m 0644 "${fips_addon_src}" "${fips_addon_dst}"
+
+ touch /etc/system-fips
+ chmod 644 /etc/system-fips
+}
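Review bot: In the -615 hunk, `if [ ${os_version} = "acl" ]; then` leaves `${os_version}` unquoted inside a single-bracket test, so an empty or whitespace-containing value would produce a `[` syntax error instead of a clean false; the surrounding `[[ ... ]]` tolerates that, `[` does not. It is latent today because the outer condition already requires os_version to be one of the known values, but it is inconsistent with the quoted `"${ENABLE_FIPS,,}"` style used elsewhere in the builder scripts; write `if [ "${os_version}" = "acl" ]; then`. The two file checks match the paths installFIPS writes (/etc/system-fips and /boot/EFI/Linux/acl.efi.extra.d/fips.addon.efi), so the build-time test and the installer agree; testFips continues past the hunk.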
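Review bot: In installFIPS the result of `install -D -m 0644 "${fips_addon_src}" "${fips_addon_dst}"` is not checked, so if copying the UKI addon into the ESP fails (for example because the ESP is not mounted or not writable in the build VM — unverified here), the function still creates /etc/system-fips and returns 0, producing a VHD whose marker claims FIPS while the kernel will boot without the addon; the content test would flag the missing file later, but the marker has already lied. Guard the copy: `install -D -m 0644 "${fips_addon_src}" "${fips_addon_dst}" || { echo "Failed to install FIPS addon to ${fips_addon_dst}" >&2; exit 1; }`. The bare `exit 1` on the missing-source path also departs from the file's convention of exiting with a named `$ERR_*` code, as `disableNtpAndTimesyncdInstallChrony` does with `$ERR_SYSTEMCTL_START_FAIL`; use a dedicated code if one exists for FIPS install failures so the pipeline can distinguish this from a generic error.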