From e0efdad5bd9207c94dbbbe2fd45fe2a1f82a2419 Mon Sep 17 00:00:00 2001 From: Steve Baker Date: Thu, 15 Feb 2024 14:18:58 +1300 Subject: [PATCH 1/2] Revert "Enable FIPS for just the RHEL image" A different approach will be taken for fips images. This reverts commit a4600b71a1a4df61bd12ba41520497adffd817e9. --- images/edpm-hardened-uefi-rhel-9.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/images/edpm-hardened-uefi-rhel-9.yaml b/images/edpm-hardened-uefi-rhel-9.yaml index 9e0be6b..cb8e0c4 100644 --- a/images/edpm-hardened-uefi-rhel-9.yaml +++ b/images/edpm-hardened-uefi-rhel-9.yaml @@ -11,7 +11,6 @@ - modprobe - disable-nouveau - reset-bls-entries - - fips # edpm-image-builder elements - edpm-base - edpm-partition-uefi From 9fc32885f0c4edce3a2e1b85eb65e615e4ecdd04 Mon Sep 17 00:00:00 2001 From: Steve Baker Date: Thu, 15 Feb 2024 14:29:38 +1300 Subject: [PATCH 2/2] Add separate yaml files just to enable the fips element This simply allows a FIPS image to be created or not, rather than images being FIPS by default. --- README.rst | 5 +++++ images/edpm-hardened-uefi-fips.yaml | 4 ++++ images/ironic-python-agent-fips.yaml | 4 ++++ 3 files changed, 13 insertions(+) create mode 100644 images/edpm-hardened-uefi-fips.yaml create mode 100644 images/ironic-python-agent-fips.yaml diff --git a/README.rst b/README.rst index a9fa048..91e7dfe 100644 --- a/README.rst +++ b/README.rst @@ -26,6 +26,11 @@ master branch ``current-podified`` by running:: diskimage-builder ./images/edpm-hardened-uefi-centos-9-stream.yaml +To create a FIPS enabled image, add ``edpm-hardened-uefi-fips.yaml`` to +include the ``fips`` element:: + + diskimage-builder ./images/edpm-hardened-uefi-centos-9-stream.yaml ./images/edpm-hardened-uefi-fips.yaml + See dib/repo-setup/README.md for environment variables to control which RDO repositories to configure. diff --git a/images/edpm-hardened-uefi-fips.yaml b/images/edpm-hardened-uefi-fips.yaml new file mode 100644 index 0000000..a5da92b --- /dev/null 
+++ b/images/edpm-hardened-uefi-fips.yaml @@ -0,0 +1,4 @@ +- imagename: edpm-hardened-uefi + elements: + # Additional element to enable fips for other image defintion + - fips \ No newline at end of file diff --git a/images/ironic-python-agent-fips.yaml b/images/ironic-python-agent-fips.yaml new file mode 100644 index 0000000..0fb8ac8 --- /dev/null +++ b/images/ironic-python-agent-fips.yaml @@ -0,0 +1,4 @@ +- imagename: ironic-python-agent + elements: + # Additional element to enable fips for other image defintion + - fips \ No newline at end of file
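Review bot: The comment `# Additional element to enable fips for other image defintion` in images/edpm-hardened-uefi-fips.yaml (repeated verbatim in images/ironic-python-agent-fips.yaml) misspells "definition" and does not say that the file is an overlay which only has an effect when passed together with a base definition. I would write `# Overlay: pass together with a base definition of the same imagename to add the fips element`. Because the overlay keeps `imagename: edpm-hardened-uefi`, a FIPS build and a non-FIPS build appear to produce the same image name, so nothing in the artifact name records which variant was built. If that is so, the pipeline that consumes the image should check FIPS mode on the booted host (for example `/proc/sys/crypto/fips_enabled`) rather than rely on the name. Both new files also end without a trailing newline.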
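Review bot: images/ironic-python-agent-fips.yaml is added without any documented usage: the README.rst hunk in this patch shows only the `edpm-hardened-uefi-fips.yaml` invocation, and no base definition with `imagename: ironic-python-agent` is visible in the patch. If that base file exists elsewhere in the repository, a matching README example would state which file the overlay must accompany. Without one, a reader could presumably run the overlay alone and get an image definition that lists only the `fips` element.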