image: add support for FIPS customization to BootcDiskImage

This commit is a followup for osbuild/bootc-image-builder#709 and adds support for FIPS to the `BootcDiskImage` image type. One open question is if this should be done at this level or if the container itself should set the kernel cmdline to FIPS and bib would not bother.
osbuild · Nov 12, 2024 · f63e313 · f63e313
1 parent 4897f61
commit f63e313
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/pkg/image/bootc_disk.go b/pkg/image/bootc_disk.go
@@ -25,6 +25,7 @@ type BootcDiskImage struct {
 
 	// Customizations
 	KernelOptionsAppend []string
+	FIPS                bool
 
 	// The users to put into the image, note that /etc/paswd (and friends)
 	// will become unmanaged state by bootc when used
@@ -61,6 +62,9 @@ func (img *BootcDiskImage) InstantiateManifestFromContainers(m *manifest.Manifes
 	rawImage.Groups = img.Groups
 	rawImage.KernelOptionsAppend = img.KernelOptionsAppend
 	rawImage.SELinux = img.SELinux
+	if img.FIPS {
+		rawImage.KernelOptionsAppend = append(rawImage.KernelOptionsAppend, "fips=1")
+	}
 
 	// In BIB, we export multiple images from the same pipeline so we use the
 	// filename as the basename for each export and set the extensions based on

diff --git a/pkg/image/bootc_disk_test.go b/pkg/image/bootc_disk_test.go
@@ -42,6 +42,7 @@ type bootcDiskImageTestOpts struct {
 	SELinux     string
 	Users       []users.User
 	Groups      []users.Group
+	FIPS        bool
 
 	KernelOptionsAppend []string
 }
@@ -77,6 +78,7 @@ func makeBootcDiskImageOsbuildManifest(t *testing.T, opts *bootcDiskImageTestOpt
 	img.Users = opts.Users
 	img.Groups = opts.Groups
 	img.SELinux = opts.SELinux
+	img.FIPS = opts.FIPS
 
 	m := &manifest.Manifest{}
 	runi := &runner.Fedora{}
@@ -263,3 +265,19 @@ func TestBootcDiskImageInstantiateGroups(t *testing.T) {
 		}
 	}
 }
+
+func TestBootcDiskImageEnablesFIPS(t *testing.T) {
+	for _, withFIPS := range []bool{true, false} {
+		opts := &bootcDiskImageTestOpts{FIPS: withFIPS}
+		osbuildManifest := makeBootcDiskImageOsbuildManifest(t, opts)
+		imagePipeline := findPipelineFromOsbuildManifest(t, osbuildManifest, "image")
+		require.NotNil(t, imagePipeline)
+		bootcStage := findStageFromOsbuildPipeline(t, imagePipeline, "org.osbuild.bootc.install-to-filesystem")
+		kernelArgs := bootcStage["options"].(map[string]interface{})["kernel-args"]
+		if withFIPS {
+			assert.Contains(t, kernelArgs, "fips=1")
+		} else {
+			assert.Nil(t, kernelArgs)
+		}
+	}
+}