@@ -23,6 +23,12 @@ Source100: config-bottlerocket
2323Source101: config-bottlerocket-x86_64
2424Source102: config-bottlerocket-aarch64
2525
26+ # This list of FIPS modules is extracted from /etc/fipsmodules in the initramfs
27+ # after placing AL2023 in FIPS mode.
28+ Source200: check-fips-modules.drop-in.conf.in
29+ Source201: fipsmodules-x86_64
30+ Source202: fipsmodules-aarch64
31+
2632# Adjust kernel-devel mount behavior if not squashfs.
2733Source210: var-lib-kernel-devel-lower.mount.drop-in.conf.in
2834
@@ -90,6 +96,9 @@ Requires: (%{name}-modules-neuron if (%{_cross_os}variant-platform(aws) without
9096
9197Requires: %{_cross_os }kmod-6.18-efa
9298
99+ # Pull in FIPS-related files if needed.
100+ Requires: (%{name }-fips if %{_cross_os }image-feature(fips))
101+
93102%global _cross_ksrcdir %{_cross_usrsrc }/kernels/%{version }
94103%global _cross_kmoddir %{_cross_libdir }/modules/%{version }
95104
@@ -145,6 +154,14 @@ Summary: Header files for the Linux kernel for use by glibc
145154%description headers
146155%{summary }.
147156
157+ %package fips
158+ Summary: FIPS related configuration for the Linux kernel
159+ Requires: (%{_cross_os }image-feature(fips) and %{name })
160+ Conflicts: %{_cross_os }image-feature(no-fips)
161+
162+ %description fips
163+ %{summary }.
164+
148165%prep
149166%if " %{_cross_arch}" == " aarch64"
150167%global _cross_kimage vmlinuz.efi
@@ -370,6 +387,20 @@ sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:210} \
370387mkdir -p %{buildroot }%{_cross_datadir }/xfsprogs/mkfs
371388ln -s lts_6.12.conf %{buildroot }%{_cross_datadir }/xfsprogs/mkfs/default.conf
372389
390+ # Ensure that each required FIPS module is loaded as a dependency of the
391+ # check-fips-module.service. The list of FIPS modules is different across
392+ # kernels but the check is consistent: it loads the "tcrypt" module after
393+ # the other modules are loaded.
394+ mkdir -p %{buildroot }%{_cross_unitdir }/check-fips-modules.service.d
395+ i= 0
396+ for fipsmod in $(cat %{_sourcedir }/fipsmodules-%{_cross_arch }) ; do
397+ [ "${fipsmod}" == "tcrypt" ] && continue
398+ drop_in= "$(printf "%03d\n" "${i}")-${fipsmod}.conf"
399+ sed -e "s|__FIPS_MODULE__|${fipsmod}|g" %{S:200 } \
400+ > %{buildroot }%{_cross_unitdir }/check-fips-modules.service.d/"${drop_in}"
401+ (( i+= 1 ))
402+ done
403+
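Review bot: Each name read from fipsmodules-%{_cross_arch} goes unvalidated into both the sed replacement on line 399 and the drop-in file name on line 398, so a stray token in that list (a blank, a `&`, a `|`, a `/`) would silently produce a malformed or misplaced drop-in instead of failing the build; a guard before the sed, `case "${fipsmod}" in *[!A-Za-z0-9_-]*|'') echo "bad FIPS module name: ${fipsmod}" >&2; exit 1 ;; esac`, keeps the list honest. The `for fipsmod in $(cat …)` on line 396 also relies on unquoted word-splitting and globbing; `while IFS= read -r fipsmod; do … done < %{_sourcedir}/fipsmodules-%{_cross_arch}` is the usual form and pairs naturally with the guard above. If the list ever contains only `tcrypt`, the loop creates no drop-ins and the `*.conf` glob under `%files fips` (line 483) would presumably fail the build, which is worth a comment on the loop, e.g. `# At least one non-tcrypt module must be listed, otherwise %files fips has nothing to package.`. The enclosing `%install` section continues outside the hunk.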
373404%if "%{_cross_arch }" == "x86_64 "
374405# Add Neuron-related configuration files to load the module when the hardware is present.
375406install -d 0644 %{buildroot }%{_cross_tmpfilesdir }
@@ -448,6 +479,9 @@ install -p -m 0644 %{S:301} %{buildroot}%{_cross_bootconfigdir}/05-vmware.conf
448479%{_cross_kmoddir }/build
449480%attr(775, root, builder) %{_cross_ksrcdir }/scripts/*
450481
482+ %files fips
483+ %{_cross_unitdir }/check-fips-modules.service.d/* .conf
484+
451485%files bootconfig-aws
452486%{_cross_bootconfigdir }/05-aws.conf
453487