[skip ci] kernel-6.18: Add FIPS support

Signed-off-by: Gaurav Sharma <mgsharm@amazon.com>

Author: mgsharm

packages/kernel-6.18/check-fips-modules.drop-in.conf.in

@@ -0,0 +1,3 @@
+[Unit]
+Requires=fips-modprobe@__FIPS_MODULE__.service
+After=fips-modprobe@__FIPS_MODULE__.service

packages/kernel-6.18/fipsmodules-aarch64

@@ -0,0 +1,44 @@
+sha1
+sha224
+sha256
+sha384
+sha512
+sha3-224
+sha3-256
+sha3-384
+sha3-512
+crc32c
+ghash
+xxhash64
+ghash-ce
+sha3-ce
+cipher_null
+des3_ede
+aes
+dh
+ecdh
+aes-arm64
+aes-ce-blk
+aes-ce-ccm
+aes-ce-cipher
+aes-neon-blk
+aes-neon-bs
+ecb
+cbc
+ctr
+xts
+gcm
+ccm
+authenc
+hmac
+cmac
+cts
+lzo
+essiv
+seqiv
+drbg
+aead
+cryptomgr
+tcrypt
+crypto_user
+rsa

packages/kernel-6.18/fipsmodules-x86_64

@@ -0,0 +1,38 @@
+sha1
+sha224
+sha256
+sha384
+sha512
+sha3-224
+sha3-256
+sha3-384
+sha3-512
+crc32c
+ghash
+xxhash64
+ghash_clmulni_intel
+cipher_null
+des3_ede
+aes
+dh
+ecdh
+aesni-intel
+ecb
+cbc
+ctr
+xts
+gcm
+ccm
+authenc
+hmac
+cmac
+cts
+lzo
+essiv
+seqiv
+drbg
+aead
+cryptomgr
+tcrypt
+crypto_user
+rsa

packages/kernel-6.18/kernel-6.18.spec

@@ -23,6 +23,12 @@ Source100: config-bottlerocket
 Source101: config-bottlerocket-x86_64
 Source102: config-bottlerocket-aarch64
 
+# This list of FIPS modules is extracted from /etc/fipsmodules in the initramfs
+# after placing AL2023 in FIPS mode.
+Source200: check-fips-modules.drop-in.conf.in
+Source201: fipsmodules-x86_64
+Source202: fipsmodules-aarch64
+
 # Adjust kernel-devel mount behavior if not squashfs.
 Source210: var-lib-kernel-devel-lower.mount.drop-in.conf.in
 
@@ -90,6 +96,9 @@ Requires: (%{name}-modules-neuron if (%{_cross_os}variant-platform(aws) without
 
 Requires: %{_cross_os}kmod-6.18-efa
 
+# Pull in FIPS-related files if needed.
+Requires: (%{name}-fips if %{_cross_os}image-feature(fips))
+
 %global _cross_ksrcdir %{_cross_usrsrc}/kernels/%{version}
 %global _cross_kmoddir %{_cross_libdir}/modules/%{version}
 
@@ -145,6 +154,14 @@ Summary: Header files for the Linux kernel for use by glibc
 %description headers
 %{summary}.
 
+%package fips
+Summary: FIPS related configuration for the Linux kernel
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: %{_cross_os}image-feature(no-fips)
+
+%description fips
+%{summary}.
+
 %prep
 %if "%{_cross_arch}" == "aarch64"
 %global _cross_kimage vmlinuz.efi
@@ -370,6 +387,20 @@ sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:210} \
 mkdir -p %{buildroot}%{_cross_datadir}/xfsprogs/mkfs
 ln -s lts_6.12.conf %{buildroot}%{_cross_datadir}/xfsprogs/mkfs/default.conf
 
+# Ensure that each required FIPS module is loaded as a dependency of the
+# check-fips-module.service. The list of FIPS modules is different across
+# kernels but the check is consistent: it loads the "tcrypt" module after
+# the other modules are loaded.
+mkdir -p %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d
+i=0
+for fipsmod in $(cat %{_sourcedir}/fipsmodules-%{_cross_arch}) ; do
+  [ "${fipsmod}" == "tcrypt" ] && continue
+  drop_in="$(printf "%03d\n" "${i}")-${fipsmod}.conf"
+  sed -e "s|__FIPS_MODULE__|${fipsmod}|g" %{S:200} \
+    > %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d/"${drop_in}"
+  (( i+=1 ))
+done
+
 %if "%{_cross_arch}" == "x86_64"
 # Add Neuron-related configuration files to load the module when the hardware is present.
 install -d 0644 %{buildroot}%{_cross_tmpfilesdir}
@@ -448,6 +479,9 @@ install -p -m 0644 %{S:301} %{buildroot}%{_cross_bootconfigdir}/05-vmware.conf
 %{_cross_kmoddir}/build
 %attr(775, root, builder) %{_cross_ksrcdir}/scripts/*
 
+%files fips
+%{_cross_unitdir}/check-fips-modules.service.d/*.conf
+
 %files bootconfig-aws
 %{_cross_bootconfigdir}/05-aws.conf