Merge pull request #74 from slagle/bootc-fips

slagle · web-flow · commit c5641a0db630 · 2025-07-08T07:06:58.000-04:00
Conditionally enable fips in bootc image
diff --git a/bootc/01-fips.toml b/bootc/01-fips.toml
@@ -0,0 +1,2 @@
+# Enable FIPS
+kargs = ["fips=1"]
diff --git a/bootc/Containerfile b/bootc/Containerfile
@@ -141,6 +141,18 @@ RUN /var/tmp/rhsm-script.sh && \
     (subscription-manager unregister || true) && \
     systemctl enable $ENABLE_UNITS
 
+
+# Configure FIPS
+ARG FIPS=1
+RUN if [ "${FIPS}" = "1" ] ; \
+    then \
+        # Enable the FIPS crypto policy
+        update-crypto-policies --no-reload --set FIPS ; \
+        touch /etc/system-fips ; \
+        mkdir -p /usr/lib/bootc/kargs.d ; \
+        echo -e "# Enable FIPS\nkargs = [\"fips=1\"]\n" > /usr/lib/bootc/kargs.d/01-fips.toml ; \
+    fi
+
 # Drop Ansible fact into place
 COPY ansible-facts/bootc.fact /etc/ansible/facts.d/bootc.fact
 RUN chmod +x /etc/ansible/facts.d/bootc.fact
diff --git a/bootc/Makefile b/bootc/Makefile
@@ -8,6 +8,7 @@ EDPM_QCOW2_IMAGE ?= ${EDPM_BOOTC_REPO}:${EDPM_BOOTC_TAG}-qcow2
 BUILDER_IMAGE ?= quay.io/centos-bootc/bootc-image-builder:latest
 HOST_PACKAGES ?= podman osbuild-selinux https://download.devel.redhat.com/rcm-guest/puddles/OpenStack/rhos-release/rhos-release-latest.noarch.rpm
 RHSM_SCRIPT ?= empty.sh
+FIPS ?= 1
 
 .ONESHELL:
 
@@ -33,6 +34,7 @@ build: output/yum.repos.d
 	sudo buildah bud \
 		--build-arg EDPM_BASE_IMAGE=${EDPM_BASE_IMAGE} \
 		--build-arg RHSM_SCRIPT=${RHSM_SCRIPT} \
+		--build-arg FIPS=${FIPS} \
 		--volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro,Z \
 		--volume $(shell pwd)/output/yum.repos.d:/etc/yum.repos.d:rw,Z \
 		-f ${EDPM_CONTAINERFILE} \

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Enable FIPS`
	`2`	`+kargs = ["fips=1"]`