Add FIPS testing_manifest.yaml
ACTION REQUIRED by April 14th, 2025 to retain “fips” in the name of this repository. See instructions below.
WHAT:
Ironbank now supports automated FIPS readiness testing in repo1 containers. The tests run automatically in the container pipeline. Any failure stops the pipeline and highlights the issue. The tests will be run on kernel hosts with FIPS enabled (see the section below for adding FIPS variables to the settings).
Using FIPS-ready containers is the first step toward building fully compliant FIPS systems. Once a full cluster is running, customers can do their own FIPS compliance testing with more confidence, since they started with FIPS-ready containers from Ironbank.
WHEN:
FIPS readiness testing is live in Ironbank’s pipelines—you can enable it in your vendor repositories today.
Repositories with 'fips' in the name must implement these tests by April 14, 2025. Repositories that do so will be allowed to keep “-fips” in the name of the repository/image. In the near future, the Ironbank Front End (IBFE) will mark images with successful FIPS testing as “FIPS Ready” to make it easy for customers to find them.
HOW:
Enable FIPS testing in two steps:
STEP 1:
Create or update testing_manifest.yaml in the repo root (next to hardening_manifest.yaml). This file defines the commands to verify FIPS is enabled in the container. Below is an example file which does two checks. You should use these two checks, and add any others to verify FIPS is configured and running as desired in the container.
In the below example, the first test reads /proc/cmdline and checks for fips=1 in the output. Part of the output is required to have fips=1 in it, or the test will fail (expected output must appear somewhere in the output of the command being run).
The second test checks /proc/sys/crypto/fips_enabled for a 1.
You can add other tests similar to this in order to verify FIPS is configured for your container, and is enabled. If you create a test script or program that checks FIPS, you can have it be part of the container, and run from here as well.
NOTE that the output from these tests will appear in the pipeline logs under the Pipeline’s “scan” stage in “functional-testing-amd64-fips” and/or “functional-testing-arm64-fips”.
testing_manifest.yaml:
docker:
  - name: cat /proc/cmdline
    description: See kernel cmdline parameters. Should see fips=1
    commands:
      - command: cat /proc/cmdline
        timeout_seconds: 60
        expected_output: "fips=1"
  - name: /proc/sys/crypto/fips_enabled
    description: checking for fips enabled. file should exist and contain a "1"
    commands:
      - command: cat /proc/sys/crypto/fips_enabled
        timeout_seconds: 60
        expected_output: "1"
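To check a manifest locally before committing it, here is an added Python example (not Ironbank pipeline code) that applies the rule described above: each command's output must contain expected_output somewhere, within timeout_seconds, and any failure makes the whole run fail. The manifest is embedded as a constructed Python dict mirroring the YAML above; the executor parameter is an assumption of this example so the checks can be run against recorded outputs as well as the live host.

```python
import subprocess
from typing import Callable, Dict, List

# Constructed copy of the two checks from testing_manifest.yaml above,
# as a Python dict (in practice, load the file with yaml.safe_load).
MANIFEST: Dict = {
    "docker": [
        {"name": "cat /proc/cmdline",
         "description": "See kernel cmdline parameters. Should see fips=1",
         "commands": [{"command": "cat /proc/cmdline",
                       "timeout_seconds": 60, "expected_output": "fips=1"}]},
        {"name": "/proc/sys/crypto/fips_enabled",
         "description": "file should exist and contain a 1",
         "commands": [{"command": "cat /proc/sys/crypto/fips_enabled",
                       "timeout_seconds": 60, "expected_output": "1"}]},
    ]
}

# An executor takes (command, timeout_seconds) and returns the command's output.
Executor = Callable[[str, int], str]

def run_in_shell(command: str, timeout_seconds: int) -> str:
    """Default executor: run the command locally, return stdout and stderr together."""
    proc = subprocess.run(command, shell=True, capture_output=True,
                          text=True, timeout=timeout_seconds)
    return proc.stdout + proc.stderr

def run_manifest(manifest: Dict, executor: Executor = run_in_shell) -> List[Dict]:
    """Evaluate every command as the text describes: a check passes if
    expected_output appears anywhere in the output before the timeout.
    This is a substring match, so an expected "1" would also match "10"."""
    results = []
    for test in manifest.get("docker", []):
        for spec in test["commands"]:
            try:
                output = executor(spec["command"], spec["timeout_seconds"])
                passed = spec["expected_output"] in output
                reason = "" if passed else f"{spec['expected_output']!r} not in output"
            except subprocess.TimeoutExpired:
                passed, reason = False, f"timed out after {spec['timeout_seconds']}s"
            results.append({"name": test["name"], "command": spec["command"],
                            "passed": passed, "reason": reason})
    return results

def fips_ready(manifest: Dict, executor: Executor = run_in_shell) -> bool:
    """True only if every check passed, mirroring the pipeline stopping on any failure."""
    return all(r["passed"] for r in run_manifest(manifest, executor))

if __name__ == "__main__":
    for r in run_manifest(MANIFEST):
        print("PASS" if r["passed"] else "FAIL", r["name"], r["reason"])
```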
STEP 2:
Add pipeline variables to the repository. These variables instruct the Ironbank pipeline to use a FIPS-enabled kernel for testing.
2a) With permissions, go to the repository’s project -> Settings -> CI/CD -> Variables section, and Add Variable (you will do this once for each variable)
2b) Uncheck “Protect variable” so the testing will happen on all branches in the repo
2c) Key: the variable name (one of the two listed below)
2d) Value: true
2e) Add variable (back to 2a for 2nd variable)
Variables to add (Key, Value):
ENABLE_FUNCTIONAL_TEST_AMD64_FIPS true
ENABLE_FUNCTIONAL_TEST_ARM64_FIPS true
Remove these existing variables if present:
ENABLE_FUNCTIONAL_TEST_AMD64
ENABLE_FUNCTIONAL_TEST_ARM64
With the above successfully in place and committed to repo1, any time you run its pipeline, you will see results in the scan stage. As stated previously, the tests must pass, or all further parts of the pipeline will be skipped. This is the assurance that only images which pass the FIPS tests are uploaded during the ‘publish’ stage.