
bloodhound: move FIPS checks to all variants with runtime detection#937

Open
sky1122 wants to merge 1 commit into bottlerocket-os:develop from sky1122:runtime-fips-check

Conversation

@sky1122 sky1122 commented May 29, 2026


Description of changes:
The FIPS compliance checks were previously packaged separately and only installed on FIPS-specific variants. This prevented runtime FIPS detection on standard variants where FIPS may be enabled at boot via the kernel flag.

Delete fips01030000 from os.spec, since there is no fips01030000 check.

Testing done:
Testing with #918

  • Before FIPS is turned on, on a non-FIPS variant:
{
  "os": {
    "arch": "x86_64",
    "build_id": "f0dfc999-dirty",
    "pretty_name": "Bottlerocket OS 1.58.0 (aws-k8s-1.33)",
    "variant_id": "aws-k8s-1.33",
    "version_id": "1.58.0"
  }
}

Benchmark name:  FIPS Security Policy
Version:         v1.0.0
Reference:       https://csrc.nist.gov/
Benchmark level: 1
Start time:      2026-06-04T18:03:24.108321406Z

[FAIL] 1.0       FIPS mode is enabled. (Automatic)
[FAIL] 1.1       FIPS module is Amazon Linux 2023 Kernel Cryptographic API. (Automatic)
[FAIL] 1.2       FIPS self-tests passed. (Automatic)

Passed:          0
Failed:          3
Skipped:         0
Total checks:    3

Compliance check result: FAIL
  • After FIPS is turned on:
{
  "os": {
    "arch": "x86_64",
    "build_id": "f0dfc999-dirty",
    "pretty_name": "Bottlerocket OS 1.58.0 (aws-k8s-1.33)",
    "variant_id": "aws-k8s-1.33",
    "version_id": "1.58.0"
  }
}
Benchmark name:  FIPS Security Policy
Version:         v1.0.0
Reference:       https://csrc.nist.gov/
Benchmark level: 1
Start time:      2026-06-04T18:06:56.263566247Z

[PASS] 1.0       FIPS mode is enabled. (Automatic)
[PASS] 1.1       FIPS module is Amazon Linux 2023 Kernel Cryptographic API. (Automatic)
[PASS] 1.2       FIPS self-tests passed. (Automatic)

Passed:          3
Failed:          0
Skipped:         0
Total checks:    3
  • FIPS variant:
{
  "os": {
    "arch": "x86_64",
    "build_id": "f0dfc999-dirty",
    "pretty_name": "Bottlerocket OS 1.58.0 (aws-k8s-1.33-fips)",
    "variant_id": "aws-k8s-1.33-fips",
    "version_id": "1.58.0"
  }
}

Benchmark name:  FIPS Security Policy
Version:         v1.0.0
Reference:       https://csrc.nist.gov/
Benchmark level: 1
Start time:      2026-06-04T18:11:05.078407866Z

[PASS] 1.0       FIPS mode is enabled. (Automatic)
[PASS] 1.1       FIPS module is Amazon Linux 2023 Kernel Cryptographic API. (Automatic)
[PASS] 1.2       FIPS self-tests passed. (Automatic)

Passed:          3
Failed:          0
Skipped:         0
Total checks:    3

Compliance check result: PASS

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

/// Returns a SKIP result indicating FIPS is not enabled on this system.
fn skip_fips_not_enabled() -> CheckerResult {
    CheckerResult {
        status: CheckStatus::SKIP,


Instead of skipping, let's make the check fail on a non-FIPS host, because that's actually correct: the host is not in FIPS mode, so the check is expected to fail.
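Added example, not bloodhound's or this PR's code: the runtime detection the description asks for (reading the kernel's FIPS flag on every variant) combined with the reviewer's outcome of a FAIL rather than a SKIP on a non-FIPS host. The `CheckStatus` variants, the `error` field on `CheckerResult`, `report_line` and the handling of a missing sysctl are assumptions modelled on the excerpt and the report output above; `/proc/sys/crypto/fips_enabled` is the standard Linux sysctl for the `fips=1` boot flag.

```rust
use std::fs;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CheckStatus {
    PASS,
    FAIL,
    SKIP,
}

/// Assumed shape of the result; only `status` appears in the excerpt above.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CheckerResult {
    pub status: CheckStatus,
    pub error: String,
}

/// The kernel exposes its FIPS flag (set at boot with `fips=1`) here.
pub const FIPS_ENABLED_PATH: &str = "/proc/sys/crypto/fips_enabled";

/// Check 1.0 ("FIPS mode is enabled") decided from the raw sysctl text.
/// A non-FIPS host is reported as FAIL, not SKIP: the host really is out
/// of compliance with the policy being checked.
pub fn fips_mode_result(raw: Option<&str>) -> CheckerResult {
    match raw.map(str::trim) {
        Some("1") => CheckerResult { status: CheckStatus::PASS, error: String::new() },
        Some(other) => CheckerResult {
            status: CheckStatus::FAIL,
            error: format!("{} is '{}', expected '1'", FIPS_ENABLED_PATH, other),
        },
        // No sysctl at all means the running kernel has no FIPS support;
        // still a FAIL, with a distinct reason so operators can tell it apart.
        None => CheckerResult {
            status: CheckStatus::FAIL,
            error: format!("{} is missing: kernel has no FIPS support", FIPS_ENABLED_PATH),
        },
    }
}

/// Read the live flag; the same logic runs on every variant, so no
/// packaging split between FIPS and non-FIPS images is needed.
pub fn check_fips_mode() -> CheckerResult {
    let raw = fs::read_to_string(FIPS_ENABLED_PATH).ok();
    fips_mode_result(raw.as_deref())
}

/// One report line in the layout of the benchmark output above.
pub fn report_line(id: &str, title: &str, r: &CheckerResult) -> String {
    format!("[{:?}] {:<10}{} (Automatic)", r.status, id, title)
}
```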

The FIPS compliance checks were previously packaged separately and only
installed on FIPS-specific variants. This prevented runtime FIPS
detection on standard variants where FIPS may be enabled at boot via
the kernel flag.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
sky1122 force-pushed the runtime-fips-check branch from 6c28894 to 8f4e7b7 on June 4, 2026 18:12

sky1122 commented Jun 4, 2026


Force-pushed to rebase and address the feedback.
