diff --git a/.gitignore b/.gitignore
index 1c132b7..63abe58 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/ignition-2.22.0.tar.gz
+SOURCES/ignition-2.23.0.tar.gz
 SOURCES/ignition-edge-b8d1b7a.tar.gz
diff --git a/.ignition.metadata b/.ignition.metadata
index 2fcbb34..2f48e65 100644
--- a/.ignition.metadata
+++ b/.ignition.metadata
@@ -1,2 +1,2 @@
-0e0e0229c4d32ca50d19df8c0adca27d28c4a9b9 SOURCES/ignition-2.22.0.tar.gz
+8ba7d5f2ecddde15159bde59e0ebca3553e03bb3 SOURCES/ignition-2.23.0.tar.gz
 0069b62bce8673f82ac6a4b9959ec8db4ffed8ad SOURCES/ignition-edge-b8d1b7a.tar.gz
diff --git a/SOURCES/0001-OCPBUGS-65684-Fix-invalid-random-source-in-FIPS-140.patch b/SOURCES/0001-OCPBUGS-65684-Fix-invalid-random-source-in-FIPS-140.patch
new file mode 100644
index 0000000..1861289
--- /dev/null
+++ b/SOURCES/0001-OCPBUGS-65684-Fix-invalid-random-source-in-FIPS-140.patch
@@ -0,0 +1,95 @@
+From a33a8402a215f008c22ac52c885606117adba6c5 Mon Sep 17 00:00:00 2001
+From: Tiago Bueno
+Date: Mon, 17 Nov 2025 21:44:24 -0300
+Subject: [PATCH] OCPBUGS-65684: Fix invalid random source in FIPS 140-only
+ mode in FIPS mode
+
+When igntion is compiled with GOEXPERIMENT=strictfipsruntime and
+running in a computer with FIPS enabled, the random source is invalid.
+
+When FIPS is enabled, instead of use a custom random on TLS config,
+do not set a random source at all as it will use crypto/rand.Reader by
+default
+
+Co-authored-by: Steven Presti <47181335+prestist@users.noreply.github.com>
+Co-authored-by: Dusty Mabe
+
+Signed-off-by: Tiago Bueno
+---
+ internal/resource/http.go | 49 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 44 insertions(+), 6 deletions(-)
+
+diff --git a/internal/resource/http.go b/internal/resource/http.go
+index 197f5731..aae40e90 100644
+--- a/internal/resource/http.go
++++ b/internal/resource/http.go
+@@ -25,6 +25,7 @@ import (
+ "net"
+ "net/http"
+ "net/url"
++ "os"
+ "strings"
+ "time"
+ 
+@@ -218,16 +219,52 @@ func (f *Fetcher) RewriteCAsWithDataUrls(cas []types.Resource) error {
+ return nil
+ }
+ 
+-// DefaultHTTPClient builds the default `http.client` for Ignition.
+-func defaultHTTPClient() (*http.Client, error) {
+- urand, err := earlyrand.UrandomReader()
++func isFIPSEnabled() bool {
++ data, err := os.ReadFile("/proc/sys/crypto/fips_enabled")
+ if err != nil {
+- return nil, err
++ // If the file doesn't exist or can't be read, assume FIPS is not enabled
++ return false
+ }
++ // Check if the content is "1" (with or without trailing newline)
++ return len(data) > 0 && data[0] == '1'
++}
+ 
+- tlsConfig := tls.Config{
+- Rand: urand,
++// DefaultHTTPClient builds the default `http.client` for Ignition.
++func defaultHTTPClient() (*http.Client, error) {
++ var tlsConfig tls.Config
++
++ if isFIPSEnabled() {
++ // In FIPS mode (GOEXPERIMENT=strictfipsruntime), we can't set a random source.
++ // Setting a custom random source like /dev/urandom causes the error:
++ // "crypto/ecdh: invalid random source in FIPS 140-only mode"
++ tlsConfig = tls.Config{}
++ } else {
++ // In non-FIPS mode let's use the `earlyrand.UrandomReader()`
++ // this source reads from `/dev/urandom` (`man urandom`) rather
++ // than calling the `getrandom` API (`man getrandom`).
++ //
++ // > When read, the /dev/urandom device returns random bytes
++ // > using a pseudorandom number generator seeded from the entropy
++ // > pool. Reads from this device do not block (i.e., the CPU is
++ // > not yielded)
++ //
++ // This is a tradeoff to not block early boot because:
++ //
++ // > When read during early boot time, /dev/urandom may return
++ // > data prior to the entropy pool being initialized. If this
++ // > is of concern in your application, use getrandom(2) or
++ // > /dev/random instead.
++ //
++ // See https://github.com/coreos/ignition/issues/645
++ urand, err := earlyrand.UrandomReader()
++ if err != nil {
++ return nil, err
++ }
++ tlsConfig = tls.Config{
++ Rand: urand,
++ }
+ }
++
+ transport := http.Transport{
+ ResponseHeaderTimeout: time.Duration(defaultHttpResponseHeaderTimeout) * time.Second,
+ Dial: (&net.Dialer{
+-- 
+2.50.1 (Apple Git-155)
+
diff --git a/SPECS/ignition.spec b/SPECS/ignition.spec
index 6bf0ba9..4498e56 100644
--- a/SPECS/ignition.spec
+++ b/SPECS/ignition.spec
@@ -13,7 +13,7 @@
 # https://github.com/coreos/ignition
 %global goipath github.com/coreos/ignition
 %global gomodulesmode GO111MODULE=on
-Version: 2.22.0
+Version: 2.23.0
 %gometa
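Review bot: The FIPS branch of `defaultHTTPClient` gives up the non-blocking `/dev/urandom` source that the `else` branch documents at length, and the one-line comment above `tlsConfig = tls.Config{}` does not say what that costs: with `Rand` left nil, `crypto/tls` falls back to `crypto/rand.Reader` (as the commit message states), so on a FIPS host the early-boot blocking that issue #645 worked around is presumably back. I would replace that comment with one that states the trade-off, e.g. `// FIPS: leave Rand nil so crypto/tls uses crypto/rand.Reader; a custom source is rejected ("crypto/ecdh: invalid random source in FIPS 140-only mode"). This gives up the #645 early-boot workaround on FIPS hosts.` The gate also deserves a sentence on `isFIPSEnabled`: it reads the kernel flag `/proc/sys/crypto/fips_enabled`, which only matches the Go runtime's FIPS 140-only mode if strictfipsruntime derives that mode from the same flag; a runtime put into FIPS-only mode by other means on a host reporting 0 would still get the custom `Rand` and presumably hit the same error. The `http.Transport` construction that closes `defaultHTTPClient` continues past the end of the hunk.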
@@ -31,6 +31,10 @@ URL: %{gourl}
 Source0: %{gosource}
 Source1: https://github.com/fedora-iot/ignition-edge/archive/%{ignedgecommit}/ignition-edge-%{ignedgeshortcommit}.tar.gz
+# Fix invalid random source in FIPS 140-only mode in FIPS mode
+# ([#2159](https://github.com/coreos/ignition/pull/2159))
+Patch1: 0001-OCPBUGS-65684-Fix-invalid-random-source-in-FIPS-140.patch
+
 BuildRequires: libblkid-devel
 BuildRequires: systemd-rpm-macros
@@ -284,7 +288,7 @@ LDFLAGS+=' -compressdwarf=false '
 export GOFLAGS="-mod=vendor"
 echo "Building ignition..."
-%gobuild -o ./ignition internal/main.go
+GOEXPERIMENT=strictfipsruntime %gobuild -o ./ignition internal/main.go
 echo "Building ignition-validate..."
 %gobuild -o ./ignition-validate validate/main.go
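Review bot: In the `@@ -284,7 +288,7 @@` hunk, `GOEXPERIMENT=strictfipsruntime` is a shell prefix assignment and so applies to the `ignition` build only, which is the intent, but the native `ignition-validate` build on the next context line (`%gobuild -o ./ignition-validate validate/main.go`) inherits whatever `GOEXPERIMENT` the build environment already exports; the cross-builds in the following hunk defensively clear it with `GOEXPERIMENT=`, this one does not, so the "Ignition-validate non-FIPS" intent stated in the changelog is not guaranteed for the native binary if the toolchain enables the experiment by default. For consistency change that line to `GOEXPERIMENT= %gobuild -o ./ignition-validate validate/main.go`, and add a short comment above the `ignition` build saying why only it is built FIPS-strict. The rest of the build section is outside this hunk, so whether something earlier already pins `GOEXPERIMENT` is not visible here.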
@@ -294,17 +298,17 @@ echo "Building ignition-validate..."
 %if 0%{?fedora}
 echo "Building statically-linked Linux ignition-validate..."
-CGO_ENABLED=0 GOARCH=arm64 GOOS=linux %gocrossbuild -o ./ignition-validate-aarch64-unknown-linux-gnu-static validate/main.go
-CGO_ENABLED=0 GOARCH=ppc64le GOOS=linux %gocrossbuild -o ./ignition-validate-ppc64le-unknown-linux-gnu-static validate/main.go
-CGO_ENABLED=0 GOARCH=s390x GOOS=linux %gocrossbuild -o ./ignition-validate-s390x-unknown-linux-gnu-static validate/main.go
-CGO_ENABLED=0 GOARCH=amd64 GOOS=linux %gocrossbuild -o ./ignition-validate-x86_64-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=arm64 GOOS=linux %gocrossbuild -o ./ignition-validate-aarch64-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=ppc64le GOOS=linux %gocrossbuild -o ./ignition-validate-ppc64le-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=s390x GOOS=linux %gocrossbuild -o ./ignition-validate-s390x-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=amd64 GOOS=linux %gocrossbuild -o ./ignition-validate-x86_64-unknown-linux-gnu-static validate/main.go
 echo "Building macOS ignition-validate..."
-GOARCH=amd64 GOOS=darwin %gocrossbuild -o ./ignition-validate-x86_64-apple-darwin validate/main.go
-GOARCH=arm64 GOOS=darwin %gocrossbuild -o ./ignition-validate-aarch64-apple-darwin validate/main.go
+GOEXPERIMENT= GOARCH=amd64 GOOS=darwin %gocrossbuild -o ./ignition-validate-x86_64-apple-darwin validate/main.go
+GOEXPERIMENT= GOARCH=arm64 GOOS=darwin %gocrossbuild -o ./ignition-validate-aarch64-apple-darwin validate/main.go
 echo "Building Windows ignition-validate..."
-GOARCH=amd64 GOOS=windows %gocrossbuild -o ./ignition-validate-x86_64-pc-windows-gnu.exe validate/main.go
+GOEXPERIMENT= GOARCH=amd64 GOOS=windows %gocrossbuild -o ./ignition-validate-x86_64-pc-windows-gnu.exe validate/main.go
 %endif
 %install
@@ -397,6 +401,14 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition
 %endif
 %changelog
+* Tue Nov 18 2025 Steven Presti - 2.23.0-2
+- Build Ignition with GOEXPERIMENT=strictfipsruntime
+ Ignition-validate non-FIPS
+- Backport https://github.com/coreos/ignition/pull/2159
+
+* Wed Sep 17 2025 Yasmin Valim - 2.23.0-1
+- New release
+
 * Wed Jul 16 2025 Tiago Bueno - 2.22.0-1
 - New release