Add FIPS building support

Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips_mode` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips_mode` to `true` when building.
AlexSchultz-clumio · Oct 6, 2023 · a01c36f · a01c36f
1 parent 79c0b64
commit a01c36f
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 13 deletions.
diff --git a/Makefile b/Makefile
@@ -31,13 +31,20 @@ ifneq (,$(findstring al2023, $(PACKER_TEMPLATE_FILE)))
 	OS=-al2023
 endif
 
+FIPS=
+ENABLE_FIPS=
+ifneq ($(origin fips), undefined)
+	FIPS=-fips
+	ENABLE_FIPS=enable_fips_mode=true
+endif
+
 arch ?= x86_64
 ifeq ($(arch), arm64)
 	instance_type ?= m6g.large
-	ami_name ?= amazon-eks-arm64-node$(OS)-$(K8S_VERSION_MINOR)-v$(shell date +'%Y%m%d')
+	ami_name ?= amazon-eks-arm64-node$(OS)-$(K8S_VERSION_MINOR)$(FIPS)-v$(shell date +'%Y%m%d')
 else
 	instance_type ?= m5.large
-	ami_name ?= amazon-eks-node$(OS)-$(K8S_VERSION_MINOR)-v$(shell date +'%Y%m%d')
+	ami_name ?= amazon-eks-node$(OS)-$(K8S_VERSION_MINOR)$(FIPS)-v$(shell date +'%Y%m%d')
 endif
 
 ifeq ($(aws_region), cn-northwest-1)
@@ -110,30 +117,31 @@ k8s: validate ## Build default K8s version of EKS Optimized AL2 AMI
 	$(PACKER_BINARY) build -timestamp-ui -color=false $(PACKER_VAR_FLAGS) $(PACKER_TEMPLATE_FILE)
 
 # Build dates and versions taken from https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html
+K8S_BUILD_DATE=2023-09-14
 
 .PHONY: 1.23
 1.23: ## Build EKS Optimized AL2 AMI - K8s 1.23
-	$(MAKE) k8s kubernetes_version=1.23.17 kubernetes_build_date=2023-09-14
+	$(MAKE) k8s kubernetes_version=1.23.17 kubernetes_build_date=$(K8S_BUILD_DATE) $(ENABLE_FIPS)
 
 .PHONY: 1.24
 1.24: ## Build EKS Optimized AL2 AMI - K8s 1.24
-	$(MAKE) k8s kubernetes_version=1.24.17 kubernetes_build_date=2023-09-14
+	$(MAKE) k8s kubernetes_version=1.24.17 kubernetes_build_date=$(K8S_BUILD_DATE) $(ENABLE_FIPS)
 
 .PHONY: 1.25
 1.25: ## Build EKS Optimized AL2 AMI - K8s 1.25
-	$(MAKE) k8s kubernetes_version=1.25.13 kubernetes_build_date=2023-09-14
+	$(MAKE) k8s kubernetes_version=1.25.13 kubernetes_build_date=$(K8S_BUILD_DATE) $(ENABLE_FIPS)
 
 .PHONY: 1.26
 1.26: ## Build EKS Optimized AL2 AMI - K8s 1.26
-	$(MAKE) k8s kubernetes_version=1.26.8 kubernetes_build_date=2023-09-14
+	$(MAKE) k8s kubernetes_version=1.26.8 kubernetes_build_date=$(K8S_BUILD_DATE) $(ENABLE_FIPS)
 
 .PHONY: 1.27
 1.27: ## Build EKS Optimized AL2 AMI - K8s 1.27
-	$(MAKE) k8s kubernetes_version=1.27.5 kubernetes_build_date=2023-09-14
+	$(MAKE) k8s kubernetes_version=1.27.5 kubernetes_build_date=$(K8S_BUILD_DATE) $(ENABLE_FIPS)
 
 .PHONY: 1.28
 1.28: ## Build EKS Optimized AL2 AMI - K8s 1.28
-	$(MAKE) k8s kubernetes_version=1.28.1 kubernetes_build_date=2023-09-14
+	$(MAKE) k8s kubernetes_version=1.28.1 kubernetes_build_date=$(K8S_BUILD_DATE) $(ENABLE_FIPS)
 
 .PHONY: lint-docs
 lint-docs: ## Lint the docs

diff --git a/README.md b/README.md
@@ -34,6 +34,13 @@ make
 
 # build an AMI with a specific Kubernetes version
 make 1.25
+
+# build an AMI with FIPS mode enabled
+make fips=true
+
+# build an AMI with a specific Kubernetes version and FIPS mode
+
+make 1.25 fips=true
 ```
 
 The Makefile chooses a particular kubelet binary to use per Kubernetes version which you can [view here](Makefile).

diff --git a/eks-worker-al2-variables.json b/eks-worker-al2-variables.json
@@ -16,6 +16,7 @@
     "containerd_version": "1.6.*",
     "creator": "{{env `USER`}}",
     "docker_version": "20.10.23-1.amzn2.0.1",
+    "enable_fips_mode": "false",
     "encrypted": "false",
     "kernel_version": "",
     "kms_key_id": "",

diff --git a/eks-worker-al2.json b/eks-worker-al2.json
@@ -21,6 +21,7 @@
     "creator": null,
     "docker_version": null,
     "encrypted": null,
+    "enable_fips_mode": null,
     "instance_type": null,
     "kernel_version": null,
     "kms_key_id": null,
@@ -152,14 +153,26 @@
     {
       "type": "shell",
       "remote_folder": "{{ user `remote_folder`}}",
-      "expect_disconnect": true,
-      "pause_after": "90s",
       "script": "{{template_dir}}/scripts/upgrade_kernel.sh",
       "environment_vars": [
         "KUBERNETES_VERSION={{user `kubernetes_version`}}",
         "KERNEL_VERSION={{user `kernel_version`}}"
       ]
     },
+    {
+      "type": "shell",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "script": "{{template_dir}}/scripts/enable_fips.sh",
+      "environment_vars": [
+        "ENABLE_FIPS_MODE={{user `enable_fips_mode`}}"
+      ]
+    },
+    {
+      "type": "shell",
+      "inline": ["sudo reboot"],
+      "expect_disconnect": true,
+      "pause_after": "90s"
+    },
     {
       "type": "shell",
       "remote_folder": "{{ user `remote_folder`}}",

diff --git a/files/get-ecr-uri.sh b/files/get-ecr-uri.sh
@@ -69,4 +69,10 @@ else
   esac
 fi
 
-echo "${acct}.dkr.ecr.${region}.${aws_domain}"
+AWS_ECR_SUBDOMAIN="ecr"
+# if FIPS is enabled on the machine, use the FIPS endpoint.
+if [[ "$(sysctl -n crypto.fips_enabled)" == 1 ]]; then
+    AWS_ECR_SUBDOMAIN="ecr-fips"
+fi
+
+echo "${acct}.dkr.${AWS_ECR_SUBDOMAIN}.${region}.${aws_domain}"
diff --git a/scripts/enable_fips.sh b/scripts/enable_fips.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# https://aws.amazon.com/blogs/publicsector/enabling-fips-mode-amazon-linux-2/
+if [[ "$ENABLE_FIPS_MODE" == "true" ]]; then
+  # install and enable fips modules
+  sudo yum install -y dracut-fips openssl
+  sudo dracut -f
+
+  # enable fips in the boot command
+  sudo /sbin/grubby --update-kernel=ALL --args="fips=1"
+  sudo sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=.*\)"$/\1 fips=1"/' /etc/default/grub
+
+  # rebuild grub
+  sudo grub2-mkconfig -o /etc/grub2.cfg
+fi
diff --git a/scripts/upgrade_kernel.sh b/scripts/upgrade_kernel.sh
@@ -31,5 +31,3 @@ sudo grubby \
 sudo grubby \
   --update-kernel=ALL \
   --args="clocksource=tsc tsc=reliable"
-
-sudo reboot