Drop `40rhcos-fips` dracut module

[jlebon]

See https://fedoraproject.org/wiki/Changes/RemoveFipsModeSetup. The idea there is that the fips=1 karg becomes the source of truth. This is something that should work in image-mode RHEL/CentOS Stream already and we just inherit from that. On the MCO side, long-term on-cluster layering should do the equivalent of https://gitlab.com/fedora/bootc/examples/-/blob/main/fips/Containerfile?ref_type=heads to enable it at layering time. Short-term, at the very least, we should be able to get rid of this bit since calling fips-mode-setup should no longer be necessary. See also conversation in coreos/ignition#1323.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[dustymabe]

Is this something we should try to prioritize?

[jlebon]

We'll have to do this as part of the c10s/RHEL 10 work.

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[jbtrystram]

We'll have to do this as part of the c10s/RHEL 10 work.

Yeah, the fips tests fail on c10s builds.
The enable-fips-mode is no longer present on el10.

cc @jcapiitao

[joelcapitao]

We'll have to do this as part of the c10s/RHEL 10 work.

Yeah, the fips tests fail on c10s builds. The enable-fips-mode is no longer present on el10.

cc @jcapiitao

+1 the change [1] is targeting F42 but the commit implementing it was already backported to EL10 (branched from F40) [2].

[1] https://fedoraproject.org/wiki/Changes/RemoveFipsModeSetup
[2] https://gitlab.com/redhat/centos-stream/rpms/crypto-policies/-/commit/67e22dbc3721d1d17505bff85228b465cd5ca225

[joelcapitao]

I think we should drop

os/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh

Lines 83 to 87 in 48a1891

	# This is analogous to Anaconda's `chroot /sysroot fips-mode-setup`. Though
	# of course, since our approach is "Ignition replaces Anaconda", we have to
	# do it on firstboot ourselves. The key part here is that we do this
	# *before* the initial switch root.
	sysroot_bwrap fips-mode-setup --enable --no-bootcfg

which does not have any effect now IIUC

[jbtrystram]

/lifecycle frozen

[joelcapitao]

See https://fedoraproject.org/wiki/Changes/RemoveFipsModeSetup. The idea there is that the fips=1 karg becomes the source of truth. This is something that should work in image-mode RHEL/CentOS Stream already and we just inherit from that. On the MCO side, long-term on-cluster layering should do the equivalent of https://gitlab.com/fedora/bootc/examples/-/blob/main/fips/Containerfile?ref_type=heads to enable it at layering time. Short-term, at the very least, we should be able to get rid of this bit since calling fips-mode-setup should no longer be necessary. See also conversation in coreos/ignition#1323.

I implemented the short-term solution with joelcapitao@f721665 . It does work for EL10 but breaks EL9.

[core@cosa-devsh ~]$ cat /proc/sys/crypto/fips_enabled
1
[core@cosa-devsh ~]$ update-crypto-policies --show
DEFAULT

but should be FIPS as per [1].

I'll proceed with a postprocess script by just removing the code

os/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh

Lines 83 to 87 in 48a1891

	# This is analogous to Anaconda's `chroot /sysroot fips-mode-setup`. Though
	# of course, since our approach is "Ignition replaces Anaconda", we have to
	# do it on firstboot ourselves. The key part here is that we do this
	# *before* the initial switch root.
	sysroot_bwrap fips-mode-setup --enable --no-bootcfg

only for EL10 (tested and ok for both EL9 and EL10)

[1] https://github.com/coreos/coreos-assembler/blob/86b95ba31f950bcecf4e82f7e341d8beff08e522/mantle/kola/tests/fips/fips.go#L138