[AI Generated] BugFix: Add Debian/Ubuntu FIPS enablement support in verify_fips_enablement#4530
Open
johnsongeorge-w wants to merge 1 commit into
Pull request overview
This PR updates the FipsTests.verify_fips_enablement security test to handle Debian-based distros (Ubuntu/Debian) by detecting FIPS kernels and enabling FIPS via GRUB boot parameters when needed, instead of relying on fips-mode-setup paths intended for other distros.
Changes:
- Adds a Debian-based verification path (_verify_fips_enablement_debian) that checks /proc/sys/crypto/fips_enabled, detects FIPS kernels via uname -r, and enables fips=1 via GRUB when required.
- Narrows/clarifies non-supported distro behavior by skipping cleanly with a targeted message instead of probing for fips-mode-setup.
- Updates the verify_fips_enablement OS requirement to include Debian/Ubuntu alongside CBL-Mariner.
✅ AI Test Selection — PASSED
3 test case(s) selected
Marketplace image: microsoftcblmariner azure-linux-3 azure-linux-3 latest
…erify_fips_enablement
dc91769 to
072f0bd
Summary
Add Debian/Ubuntu support to verify_fips_enablement test, which previously only handled CBL-Mariner. Ubuntu FIPS images were incorrectly skipped.
Changes
- _verify_fips_enablement_debian() method that:
  - uname -r for 'fips' in name
  - /proc/sys/crypto/fips_enabled is 1
  - GrubConfig.set_kernel_cmdline_arg(), reboots, and verifies
- supported_os=[CBLMariner, Ubuntu] requirement to verify_fips_enablement
- fips-mode-setup path — other distros now skip cleanly
Testing
- pro-fips-22_04 (marketplace, x64)
- jammy_linux-image-azure-fips (shared gallery, ARM64)
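The Debian/Ubuntu flow described above, as an added stand-alone Python example (not the PR's code and not LISA's GrubConfig API). The names classify, set_cmdline_arg and verified_after_reboot are hypothetical, the order of checks in classify is an assumption, and the sample inputs are constructed.

```python
import re
from enum import Enum


class FipsState(Enum):
    ENABLED = "enabled"
    NEEDS_BOOT_PARAM = "FIPS kernel, needs fips=1 and a reboot"
    NOT_FIPS_KERNEL = "skip: kernel is not a FIPS build"


def classify(kernel_release: str, fips_enabled: str) -> FipsState:
    """kernel_release is `uname -r` output; fips_enabled is the content of
    /proc/sys/crypto/fips_enabled ("" when the file is absent)."""
    if fips_enabled.strip() == "1":
        return FipsState.ENABLED
    if "fips" in kernel_release.lower():
        return FipsState.NEEDS_BOOT_PARAM
    return FipsState.NOT_FIPS_KERNEL


_CMDLINE = re.compile(r'^(GRUB_CMDLINE_LINUX_DEFAULT=)"([^"\n]*)"[ \t]*$', re.M)


def set_cmdline_arg(grub_default: str, key: str, value: str) -> str:
    """Return /etc/default/grub text with exactly one key=value in
    GRUB_CMDLINE_LINUX_DEFAULT (idempotent; replaces e.g. fips=0)."""
    def repl(m):
        kept = [a for a in m.group(2).split()
                if a != key and not a.startswith(key + "=")]
        return f'{m.group(1)}"{" ".join(kept + [f"{key}={value}"])}"'

    text, count = _CMDLINE.subn(repl, grub_default)
    if count == 0:  # variable missing from the file: append it
        text = grub_default.rstrip("\n") + f'\nGRUB_CMDLINE_LINUX_DEFAULT="{key}={value}"\n'
    return text


def verified_after_reboot(proc_cmdline: str, fips_enabled: str) -> bool:
    """Post-reboot, the boot parameter and the kernel flag must both be set."""
    return "fips=1" in proc_cmdline.split() and fips_enabled.strip() == "1"


# Constructed sample inputs (not taken from the PR's test runs).
SAMPLE_GRUB = 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet fips=0 console=ttyS0"\nGRUB_TIMEOUT=0\n'
SAMPLE_KERNEL = "5.15.0-1000-azure-fips"

if __name__ == "__main__":
    print(classify(SAMPLE_KERNEL, "0\n").value)
    print(set_cmdline_arg(SAMPLE_GRUB, "fips", "1"))
```

On Debian and Ubuntu the edited /etc/default/grub only takes effect after update-grub regenerates grub.cfg and the machine reboots.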