crypto: implement FIPS 140-2 compliance support

Add FIPS 140-2 cryptographic module support to ensure compliance with federal security standards. The change includes FIPS-approved algorithms and proper key management to meet certification requirements.

Signed-off-by: Maher Homsi <[email protected]>

Author: maherthomsi

Dockerfile

@@ -70,6 +70,7 @@ LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
 
 RUN dnf update -y \
     && dnf install -y \
+        crypto-policies-scripts \
         ec2-instance-connect \
         jq \
         openssh-server \

start_admin.sh

@@ -11,6 +11,9 @@ declare -r SSH_HOST_KEY_DIR="${PERSISTENT_STORAGE_BASE_DIR}/etc/ssh"
 declare -r USER_DATA="${PERSISTENT_STORAGE_BASE_DIR}/user-data"
 declare -r HOST_CERTS="/.bottlerocket/certs"
 
+#shellcheck disable=SC2155  # If not set then we'll treat it as 0
+declare -r FIPS_MODE_FLAG=$(cat '/proc/sys/crypto/fips_enabled' 2>/dev/null || echo 0)
+
 if [ ! -s "${USER_DATA}" ]; then
   log "Admin host-container user-data is empty, going to sleep forever"
   exec sleep infinity
@@ -45,6 +48,16 @@ link_host_certs() {
   update-ca-trust
 }
 
+# Update crypto policies to FIPS if FIPS is enabled
+if [[ ${FIPS_MODE_FLAG} -eq 1 ]]; then
+  update-crypto-policies --set FIPS 2>/dev/null
+  if [[ "$(cat '/etc/crypto-policies/config')" != "FIPS" ]]; then
+    log "Failed to validate FIPS configuration"
+    exit 1
+  fi
+fi
+
+
 get_user_data_keys() {
     # Extract the keys from user-data json
     local raw_keys
@@ -207,7 +220,13 @@ fi
 
 # Generate the server keys
 mkdir -p "${SSH_HOST_KEY_DIR}"
-for key_alg in rsa ecdsa ed25519; do
+# Skip ED25519 in FIPS mode as it's not allowed
+key_algorithms=(rsa ecdsa)
+if [[ "${FIPS_MODE_FLAG}" -ne 1 ]]; then
+  key_algorithms+=(ed25519)
+fi
+
+for key_alg in "${key_algorithms[@]}"; do
   # If both of the keys exist, don't overwrite them
   if [[ -s "${SSH_HOST_KEY_DIR}/ssh_host_${key_alg}_key" ]] \
   && [[ -s "${SSH_HOST_KEY_DIR}/ssh_host_${key_alg}_key.pub" ]]; then