1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -70,6 +70,7 @@ LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"

RUN dnf update -y \
&& dnf install -y \
crypto-policies-scripts \
ec2-instance-connect \
jq \
openssh-server \
21 changes: 20 additions & 1 deletion start_admin.sh
Expand Up @@ -11,6 +11,9 @@ declare -r SSH_HOST_KEY_DIR="${PERSISTENT_STORAGE_BASE_DIR}/etc/ssh"
declare -r USER_DATA="${PERSISTENT_STORAGE_BASE_DIR}/user-data"
declare -r HOST_CERTS="/.bottlerocket/certs"

#shellcheck disable=SC2155 # If not set then we'll treat it as 0
declare -r FIPS_MODE_FLAG=$(cat '/proc/sys/crypto/fips_enabled' 2>/dev/null || echo 0)

if [ ! -s "${USER_DATA}" ]; then
log "Admin host-container user-data is empty, going to sleep forever"
exec sleep infinity
Expand Down Expand Up @@ -45,6 +48,16 @@ link_host_certs() {
update-ca-trust
}

# Update crypto policies to FIPS if FIPS is enabled
if [[ ${FIPS_MODE_FLAG} -eq 1 ]]; then
update-crypto-policies --set FIPS 2>/dev/null
if [[ "$(cat '/etc/crypto-policies/config')" != "FIPS" ]]; then
log "Failed to validate FIPS configuration"
exit 1
fi
fi


get_user_data_keys() {
# Extract the keys from user-data json
local raw_keys
Expand Down Expand Up @@ -207,7 +220,13 @@ fi

# Generate the server keys
mkdir -p "${SSH_HOST_KEY_DIR}"
for key_alg in rsa ecdsa ed25519; do
# Skip ED25519 in FIPS mode as it's not allowed
key_algorithms=(rsa ecdsa)
Contributor


What's the default size of the RSA key? It must be >= 2048 bits. And for ECDSA, make sure you use FIPS curve.

Member


Looks like for RSA it's 3072 bits (changed from 2048 in OpenSSH 8.2). ECDSA defaults to P-256, which is a FIPS-approved curve. Of course, if we wanted to be extra sure we could set these explicitly to avoid changes in behavior.

if [[ "${FIPS_MODE_FLAG}" -ne 1 ]]; then
key_algorithms+=(ed25519)
fi

for key_alg in "${key_algorithms[@]}"; do
# If both of the keys exist, don't overwrite them
if [[ -s "${SSH_HOST_KEY_DIR}/ssh_host_${key_alg}_key" ]] \
&& [[ -s "${SSH_HOST_KEY_DIR}/ssh_host_${key_alg}_key.pub" ]]; then
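Review bot: The exit status and stderr of `update-crypto-policies --set FIPS` are both discarded on the line that applies the policy, so the only failure signal is the follow-up comparison against `/etc/crypto-policies/config`, which records the policy that was requested rather than proving it was applied, and the message "Failed to validate FIPS configuration" leaves the operator nothing to diagnose with. I would check the command directly and let its stderr reach the container log, `update-crypto-policies --set FIPS || { log "Failed to set FIPS crypto policy"; exit 1; }`, and keep the existing config-file comparison as a second gate. Separately, a `ssh_host_ed25519_key` already present in `${SSH_HOST_KEY_DIR}` from an earlier non-FIPS boot is only skipped by the generation loop, not removed, so whether sshd still loads it presumably depends on the sshd_config, which is not in this hunk. The key-generation loop and whatever follows it end outside the hunk.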