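summary: Check whether snapd works in FIPS mode

details: |
    Check whether snapd works correctly in a FIPS enabled system.

    On ubuntu-fips-* systems the kernel must report fips_enabled=1 and the
    memory map of the running snapd process must contain libcrypto (and, from
    22.04 on, the separate ossl-modules-3/fips.so provider module), loaded
    either from the deb location under /usr/lib or from the snapd snap,
    depending on the spread variant. On regular ubuntu-2* systems snapd is a
    pure Go binary and no libcrypto must be mapped at all.

    Note that only the mapped libraries are inspected; whether the FIPS
    provider is actually selected for every crypto operation is not verified
    by this test.

systems:
    - ubuntu-2*
    - ubuntu-fips-*

debug: |
    tests.exec is-skipped && exit 0
    # the memory map written by the execute section
    cat snapd-map.out || true

execute: |
    tests.exec is-skipped && exit 0

    # In this scenario, the keys from the snapd pkg are used
    if [ "$TRUST_TEST_KEYS" = "false" ]; then
        tests.exec skip-test "This test needs test keys to be trusted" && exit 0
    fi

    # Snapshot the memory map of the running daemon; the rest of the test
    # only inspects this file (it is also dumped by the debug section).
    snapd_pid="$(pidof snapd)"
    if [ -z "$snapd_pid" ]; then
        echo "snapd is not running, cannot inspect its memory map"
        exit 1
    fi
    pmap -p "$snapd_pid" > snapd-map.out

    # NOTE: the ubuntu-fips-* arm must stay before the ubuntu-* arm, since
    # the latter pattern matches FIPS systems too.
    case "$SPREAD_SYSTEM" in
        ubuntu-fips-*)
            # this is checked in spread prepare, but let's be sure
            [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]

            # depending on whether the binary is run from the snapd snap or the
            # snapd deb, the locations of mapped libraries will be different
            case "$SPREAD_VARIANT" in
                deb)
                    # libcrypto is loaded at runtime, this is what we're trying to
                    # match:
                    # 00007fc16068d000 712K r---- /usr/lib/x86_64-linux-gnu/libcrypto.so.3
                    MATCH ' /usr/lib/.*/libcrypto.*\.so.*' < snapd-map.out
                    if os.query is-ubuntu-ge 22.04; then
                        # since 22.04 openssl 3.x uses a separate fips.so runtime
                        # module:
                        # 00007fc160532000 96K r---- /usr/lib/x86_64-linux-gnu/ossl-modules-3/fips.so
                        MATCH ' /usr/lib/.*/ossl-modules-3/fips.so' < snapd-map.out
                    fi
                    ;;
                snap)
                    # same libraries, but shipped inside the snapd snap:
                    # 00007f9400c05000 712K r---- /snap/snapd/x1/usr/lib/x86_64-linux-gnu/libcrypto.so.3
                    MATCH ' /snap/snapd/.*/usr/lib/.*/libcrypto.*\.so.*' < snapd-map.out
                    if os.query is-ubuntu-ge 22.04; then
                        # 00007f9400aaa000 96K r---- /snap/snapd/x1/usr/lib/x86_64-linux-gnu/ossl-modules-3/fips.so
                        MATCH ' /snap/snapd/.*/usr/lib/.*/ossl-modules-3/fips.so' < snapd-map.out
                    fi
                    ;;
                *)
                    echo "unexpected test variant on FIPS enabled $SPREAD_SYSTEM"
                    exit 1
                    ;;
            esac
            ;;
        ubuntu-*)
            # no libcrypto, pure Go stack
            NOMATCH 'libcrypto.*\.so.*' < snapd-map.out
            ;;
    esac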