Test build for #1092

Author: SUSE Update Bot

.obs/workflows.yml

@@ -1,6 +1,10 @@
 ---
 staging_build:
   steps:
+    - branch_package:
+        source_project: home:defolos:BCI:CR:SLE-15-SP4
+        source_package: base-fips-image
+        target_project: home:defolos:BCI:CR:SLE-15-SP4:Staging
   filters:
     event: pull_request
 
@@ -18,6 +22,9 @@ refresh_staging_project:
 
 refresh_devel_BCI:
   steps:
+    - trigger_services:
+        project: devel:BCI:SLE-15-SP4
+        package: base-fips-image
   filters:
     event: push
     branches:

base-fips-image/Dockerfile

@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: MIT
+
+#     Copyright (c) 2024 SUSE LLC
+
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon.
+
+# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
+# It is maintained by the BCI team and generated by
+# https://github.com/SUSE/BCI-dockerfile-generator
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# You can contact the BCI team via https://github.com/SUSE/bci/discussions
+
+#!ExclusiveArch: x86_64
+#!BuildTag: suse/ltss/sle15.4/bci-base-fips:%OS_VERSION_ID_SP%
+#!BuildTag: suse/ltss/sle15.4/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%
+#!BuildName: suse-ltss-sle15.4-bci-base-fips-%OS_VERSION_ID_SP%
+#!BuildVersion: 15.4
+FROM suse/ltss/sle15.4/sle15:15.4
+
+RUN set -euo pipefail; zypper -n in --no-recommends sles-ltss-release crypto-policies-scripts; zypper -n clean; rm -rf /var/log/{lastlog,tallylog,zypper.log,zypp/history,YaST2}
+
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.sle.base-fips
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE LTSS BCI 15 SP4 FIPS-140-3"
+LABEL org.opencontainers.image.description="15 SP4 FIPS-140-3 container based on the SLE LTSS Base Container Image."
+LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%.%RELEASE%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/long-term-service-pack-support/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opencontainers.image.source="%SOURCEURL%"
+LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%.%RELEASE%"
+LABEL org.opensuse.reference="registry.suse.com/suse/ltss/sle15.4/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel.until="2026-12-31"
+LABEL com.suse.eula="sle-eula"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle#suse-linux-enterprise-server-15"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+LABEL io.artifacthub.package.readme-url="%SOURCEURL%/README.md"
+LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."
+#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/openssl-1_1.28168/openssl-1_1-1.1.1l-150400.7.28.1.x86_64.rpm
+COPY openssl-1_1-1.1.1l-150400.7.28.1.x86_64.rpm .
+#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/openssl-1_1.28168/libopenssl1_1-1.1.1l-150400.7.28.1.x86_64.rpm
+COPY libopenssl1_1-1.1.1l-150400.7.28.1.x86_64.rpm .
+#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/openssl-1_1.28168/libopenssl1_1-hmac-1.1.1l-150400.7.28.1.x86_64.rpm
+COPY libopenssl1_1-hmac-1.1.1l-150400.7.28.1.x86_64.rpm .
+#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/libgcrypt.28151/libgcrypt20-1.9.4-150400.6.8.1.x86_64.rpm
+COPY libgcrypt20-1.9.4-150400.6.8.1.x86_64.rpm .
+#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/libgcrypt.28151/libgcrypt20-hmac-1.9.4-150400.6.8.1.x86_64.rpm
+COPY libgcrypt20-hmac-1.9.4-150400.6.8.1.x86_64.rpm .
+RUN set -euo pipefail; \
+    [ $(LC_ALL=C rpm --checksig -v *rpm | \
+        grep -c -E "^ *V3.*key ID 39db7c82: OK") = 5 ] \
+    && rpm -Uvh --oldpackage --force *.rpm \
+    && rm -vf *.rpm \
+    && rpmqpack | grep -E '(openssl|libgcrypt)' | xargs zypper -n addlock
+RUN set -euo pipefail; update-crypto-policies --no-reload --set FIPS
+
+ENV OPENSSL_FIPS=1
+ENV OPENSSL_FORCE_FIPS_MODE=1
+ENV LIBGCRYPT_FORCE_FIPS_MODE=1
+ENV GNUTLS_FORCE_FIPS_MODE=1

base-fips-image/README.md

@@ -0,0 +1,106 @@
+
+# The SUSE Linux Enterprise 15 SP4 LTSS FIPS-140-3 container image
+
+![Access Protected](https://img.shields.io/badge/Requires_login_for_access-orange)
+![Long Term Service Pack Support](https://img.shields.io/badge/LTSS-Yes-orange)
+[![SLSA](https://img.shields.io/badge/SLSA_(v0.1)-Level_4-Green)](https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/)
+[![Provenance: Available](https://img.shields.io/badge/Provenance-Available-Green)](https://documentation.suse.com/container/all/html/Container-guide/index.html#container-verify)
+
+## Description
+
+
+This SUSE Linux Enterprise 15 SP4 LTSS-based container image includes the
+OpenSSL and libgcrypt modules that have been interim validated to FIPS 140-3.
+
+The [FIPS 140-3 certified OpenSSL module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4725.pdf)
+is a cryptographic module that provides a FIPS 140-3 compliant cryptographic
+library. The module is designed to provide the same functionality as the
+standard OpenSSL library, with additional security features to meet the FIPS
+140-3 requirements. [An interim validation has been issued](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4725)
+by NIST.
+
+Similarly, the [FIPS 140-3 certified libgcrypt module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4722.pdf)
+is designed to provide the same functionality as the standard libgcrypt
+library, with additional security features enforced to meet the FIPS 140-3
+requirements. [An interim validation has been issued](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4722)
+by NIST.
+
+
+
+## Usage
+The image is configured to enforce the use of FIPS mode by default,
+independent of the host environment setup by specifying the following
+environment variables:
+* `OPENSSL_FIPS=1`: Initialize the OpenSSL FIPS mode
+* `OPENSSL_FORCE_FIPS_MODE=1`: Set FIPS mode to enforcing independent of the host kernel
+* `LIBGCRYPT_FORCE_FIPS_MODE=1`: Set FIPS mode in libgcrypt to enforcing
+
+Below is a list of other environment variables that can be used to configure the OpenSSL library:
+
+* `OPENSSL_ENFORCE_MODULUS_BITS=1`: Restrict the OpenSSL module to only generate
+the acceptable key sizes of RSA.
+## Accessing the container image
+
+Accessing this container image requires a valid SUSE subscription. In order
+to access the container image, you must login to the SUSE Registry with your credentials.
+There are three ways to do that which are described below. The first two methods
+leverage the system registration of your host system, while the third method
+requires you to obtain the organisation SCC mirroring credentials.
+
+### Use the system registration of your host system
+
+If the host system you are using to build or run a container is already registered with
+the correct subscription required for accessing the LTSS container images, you can use
+the registration information from the host to log in to the registry.
+
+The file `/etc/zypp/credentials.d/SCCcredentials` contains a username and a password.
+These credentials allow you to access any container that is available under the
+subscription of the respective host system. You can use these credentials to log
+in to SUSE Registry using the following commands
+(use the leading space before the echo command to avoid storing the credentials in the
+shell history):
+
+```ShellSession
+set +o history
+ echo PASSWORD | podman login -u USERNAME --password-stdin registry.suse.com
+set -o history
+```
+
+### Use a separate SUSE Customer Center registration code
+
+If the host system is not registered with SUSE Customer Center, you can use a valid
+SUSE Customer Center registration code to log in to the registry:
+
+```ShellSession
+set +o history
+ echo SCC_REGISTRATION_CODE | podman login -u "regcode" --password-stdin registry.suse.com
+set -o history
+```
+The user parameter in this case is the verbatim string `regcode`, and
+`SCC_REGISTRATION_CODE` is the actual registration code obtained from SUSE.
+
+### Use the organization mirroring credentials
+
+You can also use the organization mirroring credentials to log in to the
+SUSE Registry:
+
+```ShellSession
+set +o history
+ echo SCC_MIRRORING_PASSWORD | podman login -u "SCC_MIRRORING_USER" --password-stdin registry.suse.com
+set -o history
+```
+
+These credentials give you access to all subscriptions the organization owns,
+including those related to container images in the SUSE Registry.
+The credentials are highly privileged and should be preferably used for
+a private mirroring registry only.
+## Licensing
+
+`SPDX-License-Identifier: MIT`
+
+This documentation and the build recipe are licensed as MIT.
+The container itself contains various software components under various open source licenses listed in the associated
+Software Bill of Materials (SBOM).
+
+This image is based on [SUSE Linux Enterprise Server](https://www.suse.com/products/server/), a reliable,
+secure, and scalable server operating system built to power mission-critical workloads in physical and virtual environments.

base-fips-image/_service

@@ -0,0 +1,4 @@
+<services>
+  <service mode="buildtime" name="docker_label_helper"/>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+</services>

base-fips-image/base-fips-image.changes

@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Sep 03 09:35:30 UTC 2024 - SUSE Update Bot <[email protected]>
+
+- First version of the 15 SP4 FIPS-140-3 BCI