ISS-3102 FIPS POST validation for MACsec control plane crypto.

[vikram-nexthop]

What I did

• Query control plane (wpa_supplicant) crypto POST status check in macsecmgrd main, when FIPS mode is enabled
• Record status in FIPS_MACSEC_POST_TABLE.
• Implemented fail-secure behavior where macsecmgrd is forced to get into an infinite loop, if the POST validation fails.

Why I did it
MACsec control plane FIPS POST validation is required to ensure the cryptographic backend has passed self-tests before enabling MACsec operations. This is to ensure MACsec control plane fails securely if crypto backend POST validation fails in FIPS environments.

How I verified it
Enabled MACsec service with and without SymCrypt FIPS provider.

Details if related
related PR: sonic-net/sonic-wpa-supplicant#99

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wumiaont]

LGTM

[vikram-nexthop]

@prsunny Could you please review this PR for approval when convenient? All the review comments have been addressed.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[vikram-nexthop]

@prsunny Could you please review this PR for approval when convenient? All the review comments have been addressed.

gentle reminder to complete the review.

[judyjoseph]

@vikram-nexthop we already stop the configs in macsecmgrd in PR : #3836 , macsecmgrd. Please share more details on this PR

[vikram-nexthop]

@judyjoseph PR #3836 handles the data plane POST (SAI/hardware crypto engines), while this PR addresses control plane POST (wpa_supplicant crypto module for MKA protocol). Both are separate cryptographic modules and therefore require independent FIPS validation.

Complete MACsec FIPS compliance requires both POST validations to pass. So, both POST validations must pass before enabling MACsec configuration processing.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).