# Description

## What's the problem
The script that is used to generate the kernel parameters table doesn't consider boot configs. This results in the wrong kernel parameters being listed for the FIPS variants, as they should have listed `fips=1`. See `release.spec`.
## Potential solution
This is going to be tricky to automate, since the boot config could change depending on the variant. The script could iterate through all the variants, fetch the `.img.lz4` files from the TUF repository, mount them, and inspect the private partition for `bootconfig.data`. If the file exists, read it and include the contents in the table. An example of the contents is as follows:

```
[root@admin]# cat /.bottlerocket/rootfs/var/lib/bottlerocket/bootconfig.data
kernel.initcall_blacklist = "vmd_drv_init", "megasas_init", "mpt3sas_init", "pqi_init"
kernel.fips = "1"
kernel.module_blacklist = "i8042"
init.systemd.unit = "fipscheck.target"
{=#BOOTCONFIG
```
The problem is the offset that has to be specified when mounting the image file, as it could change depending on the variant being built. To figure out the offset, one can use `sfdisk` and `grep` for `BOTTLEROCKET-PRIVATE`:
```
❯ sfdisk bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img --list -o +Name
Disk bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img: 2 GiB, 2147483648 bytes, 4194304 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: F394D8C0-276E-44F6-8526-D2ED5BF62CFA

Device                                             Start     End Sectors Size Type       Name
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img1     2048   10239    8192   4M BIOS boot  BIOS-BOOT
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img2    10240   20479   10240   5M EFI System EFI-SYSTEM
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img3    20480  102399   81920  40M unknown    BOTTLEROCKET-BOOT-A
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img4   102400 1986559 1884160 920M unknown    BOTTLEROCKET-ROOT-A
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img5  1986560 2007039   20480  10M unknown    BOTTLEROCKET-HASH-A
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img6  2007040 2058239   51200  25M unknown    BOTTLEROCKET-RESERVED-A
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img7  2058240 2068479   10240   5M unknown    EFI-BACKUP
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img8  2068480 2150399   81920  40M unknown    BOTTLEROCKET-BOOT-B
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img9  2150400 4034559 1884160 920M unknown    BOTTLEROCKET-ROOT-B
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img10 4034560 4055039   20480  10M unknown    BOTTLEROCKET-HASH-B
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img11 4055040 4106239   51200  25M unknown    BOTTLEROCKET-RESERVED-B
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img12 4106240 4190207   83968  41M unknown    BOTTLEROCKET-PRIVATE
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img13 4190208 4192255    2048   1M unknown
```
In this disk, the data partition was `bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img12`.
Expected values for the FIPS variant:

```
console=tty0
console=ttyS0,115200n8
net.ifnames=0
netdog.default-interface=eth0:dhcp4,dhcp6?
quiet
kernel.fips = 1
init.systemd.unit = fipscheck.target
```
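As an added example (not code from this issue or from Bottlerocket), the two parsing steps the proposed script needs, in Python: computing the `mount -o offset=` value for `BOTTLEROCKET-PRIVATE` from `sfdisk --list -o +Name` output, and reading `bootconfig.data` into rows of the form the expected-values list above uses. The sample sfdisk rows and bootconfig text are constructed from the output shown above; the footer layout (u32 size, u32 byte-sum checksum, `#BOOTCONFIG` magic) follows the kernel bootconfig tool and is an assumption about what the `{=#BOOTCONFIG` bytes above are.

```python
import re, struct

SECTOR_SIZE = 512  # "Units: sectors of 1 * 512 = 512 bytes" in the sfdisk output
MAGIC = b"#BOOTCONFIG\n"  # trailer written by the kernel's bootconfig tool (assumed layout)
# Constructed samples: rows of the sfdisk output and the bootconfig.data text shown above.
SFDISK_OUTPUT = """\
Device Start End Sectors Size Type Name
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img2 10240 20479 10240 5M EFI System EFI-SYSTEM
bottlerocket-aws-ecs-2-fips-x86_64-v1.27.0.img12 4106240 4190207 83968 41M unknown BOTTLEROCKET-PRIVATE
"""
CONFIG_TEXT = b'''kernel.initcall_blacklist = "vmd_drv_init", "megasas_init", "mpt3sas_init", "pqi_init"
kernel.fips = "1"
kernel.module_blacklist = "i8042"
init.systemd.unit = "fipscheck.target"
'''

def with_footer(text: bytes) -> bytes:
    """Append u32 size, u32 checksum (byte sum, as the kernel computes it) and magic."""
    csum = sum(text) & 0xFFFFFFFF
    return text + struct.pack("<II", len(text), csum) + MAGIC

def partition_offset(sfdisk_output: str, name: str = "BOTTLEROCKET-PRIVATE") -> int:
    """Byte offset for `mount -o offset=...`; Name is the last column, Start the second."""
    for fields in (line.split() for line in sfdisk_output.splitlines()):
        if len(fields) >= 7 and fields[-1] == name:  # Type may be two words ("EFI System")
            return int(fields[1]) * SECTOR_SIZE
    raise LookupError(f"no partition named {name}")

def bootconfig_text(data: bytes) -> str:
    """Strip and verify the footer; data without the magic is treated as plain text."""
    if not data.endswith(MAGIC):
        return data.decode()
    end = len(data) - len(MAGIC)
    size, csum = struct.unpack("<II", data[end - 8:end])
    body = data[max(0, end - 8 - size):end - 8]
    if len(body) != size or (sum(body) & 0xFFFFFFFF) != csum:
        raise ValueError("bootconfig footer does not match its contents; not trusting it")
    return body.rstrip(b"\0").decode()

def parse_bootconfig(text: str) -> dict:
    """Map `key = "v1", "v2"` lines to {key: [v1, v2]}; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, _, raw = line.partition("=")
            params[key.strip()] = re.findall(r'"([^"]*)"', raw)
    return params

def table_rows(params: dict) -> list:
    """Rows in the form of the expected-values list above, e.g. 'kernel.fips = 1'."""
    return [f"{k} = {', '.join(v)}" for k, v in params.items()]
```

Mounting still needs root (`mount -o ro,loop,offset=<value>`), so the offset and the parsed rows are what the script would feed into the table generator.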