Description
Describe the bug
While running:
$ cat /proc/sys/crypto/fips_enabled
on an EC2 built from an AMI created with the --no-fips flag correctly outputs 0, running:
update-crypto-policies --show
still shows:
FIPS
Note: This issue was uncovered after using the Cross-Distro Bootstrap instructions to produce an OL8 AMI. Packer's (current) inability to negotiate SSH connections on FIPS-enabled instances was on full display when attempting to provision the resulting EC2.
Severity
- Completely Broken (No work-around evident)
- Severely Broken (Work-around possible but difficult)
- Moderately Broken (Trivial work-around)
- Nuisance (Functions but untrapped errors can slip through)
To Reproduce
Steps to reproduce the behavior:
- Create an AMI using the PostBuild.sh script's --no-fips flag
- Launch an EC2 from the resulting AMI
- Log in to the EC2
- Execute FIPS-mode steps as described above to see the incorrect/inconsistent FIPS-state
Expected behavior
FIPS is fully and completely disabled within EC2s launched from AMIs built by passing the --no-fips flag to the PostBuild.sh script
Deviance Description
FIPS is only partially disabled (see opening bug description) within EC2s launched from AMIs built by passing the --no-fips flag to the PostBuild.sh script
Additional context
Fix Suggestions
Ensure that the PostBuild.sh script's --no-fips logic includes an execution of:
update-crypto-policies --set DEFAULT
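A check that compares the two FIPS indicators the report puts side by side (the kernel flag and the crypto-policy name), together with the policy reset proposed above for the --no-fips path, as an added shell example; this is not code from the report or from the project's PostBuild.sh script, and the FIPS_SYSCTL path override exists only so the check can be exercised off-box.

```shell
#!/bin/sh
# Added example: detect the half-disabled FIPS state described in the report
# (kernel says 0, crypto policy still says FIPS) and apply the suggested fix.

# Return 0 when the kernel FIPS flag and the crypto-policy agree, 1 otherwise.
# $1: contents of /proc/sys/crypto/fips_enabled ("0" or "1")
# $2: policy name printed by `update-crypto-policies --show`
#     (e.g. DEFAULT, FIPS, or a FIPS sub-policy such as FIPS:OSPP)
fips_state_consistent() {
    kernel_flag=$1
    policy=$2
    case "$policy" in
        FIPS|FIPS:*) policy_is_fips=1 ;;
        *)           policy_is_fips=0 ;;
    esac
    [ "$kernel_flag" = "$policy_is_fips" ]
}

# Live readings. FIPS_SYSCTL is an assumed override so the check can be run
# against a constructed file; the default is the real kernel interface.
current_kernel_flag() {
    cat "${FIPS_SYSCTL:-/proc/sys/crypto/fips_enabled}" 2>/dev/null || echo unknown
}
current_policy() {
    update-crypto-policies --show 2>/dev/null || echo unknown
}

# The remediation the report suggests for PostBuild.sh's --no-fips logic:
# after the kernel side is disabled, reset the system-wide crypto policy too.
disable_fips_policy() {
    update-crypto-policies --set DEFAULT
}

# Report the combined state; exit 1 when the two indicators disagree so a
# build or boot-time check can fail loudly instead of shipping a mixed image.
check_fips_state() {
    k=$(current_kernel_flag)
    p=$(current_policy)
    if fips_state_consistent "$k" "$p"; then
        echo "consistent: fips_enabled=$k policy=$p"
        return 0
    fi
    echo "INCONSISTENT: fips_enabled=$k policy=$p" >&2
    return 1
}
```

Run `check_fips_state` on a freshly launched instance from a --no-fips AMI; the state in the report prints `INCONSISTENT: fips_enabled=0 policy=FIPS` and exits 1, and `disable_fips_policy` clears it.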