From 32deab72581c61d580b3d7c623ed95780c9bcbd0 Mon Sep 17 00:00:00 2001
From: Vendula Poncova
Date: May 28 2020 12:05:17 +0000
Subject: Set up FIPS in the installation environment (#1800697)

Add the systemd service anaconda-fips that will set up the FIPS mode in stage2 if there is fips=1 on the kernel cmdline. It should run before network.target.
Resolves: rhbz#1800697
---
diff --git a/anaconda.spec.in b/anaconda.spec.in
index d6164ae..3ecb47d 100644
--- a/anaconda.spec.in
+++ b/anaconda.spec.in
@@ -124,6 +124,9 @@ Requires: systemd
 Requires: python3-pid
 Requires: python3-ordered-set >= 2.0.0
+# Required by the systemd service anaconda-fips.
+Requires: crypto-policies
+
 # required because of the rescue mode and VNC question
 Requires: anaconda-tui = %{version}-%{release}
diff --git a/data/systemd/Makefile.am b/data/systemd/Makefile.am
index 2f8edc7..04531cd 100644
--- a/data/systemd/Makefile.am
+++ b/data/systemd/Makefile.am
@@ -28,6 +28,7 @@ dist_systemd_DATA = anaconda.service \
 anaconda-sshd.service \
 anaconda-nm-config.service \
 anaconda-pre.service \
+ anaconda-fips.service \
 zram.service
 dist_generator_SCRIPTS = anaconda-generator
diff --git a/data/systemd/anaconda-fips.service b/data/systemd/anaconda-fips.service
new file mode 100644
index 0000000..bf32687
--- /dev/null
+++ b/data/systemd/anaconda-fips.service
@@ -0,0 +1,10 @@
+[Unit]
+# This service sets up the FIPS mode in the installation environment.
+Description=Anaconda FIPS service
+ConditionKernelCommandLine=fips=1
+Before=network.target
+Before=NetworkManager.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/update-crypto-policies --set FIPS
diff --git a/data/systemd/anaconda.target b/data/systemd/anaconda.target
index b871666..7412f61 100644
--- a/data/systemd/anaconda.target
+++ b/data/systemd/anaconda.target
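Review bot: In anaconda.spec.in the new `Requires: crypto-policies` names a package, while what anaconda-fips.service actually executes is `/usr/bin/update-crypto-policies`. If that script is packaged separately from the policy data on any target release (worth confirming against the crypto-policies packaging), the image would satisfy the dependency and still lack the binary, and the unit would fail at boot with fips=1. A file dependency states the real requirement: `Requires: /usr/bin/update-crypto-policies`.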
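Review bot: In data/systemd/anaconda-fips.service the only ordering is `Before=network.target` and `Before=NetworkManager.service`, so nothing in this unit guarantees that the other units anaconda.target pulls in (anaconda-sshd.service, anaconda.service) start after the policy switch; a process that read its crypto configuration before `update-crypto-policies --set FIPS` finished keeps the previous policy. Unless those units are already ordered after network.target elsewhere, I would add `Before=anaconda-sshd.service anaconda.service` together with a one-line comment saying the policy must be in place before any crypto consumer starts. `RemainAfterExit=yes` in [Service] would also keep the oneshot shown as active, which makes it easy to confirm from the unit state that the switch ran.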
@@ -11,6 +11,7 @@ Wants=plymouth-quit.service plymouth-quit-wait.service
 Wants=anaconda-direct.service anaconda.service
 Wants=anaconda-sshd.service
 Wants=anaconda-pre.service
+Wants=anaconda-fips.service
 Wants=zram.service
 Wants=systemd-logind.service
 Wants=rhsm.service
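Review bot: `Wants=anaconda-fips.service` makes the FIPS setup best-effort: if update-crypto-policies exits non-zero the unit is marked failed and anaconda.target still starts, so an installation booted with fips=1 would proceed under the default policy with only a journal entry to show for it. `Requires=anaconda-fips.service` would stop the target in that case, and it should not affect boots without fips=1, since a unit skipped by its ConditionKernelCommandLine= check is not treated as a failed requirement. If best-effort is the intent, a comment next to the line would record that decision, e.g. `# FIPS setup is best-effort; a failure does not block the installer`.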