tests: enable testing with snapd snap FIPS variant

.github/workflows/test.yaml

@@ -855,15 +855,27 @@ jobs:
 
     - name: Download built snap
       uses: actions/download-artifact@v3
+      if: "!endsWith(matrix.group, '-fips')"
       with:
         name: snap-files-default-test
+        # eg. snapd_1337.2.65.1+git97.gd35b459_amd64.snap
         pattern: snapd_1337.*.snap
         path: "${{ github.workspace }}/built-snap"
 
+    - name: Download built FIPS snap
+      uses: actions/download-artifact@v3
+      # eg. ubuntu-fips
+      if: "endsWith(matrix.group, '-fips')"
+      with:
+        name: snap-files-FIPS-test
+        # eg. snapd_1337.2.65.1+git97.gd35b459-fips_amd64.snap
+        pattern: snapd_1337.*-fips_*.snap
+        path: "${{ github.workspace }}/built-snap"
+
     - name: Rename imported snap
       run: |
         for snap in built-snap/snapd_1337.*.snap; do
-          mv "${snap}" "${snap}.keep"
+          mv -v "${snap}" "${snap}.keep"
         done
 
     - name: Run spread tests

build-aux/snap/snapcraft.yaml

@@ -203,10 +203,23 @@ parts:
       craftctl default
       # set version, this needs dpkg-parsechangelog (from dpkg-dev) and git
       VERSION="$(./mkversion.sh --output-only)"
-      if [ -f fips-build ] ; then
-          echo "-- appending FIPS tag to version $VERSION"
-          VERSION="$VERSION-fips"
+      if [ "${VERSION/+fips/}" != "$VERSION" ] ; then
+          # we have a '+fips' element in the version, which may be coming from
+          # debian/changelog or git tag
+          echo "-- detected FIPS build"
+          touch fips-build
       fi
+      # TODO detect when doing a FIPS snap build on LP
+
+      if [ -f fips-build ]; then
+          if [ "${VERSION/+fips/}" = "$VERSION" ] ; then
+              # we have a fips-build marker, but fips tag isn't yet part of the
+              # snap version, let's add it
+              echo "-- appending FIPS tag to version $VERSION"
+              VERSION="$VERSION+fips"
+          fi
+      fi
+
       if [ -f test-build ]; then
           VERSION="1337.${VERSION}"
       fi
@@ -216,12 +229,17 @@ parts:
     override-build: |
       # this should be passed through build environment, but we're already
       # anchoring dynamic linker env variables
-      GO_TOOLCHAIN_FIPS_CHANNEL="1.18-fips/stable"
+      GO_TOOLCHAIN_FIPS_CHANNEL="1.21-fips/stable"
 
       VERSION="$(craftctl get version)"
       if [ -f fips-build ] ; then
           # use the fips channel of Go
           snap refresh --channel "$GO_TOOLCHAIN_FIPS_CHANNEL" go
+          # make sure it is really the Go FIPS toolchain
+          if ! test -f /snap/go/current/src/crypto/internal/backend/openssl_linux.go; then
+              echo "Go 1.21 FIPS toolchain not found"
+              exit 1
+          fi
       fi
       # make sure to set the version we declared in pull
       ./mkversion.sh "$VERSION"

mkversion.sh

@@ -90,7 +90,7 @@ fi
 # and append the git revno and commit hash. A simpler approach would be
 # to git tag all pre/rc releases.
 if [ -z "$version_from_user" ] && [ "$version_from_git" != "" ] && \
-       [ -n "$version_from_changelog" ] && [ "$version_from_git" != "$version_from_changelog" ]; then
+       [ -n "$version_from_changelog" ] && [ "$version_from_git" != "${version_from_changelog%+fips}" ]; then
     # if the changelog version has "git" in it and we also have a git version
     # directly, that is a bad changelog version, so fail, otherwise the below
     # code will produce a duplicated git info

packaging/ubuntu-16.04/rules

@@ -30,7 +30,8 @@ export PATH:=${PATH}:${CURDIR}
 export PATH:=/usr/lib/go-1.18/bin:${PATH}
 ifeq (${FIPSBUILD},1)
 	# when building with FIPS, use Go 1.21 which is also declared in build
-	# dependencies
+	# dependencies; during testing it is manually installed, but during LP builds
+	# it should be pulled in as a build dependency
 	export PATH:=/usr/lib/go-1.21/bin:${PATH}
 endif
 # GOCACHE is needed by go-1.13+
@@ -110,8 +111,8 @@ endif
 
 ifeq (${FIPSBUILD},1)
   # if enabled also enable bootloader assets testing and fault injection
-	_TAGS := $(_TAGS),goexperiment.opensslcrypto
-	_SNAP_TAGS := $(_SNAP_TAGS),goexperiment.opensslcrypto
+	_TAGS := $(_TAGS),goexperiment.opensslcrypto,snapdfips
+	_SNAP_TAGS := $(_SNAP_TAGS),goexperiment.opensslcrypto,snapdfips
 endif
 
 TAGS=-tags "$(_TAGS)"
@@ -197,6 +198,15 @@ override_dh_clean:
 	(cd c-vendor/squashfuse && rm -f snapfuse && make distclean || true )
 
 override_dh_auto_build:
+	# very ugly test for FIPS variant of a toolchain
+	# see https://warthogs.atlassian.net/browse/FR-8860
+ifeq (${FIPSBUILD},1)
+	if ! test -f /usr/lib/go-1.21/src/crypto/internal/backend/openssl_linux.go; then \
+		echo "Go 1.21 FIPS toolchain not found"; \
+		exit 1; \
+	fi
+endif
+
 	# generate dh-golang does not copy modules.txt
 	cp -a vendor/modules.txt _build/src/$(DH_GOPKG)/vendor
 	# usually done via `go generate` but that is not supported on powerpc

snapdtool/fips_linux.go

@@ -119,7 +119,7 @@ func MaybeSetupFIPS() error {
 		"GOFIPS=1",
 	}...)
 
-	// need we need to set up environment such that the FIPS library module
+	// now we need to set up environment such that the FIPS library module
 	// will be picked up at startup, however this is only relevant in the
 	// following cases:
 	// - on classic, when reexecuted from the snapd snap

spread.yaml

@@ -1404,9 +1404,10 @@ suites:
         systems:
           - ubuntu-fips-*
         environment:
-          # TODO add snap variant
           # disable reexec so that the tests run with deb
           SNAP_REEXEC/deb: "0"
+          # but keep it enabled when using the snap
+          SNAP_REEXEC/snap: "1"
         prepare: |
             "$TESTSLIB"/prepare-restore.sh --prepare-suite
         prepare-each: |

tests/main/fips/task.yaml

@@ -17,18 +17,34 @@ execute: |
             # this is checked in spread prepare, but let's be sure
             [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]
 
-            # TODO when executing with FIPS snapd snap, the paths shall come
-            # from the snapd snap
-            # libcrypto is loaded at runtime, this is what we're trying to
-            # match:
-            # 00007fc16068d000    712K r---- /usr/lib/x86_64-linux-gnu/libcrypto.so.3
-            MATCH ' /usr/lib/.*/libcrypto.*\.so.*' < snapd-map.out
-            if os.query is-ubuntu-ge 22.04; then
-                # since 22.04 openssl 3.x uses a separate fips.so runtime
-                # module:
-                # 00007fc160532000     96K r---- /usr/lib/x86_64-linux-gnu/ossl-modules-3/fips.so
-                MATCH ' /usr/lib/.*/ossl-modules-3/fips.so' < snapd-map.out
-            fi
+            # depending on whether the binary is run from the snapd snap or the
+            # snapd deb, the locations of mapped libraries will be different
+            case "$SPREAD_VARIANT" in
+                deb)
+                    # libcrypto is loaded at runtime, this is what we're trying to
+                    # match:
+                    # 00007fc16068d000    712K r---- /usr/lib/x86_64-linux-gnu/libcrypto.so.3
+                    MATCH ' /usr/lib/.*/libcrypto.*\.so.*' < snapd-map.out
+                    if os.query is-ubuntu-ge 22.04; then
+                        # since 22.04 openssl 3.x uses a separate fips.so runtime
+                        # module:
+                        # 00007fc160532000     96K r---- /usr/lib/x86_64-linux-gnu/ossl-modules-3/fips.so
+                        MATCH ' /usr/lib/.*/ossl-modules-3/fips.so' < snapd-map.out
+                    fi
+                    ;;
+                snap)
+                    # 00007f9400c05000    712K r---- /snap/snapd/x1/usr/lib/x86_64-linux-gnu/libcrypto.so.3
+                    MATCH ' /snap/snapd/.*/usr/lib/.*/libcrypto.*\.so.*' < snapd-map.out
+                    if os.query is-ubuntu-ge 22.04; then
+                        # 00007f9400aaa000     96K r---- /snap/snapd/x1/usr/lib/x86_64-linux-gnu/ossl-modules-3/fips.so
+                        MATCH ' /snap/snapd/.*/usr/lib/.*/ossl-modules-3/fips.so' < snapd-map.out
+                    fi
+                    ;;
+                *)
+                    echo "unexpected test variant on FIPS enabled $SPREAD_SYSTEM"
+                    exit 1
+                    ;;
+            esac
             ;;
         ubuntu-*)
             # no libcrypto, pure Go stack