Enable fips mode with flag and simplify trusted flag

Signed-off-by: Itxaka <[email protected]>
kairos-io · Jan 31, 2025 · bb9c921 · bb9c921
1 parent d15ec10
commit bb9c921
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 13 deletions.
diff --git a/main.go b/main.go
@@ -11,20 +11,19 @@ import (
 	"github.com/mudler/yip/pkg/schema"
 	"github.com/sanity-io/litter"
 	"os"
-	"strings"
 )
 
 func main() {
-	var trusted string
 	var validate bool
 	flag.StringVar(&config.DefaultConfig.Level, "l", "info", "set the log level")
 	flag.StringVar(&config.DefaultConfig.Stage, "s", "all", "set the stage to run")
 	flag.StringVar(&config.DefaultConfig.Model, "m", "generic", "model to build for, like generic or rpi4")
 	flag.StringVar(&config.DefaultConfig.Variant, "v", "core", "variant to build (core or standard for k3s flavor) (shorthand: -v)")
 	flag.StringVar(&config.DefaultConfig.Registry, "r", "quay.io/kairos", "registry and org where the image is gonna be pushed. This is mainly used on upgrades to search for available images to upgrade to")
-	flag.StringVar(&trusted, "t", "false", "init the system for Trusted Boot, changes bootloader to systemd")
+	flag.BoolVar(&config.DefaultConfig.TrustedBoot, "t", false, "init the system for Trusted Boot, changes bootloader to systemd")
 	flag.StringVar(&config.DefaultConfig.FrameworkVersion, "f", values.GetFrameworkVersion(), "set the framework version to use")
 	flag.BoolVar(&validate, "validate", false, "validate the running os to see if it all the pieces are in place")
+	flag.BoolVar(&config.DefaultConfig.Fips, "fips", false, "use fips framework. For FIPS 140-2 compliance images")
 	showHelp := flag.Bool("help", false, "show help")
 
 	// Custom usage function
@@ -39,11 +38,6 @@ func main() {
 
 	flag.Parse()
 
-	// Set the trusted boot flag to true
-	if strings.ToLower(trusted) == "true" || strings.ToLower(trusted) == "1" {
-		config.DefaultConfig.TrustedBoot = true
-	}
-
 	if *showHelp {
 		flag.Usage()
 		os.Exit(0)
@@ -63,7 +57,6 @@ func main() {
 		{"m", config.DefaultConfig.Model},
 		{"v", config.DefaultConfig.Variant},
 		{"r", config.DefaultConfig.Registry},
-		{"t", trusted},
 		{"f", config.DefaultConfig.FrameworkVersion},
 	}
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -10,6 +10,7 @@ type Config struct {
 	Variant          string
 	Registry         string
 	TrustedBoot      bool
+	Fips             bool
 }
 
 var DefaultConfig = Config{}
diff --git a/pkg/stages/stages.go b/pkg/stages/stages.go
@@ -323,6 +323,10 @@ func GetCleanupStage(_ values.System, _ types.KairosLogger) []schema.Stage {
 }
 
 func GetInstallFrameworkStage(_ values.System, _ types.KairosLogger) []schema.Stage {
+	framework := config.DefaultConfig.FrameworkVersion
+	if config.DefaultConfig.Fips {
+		framework = fmt.Sprintf("%s-fips", framework)
+	}
 	return []schema.Stage{
 		{
 			Name: "Create kairos directory",
@@ -338,7 +342,7 @@ func GetInstallFrameworkStage(_ values.System, _ types.KairosLogger) []schema.St
 			Name: "Install framework",
 			UnpackImages: []schema.UnpackImageConf{
 				{
-					Source: fmt.Sprintf("quay.io/kairos/framework:%s", config.DefaultConfig.FrameworkVersion),
+					Source: fmt.Sprintf("quay.io/kairos/framework:%s", framework),
 					Target: "/",
 				},
 			},

diff --git a/pkg/validation/validate.go b/pkg/validation/validate.go
@@ -35,9 +35,12 @@ func (v *Validator) Validate() error {
 		"kcrypt-discovery-challenger",
 	}
 
-	if config.DefaultConfig.Variant == "standard" {
-		binaries = append(binaries, "k3s", "agent-provider-kairos", "kairos")
-	}
+	// Not yet as we dont install the k3s stuff ourselves
+	/*
+		if config.DefaultConfig.Variant == "standard" {
+			binaries = append(binaries, "k3s", "agent-provider-kairos", "kairos")
+		}
+	*/
 
 	// Alter path to include our providers path
 	originalPath := os.Getenv("PATH")