From 38a01288e1c025d7a8effde3acfb2d8cd05f8f01 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Mon, 31 Jan 2022 14:58:06 +0100
Subject: [PATCH] sys-kernel: allow fips mode to be enabled

With this kernel config, users can boot with fips=1 set in `/usr/share/oem/grub.cfg`:
```
set linux_append="fips=1"
```
Which triggers various behaviors, for FIPS 200 certification.

With this config compiled in, and that boot parameter, users can check that fips is enabled with:
```
flatcar ~ # cat /proc/sys/crypto/fips_enabled
1
```
---
 .../changelog/changes/2022-01-31-enable-fips-kernel.md | 1 +
 .../sys-kernel/coreos-modules/files/commonconfig-5.15 | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-01-31-enable-fips-kernel.md

diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-01-31-enable-fips-kernel.md b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-01-31-enable-fips-kernel.md new file mode 100644 index 0000000000..bdb227d25c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-01-31-enable-fips-kernel.md @@ -0,0 +1 @@ +- Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel parameter in `grub.cfg` (check it taking effect with `cat /proc/sys/crypto/fips_enabled`) ([PR#1602](https://github.com/flatcar-linux/coreos-overlay/pull/1602)) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15 index 204e311191..75da094317 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15 +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.15 
@@ -126,6 +126,7 @@ CONFIG_CPU_FREQ_GOV_USERSPACE=m CONFIG_CPU_FREQ_STAT=y # CONFIG_CROSS_MEMORY_ATTACH is not set CONFIG_CRYPTO_CTS=m +CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_GCM=m CONFIG_CRYPTO_HMAC=y CONFIG_CRYPTO_LZO=m
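
Review bot: `CONFIG_CRYPTO_FIPS=y` is added to `commonconfig-5.15` on its own, and nothing in the patch shows that the option survives into the final kernel config. Kconfig silently drops a symbol whose dependencies are unmet, so please confirm on a built image for each architecture that uses this common config that the option is present, and that a boot with `fips=1` still loads the neighbouring algorithms built as modules (`CONFIG_CRYPTO_CTS=m`, `CONFIG_CRYPTO_GCM=m`). A sentence in the commit message saying what was tested would be enough.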
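
Review bot: the changelog line in `2022-01-31-enable-fips-kernel.md` says "a kernel parameter in `grub.cfg`" without naming it, so a reader of the release notes cannot enable the feature from this entry alone. Suggest spelling out `fips=1` and the full path `/usr/share/oem/grub.cfg`, as the commit message does. "Enabled the FIPS support" could also be read as a compliance claim; wording such as "Enabled the kernel's FIPS mode option (`CONFIG_CRYPTO_FIPS`)" says only what the config change does.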