[code sync] Merge code from sonic-net/sonic-buildimage:202305 to 202305

Makefile.work

@@ -141,6 +141,7 @@ rules/config.user:
 
 include rules/config
 -include rules/config.user
+include rules/sonic-fips.mk
 
 ifneq ($(DEFAULT_CONTAINER_REGISTRY),)
 override DEFAULT_CONTAINER_REGISTRY := $(DEFAULT_CONTAINER_REGISTRY)/
@@ -177,12 +178,6 @@ endif
 SLAVE_IMAGE = $(SLAVE_BASE_IMAGE)-$(USER_LC)
 DOCKER_ROOT = $(PWD)/fsroot.docker.$(BLDENV)
 
-# Support FIPS feature, armhf not supported yet
-ifeq ($(PLATFORM_ARCH),armhf)
-ENABLE_FIPS_FEATURE := n
-ENABLE_FIPS := n
-endif
-
 ifeq ($(ENABLE_FIPS_FEATURE), n)
 ifeq ($(ENABLE_FIPS), y)
     $(error Cannot set fips config ENABLE_FIPS=y when ENABLE_FIPS_FEATURE=n)
@@ -216,6 +211,8 @@ $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \
 	DOCKER_EXTRA_OPTS=$(DOCKER_EXTRA_OPTS) \
 	DEFAULT_CONTAINER_REGISTRY=$(DEFAULT_CONTAINER_REGISTRY) \
 	GZ_COMPRESS_PROGRAM=$(GZ_COMPRESS_PROGRAM) \
+	FIPS_VERSION=$(FIPS_VERSION) \
+	FIPS_GOLANG_VERSION=$(FIPS_GOLANG_VERSION) \
 	j2 $(SLAVE_DIR)/Dockerfile.j2 > $(SLAVE_DIR)/Dockerfile)
 
 $(shell CONFIGURED_ARCH=$(CONFIGURED_ARCH) \

platform/vs/docker-sonic-vs.mk

@@ -34,6 +34,10 @@ else
 $(DOCKER_SONIC_VS)_DEPENDS += $(GOBGP)
 endif
 
+ifeq ($(ENABLE_FIPS_FEATURE), y)
+$(DOCKER_SONIC_VS)_DEPENDS += $(FIPS_KRB5_ALL)
+endif
+
 $(DOCKER_SONIC_VS)_FILES += $(CONFIGDB_LOAD_SCRIPT) \
                             $(ARP_UPDATE_SCRIPT) \
                             $(ARP_UPDATE_VARS_TEMPLATE) \

platform/vs/docker-sonic-vs/Dockerfile.j2

@@ -9,10 +9,6 @@ RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%s
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y gnupg
-COPY ["sonic-dev.gpg.key", "/etc/apt/"]
-RUN apt-key add /etc/apt/sonic-dev.gpg.key
-RUN echo "deb http://packages.microsoft.com/repos/sonic-dev/ jessie main" >> /etc/apt/sources.list
-RUN apt-get update
 
 RUN apt-get install -y net-tools \
                        arping \
@@ -42,7 +38,6 @@ RUN apt-get install -y net-tools \
                        iptables \
                        jq \
                        libzmq5 \
-                       libzmq3-dev \
                        uuid-dev \
                        # For installing Python m2crypto package
                        # (these can be uninstalled after installation)
@@ -68,7 +63,11 @@ RUN apt-get install -y net-tools \
                        libasan6 \
                        {%- endif %}
                        dbus \
-                       redis-server
+                       redis-server \
+                       # For libkrb5-dev
+                       comerr-dev \
+                       libgssrpc4 \
+                       libkdb5-10
 
 # For sonic-config-engine Python 3 package
 # Install pyangbind here, outside sonic-config-engine dependencies, as pyangbind causes enum34 to be installed.
@@ -92,6 +91,8 @@ COPY {%- for deb in docker_sonic_vs_debs.split(' ') %} debs/{{ deb }}{%- endfor
 RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_debs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %}
 {%- endif %}
 
+RUN apt-get install -y libzmq3-dev
+
 {% if docker_sonic_vs_pydebs.strip() -%}
 # Copy locally-built Debian package dependencies
 COPY {%- for deb in docker_sonic_vs_pydebs.split(' ') %} python-debs/{{ deb }}{%- endfor %} /debs/

rules/sonic-fips.mk

@@ -1,13 +1,13 @@
 # fips packages
 
-FIPS_VERSION = 0.9
+FIPS_VERSION = 0.11
 FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
 FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
 FIPS_PYTHON_MAIN_VERSION = 3.9
 FIPS_PYTHON_VERSION = 3.9.2-1+fips
 FIPS_GOLANG_MAIN_VERSION = 1.15
 FIPS_GOLANG_VERSION = 1.15.15-1~deb11u4+fips
-FIPS_KRB5_VERSION = 1.18.3-6+deb11u1+fips
+FIPS_KRB5_VERSION = 1.18.3-6+deb11u4+fips
 FIPS_URL_PREFIX = https://sonicstorage.blob.core.windows.net/public/fips/$(BLDENV)/$(FIPS_VERSION)/$(CONFIGURED_ARCH)
 
 SYMCRYPT_OPENSSL_NAME = symcrypt-openssl
@@ -40,7 +40,15 @@ FIPS_GOLANG_DOC = golang-$(FIPS_GOLANG_MAIN_VERSION)-doc_$(FIPS_GOLANG_VERSION)_
 FIPS_GOLANG_ALL = $(FIPS_GOLANG) $(FIPS_GOLANG_GO) $(FIPS_GOLANG_SRC) $(FIPS_GOLANG_DOC)
 
 FIPS_KRB5 = libk5crypto3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
-FIPS_KRB5_ALL = $(FIPS_KRB5)
+FIPS_KRB5_SUPPORT0 = libkrb5support0_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_3 = libkrb5-3_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_LIBGSSAPI = libgssapi-krb5-2_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_LIBKADM5CLNT = libkadm5clnt-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_LIBKADM5SRV = libkadm5srv-mit12_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_LIBGSSRPC4 = libgssrpc4_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_MULTIDEV = krb5-multidev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_DEV = libkrb5-dev_$(FIPS_KRB5_VERSION)_$(CONFIGURED_ARCH).deb
+FIPS_KRB5_ALL = $(FIPS_KRB5) $(FIPS_KRB5_SUPPORT0) $(FIPS_KRB5_3) $(FIPS_KRB5_LIBGSSAPI) $(FIPS_KRB5_LIBKADM5CLNT) $(FIPS_KRB5_LIBKADM5SRV) $(FIPS_KRB5_LIBGSSRPC4) $(FIPS_KRB5_MULTIDEV) $(FIPS_KRB5_DEV)
 
 FIPS_DERIVED_TARGET = $(FIPS_OPENSSL_ALL) $(FIPS_OPENSSH_ALL) $(FIPS_GOLANG_ALL) $(FIPS_PYTHON_ALL) $(FIPS_KRB5_ALL)
 FIPS_PACKAGE_ALL = $(SYMCRYPT_OPENSSL) $(FIPS_DERIVED_TARGET)

sonic-slave-bullseye/Dockerfile.j2

@@ -474,8 +474,8 @@ RUN apt-get install -y kernel-wedge
 # For gobgp and telemetry build
 RUN apt-get install -y golang-1.15 && ln -s /usr/lib/go-1.15 /usr/local/go
 {%- if ENABLE_FIPS_FEATURE == "y" %}
-RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-go_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
- && wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.1/{{ CONFIGURED_ARCH }}/golang-1.15-src_1.15.15-1~deb11u4%2Bfips_{{ CONFIGURED_ARCH }}.deb' \
+RUN wget -O golang-go.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-go_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
+ && wget -O golang-src.deb 'https://sonicstorage.blob.core.windows.net/public/fips/bullseye/{{ FIPS_VERSION }}/{{ CONFIGURED_ARCH }}/golang-1.15-src_{{ FIPS_GOLANG_VERSION }}_{{ CONFIGURED_ARCH }}.deb' \
  && dpkg -i golang-go.deb golang-src.deb \
  && ln -sf /usr/lib/go-1.15 /usr/local/go \
  && rm golang-go.deb golang-src.deb