FIPS: Add cli command to display macsec fips module #24493
rlhui merged 15 commits into sonic-net:master from
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Commenter does not have sufficient privileges for PR 24493 in repo sonic-net/sonic-buildimage
@vmittal-msft would you help on this PR build? thanks.
judyjoseph left a comment
@wumiaont can you clarify the benefit of adding this in show output? Does each vendor need to define the fips module name in the platform file?
@judyjoseph The FIPS certificate will list the macsec FIPS module name on the certificate. The FIPS lab required SONiC to have a CLI command to display the macsec FIPS module name so the security officer in the data center can check that the deployed system is running the same module as the FIPS certificate shows. Yes, this FIPS module name is vendor specific. Each vendor can provide this name in the vendor-specific platform.json and this CLI will display it. If a vendor doesn't provide it, there will be no output for this command.
Sure, so does this name "Nokia-SONiC-MACsec-Version 1.0" signify something (like a particular version of the SAI macsec library, ssl library, etc.)?
Nokia-SONiC-MACsec-Version 1.0 is the name for the FIPS module on the Nokia chassis. This includes software (BCOM SDK 6.5.34 FIPS module) + hardware (BCOM J2c+ 88852 chip). This name will be put in the certificate, and a future security officer will use this CLI command to check the chassis to make sure it runs with the exact FIPS module.
@vmittal-msft @judyjoseph The sanity check passed. Can you help to merge it to master? We need this for 202511.
* Add cli command to display macsec fips module * Pull latest. Signed-off-by: Wu Miao<[email protected]> Signed-off-by: Xincun Li <[email protected]>
* Add cli command to display macsec fips module * Pull latest. Signed-off-by: Wu Miao<[email protected]> Signed-off-by: Feng Pan <[email protected]>
* Add cli command to display macsec fips module * Pull latest. Signed-off-by: Wu Miao<[email protected]> Signed-off-by: dprital <[email protected]>
Why I did it
The FIPS lab requires SONiC to have CLI support to display the MACsec FIPS module. The output will be in the coming FIPS certificate to indicate the MACsec module being certified.
A data center security officer will use this CLI command to check the FIPS module output and compare it with what is in the certificate to make sure the MACsec module is the certified one.
How I did it
Add cli support "show macsec --fips-module". Output is vendor specific. Each vendor should update their platform.json to have fips_module defined there.
How to verify it
Have implemented unit test code to verify the code works.
Tested branch (Please provide the tested image version)
Test with master.
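The comparison a security officer makes between the displayed module name and the certificate, sketched as an added example that is not part of the PR or of SONiC's code. The top-level placement of `fips_module` in platform.json, the device labels and the sample file contents are assumptions constructed for illustration.

```python
import json

# Module name quoted in the thread above; used here as the certificate value.
CERTIFIED_NAME = "Nokia-SONiC-MACsec-Version 1.0"

# Constructed platform.json contents. The top-level "fips_module" key is an
# assumption about where a vendor places the name.
SAMPLE_PLATFORM_FILES = {
    "lc1": '{"fips_module": "Nokia-SONiC-MACsec-Version 1.0"}',
    "lc2": '{"fips_module": "Nokia-SONiC-MACsec-Version 1.1"}',
    "lc3": '{"chassis": {"name": "example"}}',
    "lc4": '{"fips_module": "nokia-sonic-macsec-version 1.0 "}',
    "lc5": '{"fips_module": ',
}


def check_fips_module(platform_json_text, certified_name):
    """Classify one device as MATCH, MISMATCH, MISSING or UNREADABLE."""
    try:
        data = json.loads(platform_json_text)
    except json.JSONDecodeError:
        return "UNREADABLE", None
    name = data.get("fips_module") if isinstance(data, dict) else None
    if not isinstance(name, str) or not name:
        # Mirrors the thread: with no vendor entry the CLI shows nothing.
        return "MISSING", None
    # Exact comparison on purpose: the certificate names one specific module,
    # so case or whitespace differences are reported, not normalized away.
    if name == certified_name:
        return "MATCH", name
    return "MISMATCH", name


def audit(platform_files, certified_name):
    """Return {device: (status, reported_name)} for every device."""
    return {dev: check_fips_module(text, certified_name)
            for dev, text in sorted(platform_files.items())}


if __name__ == "__main__":
    results = audit(SAMPLE_PLATFORM_FILES, CERTIFIED_NAME)
    for dev, (status, name) in results.items():
        print(f"{dev}: {status} {name!r}")
```

Treating MISSING and UNREADABLE as findings, rather than skipping them, keeps a device without a declared module from passing the audit silently.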