From c92c9ae180790b773ee3fb3484efa6c966a091e6 Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Mon, 26 Jun 2023 13:28:31 +0300 Subject: [PATCH 1/2] Add a section on how to create a fips compliant image from scratch Signed-off-by: Dimitris Karakasilis --- .../en/docs/Reference/build-from-scratch.md | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/content/en/docs/Reference/build-from-scratch.md b/content/en/docs/Reference/build-from-scratch.md index c1777464..406bae21 100644 --- a/content/en/docs/Reference/build-from-scratch.md +++ b/content/en/docs/Reference/build-from-scratch.md @@ -52,7 +52,7 @@ FROM fedora:36 # Note we need to install _at least_ the minimum required packages for Kairos to work: # - An init system (systemd) # - Grub -# - kernel/initramfs +# - kernel/initramfs RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf RUN dnf install -y \ @@ -86,7 +86,7 @@ RUN dnf install -y \ polkit \ rsync \ shim-x64 \ - squashfs-tools \ + squashfs-tools \ sudo \ systemd \ systemd-networkd \ @@ -147,7 +147,7 @@ docker run -v "$PWD"/build:/tmp/auroraboot \ --set "state_dir=/tmp/auroraboot" # 2:45PM INF Pulling container image 'test-byoi' to '/tmp/auroraboot/temp-rootfs' (local: true) # 2:45PM INF Generating iso 'kairos' from '/tmp/auroraboot/temp-rootfs' to '/tmp/auroraboot/iso' -# $ sudo ls -liah build/iso +# $ sudo ls -liah build/iso # total 449M # 35142520 drwx------ 2 root root 4.0K Mar 7 15:46 . # 35142517 drwxr-xr-x 5 root root 4.0K Mar 7 15:42 .. 
@@ -179,4 +179,30 @@ docker run -v --net host \ {{% /tab %}} {{< /tabpane >}} -This example is available in the `examples/byoi/fedora` directory of the [Kairos repository](https://github.com/kairos-io/kairos/tree/master/examples/byoi/fedora), where you can run `build.sh` to reproduce it. \ No newline at end of file +This example is available in the `examples/byoi/fedora` directory of the [Kairos repository](https://github.com/kairos-io/kairos/tree/master/examples/byoi/fedora), where you can run `build.sh` to reproduce it. + +## FIPSs compliant flavors + +To build a [FIPS](https://www.techtarget.com/whatis/definition/FIPS-Federal-Information-Processing-Standards) compliant version of Kairos, there are 2 requirements: + +- Your base image should be FIPS compliant +- The kairos package from the fips category should be used (search for "fips" here: https://packages.kairos.io/) + +### FIPS compliant base image + +Different distributions provide different ways to get a FIPS compliant version of the Operating System. For example: + +- [Ubuntu docs](https://ubuntu.com/security/certifications/docs/fips) +- [RedHat docs](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard) +- [SLE micro](https://documentation.suse.com/zh-cn/sle-micro/5.4/html/SLE-Micro-all/cha-security-fips.html) + +Your pipeline that builds the base image should take these instructions into account and ensure the base OS is running FIPS compliant binaries. + +### FIPS comliant kairos binaries + +As described in the Dockerfile example above, while building a Kairos image from scratch, you need to copy binaries from a framework image. For FIPS compliant binaries, you should use the appropriate framework image. 
+[The kairos pipelines already build one](https://github.com/kairos-io/kairos/blob/7d4b7162e08356ee348fafdf3bf7d74c44190930/framework-profile.yaml#L50-L54) Ubuntu 20 tls: + +``` +quay.io/kairos/framework:master_ubuntu-20-lts-fips +``` From b5aecff9d4a93752396bbf65970107d605171277 Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Mon, 26 Jun 2023 16:21:28 +0300 Subject: [PATCH 2/2] Address PR comments Signed-off-by: Dimitris Karakasilis --- content/en/docs/Reference/build-from-scratch.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/content/en/docs/Reference/build-from-scratch.md b/content/en/docs/Reference/build-from-scratch.md index 406bae21..8cabcac4 100644 --- a/content/en/docs/Reference/build-from-scratch.md +++ b/content/en/docs/Reference/build-from-scratch.md @@ -181,7 +181,7 @@ docker run -v --net host \ This example is available in the `examples/byoi/fedora` directory of the [Kairos repository](https://github.com/kairos-io/kairos/tree/master/examples/byoi/fedora), where you can run `build.sh` to reproduce it. -## FIPSs compliant flavors +## FIPS compliant flavors To build a [FIPS](https://www.techtarget.com/whatis/definition/FIPS-Federal-Information-Processing-Standards) compliant version of Kairos, there are 2 requirements: @@ -198,7 +198,7 @@ Different distributions provide different ways to get a FIPS compliant version o Your pipeline that builds the base image should take these instructions into account and ensure the base OS is running FIPS compliant binaries. -### FIPS comliant kairos binaries +### FIPS compliant kairos binaries As described in the Dockerfile example above, while building a Kairos image from scratch, you need to copy binaries from a framework image. For FIPS compliant binaries, you should use the appropriate framework image. [The kairos pipelines already build one](https://github.com/kairos-io/kairos/blob/7d4b7162e08356ee348fafdf3bf7d74c44190930/framework-profile.yaml#L50-L54) Ubuntu 20 tls: 
@@ -206,3 +206,6 @@ As described in the Dockerfile example above, while building a Kairos image from ``` quay.io/kairos/framework:master_ubuntu-20-lts-fips ``` + +The binaries in this framework image are built [with golang 1.19.10](https://github.com/kairos-io/packages/blob/082ef206ce523bb3e1d1d9f0bd9953b2550ab2b3/packages/toolchain-go/collection.yaml#L36) +which uses [boringcrypto commit `ae223d61`](https://boringssl.googlesource.com/boringssl/+/ae223d6138807a13006342edfeef32e813246b39) (Defined [here](https://github.com/golang/go/blob/7fe60b5df764f5a16a2c40e4412b5ed60f709192/src/crypto/internal/boring/Dockerfile#L38)).
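Review bot: the hunks at `@@ -52,7`, `@@ -86,7` and `@@ -147,7` in PATCH 1/2 are trailing-whitespace-only changes on `# - kernel/initramfs`, `squashfs-tools \` and `# $ sudo ls -liah build/iso` that have nothing to do with the FIPS section the commit message describes; either drop them from this commit or split them into a separate "strip trailing whitespace" commit so the diff for the FIPS docs stays reviewable.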
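Review bot: in the `@@ -179,4 +179,30` hunk of PATCH 1/2, "Ubuntu 20 tls" should read "Ubuntu 20 LTS" (long-term support, not TLS), and the "RedHat docs" bullet links to the `red_hat_enterprise_linux/6` security guide, which is an end-of-life release; point it at the current RHEL FIPS documentation instead. The framework image reference `quay.io/kairos/framework:master_ubuntu-20-lts-fips` is a floating `master_` tag, so a reader following this section gets whatever was last pushed; for a FIPS build, where the exact toolchain matters, suggest recommending a versioned tag (or at least stating that `master_` is a moving target).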
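Review bot: the `@@ -198,7 +198,7` hunk of PATCH 2/2 fixes "comliant" but the trailing context line still carries the "Ubuntu 20 tls" typo from the first commit; since this commit is titled "Address PR comments", fix that line here as well so the section does not ship with "tls" where "LTS" is meant.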
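Review bot: in the `@@ -206,3 +206,6` hunk of PATCH 2/2, the added sentence asserts that the image is built "with golang 1.19.10" and "boringcrypto commit `ae223d61`", citing pinned commits of the `packages` and `go` repositories, but the image tag documented just above is the floating `master_ubuntu-20-lts-fips`, so the Go and BoringCrypto versions will drift away from this text as master moves. Suggest either qualifying the sentence with "at the time of writing" and the date, or documenting how to read the actual toolchain version out of the image so users can verify what they are running. Also, "golang" should be "Go" in prose, and "(Defined here)" would be clearer as "(the pinned commit is defined in Go's `crypto/internal/boring/Dockerfile`)" so the link text says what it points at.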