deps: update images to v0.18.0

Update the images dependency to v0.18.0
This includes a change in the Fedora IoT remote configuration which is
now installed through an RPM instead of being hard-coded in the image
definitions.

vendor/github.com/osbuild/images/pkg/blueprint/customizations.go

@@ -24,6 +24,7 @@ type Customizations struct {
 	Directories        []DirectoryCustomization  `json:"directories,omitempty" toml:"directories,omitempty"`
 	Files              []FileCustomization       `json:"files,omitempty" toml:"files,omitempty"`
 	Repositories       []RepositoryCustomization `json:"repositories,omitempty" toml:"repositories,omitempty"`
+	FIPS               *bool                     `json:"fips,omitempty" toml:"fips,omitempty"`
 }
 
 type IgnitionCustomization struct {
@@ -356,3 +357,10 @@ func (c *Customizations) GetRepositories() ([]RepositoryCustomization, error) {
 
 	return c.Repositories, nil
 }
+
+func (c *Customizations) GetFIPS() bool {
+	if c == nil || c.FIPS == nil {
+		return false
+	}
+	return *c.FIPS
+}

vendor/github.com/osbuild/images/pkg/distro/fedora/images.go

@@ -519,10 +519,7 @@ func iotImage(workload workload.Workload,
 	img.Workload = workload
 
 	img.Remote = ostree.Remote{
-		Name:        "fedora-iot",
-		URL:         "https://ostree.fedoraproject.org/iot",
-		ContentURL:  "mirrorlist=https://ostree.fedoraproject.org/iot/mirrorlist",
-		GPGKeyPaths: []string{"/etc/pki/rpm-gpg/"},
+		Name: "fedora-iot",
 	}
 	img.OSName = "fedora-iot"
 
@@ -585,9 +582,7 @@ func iotSimplifiedInstallerImage(workload workload.Workload,
 	rawImg.Platform = t.platform
 	rawImg.Workload = workload
 	rawImg.Remote = ostree.Remote{
-		Name:       "fedora-iot",
-		URL:        options.OSTree.URL,
-		ContentURL: options.OSTree.ContentURL,
+		Name: "fedora-iot",
 	}
 	rawImg.OSName = "fedora"
 

vendor/github.com/osbuild/images/pkg/distro/fedora/package_sets.go

@@ -87,8 +87,8 @@ func iotCommitPackageSet(t *imageType) rpmmd.PackageSet {
 			"clevis-dracut",
 			"clevis-luks",
 			"clevis-pin-tpm2",
-			"container-selinux",
 			"containernetworking-plugins",
+			"container-selinux",
 			"coreutils",
 			"cracklib-dicts",
 			"criu",
@@ -101,6 +101,7 @@ func iotCommitPackageSet(t *imageType) rpmmd.PackageSet {
 			"dracut-network",
 			"e2fsprogs",
 			"efibootmgr",
+			"fedora-iot-config",
 			"fedora-release-iot",
 			"firewalld",
 			"fwupd",
@@ -131,9 +132,9 @@ func iotCommitPackageSet(t *imageType) rpmmd.PackageSet {
 			"NetworkManager-wifi",
 			"NetworkManager-wwan",
 			"nss-altfiles",
-			"openssl",
 			"openssh-clients",
 			"openssh-server",
+			"openssl",
 			"parsec",
 			"passwd",
 			"pinentry",
@@ -164,8 +165,8 @@ func iotCommitPackageSet(t *imageType) rpmmd.PackageSet {
 			"usbguard",
 			"util-linux",
 			"vim-minimal",
-			"wpa_supplicant",
 			"wireless-regdb",
+			"wpa_supplicant",
 			"xfsprogs",
 			"xz",
 			"zezere-ignition",

vendor/github.com/osbuild/images/pkg/distro/rhel9/images.go

@@ -382,6 +382,7 @@ func edgeInstallerImage(workload workload.Workload,
 	img.OSName = "rhel"
 	img.OSVersion = d.osVersion
 	img.Release = fmt.Sprintf("%s %s", d.product, d.osVersion)
+	img.FIPS = customizations.GetFIPS()
 
 	img.Filename = t.Filename()
 
@@ -404,6 +405,7 @@ func edgeRawImage(workload workload.Workload,
 
 	img.Users = users.UsersFromBP(customizations.GetUsers())
 	img.Groups = users.GroupsFromBP(customizations.GetGroups())
+	img.FIPS = customizations.GetFIPS()
 
 	// The kernel options defined on the image type are usually handled in
 	// osCustomiztions() but ostree images don't use OSCustomizations, so we
@@ -468,6 +470,7 @@ func edgeSimplifiedInstallerImage(workload workload.Workload,
 
 	rawImg.Users = users.UsersFromBP(customizations.GetUsers())
 	rawImg.Groups = users.GroupsFromBP(customizations.GetGroups())
+	rawImg.FIPS = customizations.GetFIPS()
 
 	rawImg.KernelOptionsAppend = []string{"modprobe.blacklist=vc4"}
 	rawImg.Keyboard = "us"

vendor/github.com/osbuild/images/pkg/distro/rhel9/imagetype.go

@@ -305,7 +305,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 		}
 
 		if t.name == "edge-simplified-installer" {
-			allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group"}
+			allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group", "FIPS"}
 			if err := customizations.CheckAllowed(allowed...); err != nil {
 				return warnings, fmt.Errorf("unsupported blueprint customizations found for boot ISO image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
 			}
@@ -343,7 +343,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 				}
 			}
 		} else if t.name == "edge-installer" {
-			allowed := []string{"User", "Group"}
+			allowed := []string{"User", "Group", "FIPS"}
 			if err := customizations.CheckAllowed(allowed...); err != nil {
 				return warnings, fmt.Errorf("unsupported blueprint customizations found for boot ISO image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
 			}
@@ -356,7 +356,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 			return warnings, fmt.Errorf("%q images require specifying a URL from which to retrieve the OSTree commit", t.name)
 		}
 
-		allowed := []string{"Ignition", "Kernel", "User", "Group"}
+		allowed := []string{"Ignition", "Kernel", "User", "Group", "FIPS"}
 		if err := customizations.CheckAllowed(allowed...); err != nil {
 			return warnings, fmt.Errorf("unsupported blueprint customizations found for image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
 		}

vendor/github.com/osbuild/images/pkg/image/anaconda_ostree_installer.go

@@ -38,6 +38,7 @@ type AnacondaOSTreeInstaller struct {
 	AdditionalDracutModules   []string
 	AdditionalAnacondaModules []string
 	AdditionalDrivers         []string
+	FIPS                      bool
 }
 
 func NewAnacondaOSTreeInstaller(commit ostree.SourceSpec) *AnacondaOSTreeInstaller {
@@ -72,6 +73,12 @@ func (img *AnacondaOSTreeInstaller) InstantiateManifest(m *manifest.Manifest,
 	anacondaPipeline.Checkpoint()
 	anacondaPipeline.AdditionalDracutModules = img.AdditionalDracutModules
 	anacondaPipeline.AdditionalAnacondaModules = img.AdditionalAnacondaModules
+	if img.FIPS {
+		anacondaPipeline.AdditionalAnacondaModules = append(
+			anacondaPipeline.AdditionalAnacondaModules,
+			"org.fedoraproject.Anaconda.Modules.Security",
+		)
+	}
 	anacondaPipeline.AdditionalDrivers = img.AdditionalDrivers
 
 	rootfsPartitionTable := &disk.PartitionTable{
@@ -100,6 +107,9 @@ func (img *AnacondaOSTreeInstaller) InstantiateManifest(m *manifest.Manifest,
 	bootTreePipeline.UEFIVendor = img.Platform.GetUEFIVendor()
 	bootTreePipeline.ISOLabel = isoLabel
 	bootTreePipeline.KernelOpts = []string{fmt.Sprintf("inst.stage2=hd:LABEL=%s", isoLabel), fmt.Sprintf("inst.ks=hd:LABEL=%s:%s", isoLabel, kspath)}
+	if img.FIPS {
+		bootTreePipeline.KernelOpts = append(bootTreePipeline.KernelOpts, "fips=1")
+	}
 
 	// enable ISOLinux on x86_64 only
 	isoLinuxEnabled := img.Platform.GetArch() == platform.ARCH_X86_64

vendor/github.com/osbuild/images/pkg/image/ostree_disk.go

@@ -45,6 +45,8 @@ type OSTreeDiskImage struct {
 
 	Directories []*fsnode.Directory
 	Files       []*fsnode.File
+
+	FIPS bool
 }
 
 func NewOSTreeDiskImage(commit ostree.SourceSpec) *OSTreeDiskImage {
@@ -66,6 +68,7 @@ func baseRawOstreeImage(img *OSTreeDiskImage, m *manifest.Manifest, buildPipelin
 	osPipeline.SysrootReadOnly = img.SysrootReadOnly
 	osPipeline.Directories = img.Directories
 	osPipeline.Files = img.Files
+	osPipeline.FIPS = img.FIPS
 
 	// other image types (e.g. live) pass the workload to the pipeline.
 	osPipeline.EnabledServices = img.Workload.GetServices()

vendor/github.com/osbuild/images/pkg/manifest/ostree_deployment.go

@@ -53,6 +53,8 @@ type OSTreeDeployment struct {
 
 	EnabledServices  []string
 	DisabledServices []string
+
+	FIPS bool
 }
 
 // NewOSTreeDeployment creates a pipeline for an ostree deployment from a
@@ -160,6 +162,11 @@ func (p *OSTreeDeployment) serialize() osbuild.Pipeline {
 		)
 	}
 
+	if p.FIPS {
+		kernelOpts = append(kernelOpts, osbuild.GenFIPSKernelOptions(p.PartitionTable)...)
+		p.Files = append(p.Files, osbuild.GenFIPSFiles()...)
+	}
+
 	pipeline.AddStage(osbuild.NewOSTreeDeployStage(
 		&osbuild.OSTreeDeployStageOptions{
 			OsName: p.osName,
@@ -173,24 +180,21 @@ func (p *OSTreeDeployment) serialize() osbuild.Pipeline {
 		},
 	))
 
-	remoteURL := p.Remote.URL
-	if remoteURL == "" {
-		// if the remote URL for the image is not specified, use the source commit URL
-		remoteURL = commit.URL
-	}
-	pipeline.AddStage(osbuild.NewOSTreeRemotesStage(
-		&osbuild.OSTreeRemotesStageOptions{
-			Repo: "/ostree/repo",
-			Remotes: []osbuild.OSTreeRemote{
-				{
-					Name:        p.Remote.Name,
-					URL:         remoteURL,
-					ContentURL:  p.Remote.ContentURL,
-					GPGKeyPaths: p.Remote.GPGKeyPaths,
+	if p.Remote.URL != "" {
+		pipeline.AddStage(osbuild.NewOSTreeRemotesStage(
+			&osbuild.OSTreeRemotesStageOptions{
+				Repo: "/ostree/repo",
+				Remotes: []osbuild.OSTreeRemote{
+					{
+						Name:        p.Remote.Name,
+						URL:         p.Remote.URL,
+						ContentURL:  p.Remote.ContentURL,
+						GPGKeyPaths: p.Remote.GPGKeyPaths,
+					},
 				},
 			},
-		},
-	))
+		))
+	}
 
 	pipeline.AddStage(osbuild.NewOSTreeFillvarStage(
 		&osbuild.OSTreeFillvarStageOptions{
@@ -301,6 +305,13 @@ func (p *OSTreeDeployment) serialize() osbuild.Pipeline {
 		pipeline.AddStage(localeStage)
 	}
 
+	if p.FIPS {
+		for _, stage := range osbuild.GenFIPSStages() {
+			stage.MountOSTree(p.osName, commit.Ref, 0)
+			pipeline.AddStage(stage)
+		}
+	}
+
 	grubOptions := osbuild.NewGrub2StageOptionsUnified(p.PartitionTable,
 		strings.Join(kernelOpts, " "),
 		"",

vendor/github.com/osbuild/images/pkg/osbuild/fips.go

@@ -0,0 +1,43 @@
+package osbuild
+
+import (
+	"os"
+
+	"github.com/osbuild/images/internal/common"
+	"github.com/osbuild/images/internal/fsnode"
+	"github.com/osbuild/images/pkg/disk"
+)
+
+func GenFIPSKernelOptions(pt *disk.PartitionTable) []string {
+	cmdline := make([]string, 0)
+	cmdline = append(cmdline, "fips=1")
+	if bootMnt := pt.FindMountable("/boot"); bootMnt != nil {
+		boot := bootMnt.GetFSSpec()
+		if label := boot.Label; label != "" {
+			karg := "boot=LABEL=" + label
+			cmdline = append(cmdline, karg)
+		} else if uuid := boot.UUID; uuid != "" {
+			karg := "boot=UUID=" + uuid
+			cmdline = append(cmdline, karg)
+		}
+	}
+	return cmdline
+}
+
+func GenFIPSFiles() (files []*fsnode.File) {
+	file, _ := fsnode.NewFile("/etc/system-fips", common.ToPtr(os.FileMode(0644)),
+		"root", "root", []byte("# FIPS module installation complete\n"))
+	files = append(files, file)
+	return
+}
+
+func GenFIPSStages() (stages []*Stage) {
+	stages = []*Stage{
+		NewUpdateCryptoPoliciesStage(
+			&UpdateCryptoPoliciesStageOptions{
+				Policy: "FIPS",
+			}),
+	}
+	stages = append(stages, GenFileNodesStages(GenFIPSFiles())...)
+	return
+}

vendor/github.com/osbuild/images/pkg/osbuild/ostree_pull_stage.go

@@ -4,7 +4,7 @@ package osbuild
 type OSTreePullStageOptions struct {
 	// Location of the ostree repo
 	Repo string `json:"repo"`
-	// Remote to configure for all commits
+	// Add the 'remote' to the ref spec
 	Remote string `json:"remote,omitempty"`
 }
 

vendor/github.com/osbuild/images/pkg/osbuild/update_crypto_policies_stage.go

@@ -0,0 +1,14 @@
+package osbuild
+
+type UpdateCryptoPoliciesStageOptions struct {
+	Policy string `json:"policy"`
+}
+
+func (UpdateCryptoPoliciesStageOptions) isStageOptions() {}
+
+func NewUpdateCryptoPoliciesStage(options *UpdateCryptoPoliciesStageOptions) *Stage {
+	return &Stage{
+		Type:    "org.osbuild.update-crypto-policies",
+		Options: options,
+	}
+}