Enable agent to detect FIPS enabled hosts

agent/config/config.go

@@ -188,6 +188,9 @@ var (
 
 	// CgroupV2 Specifies whether or not to run in Cgroups V2 mode.
 	CgroupV2 = false
+
+	// isFIPSEnabled indicates whether FIPS mode is enabled on the host
+	isFIPSEnabled = false
 )
 
 // Merge merges two config files, preferring the ones on the left. Any nil or
@@ -226,6 +229,7 @@ func NewConfig(ec2client ec2.EC2MetadataClient) (*Config, error) {
 		errs = append(errs, err)
 	}
 	config := &envConfig
+	isFIPSEnabled = utils.DetectFIPSMode(utils.FIPSModeFilePath)
 
 	if config.External.Enabled() {
 		if config.AWSRegion == "" {
@@ -657,3 +661,7 @@ func (cfg *Config) String() string {
 		cfg.platformString(),
 	)
 }
+
+func IsFIPSEnabled() bool {
+	return isFIPSEnabled
+}

agent/utils/fips_linux.go

@@ -0,0 +1,45 @@
+//go:build linux
+// +build linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const FIPSModeFilePath = "/proc/sys/crypto/fips_enabled"
+
+// DetectFIPSMode checks if FIPS mode is enabled based on the provided file path.
+func DetectFIPSMode(filePath string) bool {
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		logger.Debug(fmt.Sprintf("Error while detecting FIPS is enabled or not, err: %v", err))
+		return false
+	}
+
+	fipsValue := strings.TrimSpace(string(data))
+	if fipsValue == "1" {
+		logger.Info("FIPS mode detected on the host")
+		return true
+	}
+
+	logger.Debug(fmt.Sprintf("FIPS mode not enabled. FIPS mode explicitly set to %v", fipsValue))
+	return false
+}

agent/utils/fips_linux_test.go

@@ -0,0 +1,52 @@
+//go:build linux && unit
+// +build linux,unit
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDetectFIPSMode(t *testing.T) {
+	// Create a temporary file to mock the FIPS mode file
+	tempFile, err := ioutil.TempFile("", "fips_enabled")
+	assert.NoError(t, err)
+	defer os.Remove(tempFile.Name())
+	// Test FIPS mode enabled
+	_, err = tempFile.WriteString("1\n")
+	assert.NoError(t, err)
+	tempFile.Sync()
+	// Initialize the logger
+	log.SetFlags(log.LstdFlags | log.Lshortfile)
+	result := DetectFIPSMode(tempFile.Name())
+	assert.True(t, result, "FIPS mode should be detected")
+	// Test FIPS mode disabled
+	tempFile.Truncate(0)
+	tempFile.Seek(0, 0)
+	_, err = tempFile.WriteString("0\n")
+	assert.NoError(t, err)
+	tempFile.Sync()
+	result = DetectFIPSMode(tempFile.Name())
+	assert.False(t, result, "FIPS mode should not be detected")
+	// Test when the FIPS file does not exist
+	result = DetectFIPSMode("nonexistent_file")
+	assert.False(t, result, "FIPS mode should not be detected when file is missing")
+}

agent/utils/fips_unsupported.go

@@ -0,0 +1,28 @@
+//go:build !windows && !linux
+// +build !windows,!linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+	"github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const FIPSModeFilePath = ""
+
+func DetectFIPSMode(filepath string) bool {
+	logger.Debug("FIPS mode detection is not supported on this platform")
+	return false
+}

agent/utils/fips_windows.go

@@ -0,0 +1,28 @@
+//go:build windows && !linux
+// +build windows,!linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+	"github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const FIPSModeFilePath = ""
+
+func DetectFIPSMode(filepath string) bool {
+	logger.Debug("set isFIPSEnabled to false by default on Windows")
+	return false
+}