[rhcos-4.17] tests: add fips.hmac to verify VM will fail to reboot with FIPS and wrong hmac #4472

Open
openshift-cherrypick-robot wants to merge 1 commit into coreos:rhcos-4.17 from openshift-cherrypick-robot:cherry-pick-4437-to-rhcos-4.17

@openshift-cherrypick-robot

This is an automated cherry-pick of #4437

/assign HuijingHei

@openshift-ci

openshift-ci bot commented Mar 6, 2026

Hi @openshift-cherrypick-robot. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@HuijingHei
Member

/ok-to-test

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new test, fips.hmac, to verify that a VM with FIPS enabled fails to reboot when its kernel HMAC is corrupted. The changes include adding a new test file, a new test flag NoDracutFatalCheck to bypass dracut fatal error checks, and updating the harness to recognize this flag. The implementation of the new test is sound, but I have a suggestion to improve maintainability by replacing magic numbers with constants.

Comment on lines +81 to +99
// Wait for the boot to fail. Since the HMAC is corrupted, the machine
// will fail FIPS integrity check and never come back online.
// Using a 90 second timeout to allow enough time for boot attempt to fail.
time.Sleep(90 * time.Second)

// Verify the machine did not come back online by attempting SSH
_, _, err = m.SSH("whoami")
if err == nil {
c.Fatal("Expected machine to fail booting with corrupted HMAC, but it came back online")
}

// Destroy the machine to populate console output
m.Destroy()

// Check console output for FIPS integrity failure message
consoleOutput := m.ConsoleOutput()
searchPattern := "dracut: FATAL: FIPS integrity test failed"
if !strings.Contains(consoleOutput, searchPattern) {
c.Fatalf("Expected to find '%s' in console output after HMAC corruption, but it was not found", searchPattern)
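
Review bot: The `if err == nil` check that follows `time.Sleep(90 * time.Second)` accepts any SSH error as evidence that the boot failed, so a machine that is only slow to come up, or briefly unreachable, also passes this step. Only the later `strings.Contains(consoleOutput, searchPattern)` check ties the failure to the FIPS integrity test. Consider a comment stating that the console check is the authoritative assertion, or retry the SSH attempt across the wait window instead of making one attempt after a fixed sleep.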

medium

This section uses a magic number for the sleep duration (90) and a hardcoded string for the console output pattern. It's better to define these as constants to improve readability and maintainability. This makes it clear what the values represent and centralizes their definitions.

	const (
		rebootFailureTimeout        = 90 * time.Second
		fipsIntegrityFailureMessage = "dracut: FATAL: FIPS integrity test failed"
	)

	// Wait for the boot to fail. Since the HMAC is corrupted, the machine
	// will fail FIPS integrity check and never come back online.
	// Using a timeout to allow enough time for boot attempt to fail.
	time.Sleep(rebootFailureTimeout)

	// Verify the machine did not come back online by attempting SSH
	_, _, err = m.SSH("whoami")
	if err == nil {
		c.Fatal("Expected machine to fail booting with corrupted HMAC, but it came back online")
	}

	// Destroy the machine to populate console output
	m.Destroy()

	// Check console output for FIPS integrity failure message
	consoleOutput := m.ConsoleOutput()
	if !strings.Contains(consoleOutput, fipsIntegrityFailureMessage) {
		c.Fatalf("Expected to find '%s' in console output after HMAC corruption, but it was not found", fipsIntegrityFailureMessage)
	}
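
The kind of check the fips.hmac test exercises, as an added example that is not code from this PR or from dracut: a keyed digest of the kernel image is compared against a stored value, and a mismatch or a malformed value must both be treated as failure. The key, the image bytes and the hex sidecar format are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrIntegrity is returned for every failure so that callers fail closed.
var ErrIntegrity = errors.New("integrity test failed")

// ComputeHMAC returns the hex-encoded HMAC-SHA512 of image under key.
func ComputeHMAC(key, image []byte) string {
	mac := hmac.New(sha512.New, key)
	mac.Write(image)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyImage checks image against the hex digest read from a sidecar file.
// A malformed or truncated digest is treated exactly like a mismatch.
func VerifyImage(key, image []byte, sidecar string) error {
	want, err := hex.DecodeString(strings.TrimSpace(sidecar))
	if err != nil || len(want) != sha512.Size {
		return ErrIntegrity
	}
	mac := hmac.New(sha512.New, key)
	mac.Write(image)
	if !hmac.Equal(mac.Sum(nil), want) { // constant-time comparison
		return ErrIntegrity
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key")       // constructed, not a real key
	image := []byte("constructed kernel bytes") // stands in for the kernel file
	good := ComputeHMAC(key, image)
	raw, _ := hex.DecodeString(good)
	raw[0] ^= 0x01 // flip one bit, as a corrupted sidecar would
	fmt.Println("intact:   ", VerifyImage(key, image, good))
	fmt.Println("corrupted:", VerifyImage(key, image, hex.EncodeToString(raw)))
	fmt.Println("garbage:  ", VerifyImage(key, image, "not-hex"))
}
```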

@HuijingHei
Member

/test rhcos

@openshift-ci

openshift-ci bot commented Mar 6, 2026

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/rhcos | d702e2f | link | true | /test rhcos |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
