diff --git a/base-fips-image/README.md b/base-fips-image/README.md index 76d424d3f..94b0b0a00 100644 --- a/base-fips-image/README.md +++ b/base-fips-image/README.md @@ -1,3 +1,83 @@ -# The SLE LTSS BCI 15 SP3 FIPS-140-2 Container image +# The SUSE Linux Enterprise 15 SP3 FIPS-140-2 Container image + + + +This container image is a SUSE Linux Enterprise 15 SP3 base container image +that includes the SLES 15 FIPS-140-2 certified OpenSSL module. + +The FIPS-140-2 certified OpenSSL module is a cryptographic module that provides +a FIPS-140-2 compliant cryptographic library. The module is certified by the +National Institute of Standards and Technology (NIST). + +The FIPS-140-2 certified OpenSSL module is a drop-in replacement for the +standard OpenSSL library. It provides the same functionality as the standard +OpenSSL library, with additional security features to meet the FIPS-140-2 +requirements. + +The image is configured to enforce the use of FIPS-140 mode by default via the +environment variable `OPENSSL_FORCE_FIPS_MODE`. This variable is set to `1` in +the image. This means that all cryptographic operations performed by the +OpenSSL library are done in FIPS-140-2 mode. + +## Accessing the Container Image + +Accessing this container image requires a valid SUSE subscription. In order +to access the container image, you must login to the SUSE Registry with your credentials. +There are three ways to do that which are described below. The first two methods +leverage the system registration of your host system, while the third method +requires you to obtain the organisation SCC mirroring credentials. + +### Use the system registration of your host system + +If the host system you are using to build or run a container is already registered with +the correct subscription required for accessing the LTSS container images, you can use +the registration information from the host to log in to the registry. + +The file `/etc/zypp/credentials.d/SCCcredentials` contains a username and a password. +These credentials allow you to access any container that is available under the +subscription of the respective host system. You can use these credentials to log +in to SUSE Registry using the following commands +(use the leading space before the echo command to avoid storing the credentials in the +shell history): + +```ShellSession +set +o history + echo PASSWORD | podman login -u USERNAME --password-stdin registry.suse.com +set -o history +``` + +### Use a separate SUSE Customer Center registration code + +If the host system is not registered with SUSE Customer Center, you can use a valid +SUSE Customer Center registration code to log in to the registry: + +```ShellSession +set +o history + echo SCC_REGISTRATION_CODE | podman login -u "regcode" --password-stdin registry.suse.com +set -o history +``` +The user parameter in this case is the verbatim string `regcode`, and +`SCC_REGISTRATION_CODE` is the actual registration code obtained from SUSE. + +### Use the organization mirroring credentials + +You can also use the organization mirroring credentials to log in to the +SUSE Registry: + +```ShellSession +set +o history + echo SCC_MIRRORING_PASSWORD | podman login -u "SCC_MIRRORING_USER" --password-stdin registry.suse.com +set -o history +``` + +These credentials give you access to all subscriptions the organization owns, +including those related to container images in the SUSE Registry. +The credentials are highly privileged and should be preferably used for +a private mirroring registry only. +## Licensing +`SPDX-License-Identifier: MIT` + +The build recipe and this documentation is licensed as MIT. +The container itself contains various software components under various open source licenses listed in the associated +Software Bill of Materials (SBOM). -15 SP3 FIPS-140-2 container based on the SLE LTSS Base Container Image.