Skip to content

Update and rename SONiC-SAI-POST.md #2083

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Update and rename SONiC-SAI-POST.md #2083

wants to merge 9 commits into from
+101 −13

Conversation

@vikram-nexthop
Copy link

@vikram-nexthop vikram-nexthop commented Oct 8, 2025
edited
Loading

  • include Control Plane POST.
  • CLI to fetch the POST status.

Implementation PRs:
sonic-net/sonic-buildimage#24067
sonic-net/sonic-swss#3907
sonic-net/sonic-wpa-supplicant#99

@mssonicbld
Copy link
Collaborator

mssonicbld commented Oct 8, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Oct 8, 2025

No pipelines are associated with this pull request.

@vikram-nexthop vikram-nexthop marked this pull request as ready for review October 8, 2025 05:40
@rlhui rlhui requested a review from ysmanman October 22, 2025 18:01
ysmanman
ysmanman reviewed Oct 22, 2025
View reviewed changes
@judyjoseph
Copy link
Contributor

judyjoseph commented Oct 29, 2025

@vikram-nexthop Can you share more details on "Control Plane POST" ? I understand the SAI POST to check the ASIC/SecY -- but no so clear on the requirements on control plane POST

@vikram-nexthop
Copy link
Author

vikram-nexthop commented Oct 29, 2025

@judyjoseph Control plane POST validates the cryptographic module used by wpa_supplicant for MKA operations, which is separate from the SAI/ASIC crypto engines, and requires independent FIPS validation too.
Please see my clarification in PR #3907.

@vikram-nexthop
Update sample CLI output and ToC
4c1b8fc 
- Added sample MACsec POST status output for single and multi ASIC scenarios.
- Added CLI to ToC.
@mssonicbld
Copy link
Collaborator

mssonicbld commented Oct 30, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Oct 30, 2025

No pipelines are associated with this pull request.

lihuay
lihuay reviewed Nov 15, 2025
View reviewed changes
lihuay
lihuay reviewed Nov 15, 2025
View reviewed changes
doc/fips/SONiC-MACSec-POST.md

The design must meet the following requirements:
- In order to accommodate different forwarding ASIC architecture or SAI implementation, the design should support enabling POST at either switch level (during switch init) or at MACSec engine level (during MACSec engine init).
- Should enable control plane POST at the MACSec level.
Copy link
Collaborator

@lihuay lihuay Nov 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a must for FIPS compliance?

Copy link
Author

@vikram-nexthop vikram-nexthop Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't say if it is a must(couldn't find a direct reference to control plane POST validation in the official FIPS documentation), but I do consider it necessary for SONiC MACsec FIPS compliance due to the following:

  1. These libraries (FIPS-certified OpenSSL FIPS Provider, SymCrypt) are not part of the SONiC repository but are critical to the security model - they handle authentication, data plane key generation, etc. Independent validation ensures their integrity and expected operational status (FIPS mode).
  2. Provides initialization-time detection of configuration errors, self-test failures, library corruption, etc enabling graceful service disabling rather than runtime failures.
  3. A one-time validation that reduces the attack surface by ensuring cryptographic libraries are in a known-good state.

This could prove redundant if the entire system (SONiC + 3rd party crypto libraries) is under a common FIPS boundary.

@mssonicbld
Copy link
Collaborator

mssonicbld commented Nov 17, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Nov 17, 2025

No pipelines are associated with this pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lihuay lihuay lihuay left review comments

+1 more reviewer

@ysmanman ysmanman ysmanman approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

SONiC Chassis
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@vikram-nexthop @mssonicbld @judyjoseph @lihuay @ysmanman