openshift · openshift-merge-bot · Oct 10, 2025 · Oct 9, 2025
diff --git a/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile b/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_EC_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-ec-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all
+# {{- end -}}
diff --git a/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile b/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_RC_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-rc-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all
+# {{- end -}}
diff --git a/...rints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile b/...rints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_Y0_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-zstream-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all
+# {{- end -}}
diff --git a/test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled b/test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+start_image="rhel96-bootc-brew-${LATEST_RELEASE_TYPE}-with-optional-fips"
+
+check_platform() {
+    if [[ "${UNAME_M}" =~ aarch64 ]] ; then
+        record_junit "setup" "scenario_create_vms" "SKIPPED"
+        exit 0
+    fi
+}
+
+scenario_create_vms() {
+    if ! does_commit_exist "${start_image}"; then
+        echo "Image '${start_image}' not found - skipping test"
+        return 0
+    fi
+
+    check_platform
+
+    prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}"
+    launch_vm --boot_blueprint rhel96-bootc --fips
+}
+
+scenario_remove_vms() {
+    check_platform
+
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    check_platform
+
+    run_tests host1 suites/fips/
+}