From d0d6c0971fb70899f58e36c637f94769ef9e42c6 Mon Sep 17 00:00:00 2001
From: Vojtech Trefny
Date: Mon, 4 Nov 2024 13:14:43 +0100
Subject: [PATCH] tests: Do not 'fips-mode-setup' to enable FIPS on RHEL 10

The fips-mode-setup tools is being removed from RHEL. Strarting with RHEL 10 adding fips=1 to the boot cmdline is enough to enable FIPS.
---
 tests/tests_luks.yml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/tests/tests_luks.yml b/tests/tests_luks.yml
index bac4dd10..6f2554e0 100644
--- a/tests/tests_luks.yml
+++ b/tests/tests_luks.yml
@@ -12,11 +12,28 @@
 tags:
 - tests::lvm
 tasks:
- - name: Enable FIPS mode
+ - name: Enable FIPS mode (RHEL 10 and newer)
+ when:
+ - lookup("env", "SYSTEM_ROLES_TEST_FIPS") == "true"
+ - ansible_facts["os_family"] == "RedHat"
+ - ansible_facts["distribution_major_version"] | int > 9
+ block:
+ - name: Enable FIPS mode
+ changed_when: false
+ shell: |
+ set -euxo pipefail
+ kernel=$(grubby --default-kernel)
+ grubby --update-kernel=$kernel --args=fips=1
+
+ - name: Reboot
+ reboot:
+ test_command: grep 1 /proc/sys/crypto/fips_enabled
+ - name: Enable FIPS mode (RHEL 8 and 9)
 when:
 - lookup("env", "SYSTEM_ROLES_TEST_FIPS") == "true"
 - ansible_facts["os_family"] == "RedHat"
 - ansible_facts["distribution_major_version"] | int > 7
+ - ansible_facts["distribution_major_version"] | int < 10
 block:
 - name: Enable FIPS mode
 command: fips-mode-setup --enable
@@ -26,7 +43,7 @@
 reboot:
 test_command: fips-mode-setup --check

- - name: Enable FIPS mode
+ - name: Enable FIPS mode (RHEL 7)
 when:
 - lookup("env", "SYSTEM_ROLES_TEST_FIPS") == "true"
 - ansible_facts["os_family"] == "RedHat"
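Review bot: In the new RHEL 10 block, the only evidence that FIPS is active after the reboot is `test_command: grep 1 /proc/sys/crypto/fips_enabled`, which the reboot module also uses as its readiness probe, so a host that comes back without FIPS is reported as a reboot timeout rather than as a FIPS failure. I would tighten the match to `test_command: grep -qx 1 /proc/sys/crypto/fips_enabled` and consider a separate task after the reboot that fails with an explicit message when the value is not 1. In the `shell` task `$kernel` is unquoted, so `grubby --update-kernel="$kernel" --args=fips=1` is safer, and because `set -o pipefail` is a bash feature the task presumably relies on the shell module's default shell being bash on these hosts. The probe covers only the kernel flag; whether the system crypto policy also ends up as FIPS on RHEL 10 is not checked here and may be worth confirming.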