From 4abf9158912789ba3959f70351cf945cefa32590 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 30 Jun 2023 16:50:09 +0200
Subject: [PATCH 01/12] Security Guide: add chapter skeleton

(cherry picked from commit f4bf60510b8c055718a94f9f9098ea77d1b33e1b)
---
 xml/book_security.xml         |  1 +
 xml/security_cryptopolicy.xml | 36 +++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 xml/security_cryptopolicy.xml

diff --git a/xml/book_security.xml b/xml/book_security.xml
index a67cce4351..2fa18325ac 100644
--- a/xml/book_security.xml
+++ b/xml/book_security.xml
@@ -60,6 +60,7 @@
   <xi:include href="security_yast2_security.xml"/>
   <xi:include href="security_polkit.xml"/>
   <xi:include href="security_acls.xml"/>
+  <xi:include href="security_cryptopolicy.xml"/>
 <!-- this is very outdated, removing until I can rewrite
   it with updated information cschroder 12 Dec 2021
   <xi:include href="security_certificatestore.xml"/>-->
diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
new file mode 100644
index 0000000000..ea17a61be9
--- /dev/null
+++ b/xml/security_cryptopolicy.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE chapter
+[
+  <!ENTITY % entities SYSTEM "generic-entities.ent">
+    %entities;
+]>
+
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         version="5.0"
+         xml:id="cha-security-cryptopolicy">
+
+ <title>Enforcing a system-wide crypto policy</title>
+ <info>
+      <abstract>
+        <para>
+         bla
+        </para>
+      </abstract>
+      <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+        <dm:bugtracker>
+        </dm:bugtracker>
+        <dm:translation>yes</dm:translation>
+      </dm:docmanager>
+ </info>
+
+ <sect1 xml:id="sec-security-cryptopolicy-oview">
+  <title>Conceptual overview</title>
+
+  <para>
+    bla
+  </para>
+ 
+ </sect1>
+</chapter>
\ No newline at end of file

From 08133b2b5bf18a7fc432b51bca9b953fec3bb268 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 30 Jun 2023 16:50:47 +0200
Subject: [PATCH 02/12] start adding basic info and ToDos

(cherry picked from commit 1952b23617fbe760f606724055da2fa38e0cf2b4)
---
 xml/security_cryptopolicy.xml | 58 +++++++++++++++++++++--------------
 1 file changed, 35 insertions(+), 23 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index ea17a61be9..6003faf61e 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -4,33 +4,45 @@
   <!ENTITY % entities SYSTEM "generic-entities.ent">
     %entities;
 ]>
-
 <chapter xmlns="http://docbook.org/ns/docbook"
          xmlns:xi="http://www.w3.org/2001/XInclude"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          version="5.0"
          xml:id="cha-security-cryptopolicy">
+  <!--taroth 2023-04-28
+    Main ToDos (based on https://bugzilla.suse.com/show_bug.cgi?id=1209998#c7)
+    * add new chapter to Security Guide, describe also integration
+    * explain how we intend customers to use the crypto-policies
+    * explain what changed exactly and what impact this has,
+       e.g. if someone updates from SP3 (no active crypto-policies)
+       to SP4 (active crypto-policies)-->
+  <title>Using system-wide crypto policies</title>
+  <info>
+    <abstract>
+      <para>
+        bla
+      </para>
+    </abstract>
+    <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+      <dm:bugtracker></dm:bugtracker>
+      <dm:translation>yes</dm:translation>
+    </dm:docmanager>
+  </info>
+  <sect1 xml:id="sec-security-cryptopolicy-oview">
+    <title>Conceptual overview</title>
 
- <title>Enforcing a system-wide crypto policy</title>
- <info>
-      <abstract>
-        <para>
-         bla
-        </para>
-      </abstract>
-      <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
-        <dm:bugtracker>
-        </dm:bugtracker>
-        <dm:translation>yes</dm:translation>
-      </dm:docmanager>
- </info>
-
- <sect1 xml:id="sec-security-cryptopolicy-oview">
-  <title>Conceptual overview</title>
+    <para>
+      The <package>crypto-policies</package> RPM package provides pre-built
+      configuration files with cryptographic policies for cryptographic
+      back-ends, such as SSL/TLS libraries. This package allows to set the
+      cryptographic security level for all applications that use a
+      cryptographic back-end supported by the policies.
+    </para>
 
-  <para>
-    bla
-  </para>
- 
- </sect1>
-</chapter>
\ No newline at end of file
+    <para>
+      For now, OpenSSL, GnuTLS, Apache2, Java/OpenJDK (java-1_8_0-openjdk and
+      java-11-openjdk) and perl-IO-Socket-SSL follow these policies. More
+      libraries and applications will be added gradually.
+    </para>
+  </sect1>
+</chapter>

From 9b0d761ac70b20b833a8ab575cbd81d734120439 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 30 Jun 2023 16:51:21 +0200
Subject: [PATCH 03/12] add predefined policy levels

(cherry picked from commit 48683d4034d74350f3cb96c1ebf7227c7737b4ff)
---
 xml/security_cryptopolicy.xml | 78 ++++++++++++++++++++++++++++++++---
 1 file changed, 73 insertions(+), 5 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index 6003faf61e..b540970bc0 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -14,8 +14,8 @@
     * add new chapter to Security Guide, describe also integration
     * explain how we intend customers to use the crypto-policies
     * explain what changed exactly and what impact this has,
-       e.g. if someone updates from SP3 (no active crypto-policies)
-       to SP4 (active crypto-policies)-->
+    e.g. if someone updates from SP3 (no active crypto-policies)
+    to SP4 (active crypto-policies)-->
   <title>Using system-wide crypto policies</title>
   <info>
     <abstract>
@@ -40,9 +40,77 @@
     </para>
 
     <para>
-      For now, OpenSSL, GnuTLS, Apache2, Java/OpenJDK (java-1_8_0-openjdk and
-      java-11-openjdk) and perl-IO-Socket-SSL follow these policies. More
-      libraries and applications will be added gradually.
+      Crypto-policies apply to the configuration of the core cryptographic
+      subsystems. They cover the supported secure communications protocols on
+      the base operating system, such as TLS, IKE, IPSec, DNSSec and Kerberos
+      protocols.
+    </para>
+  </sect1>
+  <sect1>
+    <title>Predefined policy levels</title>
+
+    <para>
+      The <package>crypto-policies</package> package comes with the following
+      predefined policy levels:
+    </para>
+
+    <variablelist>
+      <varlistentry>
+        <term>DEFAULT</term>
+        <listitem>
+          <para>
+            A reasonable default policy for today's standards. It allows the
+            TLS 1.2, and TLS 1.3 protocols, as well as IKEv2 and SSH2. The
+            Diffie-Hellman parameters are accepted if they are at least 2048
+            bits long. The level provides at least 112-bit security with the
+            exception of allowing SHA-1 signatures in DNSSec where they are
+            still prevalent.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>FIPS</term>
+        <listitem>
+          <para>
+            A level that conforms to the FIPS 140-2 requirements. This policy
+            is used internally by the <command>fips-mode-setup</command> tool
+            which can switch the system into FIPS 140-2 compliance mode. The
+            level provides at least 112-bit security.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>FUTURE</term>
+        <listitem>
+          <para>
+            A conservative security level that is believed to withstand any
+            near-term future attacks. This level does not allow the use of
+            SHA-1 in signature algorithms. The level also provides some (not
+            complete) preparation for post-quantum encryption support in form
+            of 256-bit symmetric encryption requirement. The RSA and
+            Diffie-Hellman parameters are accepted if larger than 3071 bits.
+            The level provides at least 128-bit security.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>LEGACY</term>
+        <listitem>
+          <para>
+            This policy ensures maximum compatibility with legacy systems. It
+            is less secure and it includes support for TLS 1.0, TLS 1.1, and
+            SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are
+            allowed, while RSA and Diffie-Hellman parameters are accepted if
+            larger than 1023 bits. The level provides at least 64-bit security.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>
+      For more details on the individual policies, see the man page of
+      <command>crypto-policies</command>. All policies are located in
+      <filename>/usr/share/crypto-policies/policies<replaceable>NAME</replaceable>.pol</filename>.
     </para>
   </sect1>
 </chapter>

From 559093bfa5add0f1ef3a90632ff1fa978f49cb89 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 7 Jul 2023 17:45:12 +0200
Subject: [PATCH 04/12] adding minor info and skeleton for next section

---
 xml/security_cryptopolicy.xml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index b540970bc0..3626c25a94 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -43,7 +43,8 @@
       Crypto-policies apply to the configuration of the core cryptographic
       subsystems. They cover the supported secure communications protocols on
       the base operating system, such as TLS, IKE, IPSec, DNSSec and Kerberos
-      protocols.
+      protocols. Having crypto-policies allows to easily handle the deprecation
+      of algorithms or protocols system-wide and in a transparent manner.
     </para>
   </sect1>
   <sect1>
@@ -108,9 +109,19 @@
     </variablelist>
 
     <para>
-      For more details on the individual policies, see the man page of
+      Policies can change over time together with the security of the
+      cryptographic components. For the latest details on the individual
+      policies, therefore see the man page of
       <command>crypto-policies</command>. All policies are located in
       <filename>/usr/share/crypto-policies/policies<replaceable>NAME</replaceable>.pol</filename>.
     </para>
   </sect1>
+  <sect1>
+    <title>Setting the crypto-policy to use</title>
+
+    <para>
+      The policy that currently is in use on the system can be checked with the
+      update-crypto-policies command:
+    </para>
+  </sect1>
 </chapter>

From 79cc543e23902e001e4b95dd6ced1f22d9a787b6 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 4 Aug 2023 16:28:30 +0200
Subject: [PATCH 05/12] switch crypto-policy level

---
 xml/security_cryptopolicy.xml | 40 +++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index 3626c25a94..5fbe35b66f 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -16,7 +16,7 @@
     * explain what changed exactly and what impact this has,
     e.g. if someone updates from SP3 (no active crypto-policies)
     to SP4 (active crypto-policies)-->
-  <title>Using system-wide crypto policies</title>
+  <title>Using system-wide cryptographic policies</title>
   <info>
     <abstract>
       <para>
@@ -117,11 +117,39 @@
     </para>
   </sect1>
   <sect1>
-    <title>Setting the crypto-policy to use</title>
+    <title>Switching to a different crypto-policy level</title>
 
-    <para>
-      The policy that currently is in use on the system can be checked with the
-      update-crypto-policies command:
-    </para>
+    <procedure>
+      <step>
+        <para>
+          To check the crypto-policy level that is currently in use:
+        </para>
+<screen>&prompt.root;<command>update-crypto-policies --show</command></screen>
+      </step>
+      <step>
+        <para>
+          To switch to a different policy level, use the <option>--set</option>
+          option:
+        </para>
+<screen>update-crypto-policies --set <replaceable>POLICY</replaceable></screen>
+        <remark>taroth 2023-07-04: do we need a word of caution here for LEGACY and FIPS?
+          and can we tell that switching to 'LEGACY' enables compatibility with a specific
+          older SLE version, like SLE 12 SP5 or so?
+        </remark>
+        <important>
+          <title>LEGACY crypto-policy level is less secure</title>
+          <para>
+            Switching to a LEGACY crypto-policy level makes your system and
+            applications less secure.
+          </para>
+        </important>
+      </step>
+      <step>
+        <para>
+          After switching to a different policy level restart the system to
+          apply the changes.
+        </para>
+      </step>
+    </procedure>
   </sect1>
 </chapter>

From 2240999bbe6be5f53fd8f860bb47ba59f49b9c51 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 4 Aug 2023 16:32:40 +0200
Subject: [PATCH 06/12] predefined policies are read-only

---
 xml/security_cryptopolicy.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index 5fbe35b66f..ddc247e35a 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -112,8 +112,10 @@
       Policies can change over time together with the security of the
       cryptographic components. For the latest details on the individual
       policies, therefore see the man page of
-      <command>crypto-policies</command>. All policies are located in
-      <filename>/usr/share/crypto-policies/policies<replaceable>NAME</replaceable>.pol</filename>.
+      <command>crypto-policies</command>. All predefined policies are located
+      in
+      <filename>/usr/share/crypto-policies/policies<replaceable>NAME</replaceable>.pol</filename>
+      and are read-only.
     </para>
   </sect1>
   <sect1>

From 3a141939cb2981db867ab6c7467d5dc2d150d427 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 4 Aug 2023 17:42:06 +0200
Subject: [PATCH 07/12] custom subpolicy (WIP)

---
 xml/security_cryptopolicy.xml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index ddc247e35a..d22d43a484 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -121,6 +121,13 @@
   <sect1>
     <title>Switching to a different crypto-policy level</title>
 
+    <para>
+      Use the <command>update-crypto-policies</command> to set the policy level
+      which is applied to the cryptographic back-ends. It is the default policy
+      used by these back-ends unless the application user configures them
+      otherwise.
+    </para>
+
     <procedure>
       <step>
         <para>
@@ -154,4 +161,27 @@
       </step>
     </procedure>
   </sect1>
+  <sect1>
+    <title>Customizing existing crypto-policies</title>
+
+    <para>
+      You can modify aspects of any predefined policy by removing or adding
+      algorithms or protocols. This way, you create a subpolicy (or policy
+      modifier module), stored in text files that include the modifications.
+      After creation, one or multiple subpolicies can be applied on the command
+      line to one of the predefined policies. For details, see example ????.
+    </para>
+
+    <para>
+      Subpolicies need to be stored in
+      <filename>/usr/share/crypto-policies/policies/modules/</filename>. You
+      can also find example subpolicies in this directory. The name of the
+      subpolicy file must be <replaceable>MODULE</replaceable>.pmod, where
+      <replaceable>MODULE</replaceable> is the name of the modifier in
+      uppercase and without spaces.
+    </para>
+
+    <!--todo: add example and how to apply it, e.g. with update-crypto-policies -/-set DEFAULT:NO-SHA1-->
+    <!--todo: add another section how to create a new policy from scratch-->
+  </sect1>
 </chapter>

From e5590655729473558db7e13063b693d1b54f205c Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 11 Aug 2023 14:59:07 +0200
Subject: [PATCH 08/12] custom subpolicy: added example

---
 xml/security_cryptopolicy.xml | 73 ++++++++++++++++++++++++++++++-----
 1 file changed, 64 insertions(+), 9 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index d22d43a484..f6a92fec98 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -156,7 +156,7 @@
       <step>
         <para>
           After switching to a different policy level restart the system to
-          apply the changes.
+          apply the changes to the applications.
         </para>
       </step>
     </procedure>
@@ -169,19 +169,74 @@
       algorithms or protocols. This way, you create a subpolicy (or policy
       modifier module), stored in text files that include the modifications.
       After creation, one or multiple subpolicies can be applied on the command
-      line to one of the predefined policies. For details, see example ????.
+      line to one of the predefined policies. For details, see
+      <xref linkend="ex-crypto-policy-subpolicy"></xref>.
     </para>
 
     <para>
-      Subpolicies need to be stored in
-      <filename>/usr/share/crypto-policies/policies/modules/</filename>. You
-      can also find example subpolicies in this directory. The name of the
-      subpolicy file must be <replaceable>MODULE</replaceable>.pmod, where
-      <replaceable>MODULE</replaceable> is the name of the modifier in
-      uppercase and without spaces.
+      You can find example subpolicies in
+      <filename>/usr/share/crypto-policies/policies/modules</filename>.
+      However, your own subpolicies need to be stored in
+      <filename>/etc/crypto-policies/policies/modules</filename> (unless they
+      are packaged) . The name of the subpolicy file must be
+      <replaceable>MODULE</replaceable>.pmod, where
+      <replaceable>MODULE</replaceable> is the name of the subpolicy. It needs
+      to be spelled in uppercase letters and without spaces.
     </para>
 
-    <!--todo: add example and how to apply it, e.g. with update-crypto-policies -/-set DEFAULT:NO-SHA1-->
+    <example xml:id="ex-crypto-policy-subpolicy">
+      <title>Removing support for RSA and PSK key exchanges</title>
+      <para>
+        The following example shows you how to create a subpolicy which removes
+        support for RSA and PSK key exchanges from the
+        <literal>DEFAULT</literal> policy. Both key exchanges do not provide
+        forward secrecy, which means they cannot make sure that session keys
+        are not compromised in case long-term secrets used in the key exchange
+        session are compromised.
+      </para>
+      <procedure>
+        <step>
+          <para>
+            In <filename>/etc/crypto-policies/policies/modules/</filename>
+            create a new file, named <filename>NO-RSA-PSK.pmod</filename>.
+          </para>
+        </step>
+        <step>
+          <para>
+            Add the following line and save the file afterwards:
+          </para>
+<screen>key_exchange = -RSA -PSK</screen>
+          <para>
+            Now you can apply the newly created subpolicy to one of the
+            predefined policies.
+          </para>
+        </step>
+        <step>
+          <para>
+            Assuming the current system-wide policy is
+            <literal>DEFAULT</literal> and you want to apply the newly created
+            subpolicy to <literal>DEFAULT</literal>:
+            command:
+          </para>
+<screen>&prompt.root;<command>update-crypto-policies --set DEFAULT:NO-RSA-PSK</command></screen>
+        </step>
+        <step>
+          <para>
+            Double-check if the subpolicy has been added to
+            <literal>DEFAULT</literal>:
+          </para>
+<screen><command>update-crypto-policies --show</command>
+          DEFAULT:NO-RSA-PSK</screen>
+        </step>
+        <step>
+          <para>
+            Reboot the system to apply the system-wide policy adjustment to the
+            applications.
+          </para>
+        </step>
+      </procedure>
+    </example>
+
     <!--todo: add another section how to create a new policy from scratch-->
   </sect1>
 </chapter>

From c79575b44f00ad88666738cf7e494c093fb3bb2c Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 11 Aug 2023 16:15:20 +0200
Subject: [PATCH 09/12] create new policy

---
 xml/security_cryptopolicy.xml | 75 +++++++++++++++++++++++++++++++----
 1 file changed, 68 insertions(+), 7 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index f6a92fec98..97c5b21d03 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -114,7 +114,7 @@
       policies, therefore see the man page of
       <command>crypto-policies</command>. All predefined policies are located
       in
-      <filename>/usr/share/crypto-policies/policies<replaceable>NAME</replaceable>.pol</filename>
+      <filename>/usr/share/crypto-policies/policies/<replaceable>NAME</replaceable>.pol</filename>
       and are read-only.
     </para>
   </sect1>
@@ -178,8 +178,8 @@
       <filename>/usr/share/crypto-policies/policies/modules</filename>.
       However, your own subpolicies need to be stored in
       <filename>/etc/crypto-policies/policies/modules</filename> (unless they
-      are packaged) . The name of the subpolicy file must be
-      <replaceable>MODULE</replaceable>.pmod, where
+      are packaged). The name of the subpolicy file must be
+      <filename><replaceable>MODULE</replaceable>.pmod</filename>, where
       <replaceable>MODULE</replaceable> is the name of the subpolicy. It needs
       to be spelled in uppercase letters and without spaces.
     </para>
@@ -216,7 +216,6 @@
             Assuming the current system-wide policy is
             <literal>DEFAULT</literal> and you want to apply the newly created
             subpolicy to <literal>DEFAULT</literal>:
-            command:
           </para>
 <screen>&prompt.root;<command>update-crypto-policies --set DEFAULT:NO-RSA-PSK</command></screen>
         </step>
@@ -226,17 +225,79 @@
             <literal>DEFAULT</literal>:
           </para>
 <screen><command>update-crypto-policies --show</command>
-          DEFAULT:NO-RSA-PSK</screen>
+DEFAULT:NO-RSA-PSK</screen>
         </step>
         <step>
           <para>
             Reboot the system to apply the system-wide policy adjustment to the
-            applications.
+            applications:
           </para>
+<screen>&prompt.root;<command>reboot</command></screen>
         </step>
       </procedure>
     </example>
+  </sect1>
+  <sect1>
+    <title>Creating a new policy from scratch</title>
+
+    <para>
+      Instead of customizing an existing crypto-policy with a subpolicy you can
+      also decide to write a new policy from scratch. You can use any of the
+      predefined policies in
+      <filename>/usr/share/crypto-policies/policies/</filename> as a starting
+      point. However, your own policy file needs to be stored in
+      <filename>/etc/crypto-policies/policies/</filename>. Name your file
+      <filename><replaceable>MY_POLICY</replaceable>.pol</filename>, where
+      <replaceable>MY_POLICY</replaceable> is the name of the policy. Make sure
+      it is owned by &rootuser; and is not writable by non-privileged users.
+    </para>
 
-    <!--todo: add another section how to create a new policy from scratch-->
+    <example xml:id="ex-crypto-policy-custom">
+      <title>Creating a new policy and applying it</title>
+      <para>
+        The following example shows you how to create a new policy based on the
+        <literal>DEFAULT</literal> policy.
+      </para>
+      <procedure>
+        <step>
+          <para>
+            Copy the <literal>DEFAULT</literal> policy to
+            <filename>/etc/crypto-policies/policies/</filename> and rename it:
+          </para>
+<screen>cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
+        </step>
+        <step>
+          <para>
+            Edit the policy as desired and save it.
+          </para>
+        </step>
+        <step>
+          <para>
+            Switch the system to the new policy:
+          </para>
+<screen>&prompt.root;<command>update-crypto-policies --set MY_POLICY</command></screen>
+        </step>
+        <step>
+          <para>
+            Reboot the system to apply the new policy to the
+            applications and running services:
+          </para>
+<screen>&prompt.root;<command>reboot</command></screen>
+        </step>
+        <step>
+          <para>
+            Double-check if the policy is active:
+          </para>
+<screen><command>update-crypto-policies --show</command>
+MY_POLICY</screen>
+        </step>
+        <step>
+          <para>
+            Reboot the system to apply the system-wide policy adjustment to the
+            applications.
+          </para>
+        </step>
+      </procedure>
+    </example>
   </sect1>
 </chapter>

From f113ed24a32e32f5ec37b2bc3aba2b9950169308 Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 11 Aug 2023 18:21:32 +0200
Subject: [PATCH 10/12] corrections from checking output

---
 xml/security_cryptopolicy.xml | 79 +++++++++++++++++------------------
 1 file changed, 38 insertions(+), 41 deletions(-)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index 97c5b21d03..136413b460 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -8,7 +8,7 @@
          xmlns:xi="http://www.w3.org/2001/XInclude"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          version="5.0"
-         xml:id="cha-security-cryptopolicy">
+         xml:id="cha-security-cryptopolicies">
   <!--taroth 2023-04-28
     Main ToDos (based on https://bugzilla.suse.com/show_bug.cgi?id=1209998#c7)
     * add new chapter to Security Guide, describe also integration
@@ -20,7 +20,7 @@
   <info>
     <abstract>
       <para>
-        bla
+        TODO
       </para>
     </abstract>
     <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
@@ -28,11 +28,11 @@
       <dm:translation>yes</dm:translation>
     </dm:docmanager>
   </info>
-  <sect1 xml:id="sec-security-cryptopolicy-oview">
-    <title>Conceptual overview</title>
+  <sect1 xml:id="sec-security-cryptopolicies-concept">
+    <title>The <command>crypto-policies</command> concept</title>
 
     <para>
-      The <package>crypto-policies</package> RPM package provides pre-built
+      The <package>crypto-policies</package> RPM package provides predefined
       configuration files with cryptographic policies for cryptographic
       back-ends, such as SSL/TLS libraries. This package allows to set the
       cryptographic security level for all applications that use a
@@ -43,16 +43,16 @@
       Crypto-policies apply to the configuration of the core cryptographic
       subsystems. They cover the supported secure communications protocols on
       the base operating system, such as TLS, IKE, IPSec, DNSSec and Kerberos
-      protocols. Having crypto-policies allows to easily handle the deprecation
-      of algorithms or protocols system-wide and in a transparent manner.
+      protocols. Crypto-policies allow to handle the deprecation of algorithms
+      or protocols system-wide and in a transparent manner.
     </para>
   </sect1>
-  <sect1>
-    <title>Predefined policy levels</title>
+  <sect1 xml:id="sec-security-cryptopolicies-predefined">
+    <title>Predefined cryptographic policies</title>
 
     <para>
       The <package>crypto-policies</package> package comes with the following
-      predefined policy levels:
+      predefined policies that can be applied system-wide:
     </para>
 
     <variablelist>
@@ -118,20 +118,21 @@
       and are read-only.
     </para>
   </sect1>
-  <sect1>
-    <title>Switching to a different crypto-policy level</title>
+  <sect1 xml:id="sec-security-cryptopolicies-switch">
+    <title>Switching to a different crypto-policy</title>
 
     <para>
-      Use the <command>update-crypto-policies</command> to set the policy level
-      which is applied to the cryptographic back-ends. It is the default policy
-      used by these back-ends unless the application user configures them
+      Use the <command>update-crypto-policies</command> command to view and set
+      the policy which is applied system-wide to the cryptographic back-ends.
+      The policy which has been set with this command is used by these
+      back-ends by default unless the application user configures them
       otherwise.
     </para>
 
     <procedure>
       <step>
         <para>
-          To check the crypto-policy level that is currently in use:
+          To check the crypto-policy that is currently in use:
         </para>
 <screen>&prompt.root;<command>update-crypto-policies --show</command></screen>
       </step>
@@ -140,28 +141,28 @@
           To switch to a different policy level, use the <option>--set</option>
           option:
         </para>
-<screen>update-crypto-policies --set <replaceable>POLICY</replaceable></screen>
         <remark>taroth 2023-07-04: do we need a word of caution here for LEGACY and FIPS?
           and can we tell that switching to 'LEGACY' enables compatibility with a specific
           older SLE version, like SLE 12 SP5 or so?
         </remark>
         <important>
-          <title>LEGACY crypto-policy level is less secure</title>
+          <title>LEGACY crypto-policy is less secure</title>
           <para>
-            Switching to a LEGACY crypto-policy level makes your system and
+            Switching to a LEGACY crypto-policy makes your system and
             applications less secure.
           </para>
         </important>
       </step>
       <step>
         <para>
-          After switching to a different policy level restart the system to
-          apply the changes to the applications.
+          After switching to a different policy reboot the machine to apply the
+          changes to the applications:
         </para>
+<screen>&prompt.root;<command>reboot</command></screen>
       </step>
     </procedure>
   </sect1>
-  <sect1>
+  <sect1 xml:id="sec-security-cryptopolicies-subpolicies">
     <title>Customizing existing crypto-policies</title>
 
     <para>
@@ -178,10 +179,10 @@
       <filename>/usr/share/crypto-policies/policies/modules</filename>.
       However, your own subpolicies need to be stored in
       <filename>/etc/crypto-policies/policies/modules</filename> (unless they
-      are packaged). The name of the subpolicy file must be
+      are packaged). Name the subpolicy file
       <filename><replaceable>MODULE</replaceable>.pmod</filename>, where
-      <replaceable>MODULE</replaceable> is the name of the subpolicy. It needs
-      to be spelled in uppercase letters and without spaces.
+      <replaceable>MODULE</replaceable> is the name of the subpolicy. The file
+      name needs to be spelled in uppercase letters and without spaces.
     </para>
 
     <example xml:id="ex-crypto-policy-subpolicy">
@@ -200,10 +201,11 @@
             In <filename>/etc/crypto-policies/policies/modules/</filename>
             create a new file, named <filename>NO-RSA-PSK.pmod</filename>.
           </para>
+<screen>&prompt.root;<command>touch</command> /etc/crypto-policies/policies/modules/NO-RSA-PSK.pmod</screen>
         </step>
         <step>
           <para>
-            Add the following line and save the file afterwards:
+            Add the following line to the file and save it afterwards:
           </para>
 <screen>key_exchange = -RSA -PSK</screen>
           <para>
@@ -224,13 +226,13 @@
             Double-check if the subpolicy has been added to
             <literal>DEFAULT</literal>:
           </para>
-<screen><command>update-crypto-policies --show</command>
+<screen>&prompt.root;<command>update-crypto-policies --show</command>
 DEFAULT:NO-RSA-PSK</screen>
         </step>
         <step>
           <para>
-            Reboot the system to apply the system-wide policy adjustment to the
-            applications:
+            Reboot the machine to apply the system-wide policy adjustment to
+            the applications:
           </para>
 <screen>&prompt.root;<command>reboot</command></screen>
         </step>
@@ -249,7 +251,8 @@ DEFAULT:NO-RSA-PSK</screen>
       <filename>/etc/crypto-policies/policies/</filename>. Name your file
       <filename><replaceable>MY_POLICY</replaceable>.pol</filename>, where
       <replaceable>MY_POLICY</replaceable> is the name of the policy. Make sure
-      it is owned by &rootuser; and is not writable by non-privileged users.
+      the policy file is owned by &rootuser; and is not writable by
+      non-privileged users.
     </para>
 
     <example xml:id="ex-crypto-policy-custom">
@@ -264,7 +267,7 @@ DEFAULT:NO-RSA-PSK</screen>
             Copy the <literal>DEFAULT</literal> policy to
             <filename>/etc/crypto-policies/policies/</filename> and rename it:
           </para>
-<screen>cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
+<screen>&prompt.root;<command>cp</command> /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
         </step>
         <step>
           <para>
@@ -275,12 +278,12 @@ DEFAULT:NO-RSA-PSK</screen>
           <para>
             Switch the system to the new policy:
           </para>
-<screen>&prompt.root;<command>update-crypto-policies --set MY_POLICY</command></screen>
+<screen>&prompt.root;<command>update-crypto-policies --set</command> MY_POLICY</screen>
         </step>
         <step>
           <para>
-            Reboot the system to apply the new policy to the
-            applications and running services:
+            Reboot the machine to apply the new policy to the applications and
+            running services:
           </para>
 <screen>&prompt.root;<command>reboot</command></screen>
         </step>
@@ -288,15 +291,9 @@ DEFAULT:NO-RSA-PSK</screen>
           <para>
             Double-check if the policy is active:
           </para>
-<screen><command>update-crypto-policies --show</command>
+<screen>&prompt.root;<command>update-crypto-policies --show</command>
 MY_POLICY</screen>
         </step>
-        <step>
-          <para>
-            Reboot the system to apply the system-wide policy adjustment to the
-            applications.
-          </para>
-        </step>
       </procedure>
     </example>
   </sect1>

From 6d105c142db9dbb9a98a3db719c35ec8cc5a7d7e Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 8 Mar 2024 17:33:07 +0100
Subject: [PATCH 11/12] predefined policies: add BSI (PED-4933)

---
 xml/security_cryptopolicy.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index 136413b460..7fdcb19112 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -56,6 +56,26 @@
     </para>
 
     <variablelist>
+      <varlistentry>
+        <term>BSI</term>
+        <listitem>
+          <para>
+            A security policy based on recommendations by the German government
+            agency BSI (Bundesamt fuer Sicherheit in der Informationstechnik,
+            translated as <literal>agency for security in software
+            technology</literal>). The policy is based on the technical
+            recommendation ruleset <literal>TR 02102</literal>. The BSI TR
+            02102 standard is updated in regular intervals. This policy does
+            not allow the use of SHA-1 in signature algorithms (except DNSSEC
+            and RPM). The policy also provides some (not complete) preparation
+            for post-quantum encryption support in form of 256-bit symmetric
+            encryption requirement. The RSA parameters are accepted if larger
+            than 2047 bits, and Diffie-Hellman parameters are accepted if
+            larger than 3071 bits. This policy provides at least 128-bit
+            security, excepting the transition of RSA.
+          </para>
+        </listitem>
+      </varlistentry>
       <varlistentry>
         <term>DEFAULT</term>
         <listitem>

From 93b170e9c0fce681d30afb81711bd0a50a79f60b Mon Sep 17 00:00:00 2001
From: Tanja Roth <taroth@suse.com>
Date: Fri, 8 Mar 2024 18:09:42 +0100
Subject: [PATCH 12/12] switch policy: mention FIPS enablement by script

---
 xml/security_cryptopolicy.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
index 7fdcb19112..08934ce555 100644
--- a/xml/security_cryptopolicy.xml
+++ b/xml/security_cryptopolicy.xml
@@ -181,6 +181,14 @@
 <screen>&prompt.root;<command>reboot</command></screen>
       </step>
     </procedure>
+    <tip os="sles">
+      <title>Enabling FIPS mode via script</title>
+       <para>
+        For the FIPS crypto-policy, &suse; also provides a script with which you
+        can comfortably enable the FIPS mode. See
+        <xref linkend="sec-how-to-fips-install"/> for details.
+       </para>
+     </tip>
   </sect1>
   <sect1 xml:id="sec-security-cryptopolicies-subpolicies">
     <title>Customizing existing crypto-policies</title>