From fd63ad84d21572e099427eed9401b2a596bd5f49 Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Fri, 10 Apr 2026 15:24:41 -0400
Subject: [PATCH] Add post-quantum crypto-policies to RHEL9 base image

Convert base/Dockerfile.rhel9 to multi-stage build to configure crypto-policies with DEFAULT:PQ policy. This adds post-quantum cryptography support for future-proofing against quantum threats. The builder stage installs crypto-policies and runs update-crypto-policies --set DEFAULT:PQ, then the final stage copies /etc/crypto-policies/ from the builder to include the configured policies in the base image.

Co-Authored-By: Claude Sonnet 4.5
---
 base/Dockerfile.rhel9 | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/base/Dockerfile.rhel9 b/base/Dockerfile.rhel9
index f5dee2077..e0b5b6ee8 100644
--- a/base/Dockerfile.rhel9
+++ b/base/Dockerfile.rhel9
@@ -1,5 +1,16 @@
+# Builder stage: Configure crypto-policies with post-quantum support
+FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 AS builder
+
+RUN dnf install -y --nodocs crypto-policies-scripts && \
+ update-crypto-policies --set DEFAULT:PQ && \
+ dnf clean all && rm -rf /var/cache/*
+
+# Final stage: Base RHEL9 image with PQ crypto-policies
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+# Copy crypto-policies configuration from builder stage
+COPY --from=builder /etc/crypto-policies/ /etc/crypto-policies/
+
 
 # A ubi9 image will expose python3 as /usr/bin/python. It does not contain
 # python2. Subsequent layers should install if it needed.
 #
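Review bot: The final stage copies only `/etc/crypto-policies/`, but depending on the crypto-policies version in this base, `update-crypto-policies --set DEFAULT:PQ` may write the generated policy outside that tree and leave the `back-ends/*.config` entries as symlinks into it, in which case the copied links dangle in the final image and the libraries quietly run with no policy file rather than the PQ one. Verify in the built image that every back-end config resolves to an existing regular file (e.g. `readlink -f /etc/crypto-policies/back-ends/*.config`), and if they are symlinks, copy the target directory from the builder as well. A crypto-policies profile only selects algorithms and does not add implementations, so the PQ key-exchange groups take effect only where the base image's TLS libraries already support them; stating that in the `# Final stage` comment would keep readers from assuming the COPY enables PQ on its own. The `dnf clean all && rm -rf /var/cache/*` cleanup in a builder stage that is discarded is harmless but unnecessary. The hunk holds the whole change; the rest of the Dockerfile continues outside it.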