Problems Disabling FIPS on RHEL 7

Following STEPS 4 and 5 only of the procedures in the linked document below, I have a few systems (but NOT all of them) still indicating that FIPS is enabled.

The customer does not want us to remove the dracut-fips package(s) so we're trying to only disable FIPS. We're basically having to run the following commands, then reboot, but we have to run the commands and reboot TWICE to get the FIPS enabled check to show a status of 0 (zero).

grubby --update-kernel=ALL --remove-args=fips=1
sed -i 's/ fips=1//' /etc/default/grub

Granted, we don't need to run the sed command again.

The instructions indicate to simply reboot. Why do we need to reboot twice to show a disabled state?

https://access.redhat.com/solutions/2422061

Any ideas why that may be?

Also, if there's a fips=1 should there not be a fips=0 option that would work too? I see no mention of that online, unless I missed it.

Thanks for your ideas.

Chris

Responses

Hi,

At some point in the past, disabling FIPS by setting "fips=0" could cause the system to panic.

Otherwise, I think it is a valid option.

I use Red Hat's procedure regularly and have never had a problem with it.

Did you have any errors when running the commands as per Red Hat's instructions?

Regards,

Dusan Baljevic (amateur radio VK2COT)

Thanks Dusan. I had also seen that post and was reluctant to try it. However, after just testing it and rebuilding grub, it "seems" to have worked, at least with kernel 3.10.0-693.el7. I think the link to the RH document I had provided in my initial post is missing a step. They say to edit the /etc/default/grub then reboot. I think they meant to have us rebuild with this:

grub2-mkconfig -o /boot/grub2/grub.cfg

It makes sense, since any instructions for "enabling" FIPS have us rebuild the grub.cfg file.

Does that sound about right to you?

I just tested in a VM. Now for the customer's servers.

Thanks again.

Hi Chris,

This step is not required for disabling FIPS.

I just reconfirmed it on a VM running 3.10.0-862.3.2.el7.x86_64.

In short, this was sufficient (I did not even bother with preserving initramfs as this is a test system):

yum remove dracut-fips\*
dracut --force
grubby --update-kernel=ALL --remove-args=fips=1
sed -i 's/ fips=1//' /etc/default/grub

Regards,

Dusan Baljevic (amateur radio VK2COT)

FIPS may be compiled as ON within the kernel by default.
This has worked on my RHEL 7 systems to have FIPS compiled in but disabled. I explicitly set fips=0:

grubby --update-kernel=ALL --remove-args=fips=1
sed -i 's/ fips=1/ fips=0/' /etc/default/grub
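As an added example (not a command from this thread or from Red Hat's article), here is a small POSIX shell audit that reports the running FIPS state and every place a fips=1 argument is still persisted, so a host that still reports enabled after a reboot can be traced to the file that carries it. It assumes the RHEL 7 paths used in this thread (/etc/default/grub and /boot/grub2/grub.cfg) plus the kernel's /proc/sys/crypto/fips_enabled flag; the paths are parameters so it can also be run against copies.

```shell
#!/bin/sh
# Added example: audit the running FIPS state on a RHEL 7 host and every
# place the fips=1 kernel argument may still be persisted. File paths are
# parameters (defaulting to the real system files) so the functions can
# also be run against copies or constructed test files.

# Count how many times "fips=1" appears in a file; 0 if the file is absent.
count_fips_arg() {
    _file="$1"
    [ -r "$_file" ] || { echo 0; return 0; }
    grep -o 'fips=1' "$_file" | wc -l | tr -d ' '
}

# Print one summary line, then a verdict:
#   stale  - /etc/default/grub still carries fips=1 (the next grub2-mkconfig
#            would write it back) or grub.cfg does (the next boot would use it)
#   active - nothing is persisted, but the running kernel booted with fips=1,
#            so it stays in FIPS mode until the next reboot
#   clean  - nothing persisted and the running kernel reports 0
fips_audit() {
    _sysctl="${1:-/proc/sys/crypto/fips_enabled}"
    _cmdline="${2:-/proc/cmdline}"
    _default="${3:-/etc/default/grub}"
    _cfg="${4:-/boot/grub2/grub.cfg}"

    _running=$(cat "$_sysctl" 2>/dev/null || echo unknown)
    _cmd=$(count_fips_arg "$_cmdline")
    _def=$(count_fips_arg "$_default")
    _gcfg=$(count_fips_arg "$_cfg")

    echo "fips_enabled=$_running cmdline=$_cmd default_grub=$_def grub_cfg=$_gcfg"
    if [ "$_def" -gt 0 ] || [ "$_gcfg" -gt 0 ]; then
        echo stale
    elif [ "$_running" = 1 ] || [ "$_cmd" -gt 0 ]; then
        echo active
    else
        echo clean
    fi
}

# Run against the live system when executed directly; arguments override paths.
fips_audit "$@"
```

A "stale" verdict right after running the grubby and sed commands is the case worth looking at, since it means one of the two files was not actually updated.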