Problems Disabling FIPS on RHEL 7
Following STEPS 4 and 5 only of the procedures in the linked document below, I have a few systems (but NOT all of them) still indicating that FIPS is enabled.
The customer does not want us to remove the dracut-fips package(s) so we're trying to only disable FIPS. We're basically having to run the following commands, then reboot, but we have to run the commands and reboot TWICE to get the FIPS enabled check to show a status of 0 (zero).
grubby --update-kernel=ALL --remove-args=fips=1
sed -i 's/ fips=1//' /etc/default/grub
Granted, we don't need to run the sed command again.
The instructions indicate to simply reboot. Why do we need to reboot twice to show a disabled state?
https://access.redhat.com/solutions/2422061
Any ideas why that may be?
Also, if there's a fips=1 should there not be a fips=0 option that would work too? I see no mention of that online, unless I missed it.
Thanks for your ideas.
Chris
Responses
Hi,
At some point in the past, disabling FIPS by setting "fips=0" could cause the system to panic.
Otherwise, I think it is a valid option.
I use Red Hat's procedure regularly and never had a problem with it.
Did you have any errors when running the commands as per Red Hat's instructions?
Regards,
Dusan Baljevic (amateur radio VK2COT)
Hi Chris,
This step is not required for disabling FIPS.
I just reconfirmed it on a VM running 3.10.0-862.3.2.el7.x86_64.
In short, this was sufficient (I did not even bother with preserving initramfs as this is a test system):
yum remove dracut-fips\*
dracut --force
grubby --update-kernel=ALL --remove-args=fips=1
sed -i 's/ fips=1//' /etc/default/grub
Regards,
Dusan Baljevic (amateur radio VK2COT)
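A read-only check of the places where a fips=1 setting can persist across a reboot, as an added example that is not part of the original thread. The function names are hypothetical, and /proc/sys/crypto/fips_enabled is assumed to be the "FIPS enabled check" the question refers to; the optional arguments let the check run against saved copies of the files.

```sh
#!/bin/sh
# Added example (not from the thread): read-only report of where fips=1 persists.

# has_fips_arg FILE: succeeds when FILE holds fips=1 as a whole kernel argument.
has_fips_arg() {
    [ -r "$1" ] && grep -Eq '(^|[[:space:]"])fips=1([[:space:]"]|$)' "$1"
}

# fips_report [FLAG] [CMDLINE] [DEFAULT_GRUB] [GRUBBY_DUMP]
# Defaults read the live system; pass paths to inspect saved copies instead.
# Prints one line per location and returns how many still indicate FIPS.
fips_report() {
    flag=${1:-/proc/sys/crypto/fips_enabled}
    cmdline=${2:-/proc/cmdline}
    defgrub=${3:-/etc/default/grub}
    dump=${4:-}
    tmp=
    stale=0

    # No dump supplied: capture every boot entry from grubby (needs root).
    if [ -z "$dump" ] && command -v grubby >/dev/null 2>&1; then
        tmp=$(mktemp)
        grubby --info=ALL >"$tmp" 2>/dev/null || true
        dump=$tmp
    fi

    # What the running kernel reports (assumed to be the question's status check).
    if [ "$(cat "$flag" 2>/dev/null)" = "1" ]; then
        echo "running kernel: fips_enabled=1"
        stale=$((stale + 1))
    else
        echo "running kernel: fips_enabled is not 1"
    fi

    for entry in "booted cmdline:$cmdline" "grub defaults:$defgrub" "boot entries:$dump"; do
        label=${entry%%:*}
        file=${entry#*:}
        [ -n "$file" ] || continue
        if has_fips_arg "$file"; then
            echo "$label: fips=1 present"
            stale=$((stale + 1))
        else
            echo "$label: fips=1 absent"
        fi
    done

    if [ -n "$tmp" ]; then rm -f "$tmp"; fi
    return "$stale"
}
```

After sourcing the file, run fips_report as root before and after each reboot; a return value of 0 means none of the checked locations still indicates FIPS.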
