FIPS-140 dracut-fips-aesni not in an .iso downloadable format

Comments

This is pretty weak of RedHat.
- If you want to run in FIPS 140-2 mode in RHEL6 or RHEL7, you (optionally) install dracut-fips-aesni rpm, which is only available via a subscription channel (not via an .iso). "AES New Instructions (AES-NI)"

There are a ton of non-Internet connected hosts in the world that are running FIPS 140-2 mode. They are built by .iso. They'll never hook to an Internet-based rpm channel. They'll only install the non-HW-optimized dracut-fips rpm.

The customers most likely to really use FIPS 140-2 mode will never install the dracut-fips-aesni rpm. So, aesni HW commands on tons of chips will never be used.

Maybe RedHat should at least crank out a security .iso, if they want for some reason to keep their optional channel under the subscription lock. Solution 260203 is also weak.

Started 2019-03-15T13:00:03+00:00 by

Scott Packard

Active Contributor 155 points

Select Your Language

FIPS-140 dracut-fips-aesni not in an .iso downloadable format

Responses

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Responses

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links