Chapter 8. Federal Standards and Regulations
8.1. Federal Information Processing Standard (FIPS)
8.1.1. Enabling FIPS Mode
During the System Installation
To enable FIPS mode during the installation, add the fips=1 kernel option to the kernel command line. With this option, all key generation is done with FIPS-approved algorithms and the continuous self-tests are in place. After the installation, the system is configured to boot into FIPS mode automatically.
After the System Installation
- Install the dracut-fips package:
  yum install dracut-fips
  For CPUs with AES New Instructions (AES-NI) support, install the dracut-fips-aesni package as well:
  yum install dracut-fips-aesni
- Regenerate the initramfs file. To enable the in-module integrity verification and to have all required modules present during the kernel boot, the initramfs file has to be regenerated:
  dracut -v -f
  Warning: This operation overwrites the existing initramfs file of the running kernel.
- Modify the boot loader configuration. To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If your /boot or /boot/EFI partitions reside on separate partitions, add the boot=<partition> parameter (where <partition> stands for /boot or /boot/EFI) to the kernel command line as well.
  To identify the boot partition, enter the following command:
  df /boot
  Filesystem 1K-blocks Used Available Use% Mounted on
  /dev/sda1 495844 53780 416464 12% /boot
  To ensure that the boot= configuration option works even if the device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:
  blkid /dev/sda1
  /dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
  Append the UUID to the kernel command line:
  boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
  Depending on your boot loader, make the following changes:
  - GRUB 2: Add the fips=1 and boot=<partition of /boot or /boot/EFI> options to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. To apply the changes to /etc/default/grub, rebuild the grub.cfg file as follows:
    - On BIOS-based machines, enter the following command as root:
      grub2-mkconfig -o /etc/grub2.cfg
    - On UEFI-based machines, enter the following command as root:
      grub2-mkconfig -o /etc/grub2-efi.cfg
  - zipl (on the IBM z Systems architecture only): Add the fips=1 and boot=<partition of /boot> options to the kernel command line in /etc/zipl.conf and apply the changes by running zipl as root.
- Make sure prelinking is disabled. For proper operation of the in-module integrity verification, prelinking of libraries and binaries has to be disabled. Prelinking is done by the prelink package, which is not installed by default; if prelink has not been installed, this step is not needed. To disable prelinking, set the PRELINKING=no option in the /etc/sysconfig/prelink configuration file. To undo existing prelinking on all system files, use the prelink -u -a command.
- Reboot your system. After the reboot, confirm that the kernel is running in FIPS mode: cat /proc/sys/crypto/fips_enabled must print 1. If it prints 0, the fips=1 option (or the boot= option on systems with a separate /boot partition) did not reach the kernel command line; check /proc/cmdline.
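The whole post-installation procedure above, collected into one script as an added example (it is not part of the original guide and not Red Hat's tooling). It assumes a RHEL 7 system with yum, dracut, grub2-mkconfig, blkid, findmnt and mountpoint available; the file name enable-fips.sh and the apply/verify subcommands are this example's own choice. Run "sh enable-fips.sh apply" as root, reboot, then "sh enable-fips.sh verify"; without an argument the script only defines its functions, so it can be sourced and the pure helpers exercised on temporary files.

```shell
#!/bin/sh
# Added example (not from the original guide): enable FIPS mode on an installed
# RHEL 7 system following the steps in this section. Assumes yum, dracut,
# grub2-mkconfig, blkid, findmnt and mountpoint exist. The apply/verify
# subcommands and the file name enable-fips.sh are this example's assumptions.

# Print the UUID of the filesystem holding /boot (or /boot/efi), or nothing
# when /boot is not a separate filesystem; then no boot= option is needed.
fips_boot_uuid() {
    for mp in /boot /boot/efi; do
        if mountpoint -q "$mp"; then
            blkid -s UUID -o value "$(findmnt -no SOURCE "$mp")"
            return 0
        fi
    done
    return 0
}

# Choose the grub.cfg symlink for the firmware type (BIOS vs UEFI) as the guide
# does. The optional argument lets the choice be tested without real firmware.
fips_grub_cfg_path() {
    if [ -d "${1:-/sys/firmware/efi}" ]; then
        echo /etc/grub2-efi.cfg
    else
        echo /etc/grub2.cfg
    fi
}

# Add fips=1 (and boot=UUID=... when a UUID is given) to GRUB_CMDLINE_LINUX in
# an /etc/default/grub-style file. Idempotent: an option whose key is already
# present is left alone; a missing GRUB_CMDLINE_LINUX line is created.
fips_add_cmdline_opts() {
    file=$1
    opts="fips=1"
    [ -n "$2" ] && opts="$opts boot=UUID=$2"
    tmp=$(mktemp)
    awk -v add="$opts" '
        /^GRUB_CMDLINE_LINUX=/ && !done {
            n = split(add, want, " ")
            for (i = 1; i <= n; i++) {
                key = want[i]; sub(/=.*/, "=", key)          # "fips=" or "boot="
                if ($0 !~ ("[\" ]" key)) {
                    q = sub(/"[ \t]*$/, "", $0) ? "\"" : ""   # strip closing quote
                    sep = ($0 ~ /="?$/) ? "" : " "             # value was empty?
                    $0 = $0 sep want[i] q
                }
            }
            done = 1
        }
        { print }
        END { if (!done) print "GRUB_CMDLINE_LINUX=\"" add "\"" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps mode and owner
    rm -f "$tmp"
}

# Disable prelinking, which breaks the in-module integrity check. Only relevant
# when the prelink package (and so its config file) is installed.
fips_disable_prelink() {
    conf=${1:-/etc/sysconfig/prelink}
    [ -f "$conf" ] || return 0
    if grep -q '^PRELINKING=' "$conf"; then
        sed -i 's/^PRELINKING=.*/PRELINKING=no/' "$conf"
    else
        echo 'PRELINKING=no' >> "$conf"
    fi
    if command -v prelink >/dev/null 2>&1; then
        prelink -u -a                      # undo prelinking already applied
    fi
    return 0
}

# Succeed only if the running kernel reports FIPS mode (fips_enabled == 1).
fips_verify() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

fips_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    yum -y install dracut-fips
    if grep -qw aes /proc/cpuinfo; then     # CPU advertises AES-NI
        yum -y install dracut-fips-aesni
    fi
    dracut -v -f                             # overwrites the current initramfs
    fips_add_cmdline_opts /etc/default/grub "$(fips_boot_uuid)"
    grub2-mkconfig -o "$(fips_grub_cfg_path)"
    fips_disable_prelink /etc/sysconfig/prelink
    echo "Done. Reboot, then run: $0 verify"
}

case "${1:-}" in
    apply)  fips_apply ;;
    verify) if fips_verify; then echo "FIPS mode: enabled"
            else echo "FIPS mode: NOT enabled" >&2; exit 1; fi ;;
esac
```

The only step that cannot be made idempotent is dracut -v -f, which always rewrites the initramfs; everything else can be re-run safely, and the editor refuses to add a second fips= or boot= entry to a line that already carries one. The zipl variant is not covered: on IBM z Systems edit /etc/zipl.conf by hand as described above.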
Enabling FIPS Mode in a Container
A container runs in FIPS mode only when both of the following conditions are met:
- The dracut-fips package is installed in the container.
- The /etc/system-fips file is mounted on the container from the host.