Configuring FIPS on Fedora
From Dogtag
Overview
This page describes the process to enable FIPS mode on Fedora 28.
WARNING: Make sure the system is backed up. This procedure may render the system unusable.
Prerequisites
Install FIPS packages:
$ dnf install dracut-fips
Enabling FIPS Mode
Recreate the initramfs file:
$ dracut -f
Optionally, inspect the kernel command line dracut generated and the dracut configuration in use:
$ dracut --print-cmdline
rd.lvm.lv=vg_root/lv_swap rd.lvm.lv=vg_root/lv_root resume=/dev/mapper/vg_root-lv_swap root=/dev/mapper/vg_root-lv_root rootfstype=ext4 rootflags=rw,relatime,seclabel,data=ordered
$ egrep -R . /{etc,lib}/dracut.conf*
/etc/dracut.conf:# PUT YOUR CONFIG IN separate files
/etc/dracut.conf:# in /etc/dracut.conf.d named "<name>.conf"
/etc/dracut.conf:# SEE man dracut.conf(5) for options
Enable FIPS in /etc/default/grub:
GRUB_CMDLINE_LINUX="... fips=1"
If /boot resides on a separate partition, find the UUID of that partition:
$ df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/vda1         243823 137045     93978  60% /boot
$ blkid /dev/vda1
/dev/vda1: UUID="ac6e6fb6-7336-49fe-a76a-01db03186919" TYPE="ext3" PARTUUID="c2dbf6db-01"
Specify the UUID in /etc/default/grub:
GRUB_CMDLINE_LINUX="... fips=1 boot=UUID=ac6e6fb6-7336-49fe-a76a-01db03186919"
Regenerate grub.cfg:
$ grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot the system:
$ reboot
Verification
Verify that the system is running in FIPS mode with the following command:
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
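As an added example that is not part of the Dogtag wiki page, the following POSIX shell functions check that a kernel command line matches the steps above (fips=1 present, and boot=UUID=... present whenever /boot is a separate partition) and that crypto.fips_enabled reports 1 after the reboot. The function names are assumptions; boot_is_separate relies on findmnt from util-linux.

```shell
#!/bin/sh
# Added example, not from the Dogtag wiki: consistency checks for the
# FIPS procedure above. Function names are this example's own.

# check_fips_cmdline CMDLINE BOOT_SEPARATE
#   CMDLINE       - the GRUB_CMDLINE_LINUX value or /proc/cmdline contents
#   BOOT_SEPARATE - "yes" when /boot is its own partition, otherwise "no"
# Returns 0 when consistent, 1 when fips=1 is missing, and 2 when /boot
# is separate but no boot=UUID=... parameter was given (dracut-fips then
# cannot find the kernel's HMAC file at boot).
check_fips_cmdline() {
    cmdline=$1
    boot_separate=$2
    case " $cmdline " in
        *" fips=1 "*) ;;
        *) return 1 ;;
    esac
    if [ "$boot_separate" = yes ]; then
        case " $cmdline " in
            *" boot=UUID="*) ;;
            *) return 2 ;;
        esac
    fi
    return 0
}

# check_fips_enabled [FILE]
# Reads crypto.fips_enabled from the sysctl file (default
# /proc/sys/crypto/fips_enabled); returns 0 only when its value is 1.
check_fips_enabled() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# boot_is_separate: prints "yes" when /boot is a mount point of its own.
boot_is_separate() {
    if findmnt -n /boot >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Live usage on a rebooted system (reads the real command line):
# check_fips_cmdline "$(cat /proc/cmdline)" "$(boot_is_separate)" \
#     && check_fips_enabled && echo "FIPS mode consistent"
```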