Configuring FIPS on Fedora

From Dogtag
Jump to: navigation, search

Overview

This page describes the process to enable FIPS mode on Fedora.

WARNING: Make sure the system is backed up. This procedure may render the system unusable.

Prerequisites

Install FIPS packages:

$ dnf install dracut-fips

Enabling FIPS Mode

Recreate initramfs file:

$ dracut -f
$ dracut --print-cmdline
rd.lvm.lv=vg_root/lv_swap 
rd.lvm.lv=vg_root/lv_root 
resume=/dev/mapper/vg_root-lv_swap root=/dev/mapper/vg_root-lv_root rootfstype=ext4 rootflags=rw,relatime,seclabel,data=ordered
$ egrep -R . /{etc,lib}/dracut.conf*
/etc/dracut.conf:# PUT YOUR CONFIG IN separate files
/etc/dracut.conf:# in /etc/dracut.conf.d named "<name>.conf"
/etc/dracut.conf:# SEE man dracut.conf(5) for options

Enable FIPS in /etc/default/grub:

GRUB_CMDLINE_LINUX="... fips=1"

If /boot reside on separate partition, find the partition UUID:

$ df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/vda1         243823 137045     93978  60% /boot
$ blkid /dev/vda1
/dev/vda1: UUID="ac6e6fb6-7336-49fe-a76a-01db03186919" TYPE="ext3" PARTUUID="c2dbf6db-01"

Specify the UUID in /etc/default/grub:

GRUB_CMDLINE_LINUX="... fips=1 boot=UUID=ac6e6fb6-7336-49fe-a76a-01db03186919"

Regenerate grub.cfg:

$ grub2-mkconfig -o /boot/grub2/grub.cfg

Reboot the system:

$ reboot

Verification

Verify that the system is running in FIPS mode with the following command:

$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1

References