FIPS stands for “Federal Information Processing Standards.” It’s a set of government standards that define how certain things are used in the government, for example encryption algorithms. FIPS defines certain specific encryption methods that can be used, as well as methods for generating encryption keys. It’s published by the National Institute of Standards and Technology, or NIST. FIPS mode is stupid.
Install the dracut-fips package:
yum install dracut-fips
For CPUs with AES New Instructions (AES-NI) support, install the dracut-fips-aesni package as well:
yum install dracut-fips-aesni
Regenerate the initramfs file:
dracut -v -f
Find the UUID of the partition that holds /boot (here /dev/sda1):
blkid /dev/sda1
/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
Append fips=1 together with the boot= argument carrying that UUID to the kernel command line (the GRUB_CMDLINE_LINUX line in /etc/default/grub):
fips=1 boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
On BIOS-based machines, enter the following command as root:
grub2-mkconfig -o /etc/grub2.cfg
On UEFI-based machines, enter the following command as root:
grub2-mkconfig -o /etc/grub2-efi.cfg
For proper operation of the in-module integrity verification, prelinking of libraries and binaries has to be disabled. Prelinking is done by the prelink package, which is not installed by default. Unless prelink has been installed, this step is not needed. To disable prelinking, set the PRELINKING=no option in the /etc/sysconfig/prelink configuration file. To disable existing prelinking on all system files, use the prelink -u -a command.
Reboot the system:
reboot
Verify that FIPS mode is enabled:
sysctl crypto
This should return crypto.fips_enabled = 1
A container can be switched to FIPS 140-2 mode if the host is also set in FIPS 140-2 mode and one of the following requirements is met:
- The dracut-fips package is installed in the container.
- The /etc/system-fips file is mounted on the container from the host.
To disable FIPS mode again, remove the dracut-fips packages, rebuild the initramfs without them, and strip fips=1 from the kernel command line:
yum remove dracut-fips*
mv -v /boot/initramfs-$(uname -r).img{,.FIPS-bak}
dracut
grubby --update-kernel=ALL --remove-args=fips=1
[[ -f /etc/default/grub ]] && sed -i 's/ fips=1//' /etc/default/grub
Reboot and check again:
reboot
sysctl crypto.fips_enabled
This should now return 0
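As an added check (example code, not from the original gist), a small bash audit that reduces the kernel command line, the crypto.fips_enabled sysctl and the dracut-fips package state to one verdict, so a host where only some of the steps above were applied is caught before it is trusted as a FIPS host. The verdict words and the "none" placeholder are my own naming.

```bash
#!/bin/bash
# Added FIPS state audit (example code, not from the original gist): it
# cross-checks the crypto.fips_enabled sysctl, the fips=1 / boot=UUID=
# kernel arguments and the dracut-fips package, so that a half-applied
# procedure is reported instead of the host being trusted as FIPS.

# Print "yes" if the kernel command line carries fips=1, else "no".
cmdline_has_fips() {
    case " $1 " in
        *" fips=1 "*) echo yes ;;
        *)            echo no ;;
    esac
}
# Print the UUID from a boot=UUID=<uuid> argument; fail if it is absent.
cmdline_boot_uuid() {
    local arg
    for arg in $1; do
        case "$arg" in
            boot=UUID=*) echo "${arg#boot=UUID=}"; return 0 ;;
        esac
    done
    return 1
}
# Reduce sysctl value ($1), kernel command line ($2) and dracut-fips
# presence ($3: yes/no) to one verdict word.
fips_verdict() {
    local enabled=$1 cmdline=$2 pkg=$3 wants
    wants=$(cmdline_has_fips "$cmdline")
    if [ "$enabled" = 1 ] && [ "$wants" = yes ]; then
        echo enabled
    elif [ "$enabled" != 1 ] && [ "$wants" = no ]; then
        echo disabled
    elif [ "$wants" = yes ] && [ "$pkg" = no ]; then
        echo inconsistent-missing-dracut-fips  # fips=1 set, FIPS module never built into initramfs
    else
        echo inconsistent  # e.g. fips=1 present but initramfs or GRUB config not regenerated
    fi
}
# Live audit of this host; reads are guarded so it also runs on non-RHEL
# systems and inside containers that lack /proc/sys/crypto or rpm.
audit_host() {
    local enabled cmdline pkg=no
    enabled=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    command -v rpm >/dev/null 2>&1 && rpm -q dracut-fips >/dev/null 2>&1 && pkg=yes
    printf 'fips_enabled=%s boot_uuid=%s verdict=%s\n' "$enabled" \
        "$(cmdline_boot_uuid "$cmdline" || echo none)" "$(fips_verdict "$enabled" "$cmdline" "$pkg")"
}
audit_host
```

Run it on the host after the reboot in either procedure; anything other than a clean "enabled" or "disabled" verdict points at the initramfs or GRUB step that was skipped.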
Hi @jfeilbach,
Thanks for posting this.
Would you happen to know how I can disable FIPS mode from within a container?
I'm running into an issue where my production image hits this FIPS error:
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
A 3rd party library is calling the MD5 library without usedforsecurity=False. I wanted a solution that didn't require monkey patching the library. If there's something I can do at the container level, that would be great.
The container is running on a 3rd party CI/CD pipeline, so I don't have access to the host either.
Hopefully, I don't have to use a whole different base image.
Thank you for your time :)