Activate FIPS in Kickstart

I’m having trouble activating FIPS via the Kickstart file.

The line is: bootloader --location=mbr --boot-drive=$DEV --append "fips=1".

The $DEV device has three partitions, one of which is mounted on /boot.

After installation, the machine does not boot.

I received the following error:

GRUB Config:

When I manually add the device where /boot is mounted, it works.

How can I put this in the Kickstart file?

I was looking at this for AlmaLinux 10 (so it should work with Rocky 10 too, I guess) and it seems you need to specify the UUID of the /boot partition in the kernel options. So this is what I did (STIG hardening) in the kickstart for my AlmaLinux install:
The Bootloader line (also have a --password line in there but not shared here):

bootloader --iscrypted --append="fips=1 pti=on vsyscall=none page_poison=1 slub_debug=P audit=1 audit_backlog_limit=8192"

And then at the end of the %post section, the hardening + adding the UUID of the /boot partition:

#Harden with OpenSCAP
oscap xccdf eval --remediate --results-arf /root/oscap_arf.xml --report /root/oscap_report.html --profile 'xccdf_org.ssgproject.content_profile_stig' /usr/share/xml/scap/ssg/content/ssg-almalinux10-ds.xml
[ $? -eq 0 -o $? -eq 2 ] || exit 1

#Enable FIPS:
grubby --update-kernel=ALL --args="boot=UUID=$(findmnt /boot -no UUID)"
update-crypto-policies --set FIPS
touch /etc/system-fips
kernel-install add $(uname -r) /lib/modules/$(uname -r)/vmlinuz && dracut -f

After the kickstart finished and I logged in, I see:

[root@alma10test ~]# cat /proc/cmdline
BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.12.0-55.9.1.el10_0.x86_64 root=/dev/mapper/vg0-root ro fips=1 pti=on vsyscall=none page_poison=1 slub_debug=P audit=1 audit_backlog_limit=8192 resume=UUID=b1bedd12-da48-4d41-8d05-9333c118cd79 rd.lvm.lv=vg0/root rd.lvm.lv=vg0/swap rd.lvm.lv=vg0/usr rd.shell=0 boot=UUID=42f19c03-3a7a-4b3e-af9d-3c641ec550e2
[root@alma10test ~]# cat /proc/sys/crypto/fips_enabled
1
[root@alma10test ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[root@alma10test ~]# update-crypto-policies --show
FIPS

Good luck!
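The failure described in the question (the installed system not booting because the boot= argument was missing) is easiest to catch with a check of the installed system's kernel command line after first boot. The function below is an added example, not code from this thread; it assumes /proc/cmdline, findmnt and /proc/sys/crypto/fips_enabled behave as shown in the output above, and it takes the command line and the expected /boot UUID as parameters so it can also be run against a saved copy.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the two kernel arguments the
# replies rely on, fips=1 and boot=UUID=<uuid of /boot>, are both present.
# check_fips_cmdline CMDLINE BOOT_UUID
#   returns 0 when both arguments are present, otherwise reports what is
#   missing on stderr and returns 1.
check_fips_cmdline() {
    cmdline="$1"
    boot_uuid="$2"
    have_fips=0
    have_boot=0
    missing=""
    # Walk the space-separated arguments; the case patterns match literally.
    for arg in $cmdline; do
        case "$arg" in
            fips=1) have_fips=1 ;;
            boot=UUID="$boot_uuid") have_boot=1 ;;
        esac
    done
    [ "$have_fips" -eq 1 ] || missing="$missing fips=1"
    [ "$have_boot" -eq 1 ] || missing="$missing boot=UUID=$boot_uuid"
    if [ -n "$missing" ]; then
        echo "kernel cmdline is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Live check on the installed system: read the UUID of whatever is mounted on
# /boot (as the grubby line in the reply does), compare it with the running
# kernel's command line, and confirm the kernel actually came up in FIPS mode.
# Run this after first boot, not inside %post, because /proc/cmdline in %post
# is the installer's command line rather than the installed system's.
check_running_system() {
    uuid="$(findmnt /boot -no UUID)" || return 1
    check_fips_cmdline "$(cat /proc/cmdline)" "$uuid" || return 1
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}
```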

Thank you for your answer. When I added the boot device to the kernel parameters, it booted, but I have the problem that FIPS is not enabled correctly. It says that the installation of FIPS modules is incomplete.

I added the following line to the %post area:

fips-mode-setup --enable

It automatically adds the boot partition as a kernel parameter, and I don’t receive any messages indicating that the modules are incomplete.

Does this have any effect on FIPS? Should I enable it another way?

This works fine for Rocky 8 and 9, however that command doesn’t exist in RHEL10/Rocky10. Using fips=1 when booting from grub or in kickstart will be the only way for the future.

Will there be any problems when I migrate to Rocky 10?

For example, will I need to re-enable or modify GRUB?

In theory no, there shouldn’t be any problems. But then, Rocky and the Rocky team do not support upgrades. It’s usually recommended to reinstall the system and restore data/apps using things like ansible to configure/reconfigure the server.

There is the elevate project which allows upgrading Rocky, but again, there is no support for it if things go wrong. Even RHEL with leapp doesn't guarantee that all systems can be upgraded, even if you have a purchased support contract. In most cases it should work, but there are sometimes situations when it doesn't.
