Enable FIPS mode on RockyRPI/Raspberry pi4

FrancescoC · August 7, 2022, 9:48am

Hello,
i just installed rocky 8.6 on a Raspberry pi4, with the image downloaded from the website.

[root@fipsTEST fips]# cat /etc/os-release 
NAME="Rocky Linux"
VERSION="8.6 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.6"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.6 (Green Obsidian)"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky Linux"
ROCKY_SUPPORT_PRODUCT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8"

I need to activate FIPS mode.
I executed the command fips-mode-setup --enable, and everything seems ok.

[root@fipsTEST fips]# fips-mode-setup --enable
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
The grubby command is missing, please configure the bootloader manually.
FIPS mode will be enabled.
Now you need to configure the bootloader to add kernel options "fips=1 boot=UUID=6A67-933C"
and reboot the system for the setting to take effect.

I added fips=1 in the cmdline.txt file in the boot partition, and it seems that the parameters are correctly passed to the kernel.

[root@fipsTEST fips]# cat /proc/cmdline
coherent_pool=1M 8250.nr_uarts=0 snd_bcm2835.enable_compat_alsa=0 snd_bcm2835.enable_hdmi=1 bcm2708_fb.fbwidth=0 bcm2708_fb.fbheight=0 bcm2708_fb.fbswap=1 smsc95xx.macaddr=DC:A6:32:40:40:86 vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000  console=ttyAMA0,115200 console=tty1 root=PARTUUID=0ed6aa64-03 rootfstype=ext4 elevator=deadline rootwait fips=1 boot=UUID=6A67-933C

But if i run the command fips-mode-setup --check, i get the following:

[root@fipsTEST fips]# fips-mode-setup --check
cat: /proc/sys/crypto/fips_enabled: No such file or directory
FIPS mode is .

Am I skipping any steps?
Thank you

FrancescoC · August 7, 2022, 10:17pm

Digging deeper, it seems that the parameter fips=1 is not accepted by the kernel.
This is from dmesg:

[    0.000000] Unknown kernel command line parameters "fips=1 boot=UUID=6A67-933C", will be passed to user space.

nazunalika · August 8, 2022, 12:03am

Hey there. According to one of our other Release Engineers (who works on providing the raspberrypi kernels), this is what he said:

I have a feeling that fips mode is included into the kernel by a patch that red hat only provides, not upstream. So I don’t think we’re porting it to the pi kernels (or if we can).
Now if it works with the generic kernels, we might be missing a config option, and that would be easier to fix.

He’ll likely investigate a bit and maybe we’ll have updates to pass through our repos in the future.

FrancescoC · August 8, 2022, 9:36pm

Hi nazunalika, thank you very much for the clarification.

Topic		Replies	Views
FIPS mode not working - RockyLinux 8.5 Rocky Linux General	4	2367	August 25, 2023
How to enable secure boot on Rocky 8.5 Rocky Linux General	4	3401	August 25, 2023
Rocky Linux 8.5 UEFI Install Issue Rocky Linux General	13	6990	August 25, 2023
Error installing Rocky 8.4 on macbook pro Rocky Linux General	10	5293	April 18, 2023
How to install ZFS on rocky 8.6 minimal Rocky Linux General	5	1832	August 25, 2023

Enable FIPS mode on RockyRPI/Raspberry pi4

Related Topics