Hello,
I just installed RockyLinux 8.5, using the minimal install with no added modules.
I proceeded to execute
fips-mode-setup --enable
and rebooted.
Upon reboot, I executed
fips-mode-setup --check
FIPS mode is disabled.
As can be seen it is disabled.
Verified that dracut-fips was installed. After this I ran dracut -f and executed fips-mode-setup --enable.
Still same result.
/etc/default/grub.conf is showing
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rl_fips-swap rd.lvm.lv=rl_fips/root rd.lvm.lv=rl_fips/swap rhgb quiet fips=1 boot=UUID=84799eb8-6702-47da-ab00-887c6ea9ccf2"
Not sure if additional packages need to be installed for this to work.
Any guidance will be deeply appreciated.
FIPS mode seems to be working here. All you need is dracut-fips and crypto-policies-scripts
[root@idp ~]# fips-mode-setup --enable
Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
[root@idp ~]# uptime
17:41:01 up 6 min, 2 users, load average: 3.55, 2.53, 1.21
[root@idp ~]# fips-
fips-finish-install fips-mode-setup
[root@idp ~]# fips-mode-setup --check
FIPS mode is enabled.
[root@idp ~]# cat /proc/cmdline
BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-348.el8.0.2.x86_64 root=/dev/mapper/rockyvg-root ro crashkernel=auto resume=/dev/mapper/rockyvg-swap rd.lvm.lv=rockyvg/root rd.lvm.lv=rockyvg/swap rhgb quiet audit=1 fips=1 boot=UUID=03476030-bbbb-4f18-a002-0481f600b1d4
In my case, after performing the same tasks, it is still not working. Checked dracut-fips is installed, as is crypto-policies-scripts. Re-ran fips-mode-setup --enable, rebooted. This is the end result
[root@fips ~]# uptime
19:40:57 up 2:35, 1 user, load average: 0.04, 0.01, 0.00
[root@fips ~]# fips-mode-setup --check
FIPS mode is disabled.
[root@fips ~]# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-4.18.0-348.el8.0.2.x86_64 root=/dev/mapper/rl_fips-root ro crashkernel=auto resume=/dev/mapper/rl_fips-swap rd.lvm.lv=rl_fips/root rd.lvm.lv=rl_fips/swap rhgb quiet
[root@fips ~]#
This although /etc/default/grub.conf states
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rl_fips-swap rd.lvm.lv=rl_fips/root rd.lvm.lv=rl_fips/swap rhgb quiet fips=1 boot=UUID=84799eb8-6702-47da-ab00-887c6ea9ccf2"
So while GRUB_CMDLINE_LINUX is calling for FIPS mode, the command line being passed during boot does not have it.
Resolved. Recreated grub.cfg manually with the command
grub2-mkconfig -o /boot/grub2/grub.cfg
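The mismatch the last two posts describe (fips=1 present in GRUB_CMDLINE_LINUX but missing from /proc/cmdline, because grub.cfg was never regenerated) can be detected with a short script. This is an added example, not from the thread or the Rocky project; it assumes the conventional double-quoted GRUB_CMDLINE_LINUX value and uses the values quoted in the thread as constructed sample input.

```shell
#!/bin/sh
# Compare the kernel parameters GRUB is configured to pass (GRUB_CMDLINE_LINUX
# in /etc/default/grub) with what the running kernel actually received
# (/proc/cmdline). Anything configured but absent at runtime means grub.cfg
# is stale and must be regenerated before fips=1 can take effect.

# Print the value of GRUB_CMDLINE_LINUX from a grub defaults file on stdin.
# Assumption: the value uses the conventional double quotes.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX=//p' | tr -d '"'
}

# Print, space-separated, every parameter of $1 (configured command line) that
# does not occur as a whole word in $2 (live kernel command line).
# Returns 0 when nothing is missing, 1 otherwise.
missing_params() {
    _live=" $2 "
    _missing=""
    for _p in $1; do
        case "$_live" in
            *" $_p "*) ;;
            *) _missing="${_missing:+$_missing }$_p" ;;
        esac
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Check the real system: /etc/default/grub versus /proc/cmdline.
check_live_system() {
    missing_params "$(grub_cmdline < /etc/default/grub)" "$(cat /proc/cmdline)"
}

# Constructed sample mirroring the file contents and boot line quoted above.
SAMPLE_GRUB='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rl_fips-swap rd.lvm.lv=rl_fips/root rd.lvm.lv=rl_fips/swap rhgb quiet fips=1 boot=UUID=84799eb8-6702-47da-ab00-887c6ea9ccf2"'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-4.18.0-348.el8.0.2.x86_64 root=/dev/mapper/rl_fips-root ro crashkernel=auto resume=/dev/mapper/rl_fips-swap rd.lvm.lv=rl_fips/root rd.lvm.lv=rl_fips/swap rhgb quiet'

if missing="$(missing_params "$(printf '%s\n' "$SAMPLE_GRUB" | grub_cmdline)" "$SAMPLE_CMDLINE")"; then
    echo "kernel command line matches GRUB_CMDLINE_LINUX"
else
    echo "configured but not passed at boot: $missing"
    echo "regenerate with: grub2-mkconfig -o /boot/grub2/grub.cfg, then reboot"
fi
```

Replace the sample with check_live_system on a real host; a non-zero exit lists the parameters grub.cfg dropped, which is exactly the fips=1 / boot=UUID pair seen in this thread.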