Draft: fips-mode-setup: Remove
NOTE: I don't intend to merge this into master right now. This is just here so I can start development on master and cherry-pick this change into rhel10.
The `fips-mode-setup` script was added to simplify switching to FIPS mode consistently, because this operation required adjusting multiple different knobs: the kernel command line needed `fips=1` added, the `fips` dracut initramfs module needed to be enabled, and the crypto-policy needed to switch to `FIPS`.
Because there were multiple things to adjust and they could be out of sync, `fips-mode-setup` also offered `--check` to verify their consistency. This well-intentioned feature caused user experience problems, because numerous people attempted to disable FIPS mode using `fips-mode-setup --disable` and were surprised that `--check` reported an inconsistent state (because the unsupported `--disable` operation would not undo changes to the initramfs, which are risky and might leave the system unbootable).
Additionally, `fips-mode-setup` by definition is used after installing a system, but several components may have already made decisions based on FIPS mode at that point. For example, cryptsetup defaults to Argon2 as key-derivation function and uses PBKDF2 in FIPS mode. Installing a system with LUKS disk encryption and switching it to FIPS mode could thus render it unbootable if Argon2 is the only keyslot and Argon2 use is blocked. Because of these cases, switching into FIPS mode should only be done at install time using the kernel command line argument `fips=1`, and the existence of `fips-mode-setup` provides an option that is neither safe nor recommended.
Instead, we have worked across multiple involved components to make `fips=1` on the kernel command line (and its run-time representation of `1` in `/proc/sys/crypto/fips_enabled`) the de-facto switch to move a system into FIPS mode, and made all related changes either obsolete or automatic:
- The initramfs now contains the dracut `fips` module unconditionally. This change is also helpful for unified kernel images, where adding initramfs modules requires re-signing.
- The crypto-policy is automatically switched to `FIPS` using two bind-mounts if the system is in FIPS mode, but the crypto-policy is not. This is implemented once in dracut 1, and once in `fips-crypto-policy-overlay.service` in this repository. The former should be the standard case, but the latter may be required in containers that run systemd, or when a non-standard initramfs is used.
- Users can still switch a system into and out of FIPS mode after installation using grubby, but this has the obvious downsides explained above, and better alternatives (e.g., image builder, bootc) exist.
Related: CRYPTO-14305

Signed-off-by: Clemens Lang <cllang@redhat.com>
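With `fips-mode-setup --check` gone, an auditor still wants to confirm that the three knobs the description names agree. The following POSIX shell script is an added example, not part of this merge request or of the crypto-policies project; it compares the kernel command line, the kernel's run-time flag, and the active policy name, with all three paths passed as parameters so it can run against constructed fixtures. It assumes the active policy name is the first non-comment line of `/etc/crypto-policies/config`, a path this description does not mention.

```shell
#!/bin/sh
# Added example (not from the MR): consistency check for the FIPS knobs.
# Paths are parameters so the functions can be exercised on constructed files.

# Print 1 if the kernel command line in file $1 contains the token fips=1, else 0.
cmdline_has_fips() {
    if tr ' ' '\n' < "$1" | grep -qx 'fips=1'; then echo 1; else echo 0; fi
}

# Print the kernel's run-time FIPS flag read from $1 (normally
# /proc/sys/crypto/fips_enabled); 0 if the file is missing or empty.
kernel_fips_enabled() {
    v=""
    [ -r "$1" ] && v=$(tr -d '[:space:]' < "$1")
    echo "${v:-0}"
}

# Print the active crypto-policy name from $1. Assumption: the file holds the
# policy name on its first non-comment, non-blank line (e.g. "FIPS" or "FIPS:OSPP").
crypto_policy_name() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -v '^[[:space:]]*$' \
        | head -n1 | tr -d '[:space:]'
}

# fips_state CMDLINE_FILE FIPS_ENABLED_FILE POLICY_CONFIG_FILE
# Prints "consistent-fips", "consistent-nonfips" or "inconsistent:<mismatches>".
# A mismatch between cmdline and kernel is exactly the state the MR describes
# after an attempted --disable that left the initramfs forcing FIPS.
fips_state() {
    cmd=$(cmdline_has_fips "$1")
    krn=$(kernel_fips_enabled "$2")
    pol=$(crypto_policy_name "$3")
    case "$pol" in FIPS|FIPS:*) polfips=1 ;; *) polfips=0 ;; esac
    reasons=""
    [ "$cmd" = "$krn" ] || reasons="$reasons cmdline=$cmd kernel=$krn"
    [ "$krn" = "$polfips" ] || reasons="$reasons kernel=$krn policy=${pol:-none}"
    if [ -n "$reasons" ]; then echo "inconsistent:$reasons"
    elif [ "$krn" = 1 ]; then echo consistent-fips
    else echo consistent-nonfips; fi
}

# On a live system (the real paths, the last one being the assumption above):
#   fips_state /proc/cmdline /proc/sys/crypto/fips_enabled /etc/crypto-policies/config
```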