Draft: fips-mode-setup: Remove

NOTE: I don't intend to merge this into master right now. This is just here so I can start development and master and cherry-pick this change into rhel10.

The fips-mode-setup script was added to simplify switching to FIPS mode consistently, because this operation required adjusting multiple different knobs: the kernel command line needed fips=1 added, the fips dracut initramfs module needed to be enabled, and the crypto-policy needed to switch to FIPS.

Because there were multiple things to adjust and they could be out of sync, fips-mode-setup also offered --check to verify their consistency. This well-intentioned feature caused user experience problems, because numerous people attempted to disable FIPS mode using fips-mode-setup --disable and were surprised that --check reported an inconsistent state (because the unsupported --disable operation would not undo changes to the initramfs, which are risky and might leave the system unbootable).

Additionally, fips-mode-setup by definition is used after installing a system, but several components may have already made decisions based on FIPS mode at that point. For example, cryptsetup defaults to Argon2 as key-derivation function and uses PBKDF2 in FIPS mode. Installing a system with LUKS disk encryption and switching it to FIPS mode could thus render it unbootable if Argon2 is the only keyslot and Argon2 use is blocked. Because of these cases, switching into FIPS mode should only be done at install time using the kernel command line argument fips=1, and the existence of fips-mode-setup provides an option that is neither safe nor recommended.

Instead, we have worked across multiple involved components to make fips=1 on the kernel command line (and its run-time representation of 1 in /proc/sys/crypto/fips_enabled) the de-facto switch to move a system into FIPS mode, and made all related changes either obsolete or automatic:

The initramfs now contains the dracut fips module unconditionally. This change is also helpful for unified kernel images, where adding initramfs modules requires re-signing.

The crypto-policy is automatically switched to FIPS using two bind-mounts if the system is in FIPS mode, but the crypto-policy is not. This is implemented once in dracut 1, and once in fips-crypto-policy-overlay.service in this repository. The former should be the standard case, but the latter may be required in containers that run systemd, or when a non-standard initramfs is used.

Users can still switch a system into and out of FIPS mode after installation using grubby, but this has the obvious downsides explained above, and better alternatives (e.g., image builder, bootc) exist.

Related: CRYPTO-14305

Signed-off-by: Clemens Lang <cllang@redhat.com>
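A consistency check in the spirit of the old `--check`, written as an added shell example that is not part of this merge request or the crypto-policies project: it reads the run-time FIPS switch (`/proc/sys/crypto/fips_enabled`), the kernel command line and the crypto-policy config, and reports whether the kernel and the policy agree, which is the state the overlay service is meant to guarantee and which can still drift in a container or with a non-standard initramfs. All paths are parameters so the logic can be exercised against constructed files; the function names are my own, and it assumes `/etc/crypto-policies/config` holds just the active policy name.

```shell
#!/bin/sh
# Added example, not project code. Reports whether the kernel FIPS switch and
# the active crypto-policy agree. Paths are parameters so the checks can be run
# against constructed files; the real locations are
#   /proc/sys/crypto/fips_enabled  /proc/cmdline  /etc/crypto-policies/config

# fips_kernel_enabled FILE -> prints 1 if FILE contains "1", else 0.
fips_kernel_enabled() {
    if [ -r "$1" ] && [ "$(cat "$1" 2>/dev/null)" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# cmdline_has_fips FILE -> prints 1 if the kernel command line in FILE
# carries the fips=1 argument (the install-time switch), else 0.
cmdline_has_fips() {
    if [ -r "$1" ] && tr ' ' '\n' < "$1" | grep -qx 'fips=1'; then
        echo 1
    else
        echo 0
    fi
}

# crypto_policy_name FILE -> prints the policy name from FILE, skipping
# comments and blank lines (assumption: the file holds only the name).
crypto_policy_name() {
    [ -r "$1" ] || { echo UNKNOWN; return; }
    name=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
           | head -n 1 | tr -d '[:space:]')
    echo "${name:-UNKNOWN}"
}

# fips_state SYSCTL_FILE CMDLINE_FILE POLICY_FILE -> prints one of
#   consistent-fips     kernel in FIPS mode and policy is FIPS or a FIPS:* subpolicy
#   consistent-nonfips  kernel not in FIPS mode and policy is not FIPS
#   inconsistent        kernel and policy disagree (what the old --check flagged)
fips_state() {
    kernel=$(fips_kernel_enabled "$1")
    case "$(crypto_policy_name "$3")" in
        FIPS|FIPS:*) policy_fips=1 ;;
        *)           policy_fips=0 ;;
    esac
    if [ "$kernel" = 1 ] && [ "$policy_fips" = 1 ]; then
        echo consistent-fips
    elif [ "$kernel" = 0 ] && [ "$policy_fips" = 0 ]; then
        echo consistent-nonfips
    else
        echo inconsistent
    fi
}

# fips_report SYSCTL_FILE CMDLINE_FILE POLICY_FILE -> human-readable summary.
fips_report() {
    echo "kernel fips_enabled: $(fips_kernel_enabled "$1")"
    echo "cmdline has fips=1:  $(cmdline_has_fips "$2")"
    echo "crypto-policy:       $(crypto_policy_name "$3")"
    echo "state:               $(fips_state "$1" "$2" "$3")"
}

# Demo on constructed files so the script runs offline. To check a live
# system, pass the three real paths listed at the top instead.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/fips_enabled"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/vda2 fips=1 quiet\n' > "$demo_dir/cmdline"
printf '# constructed crypto-policies config\nDEFAULT\n' > "$demo_dir/config"
fips_report "$demo_dir/fips_enabled" "$demo_dir/cmdline" "$demo_dir/config"
rm -rf "$demo_dir"
```

The demo deliberately pairs a kernel in FIPS mode with a `DEFAULT` policy, which is exactly the state fips-crypto-policy-overlay.service (or the dracut module) resolves by bind-mounting the FIPS policy over the configured one; on a host where the overlay is active the real config file will read `FIPS` and the state comes back `consistent-fips`.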
