FIPS installed but not working
This document (7016636) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 (SLES 12)
Federal Information Processing Standard (FIPS)
Situation
The /etc/default/grub file shows:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts"
The /proc/cmdline shows:
BOOT_IMAGE=/vmlinuz-3.12.28-4-default root=UUID=1ba8a531-3b16-464d-8b80-d9260b4381a7 showopts
The /proc/sys/crypto/fips_enabled shows:
0
Resolution
1. Edit /etc/default/grub.
2. Add "fips=1" to GRUB_CMDLINE_LINUX_DEFAULT.
2.1 If you don't have a separate boot partition, it may look like this:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts fips=1"
2.2 If you have a separate boot partition, you need to add the boot= parameter as well. For example, if /boot is mounted on /dev/sda1, the variable may look like this:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts fips=1 boot=/dev/sda1"
2.3 If you do not have a separate boot partition, DO NOT use boot=/dev/sda1. The device is usually the vfat /boot/efi device and will result in an error 'Warning: dracut: FATAL: FIPS integrity test failed'. To see if you have a separate boot partition, run: mount | grep boot. If there is no /boot mount point, you do not have a separate boot partition and boot= will cause a boot failure.
3. Run grub2-mkconfig -o /boot/grub2/grub.cfg to remake the grub.cfg file.
4. Run mkinitrd.
5. Reboot.
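A consistency check for the settings in steps 2.1 to 2.3, added here as an example and not part of SUSE's own tooling: it compares the kernel command line, the fips_enabled value and the mount table, and reports which of the conditions described above is not met. The function names and the --live switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: consistency check for the FIPS boot settings described above.
# Inputs are passed as strings so the logic can be exercised on constructed data.

get_param() {   # print the value of kernel parameter $2 found in command line $1
    for word in $1; do
        case "$word" in
            "$2"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

boot_source() { # print the device mounted exactly on /boot in mount(8) output $1
    # An exact match is used because "grep boot" also matches /boot/efi.
    printf '%s\n' "$1" |
        awk '$2 == "on" && $3 == "/boot" { print $1; found = 1 } END { exit !found }'
}

check_fips() {  # $1 = /proc/cmdline, $2 = fips_enabled value, $3 = mount output
    fips=$(get_param "$1" fips) || fips=
    bootarg=$(get_param "$1" boot) || bootarg=
    bootdev=$(boot_source "$3") || bootdev=
    if [ "$fips" != 1 ]; then
        echo "FAIL: fips=1 is not on the kernel command line"; return 1
    fi
    if [ -z "$bootdev" ] && [ -n "$bootarg" ]; then
        echo "FAIL: boot=$bootarg is set but /boot is not a separate partition"; return 1
    fi
    if [ -n "$bootdev" ] && [ -z "$bootarg" ]; then
        echo "FAIL: /boot is on $bootdev but boot= is missing"; return 1
    fi
    # boot= is not compared with $bootdev: one partition can be named several ways.
    if [ "$2" != 1 ]; then
        echo "FAIL: fips=1 was passed but fips_enabled is '$2'"; return 1
    fi
    echo "OK: FIPS mode is enabled"
}

# Live use (hypothetical --live flag of this example script): read the real system.
if [ "${1:-}" = "--live" ]; then
    check_fips "$(cat /proc/cmdline)" "$(cat /proc/sys/crypto/fips_enabled)" "$(mount)"
fi
```

Run it with --live after the reboot in step 5; without the flag it only defines the functions.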
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7016636
- Creation Date: 25-Jun-2015
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com