
FIPS-MODE-SETUP(8)   FIPS-MODE-SETUP(8)

NAME

fips-mode-setup - Check or enable the system FIPS mode.

SYNOPSIS

fips-mode-setup [COMMAND]

DESCRIPTION

fips-mode-setup(8) is used to check and control the system FIPS mode.

When enabling the system FIPS mode, the command completes the installation of FIPS modules if needed by calling fips-finish-install and changes the system crypto policy to FIPS (unless the policy has already been set to FIPS plus subpolicies on top, in which case the currently active subpolicies are retained).

Then the command modifies the boot loader configuration to add fips=1 and boot=<boot-device> options to the kernel command line.

When disabling the system FIPS mode the system crypto policy is switched to DEFAULT and the kernel command line option fips=0 is set.

On transactional systems, enabling FIPS mode with the fips-mode-setup tool is not implemented. Enabling FIPS mode on such systems requires the following steps:

1.- Install the FIPS pattern on a running system:

# transactional-update pkg install -t pattern microos-fips

2.- Reboot your system.

3.- Add the kernel command line parameter fips=1 to the boot loader configuration. To do so, edit the file /etc/default/grub and add fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.

4.- After logging in to the system, run:

# transactional-update grub.cfg

5.- Reboot your system.
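Step 3 above is the one that is easy to get wrong by hand (a duplicated fips=1, a stale fips=0 left over from a --disable, or a missing GRUB_CMDLINE_LINUX_DEFAULT line). The following shell function is an added example and not part of fips-mode-setup or transactional-update; it rewrites the variable idempotently. The file path is a parameter (defaulting to /etc/default/grub) so it can be exercised against a copy before touching the real file; the subsequent transactional-update grub.cfg and reboot steps are unchanged.

```shell
#!/bin/sh
# Added example, not part of fips-mode-setup: idempotently put fips=1 into
# GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file (step 3 above).
# Usage: add_fips_to_grub_default [FILE]   (FILE defaults to /etc/default/grub)

add_fips_to_grub_default() {
    file="${1:-/etc/default/grub}"
    [ -f "$file" ] || { printf 'no such file: %s\n' "$file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ && !done {
            val = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT=/, "", val)
            # Strip one layer of double quotes; the value is re-quoted below.
            if (val ~ /^".*"$/) val = substr(val, 2, length(val) - 2)
            n = split(val, w, /[ \t]+/)
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (w[i] == "") continue
                # Any existing fips=<x> (for example fips=0 left by --disable)
                # is normalised to fips=1 instead of being duplicated.
                if (w[i] ~ /^fips=/) { w[i] = "fips=1"; found = 1 }
                out = (out == "" ? w[i] : out " " w[i])
            }
            if (!found) out = (out == "" ? "fips=1" : out " fips=1")
            print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
            done = 1
            next
        }
        { print }
        # No such variable in the file: append one that only requests FIPS.
        END { if (!done) print "GRUB_CMDLINE_LINUX_DEFAULT=\"fips=1\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Check whether the file already requests FIPS mode (exit 0 = yes, 1 = no).
grub_default_has_fips() {
    file="${1:-/etc/default/grub}"
    grep -E '^GRUB_CMDLINE_LINUX_DEFAULT="?([^"]* )?fips=1( [^"]*)?"?$' "$file" >/dev/null
}
```

Running the function twice leaves the file unchanged after the first run, which is what makes it safe to include in a configuration-management step that is re-applied on every run. Only a single GRUB_CMDLINE_LINUX_DEFAULT line is rewritten; if your file defines the variable more than once, inspect it manually first.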

OPTIONS

The following options are available in the fips-mode-setup tool.

• --enable: Enables the system FIPS mode.

• --disable: Undoes some of the FIPS-enablement steps. Please note that module installation cannot be undone without reformatting and overwriting, at least once, the platform’s hard drive or other permanent storage media. This option is not meant to be used in production, is not supported, and is implemented for testing purposes only.

• --check: Checks for inconsistently enabled FIPS mode. Exits successfully (0) for both consistently-enabled FIPS mode and consistently-disabled FIPS mode, and returns error code (1) if inconsistencies are detected. For checking whether FIPS mode is enabled, see --is-enabled below.

• --is-enabled: Checks the system FIPS mode status and returns a non-zero exit code if disabled (2) or inconsistent (1).

• --no-bootcfg: The tool will not reconfigure the boot loader and will instead print the options that need to be added to the kernel command line. Exception: it still attempts to execute zipl(8) on s390x, as the system might become unbootable otherwise.
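The distinction between "disabled" and "inconsistent" in the --check and --is-enabled exit codes is the part worth understanding, since an inconsistent system (for example fips=1 on the command line but a kernel whose FIPS flag is 0) is the case a compliance audit must flag. The functions below are an added example, not fips-mode-setup's own code: they reproduce the same three-way exit status from only two kernel-side facts, the flag in /proc/sys/crypto/fips_enabled and the fips= option in /proc/cmdline (a path assumed here; the page names only the flag file). The real tool additionally checks the crypto policy and boot loader, so this is a reduced model. Both paths are parameters so the logic can be run against captured copies of those files.

```shell
#!/bin/sh
# Added example, not fips-mode-setup's own code: a reduced consistency check
# in the spirit of --check / --is-enabled, comparing the kernel FIPS flag
# (/proc/sys/crypto/fips_enabled) with the fips= option on the kernel command
# line (/proc/cmdline). The crypto policy and boot loader are deliberately
# left out. Both file paths are parameters so captured files can be used.

# Print 1 if the kernel flag file reports FIPS mode, 0 otherwise.
kernel_fips_flag() {
    flag=$(tr -d '[:space:]' < "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)
    [ "$flag" = "1" ] && echo 1 || echo 0
}

# Print the value of the last fips= option on the command line, or "unset".
cmdline_fips_option() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" 2>/dev/null \
        | grep '^fips=' | tail -n 1 | sed 's/^fips=//' | grep . || echo unset
}

# Exit status modelled on --is-enabled: 0 enabled, 2 disabled, 1 inconsistent.
fips_state() {
    flag=$(kernel_fips_flag "$1")
    opt=$(cmdline_fips_option "$2")
    case "$flag:$opt" in
        1:1)         return 0 ;;   # requested and active: enabled
        0:unset|0:0) return 2 ;;   # neither requested nor active: disabled
        *)           return 1 ;;   # requested but inactive (kernel not in FIPS
                                   # mode), or active without being requested
    esac
}

# Exit status modelled on --check: 0 when consistently on or off, 1 otherwise.
fips_consistent() {
    rc=0
    fips_state "$1" "$2" || rc=$?
    [ "$rc" -ne 1 ]
}

# Human-readable summary for an operator; exit status is that of fips_state.
fips_report() {
    rc=0
    fips_state "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "FIPS mode: enabled" ;;
        2) echo "FIPS mode: disabled" ;;
        *) echo "FIPS mode: INCONSISTENT (flag=$(kernel_fips_flag "$1"), cmdline fips=$(cmdline_fips_option "$2"))" ;;
    esac
    return "$rc"
}
```

On a live system, `fips_report` with no arguments reads the real /proc files; in a monitoring job the exit status maps directly onto the tool's own convention, so an alert on status 1 catches the half-configured case that a plain "is fips_enabled 1?" check would miss when the command line requests FIPS but the kernel never honoured it.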

FILES

/proc/sys/crypto/fips_enabled

The kernel FIPS mode flag.

SEE ALSO

update-crypto-policies(8), fips-finish-install(8)

AUTHOR

Written by Tomáš Mráz.

09/22/2023 fips-mode-setup