Bug
Resolution: Done
Normal
4.18
Quality / Stability / Reliability
Moderate
Description of problem:
Add FIPS support for ABI in RH Doc
ABI FIPS:
To generate FIPS-compatible images, use a FIPS-compatible binary for s390x. Additionally, ensure that the VM or LPAR where you are generating the FIPS image for ABI is FIPS-compatible.
Manually adding IBM Z agents
Configuring FIPS in an IBM Z environment for LPAR & z/VM
Procedure
If you have an existing .parm file, edit it to include the following entry to enable FIPS:
fips=1
This parameter enables FIPS for the cluster.
Example .parm file
rd.neednet=1 cio_ignore=all,!condev
console=ttysclp0
coreos.live.rootfs_url=<coreos_url>
ip=<ip>::<gateway>:<netmask>:<hostname>::none nameserver=<dns>
rd.znet=qeth,<network_adaptor_range>,layer2=1
rd.<disk_type>=<adapter>
rd.zfcp=<adapter>,<wwpn>,<lun> random.trust_cpu=on
fips=1
zfcp.allow_lun_scan=0
ai.ip_cfg_override=1
ignition.firstboot ignition.platform.id=metal
random.trust_cpu=on
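A pre-flight check for the two conditions stated above, that the .parm file carries fips=1 and that the VM or LPAR generating the image is itself in FIPS mode. This is an added example, not part of the original ticket or Red Hat's documentation; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are hypothetical.

# parm_fips_state FILE -> prints enabled | disabled | missing | conflict
# A .parm file is a whitespace-separated kernel command line, so compare
# whole tokens: "nofips=1" or "xfips=1" must not be mistaken for fips=1.
parm_fips_state() {
    awk '{ for (i = 1; i <= NF; i++) {
               if ($i == "fips=1") en = 1
               else if ($i ~ /^fips=/) dis = 1
           } }
         END {
             if (en && dis) print "conflict"   # both present: review by hand
             else if (en)   print "enabled"
             else if (dis)  print "disabled"
             else           print "missing"
         }' "$1"
}

# host_fips_enabled [FILE] -> exit status 0 when the kernel reports FIPS mode.
# FILE defaults to the kernel's own indicator; the override exists for testing.
host_fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Constructed sample .parm content with dummy values.
sample=$(mktemp)
printf '%s\n' 'rd.neednet=1 cio_ignore=all,!condev' 'console=ttysclp0' \
    'random.trust_cpu=on' 'fips=1' 'zfcp.allow_lun_scan=0' > "$sample"
echo "parm file: $(parm_fips_state "$sample")"
if host_fips_enabled; then
    echo "build host: FIPS mode on"
else
    echo "build host: FIPS mode off or not reported"
fi
rm -f "$sample"
```
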
Adding IBM Z agents with RHEL KVM
To enable FIPS mode, add --extra-args "fips=1" to the virt-install command.
Sample virt-install command
virt-install \
--name <vm_name> \
--autostart \
--ram=16384 \
--cpu host \
--vcpus=8 \
--location <path_to_kernel_initrd_image>,kernel=kernel.img,initrd=initrd.img \
--disk <qcow_image_path> \
--network network:macvtap,mac=<mac_address> \
--graphics none \
--noautoconsole \
--wait=-1 \
--extra-args "rd.neednet=1 nameserver=<nameserver>" \
--extra-args "ip=<IP>::<nameserver>::<hostname>:enc1:none" \
--extra-args "coreos.live.rootfs_url=http://<http_server>:8080/agent.s390x-rootfs.img" \
--extra-args "random.trust_cpu=on rd.luks.options=discard" \
--extra-args "ignition.firstboot ignition.platform.id=metal" \
--extra-args "console=tty1 console=ttyS1,115200n8" \
--extra-args "coreos.inst.persistent-kargs=console=tty1 console=ttyS1,115200n8" \
--extra-args "fips=1" \
--osinfo detect=on,require=off
Note: FIPS with ISO boot for IBM Z is not supported.