RHEL-150327

General Cloud Image FIPS enablement for RHEL10+


    • Epic
    • Resolution: Unresolved
    • Major
    • rhel-10.0, rhel-10.1
    • cloud-init
    • Cloud FIPS enablement
    • rhel-virt-cloud

      RHEL 10+ does not support enabling FIPS mode at runtime: it must be enabled at install time.  See our docs at

      https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/security_hardening/switching-rhel-to-fips-mode

      Cloud images are installed before launch and so there is no longer any ability to enable FIPS mode for cloud images.

      Adding separate variants for FIPS mode on all clouds, for all delivery options (1P/BYOS/3P), all architectures and all product variants (SAP, HA etc.) would double image delivery load and is completely unsustainable.

      So we need to investigate a way of re-enabling runtime enablement of FIPS mode.  But we don't need a general solution; we can accept restrictions such as

      • Only works for cloud images
      • Only works for the first launch of a cloud image
      • Has prerequisites that can be laid down during image build

      For example, a known problem with changing FIPS mode at runtime is that we would need to force regeneration of existing potentially-non-FIPS-compatible crypto keys.  That does not need to be a problem for the cloud image solution, as marketplace cloud images already need to guarantee that there are no preexisting local crypto keys present on the image.

      We need to investigate and deliver a general solution for enabling FIPS for the specific case of cloud images.

       

      Initial design conversation with crypto team is documented here:
      https://docs.google.com/document/d/1VYrjQUIGhdlZ-ridKKy9UfK_KPgEy2Z2xqwlxp8PrR4/edit?usp=sharing
       

      Summary is it looks like we already have all the enablement we need from the crypto team: booting a kernel with fips=1 is necessary and sufficient, and the rest of userland FIPS setup will follow from that.

      So the question is how to achieve that, and cloud-init remains our best option for something that can

      • trigger off a provided cloud-init data source to determine we are trying to enable fips on first boot of a cloud instance
      • perform the necessary kernel grubby reconfiguration to add fips=1
      • force a reboot to retry initial setup with fips mode enabled
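
      The three steps above as a first-boot helper, with a guard against reboot loops. This is an added example, not code from this issue, cloud-init, or Red Hat; the `FIPS_REQUESTED` variable (a stand-in for whatever the data source supplies), the stamp-file path and the function names are assumptions.

```shell
#!/bin/sh
# Added illustration, not cloud-init or Red Hat code.
# Hypothetical: FIPS_REQUESTED (stand-in for the data-source trigger),
# the STAMP path, and all function names.

FIPS_STATE="${FIPS_STATE:-/proc/sys/crypto/fips_enabled}"
CMDLINE="${CMDLINE:-/proc/cmdline}"
STAMP="${STAMP:-/var/lib/cloud/fips-first-boot.attempted}"

# True when the running kernel was booted with fips=1 as a whole argument.
cmdline_has_fips() {
    grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)' "$CMDLINE" 2>/dev/null
}

# Print the action for this boot: skip | done | enable | fail
decide_action() {
    # Step 1: only act when the instance data asked for FIPS.
    [ "${FIPS_REQUESTED:-0}" = "1" ] || { echo skip; return; }
    # Already in FIPS mode (second boot): continue normal first-boot setup.
    if [ "$(cat "$FIPS_STATE" 2>/dev/null)" = "1" ]; then echo done; return; fi
    # fips=1 is on the command line, or an earlier attempt was recorded,
    # yet the kernel is not in FIPS mode: rebooting again would loop.
    if cmdline_has_fips || [ -e "$STAMP" ]; then echo fail; return; fi
    echo enable
}

apply_action() {
    case "$(decide_action)" in
        enable)
            # Step 2: add fips=1 to every installed kernel entry.
            grubby --update-kernel=ALL --args="fips=1" || return 1
            : > "$STAMP"
            # Step 3: reboot so the rest of first boot runs under FIPS.
            systemctl reboot ;;
        fail)
            echo "FIPS requested but not active after reconfiguration" >&2
            return 1 ;;
    esac
}

# Only touch the system when explicitly asked; a plain run is inert.
if [ "${1:-}" = "--apply" ]; then apply_action; fi
```

      For the `enable` path to be safe it has to run before anything on first boot generates local keys, which this example does not enforce.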

              rhn-engineering-sct Stephen Tweedie
              Mark Thacker
              virt-bugs virt-bugs