-
Epic
-
Resolution: Unresolved
-
Major
-
None
-
rhel-10.0, rhel-10.1
-
None
-
Cloud FIPS enablement
-
None
-
rhel-virt-cloud
-
None
-
False
-
False
-
-
None
-
None
-
None
-
None
-
Unspecified
-
Unspecified
-
Unspecified
-
-
All
-
None
RHEL 10+ does not support enabling FIPS mode at runtime: it must be enabled at install time. See our docs at
Cloud images are installed before launch and so there is no longer any ability to enable FIPS mode for cloud images.
Adding separate variants for FIPS mode on all clouds, for all delivery options (1P/BYOS/3P), all architectures and all product variants (SAP, HA etc.) would double image delivery load and is completely unsustainable.
So we need to investigate a way of re-enabling runtime enablement of FIPS mode. But we don't need a general solution; we can accept restrictions such as
- Only works for cloud images
- Only works for the first launch of a cloud image
- Has prerequisites that can be laid down during image build
For example, a known problem with changing FIPS mode at runtime is that we would need to force regeneration of existing potentially-non-FIPS-compatible crypto keys. That does not need to be a problem for the cloud image solution, as marketplace cloud images already need to guarantee that there are no preexisting local crypto keys present on the image.
We need to investigate and deliver a general solution for enabling FIPS for the specific case of cloud images.
Initial design conversation with crypto team is documented here:
https://docs.google.com/document/d/1VYrjQUIGhdlZ-ridKKy9UfK_KPgEy2Z2xqwlxp8PrR4/edit?usp=sharing
Summary is it looks like we already have all the enablement we need from the crypto team: booting a kernel with fips=1 is necessary and sufficient, and the rest of userland FIPS setup will follow from that.
So the question is how to achiefve that, and cloud-init remains our best option for something that can
- trigger off a provided cloud-init data source to determine we are trying to enable fips on first boot of a cloud instance
- perform the necessary kernel grubby reconfiguration to add fips=1
- force a reboot to retry initial setup with fips mode enabled