RHEL-23049

Fedora UKI addons: create FIPS addon

    • rhel-sst-virtualization-cloud
    • ssg_virtualization
    • RHELOPC Sprint 1, RHELOPC Sprint 2, RHELOPC Sprint 3, RHELOPC Sprint 22, RHELOPC Sprint 23

      Goal

      The North America Public Sales (NAPS) team asked how to optionally enable FIPS in RHEL UKIs.

      In UKIs, this can be achieved easily by creating a `fips=1` UKI addon and providing it in the ESP (/boot/efi/Linux/<UKI>.extra.d/ or /boot/efi/loader/addons). When the addon is present, the kernel cmdline will contain `fips=1`; when it is removed, no `fips` option will be enabled.

      Requires at least systemd v254 (ukify needs to be able to build an addon, and kernel.spec should be able to create addons).

      Acceptance Criteria

      In order to verify if this works:

      • Create the UKI addon
      • Add it to /boot/efi/loader/addons and reboot. Check that /proc/cmdline contains `fips=1`
      • Remove it from /boot/efi/loader/addons and reboot. Check that /proc/cmdline does not contain `fips=1`
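
The acceptance steps above as a script. This is an added example, not code from the issue or from the RHEL/systemd projects. The addon file name `fips.addon.efi`, the function names and the `UKIFY`/`ADDON_DIR`/`ADDON_NAME`/`CMDLINE_FILE` overrides are assumptions, and `ukify` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: build a fips=1 UKI addon and check the acceptance criteria.
# Assumed (not from the issue): the addon file name and the override variables.

UKIFY="${UKIFY:-ukify}"                          # assumed to be on PATH
ADDON_DIR="${ADDON_DIR:-/boot/efi/loader/addons}"
ADDON_NAME="${ADDON_NAME:-fips.addon.efi}"       # assumed file name
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"

# Build an addon that carries only a kernel command line.
# Needs ukify from systemd v254 or later; $1 is the output path.
build_fips_addon() {
    "$UKIFY" build --cmdline='fips=1' --output="$1"
}

# Succeed only if fips=1 is a whole command-line token.
# A plain substring match would also accept fips=10 or nofips=1.
has_fips_token() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
    esac
    return 1
}

# Compare addon presence in the ESP with the booted command line.
# Prints both states; returns 0 when they agree, 1 when they do not.
verify_fips_addon() {
    cmdline=$(cat "$CMDLINE_FILE")
    if [ -e "$ADDON_DIR/$ADDON_NAME" ]; then present=yes; else present=no; fi
    if has_fips_token "$cmdline"; then active=yes; else active=no; fi
    echo "addon present: $present, fips=1 on cmdline: $active"
    [ "$present" = "$active" ]
}

# Usage: script build [output-file] | script verify
case "${1:-}" in
    build)  build_fips_addon "${2:-$ADDON_NAME}" ;;
    verify) verify_fips_addon ;;
esac
```

Run `verify` only after the reboot that follows adding or removing the addon; before the reboot a mismatch is expected. A mismatch with the addon absent means `fips=1` is coming from somewhere other than the addon.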

              eesposit@redhat.com Emanuele Giuseppe Esposito
              Li Tian