Story
Resolution: Unresolved
dracut-103-1.el10
rhel-sst-cs-plumbers
ssg_core_services
Red Hat Enterprise Linux
Goal
Switching a system to FIPS mode by adding fips=1 to the kernel command line should automatically switch the crypto-policy to FIPS if it is not based on it already. This should be done using a bind-mount so that the previous policy is restored should the user choose to disable FIPS mode again. This must happen before systemd is started to ensure systemd's use of cryptography complies with the appropriate policies, so it should happen in the initramfs.
A PR to do this has been merged upstream and can be backported.
Acceptance criteria
A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.
- When the system is booted with fips=1 on the kernel command line and the current crypto-policy is neither FIPS nor one whose name starts with "FIPS:", bind mounts should be created over /etc/crypto-policies/back-ends and /etc/crypto-policies/config.
- In all other situations, nothing should change.
The crypto team can verify this for you.
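
One way to check the two acceptance criteria on a test machine, as an added example (not code from the dracut PR or from this ticket). The function names and the "live" argument are hypothetical; the configured policy has to be noted before the reboot and passed in.

```shell
#!/bin/sh
# Added example: checks the acceptance criteria above on a booted system.
# Inputs are passed in explicitly so the logic can be exercised offline.

CONFIG=/etc/crypto-policies/config        # paths named in the story
BACKENDS=/etc/crypto-policies/back-ends

# True if the kernel command line string contains the token fips=1.
fips_requested() {
    case " $1 " in *" fips=1 "*) return 0 ;; esac
    return 1
}

# True if the policy is FIPS or starts with "FIPS:".
policy_is_fips() {
    case "$1" in FIPS|FIPS:*) return 0 ;; esac
    return 1
}

# True if path ($2) is a mount point in the mountinfo file ($1).
# Field 5 of each /proc/self/mountinfo line is the mount point.
is_mountpoint() {
    awk -v p="$2" '$5 == p { found = 1 } END { exit !found }' "$1"
}

# check_criteria CMDLINE POLICY_BEFORE_BOOT MOUNTINFO_FILE
# POLICY_BEFORE_BOOT is the configured policy recorded before the reboot:
# once a bind mount is in place, reading $CONFIG returns the overlaid
# file, not the underlying policy.
check_criteria() {
    expect=no
    if fips_requested "$1" && ! policy_is_fips "$2"; then expect=yes; fi
    for path in "$CONFIG" "$BACKENDS"; do
        if is_mountpoint "$3" "$path"; then actual=yes; else actual=no; fi
        if [ "$actual" != "$expect" ]; then
            echo "FAIL: $path mounted=$actual expected=$expect"
            return 1
        fi
    done
    echo "PASS: bind mounts expected=$expect"
}

# Live use: sh check.sh live DEFAULT   (DEFAULT = policy noted before reboot)
if [ "${1:-}" = live ]; then
    check_criteria "$(cat /proc/cmdline)" "$2" /proc/self/mountinfo
fi
```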
Links to: RHBA-2024:140612 dracut bug fix and enhancement update