• crypto-policies-20241106-2.git7073416.el10
    • None
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 11
    • 13
    • 1
    • False
    • Yes
    • Red Hat Enterprise Linux
    • Crypto24Q4
    • AC1) fips-mode-setup and fips-finish-install, along with their manpages, are no longer shipped with RHEL

      AC2) No other manpages in the crypto-policies package reference or use fips-mode-setup or fips-finish-install

      AC3) Changes are announced on rhel-devel or rhel-planning lists

      AC4) Test tools depending on fips-mode-setup are updated not to rely on it

      AC5) Issue for docs team is created to update any RHEL-10 documentation mentioning fips-mode-setup.

    • Pass
    • Enabled
    • Automated
    • Removed Functionality
    • .`fips-mode-setup` is removed

      The `fips-mode-setup` command is removed from RHEL. To enable the cryptographic module self-checks mandated by the Federal Information Processing Standard (FIPS) 140, enable FIPS mode during the system installation. See the link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/security_hardening/switching-rhel-to-fips-mode[Switching RHEL to FIPS mode chapter] in the Security hardening document for more information.
    • Proposed
    • All
    • None

      Goal

      Remove fips-mode-setup. This is part of a bigger push to avoid the need for the tool in the first place, which was required because there are multiple knobs to turn when switching into FIPS mode; we are now moving towards a setup where these knobs are either eliminated completely, or follow the kernel command line flag fips=1 automatically, so that fips-mode-setup is no longer necessary.

      This also addresses potential issues when systems are initially set up outside of FIPS mode and then moved to FIPS mode afterwards, e.g., for algorithms used in LUKS disk encryption, or OpenSSH host keys.

      Acceptance criteria

      • fips-mode-setup and fips-finish-install, along with their manpages, are no longer shipped with RHEL. No other manpages in the crypto-policies package reference or use fips-mode-setup or fips-finish-install.
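
With the tool gone, test tooling that used to ask fips-mode-setup for the FIPS state can compare the `fips=1` kernel command line flag with the kernel's own `/proc/sys/crypto/fips_enabled` switch. The following is an added example, not code from this ticket or from the crypto-policies package; the function names, the sample command line and the last-occurrence-wins handling of a repeated flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket): report FIPS state without fips-mode-setup.

# cmdline_fips CMDLINE
# Prints 1 if the kernel command line requests FIPS mode, else 0.
# Only the literal fips=1 named in the ticket counts as a request.
# Assumption: if fips= is repeated, the last occurrence decides.
# Runs in a subshell with globbing off so word splitting is safe.
cmdline_fips() (
    set -f
    state=0
    for tok in $1; do
        case "$tok" in
            fips=1) state=1 ;;
            fips=*) state=0 ;;
        esac
    done
    echo "$state"
)

# fips_status CMDLINE KERNEL_FLAG
# KERNEL_FLAG is the content of /proc/sys/crypto/fips_enabled (0 or 1).
# "inconsistent" means the boot request and the kernel state disagree.
fips_status() {
    case "$(cmdline_fips "$1"):$2" in
        1:1) echo enabled ;;
        0:0) echo disabled ;;
        *)   echo inconsistent ;;
    esac
}

# fips_status_live: the same check against the running kernel.
fips_status_live() {
    if [ -r /proc/cmdline ] && [ -r /proc/sys/crypto/fips_enabled ]; then
        fips_status "$(cat /proc/cmdline)" "$(cat /proc/sys/crypto/fips_enabled)"
    else
        echo unknown
    fi
}

# Constructed sample command line, for illustration only.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro fips=1'
fips_status "$SAMPLE_CMDLINE" 1
```

This reports the kernel state only; it cannot tell whether LUKS volumes or OpenSSH host keys were created before the system entered FIPS mode, which is the case the ticket addresses by enabling FIPS mode at installation.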

              Ondrej Moris (omoris)
              Clemens Lang (cllang@redhat.com)
              Clemens Lang
              Ondrej Moris
              Mirek Jahoda