Story
Resolution: Done
Normal
rhel-10.0
rhel-sst-centos-stream
Red Hat Enterprise Linux
All
Linux
Goal
We never want customers to end up in a situation where they are running systems in FIPS mode (as set by the fips=1 kernel command line) while the active crypto-policy is not FIPS. Before RHEL 10, we were trying to make that happen by doing the switching with the fips-mode-setup tool, but this has shown some downsides in practice, which is why we are removing the fips-mode-setup tool and replacing it with automated bind-mounts (see CRYPTO-13556, RHEL-65652, RHEL-59678 for details).
On most systems, a new dracut initramfs module should automatically switch the active crypto-policy to FIPS if it is not yet and the system is in FIPS mode. There are, however, some corner cases where systems might be booted without going through the dracut initramfs module (e.g., because of a custom initramfs, or because the system is a container that runs systemd and the container technology did not add the required bind-mounts either). To catch these corner cases, the crypto-policies package ships a systemd unit, fips-crypto-policy-overlay.service, that creates the required bind mounts during early boot if they don't exist yet; it runs only when the system was booted with fips=1 on the kernel command line (ConditionKernelCommandLine=fips=1).
To achieve this, the service should be enabled by default. Note that this does not apply on Fedora (yet), because Fedora will keep the fips-mode-setup tool for now.
tl;dr: Enable fips-crypto-policy-overlay.service by default to make sure the FIPS crypto-policy is active in system containers on systems in FIPS mode if the container runtime doesn't already make this change. In almost all configurations, this is a no-op, because dracut already did it. On systems not in FIPS mode, this service doesn't even start, because its kernel command line condition is not met.
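An audit check for exactly the corner case described above (a system booted with fips=1 whose active crypto-policy is not FIPS), as an added example that is not code shipped by crypto-policies or this story. It assumes the active policy name is the first non-comment line of /etc/crypto-policies/config; the file paths are parameters so it runs here on constructed inputs.

```shell
#!/bin/sh
# Added example (not part of the crypto-policies package): audit whether a
# system booted in FIPS mode (fips=1 on the kernel command line) has the
# FIPS crypto-policy active, the mismatch this story wants to prevent.

# Return 0 if the kernel command line in file $1 contains the token fips=1.
# Tokens are matched whole, so "nofips=1" or "fips=10" do not count.
kernel_fips_requested() {
    cmdline_file="${1:-/proc/cmdline}"
    [ -r "$cmdline_file" ] || return 1
    for tok in $(cat "$cmdline_file"); do
        [ "$tok" = "fips=1" ] && return 0
    done
    return 1
}

# Print the active crypto-policy name from config file $1
# (assumed: /etc/crypto-policies/config on a real system). Empty output means unknown.
active_crypto_policy() {
    config_file="${1:-/etc/crypto-policies/config}"
    [ -r "$config_file" ] || return 1
    # First non-blank, non-comment line holds the policy name, e.g. DEFAULT or FIPS.
    grep -v '^[[:space:]]*#' "$config_file" | grep -m1 -v '^[[:space:]]*$' | tr -d '[:space:]'
}

# Verdict: "ok" when the policy matches the boot mode (FIPS or a FIPS
# subpolicy such as FIPS:OSPP), "mismatch" when fips=1 was requested but the
# policy is something else, "not-fips" when the kernel was not booted with fips=1.
check_fips_consistency() {
    cmdline_file="$1"
    config_file="$2"
    if ! kernel_fips_requested "$cmdline_file"; then
        echo "not-fips"
        return 0
    fi
    policy="$(active_crypto_policy "$config_file")"
    case "$policy" in
        FIPS|FIPS:*) echo "ok" ;;
        *) echo "mismatch (active policy: '${policy:-unknown}')"; return 2 ;;
    esac
}

# Constructed sample inputs standing in for /proc/cmdline and
# /etc/crypto-policies/config on a container whose runtime skipped the overlay.
tmp="$(mktemp -d)"
echo "BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro fips=1 quiet" > "$tmp/cmdline"
printf '# constructed sample\nDEFAULT\n' > "$tmp/config"
check_fips_consistency "$tmp/cmdline" "$tmp/config" || echo "exit status $?"
rm -rf "$tmp"
```

A non-zero exit from check_fips_consistency on a real host is the signal that neither the dracut module nor the overlay service has switched the policy yet.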
Acceptance criteria
- fips-crypto-policy-overlay.service is enabled automatically

- clones RHEL-67012 Enable fips-crypto-policy-overlay.service by default (Closed)