7.2 Enabling FIPS Mode on Oracle Linux

You must enable FIPS mode on Oracle Linux before using FIPS-validated cryptographic modules. The following procedure describes how to configure Oracle Linux so that it uses only cryptographic algorithms that are FIPS-validated.

  1. Depending on the type of FIPS module that you plan to install, do one of the following:

    • If you plan to install FIPS-validated cryptographic modules for Oracle Linux, ensure that the system is running Oracle Linux 6 Update 9 or later.

    • If you plan to install the OpenSSL FIPS object module, ensure that the system is Oracle Linux 6 Update 5 or later.

  2. Ensure that your system is registered with the Unbreakable Linux Network (ULN) and that the ol6_x86_64_latest channel is enabled.

    Alternatively, if you are using the Oracle Linux yum server, you can enable the ol6_latest repository. For example:

    # yum-config-manager --enable ol6_latest

  3. Install the dracut-fips package.

    # yum install dracut-fips

    The dracut-fips package provides the modules to build a dracut initramfs file system that performs an integrity check.

  4. If the system CPU supports AES New Instructions (AES-NI), install the dracut-fips-aesni package.

    • Run the following command to check whether the system supports AES-NI:

      # grep aes /proc/cpuinfo

    • To install the package:

      # yum install dracut-fips-aesni

  5. Recreate the initramfs file system.

    # dracut -f

  6. Perform the following steps to configure the kernel command line in the grub.conf file so that the system boots into FIPS mode:

    1. Identify the boot partition and the UUID of the partition, for example:

      # df /boot
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/sda1         508588 294476    214112  58% /boot
      
      # blkid /dev/sda1
      /dev/sda1: UUID="a305c68f-3e04-4c53-a566-9d67c12ff293" TYPE="xfs"

    2. As the root user, edit the /etc/grub.conf file as follows:

      1. Add the boot=UUID=boot_UUID line to the kernel command line.

        kernel /vmlinuz-4.1.12-61.1.28.el6uek.x86_64 ro root=/dev/mapper/VolGroup-lv_root
          rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16
          crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
          boot=UUID=a305c68f-3e04-4c53-a566-9d67c12ff293

        This step ensures that the system can identify the appropriate boot device.

      2. Add the fips=1 option to the kernel command line.

        kernel /vmlinuz-4.1.12-61.1.28.el6uek.x86_64 ro root=/dev/mapper/VolGroup-lv_root
          rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16
          crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
          boot=UUID=a305c68f-3e04-4c53-a566-9d67c12ff293 fips=1

      3. Save your changes.

  7. To ensure proper operation of the in-module integrity verification, prelinking must be disabled on all system files.

    By default, the prelink package is not installed on the system. However, if it is installed, disable prelinking on all libraries and binaries as follows:

    1. Set PRELINKING=no in the /etc/sysconfig/prelink configuration file.

    2. If the libraries were already prelinked, undo the prelink on all of the system files as follows:

      # prelink -u -a

  8. Reboot the system.

  9. Verify that FIPS is enabled.

    # cat /proc/sys/crypto/fips_enabled
    1
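
The following script is an added verification example and is not part of the Oracle Linux documentation. It audits the three indicators the procedure above leaves behind: the kernel command line (boot=UUID= and fips=1), the prelink setting, and the /proc/sys/crypto/fips_enabled flag. Each check takes its input as an argument so it can be exercised offline on constructed values; the audit_live wrapper assumes that /proc/cmdline reflects the kernel line written to /etc/grub.conf.

```sh
#!/bin/sh
# Added example (not from the Oracle Linux documentation): an audit of the
# settings that the FIPS enablement procedure produces.

# Return 0 if a kernel command line carries fips=1 and a non-empty boot=UUID=.
# Parameters are matched as whole words so that look-alikes such as nofips=1,
# fips=10 or an empty boot=UUID= are rejected.
fips_cmdline_ok() {
    have_boot=1; have_fips=1
    set -f                       # no pathname expansion while splitting words
    for word in $1; do
        case "$word" in
            fips=1)        have_fips=0 ;;
            boot=UUID=?*)  have_boot=0 ;;
        esac
    done
    set +f
    if [ "$have_fips" -eq 0 ] && [ "$have_boot" -eq 0 ]; then return 0; fi
    return 1
}

# Return 0 if prelinking is disabled: the configuration file is absent (prelink
# not installed, which is the default) or it sets PRELINKING=no. An installed
# prelink without that setting is reported as a failure.
prelink_disabled() {
    conf="$1"
    [ -e "$conf" ] || return 0
    grep -q '^[[:space:]]*PRELINKING=no[[:space:]]*$' "$conf"
}

# Return 0 if the kernel's FIPS flag file reads exactly "1" (the final
# verification step of the procedure).
fips_flag_on() {
    flag="$1"
    if [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]; then return 0; fi
    return 1
}

# Run the three checks, print one PASS/FAIL line each, and return the number
# of failed checks (0 means every indicator agrees the system is in FIPS mode).
fips_audit() {
    failures=0
    if fips_cmdline_ok "$1"; then echo "PASS kernel command line has boot=UUID= and fips=1"
    else echo "FAIL kernel command line lacks boot=UUID= or fips=1"; failures=$((failures + 1)); fi
    if prelink_disabled "$2"; then echo "PASS prelinking disabled (or prelink not installed)"
    else echo "FAIL prelinking not disabled in $2"; failures=$((failures + 1)); fi
    if fips_flag_on "$3"; then echo "PASS $3 reads 1"
    else echo "FAIL $3 does not read 1 (fips=1 missing, or no reboot yet)"; failures=$((failures + 1)); fi
    return "$failures"
}

# Wrapper for a live host, using the paths named in the procedure.
audit_live() {
    fips_audit "$(cat /proc/cmdline)" /etc/sysconfig/prelink /proc/sys/crypto/fips_enabled
}

# Offline demonstration on constructed inputs: the kernel line from the
# documentation's grub.conf example and temporary stand-ins for the two files.
demo_cmdline='kernel /vmlinuz-4.1.12-61.1.28.el6uek.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS rhgb quiet boot=UUID=a305c68f-3e04-4c53-a566-9d67c12ff293 fips=1'
demo_dir=$(mktemp -d)
printf 'PRELINKING=no\n' > "$demo_dir/prelink"
printf '1\n' > "$demo_dir/fips_enabled"
fips_audit "$demo_cmdline" "$demo_dir/prelink" "$demo_dir/fips_enabled"
echo "failed checks: $?"
rm -rf "$demo_dir"
```

On a configured host, call audit_live (or run fips_audit with the real paths) after the reboot in step 8; a non-zero return count identifies which of the three settings still needs attention.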