7.2 Enabling FIPS Mode on Oracle Linux

You must enable FIPS mode on Oracle Linux prior to using FIPS validated cryptographic modules. The following procedure describes how to configure Oracle Linux to use only cryptographic algorithms that are FIPS validated.

Note

The following procedure applies to systems running Oracle Linux 7 Update 3, Oracle Linux 7 Update 5, or Oracle Linux 7 Update 6. However, it is recommended that you update the system for which you are enabling FIPS mode to Oracle Linux 7 Update 6, which is the latest Oracle Linux 7 update.

Note also that you cannot use FIPS cryptographic modules on Oracle Linux 7 systems that are running an update prior to Update 3.

  1. Ensure that the system is at Oracle Linux 7 Update 6.

  2. Ensure that your system is registered with the Unbreakable Linux Network (ULN) and that the ol7_x86_64_latest channel is enabled.

    Alternatively, you can enable the ol7_latest channel as follows:

    # yum-config-manager --enable ol7_latest
  3. Install the dracut-fips package.

    # yum install dracut-fips

    The dracut-fips package provides the modules to build a dracut initramfs file system that performs an integrity check.

  4. If the system CPU supports AES New Instructions (AES-NI), install the dracut-fips-aesni package.

    • Run the following command to check whether the system supports AES-NI:

      # grep aes /proc/cpuinfo
    • To install the package:

      # yum install dracut-fips-aesni
  5. Recreate the initramfs file system.

    # dracut -f
  6. Perform the following steps to re-configure the boot loader so that the system boots in FIPS mode:

    1. Identify the boot partition and the UUID of that partition. If /boot or /boot/efi resides on a separate partition, you must supply the kernel parameter boot=partition, where partition is the partition that holds /boot or /boot/efi.

      Identify the partition by running the df /boot or df /boot/efi command, for example:

      # df /boot
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/sda1         508588 294476    214112  58% /boot
      
      # blkid /dev/sda1
      /dev/sda1: UUID="6046308a-75fc-418e-b284-72d8bfad34ba" TYPE="xfs"
    2. As the root user, edit the /etc/default/grub file as follows:

      1. Add the fips=1 option to the boot loader configuration.

        GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet fips=1"
      2. If the contents of /boot reside on a partition other than the root partition, you must add the boot=UUID=boot_UUID parameter to the boot loader configuration to specify the device that is to be mounted on /boot when the kernel loads.

        GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet boot=UUID=6046308a-75fc-418e-b284-72d8bfad34ba fips=1"
      3. Save the changes.

        These steps are required for FIPS to perform its kernel validation checks, which verify the kernel against the HMAC file provided in the /boot directory.

        Note

        On systems that are configured to boot with UEFI, /boot/efi is located on a dedicated partition because it is formatted specifically to meet UEFI requirements; this does not automatically mean that /boot is located on a dedicated partition.

        Only use the boot= parameter if /boot is located on a dedicated partition. If the parameter is specified incorrectly or points to a non-existent device, the system might not boot.

        If your system is no longer able to boot, you can try to modify the kernel boot options in grub to specify an alternate device for the boot=UUID=boot_UUID parameter, or remove the parameter entirely.

  7. Rebuild the GRUB configuration as follows:

      • On BIOS-based systems, run the following command:

        # grub2-mkconfig -o /boot/grub2/grub.cfg
      • On UEFI-based systems, run the following command:

        # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  8. To ensure proper operation of the in-module integrity verification, prelinking must be disabled on all system files.

    By default, the prelink package is not installed on the system. However, if it is installed, disable prelinking on all libraries and binaries as follows:

    1. Set PRELINKING=no in the /etc/sysconfig/prelink configuration file.

    2. If the libraries were already prelinked, undo the prelink on all of the system files as follows:

      # prelink -u -a
  9. Reboot the system, then verify that FIPS is enabled by running the following command:

    # cat /proc/sys/crypto/fips_enabled
    1

    A response of 1 indicates that FIPS is enabled.
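As an added check that is not part of Oracle's documentation, the following POSIX shell helper verifies the state this procedure should leave the system in: fips=1 on the kernel command line, a boot=UUID value that matches the device actually holding /boot (and is absent when /boot lives on the root filesystem), the fips_enabled flag, and prelinking disabled. It assumes GRUB_CMDLINE_LINUX is written on a single line in /etc/default/grub; the function names and the --live/--pending options are my own.

```shell
#!/bin/sh
# Added verification helper, not from the Oracle documentation. Pure functions
# take their inputs as arguments (testable offline); the live checks run with
# --live (reads /proc/cmdline, after reboot) or --pending (reads /etc/default/grub).

# Return 0 if the kernel command line carries the fips=1 token.
fips_param_set() {
  case " $1 " in *" fips=1 "*) return 0 ;; esac
  return 1
}

# Print the value of boot=UUID=...; return 1 if the parameter is absent.
cmdline_boot_uuid() {
  for tok in $1; do
    case "$tok" in boot=UUID=*) printf '%s\n' "${tok#boot=UUID=}"; return 0 ;; esac
  done
  return 1
}

# Validate boot= against the filesystems holding /boot ($2) and / ($3). Prints "ok"
# or the reason and returns 1; a wrong boot= can leave the system unbootable.
check_boot_param() {
  uuid=$(cmdline_boot_uuid "$1") || uuid=""
  if [ "$2" = "$3" ]; then  # /boot is on the root fs: boot= must be absent
    [ -z "$uuid" ] && { echo ok; return 0; }
    echo "boot= is set but /boot is not a dedicated partition"; return 1
  fi
  [ "$uuid" = "$2" ] && { echo ok; return 0; }
  echo "boot=UUID=${uuid:-<missing>} does not match the /boot UUID $2"; return 1
}

# Return 0 unless the /etc/sysconfig/prelink text ($1) enables prelinking.
prelink_disabled() {
  ! printf '%s\n' "$1" | grep -q '^[[:space:]]*PRELINKING=yes'
}

# Run every check against a kernel command line ($1) on this system (blkid needs root).
report() {
  fips_param_set "$1" && echo "fips=1: present" || echo "fips=1: MISSING"
  echo "fips_enabled now: $(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)"
  boot_uuid=$(blkid -s UUID -o value "$(df --output=source /boot | tail -n 1)")
  root_uuid=$(blkid -s UUID -o value "$(df --output=source / | tail -n 1)")
  echo "boot= parameter: $(check_boot_param "$1" "$boot_uuid" "$root_uuid")"
  prelink_disabled "$(cat /etc/sysconfig/prelink 2>/dev/null)" \
    && echo "prelink: disabled or not installed" || echo "prelink: ENABLED"
}
case "${1:-}" in
  --live)    report "$(cat /proc/cmdline)" ;;
  --pending) report "$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' /etc/default/grub)" ;;
esac
```

Run it as root with --pending before the reboot in step 9 to catch a mistyped boot= UUID while the system is still bootable, and with --live afterwards to confirm the kernel actually came up in FIPS mode.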