The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

7.2 Enabling FIPS Mode on Oracle Linux

You must enable FIPS mode on Oracle Linux prior to using FIPS validated cryptographic modules. The following procedure describes how to configure Oracle Linux to use only cryptographic algorithms that are FIPS-validated.

  1. Depending on the type of FIPS module that you plan to install, do one of the following:

    • If you plan to install FIPS validated cryptographic modules for Oracle Linux, ensure that the system is running Oracle Linux 6 Update 9 or later.

    • If you plan to install the OpenSSL FIPS object module, ensure that the system is Oracle Linux 6 Update 5 or later.

  2. Ensure that your system is registered with the Unbreakable Linux Network (ULN) and that you are subscribed to the ol6_x86_64_security_validation and ol6_x86_64_latest channels.

    If you are using the Oracle Linux yum server, enable the ol6_security_validation and ol6_latest repositories as follows:

    # yum-config-manager --enable ol6_security_validation ol6_latest
  3. Install the dracut-fips package.

    # yum install dracut-fips

    The dracut-fips package provides the modules to build a dracut initramfs file system that performs an integrity check.

  4. If the system CPU supports AES New Instructions (AES-NI), install the dracut-fips-aesni package.

    • Run the following command to check whether the system supports AES-NI:

      # grep aes /proc/cpuinfo
    • To install the package:

      # yum install dracut-fips-aesni
  5. Recreate the initramfs file system.

    # dracut -f
  6. Perform the following steps to configure the kernel command line in the grub.conf file so that the system boots into FIPS mode:

    1. Identify the boot partition and the UUID of the partition, for example:

      # df /boot
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/sda1         508588 294476    214112  58% /boot
      
      # blkid /dev/sda1
      /dev/sda1: UUID="a305c68f-3e04-4c53-a566-9d67c12ff293" TYPE="xfs"
    2. As the root user, edit the /etc/grub.conf file as follows:

      1. Add the fips=1 option to the boot loader configuration.

        GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16
             rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto
             vconsole.keymap=uk rhgb quiet fips=1"
      2. If the contents of /boot reside on a partition other than the root partition, you must add the boot=UUID=boot_UUID parameter to the boot loader configuration to specify the device that is to be mounted on /boot when the kernel loads.

        GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16
             rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto
             vconsole.keymap=uk rhgb quiet
             boot=UUID=6046308a-75fc-418e-b284-72d8bfad34ba fips=1"
      3. Save the changes.

        These steps are required for FIPS to perform its kernel validation checks, in which the kernel is verified against the HMAC file that is provided in the /boot directory.

        Note

        On systems that are configured to boot with UEFI, /boot/efi is located on a dedicated partition because it is formatted specifically to meet UEFI requirements. This does not automatically mean that /boot is located on a dedicated partition.

        Only use the boot= parameter if /boot is located on a dedicated partition. If the parameter is specified incorrectly or points to a non-existent device, the system might not boot.

        If your system is no longer able to boot, you can try to modify the kernel boot options in grub to specify an alternate device for the boot=UUID=boot_UUID parameter, or remove the parameter entirely.

  7. Rebuild the GRUB configuration as follows:

      • On BIOS-based systems, run the following command:

        # grub2-mkconfig -o /boot/grub2/grub.cfg
      • On UEFI-based systems, run the following command:

        # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    1. To ensure proper operation of the in-module integrity verification, prelinking must be disabled on all system files.

      By default, the prelink package is not installed on the system. However, if it is installed, disable prelinking on all libraries and binaries as follows:

      1. Set PRELINKING=no in the /etc/sysconfig/prelink configuration file.

      2. If the libraries were already prelinked, undo the prelink on all of the system files as follows:

        # prelink -u -a
  8. Reboot the system, then run the following command to verify that FIPS is enabled:

    # cat /proc/sys/crypto/fips_enabled
    1

    A response of 1 indicates that FIPS is enabled.
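As an added example that is not part of the Oracle documentation, the following POSIX shell functions check the configuration the procedure above produces: fips=1 and the boot= parameter against the disk layout (steps 6 and 7), the prelink setting, and the fips_enabled value read in step 8. Inputs are passed as arguments so the checks can be run against the sample values shown above; the df, blkid and /proc reads in the trailing comment are an assumed invocation on a live host.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: sanity checks for the
# FIPS boot configuration built above. Inputs are passed as arguments so the
# functions can be run against captured values as well as a live system.

# Print the value of one key=value option from a kernel command line, e.g.
# cmdline_get "$cmdline" boot -> UUID=...; returns 1 when the option is absent.
cmdline_get() {
  for opt in $1; do
    case "$opt" in
      "$2="*) printf '%s\n' "${opt#*=}"; return 0 ;;
    esac
  done
  return 1
}

# Validate the command line against the disk layout (steps 6 and 7 above).
# $1 = kernel command line (GRUB_CMDLINE_LINUX value or /proc/cmdline)
# $2 = device backing /boot (df /boot), $3 = device backing /,
# $4 = UUID of the /boot device (blkid). Prints "ok" or the first problem.
check_fips_cmdline() {
  cmdline="$1"; boot_dev="$2"; root_dev="$3"; boot_uuid="$4"
  # fips=1 is what makes the kernel verify itself against the HMAC file.
  [ "$(cmdline_get "$cmdline" fips)" = 1 ] || { echo "fips=1 missing"; return 1; }
  boot_param=$(cmdline_get "$cmdline" boot || true)
  if [ "$boot_dev" != "$root_dev" ]; then
    # Dedicated /boot partition: the kernel needs boot=UUID=<that partition>.
    [ "$boot_param" = "UUID=$boot_uuid" ] ||
      { echo "boot= must be UUID=$boot_uuid, got '${boot_param:-none}'"; return 1; }
  else
    # /boot lives on the root filesystem: a boot= parameter may prevent booting.
    [ -z "$boot_param" ] || { echo "boot= set but /boot is not a dedicated partition"; return 1; }
  fi
  echo ok
}

# Prelink must be off for the in-module integrity checks. $1 = path to
# /etc/sysconfig/prelink; a missing file means the package is not installed.
prelink_disabled() {
  [ -f "$1" ] || return 0
  grep -q '^PRELINKING=no' "$1"
}

# Interpret the value read from /proc/sys/crypto/fips_enabled after reboot.
fips_enabled_value() { [ "$1" = 1 ]; }

# Live run on an Oracle Linux 6 host (assumed invocation, needs root):
#   bdev=$(df -P /boot | awk 'NR==2{print $1}'); rdev=$(df -P / | awk 'NR==2{print $1}')
#   check_fips_cmdline "$(cat /proc/cmdline)" "$bdev" "$rdev" "$(blkid -s UUID -o value "$bdev")"
```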