5 FIPS 140-2 Compliance in Oracle Linux 8

Oracle Linux provides a set of cryptographic libraries, services, and user-level cryptographic applications that are validated at the Federal Information Processing Standard (FIPS) Publication 140-2.

FIPS Publication 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements that must be satisfied by a cryptographic module that is used within a security system to protect sensitive, but unclassified information. The NIST/CSE Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information.

FIPS Validated Cryptographic Modules for Oracle Linux 8.4

The following table describes Oracle's FIPS 140-2 Level 1 certifications for cryptographic components that reside within Oracle Linux 8.4 for the x86_64 and AARCH64 platforms. The package versions that are listed reflect information that is found in the logical cryptographic boundary for the specific module.

Table: Cryptographic Module Name / Package Version / Certificate Number

Oracle Linux 8 OpenSSL Cryptographic Module
    Package version:    openssl-libs-1.1.1g-15.el8_3.x86_64
                        openssl-libs-1.1.1g-15.el8_3.aarch64
    Certificate number: 4215 (x86_64 and aarch64)

Oracle Linux 8 libgcrypt Cryptographic Module
    Package version:    libgcrypt-1.8.5-4.0.1.el8.x86_64
                        libgcrypt-1.8.5-4.0.1.el8.aarch64
    Certificate number: 4232 (x86_64 and aarch64)

Oracle Linux 8 NSS Cryptographic Module
    Package version:    nss-softokn-3.53.1-17.el8_3.x86_64
                        nss-softokn-3.53.1-17.el8_3.aarch64
    Certificate number: 4226 (x86_64 and aarch64)

Oracle Linux 8 GnuTLS Cryptographic Module
    Package version:    gnutls-3.6.14-8.0.1.el8.x86_64
                        gnutls-3.6.14-8.0.1.el8.aarch64
    Certificate number: 4229 (x86_64 and aarch64)

Oracle Linux Unbreakable Enterprise Kernel (UEK 6) Cryptographic Module
    Package version:    kernel-uek-5.4.17-2102.202.5.el8uek.x86_64
                        kernel-uek-5.4.17-2102.202.5.el8uek.aarch64
    Certificate number: 4211 (x86_64 and aarch64)

For the most recent information about FIPS validations involving Oracle Linux modules, see https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/certifications.html.

Where Packages for FIPS Validated Cryptographic Modules for Oracle Linux 8.4 Are Located

The following are the dedicated Unbreakable Linux Network (ULN) channels and yum repositories that contain the FIPS validated cryptographic modules for Oracle Linux 8.4:

x86_64 Platform:

  • ol8_x86_64_u4_security_validation ULN channel

  • ol8_u4_security_validation yum repository

aarch64 Platform:

  • ol8_aarch64_u4_security_validation ULN channel

  • ol8_u4_security_validation yum repository

Note that the ol8_u4_security_validation yum repository is a common repository name for the x86_64 and aarch64 platforms. This repository contains FIPS validated packages for both platforms.

For specific instructions on installing FIPS validated cryptographic modules, see Installing FIPS Validated Cryptographic Modules for Oracle Linux 8.

More Information About Modules That Have Received FIPS 140-2 Validation

The Oracle FIPS certifications site referenced above provides the following information for each module:

  • Name and description of the module.

  • Package version or versions for the module.

  • Status of the FIPS 140-2 validation process.

    Important:

    To achieve compliance with FIPS Publication 140-2, you must use only the package version that the Security Policy document specifies for each module. You cannot install and use other versions of the cryptographic modules.

  • Instructions on how to configure the module for FIPS mode. Refer to Section 10 of the Security Policy document when you install the module to verify that the package was FIPS 140-2 validated and ensure that you correctly enable the module for FIPS mode.

Configuring a System in FIPS Mode

The following procedures describe how to enable and disable FIPS mode on an Oracle Linux 8 system. Note that the method for enabling and disabling FIPS mode in this release has changed significantly from the method that was used in previous Oracle Linux releases. In particular, the dracut-fips package no longer exists, so you do not need to install it to enable FIPS mode on Oracle Linux 8. Also, you no longer need to edit the GRUB configuration file. Instead, you use the fips-mode-setup utility to set up and configure FIPS mode, as described in the following procedure.

Note:

For more information about enabling FIPS mode in Oracle Linux containers, see the Managing Containers chapter in the Oracle Linux: Podman User's Guide.

Enabling FIPS Mode

  1. To enable FIPS mode on the system, run the following command:

    sudo fips-mode-setup --enable

    The following output is displayed:

    Setting system policy to FIPS
    FIPS mode will be enabled.
    Please reboot the system for the setting to take effect.

    You must reboot the system for the setting to take effect.

    Running the previous command configures FIPS mode implicitly by setting the system-wide cryptographic policy to FIPS. Note that using the update-crypto-policies command to set FIPS mode is not sufficient, as shown in the following output:

    sudo update-crypto-policies --set FIPS

    The following output is displayed:

    Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for FIPS compliance.
    Use 'fips-mode-setup --enable' command instead.
  2. Verify that FIPS is enabled by running any of the following commands:

    sudo fips-mode-setup --check
    sudo update-crypto-policies --show
    sudo cat /etc/system-fips
    sudo sysctl crypto.fips_enabled
    crypto.fips_enabled = 1

    For the command output in the last example, a response of 1 indicates that FIPS is enabled.

Disabling FIPS Mode

If you need to disable FIPS mode for any reason, run the following command:

sudo fips-mode-setup --disable
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be disabled.
Please reboot the system for the setting to take effect.

You must reboot the system for the setting to take effect.

Installing FIPS Validated Cryptographic Modules for Oracle Linux 8

After you enable FIPS mode on Oracle Linux 8, you can then install FIPS validated cryptographic modules, as required. For information about where packages for FIPS validated cryptographic modules are located, see Where Packages for FIPS Validated Cryptographic Modules for Oracle Linux 8.4 Are Located.

The following information applies to systems that are running an Oracle Linux 8 release that includes support for installing and enabling FIPS cryptographic modules.

Note:

You cannot use FIPS cryptographic modules on Oracle Linux 8 systems that are running an update earlier than Oracle Linux 8.4.

To install FIPS validated cryptographic modules, refer to Section 10 of the Security Policy document for the FIPS module that you plan to install.

The Security Policy document explains how to verify that the package is FIPS 140-2 validated, as well as how to configure the module for FIPS mode. Refer to FIPS Validated Cryptographic Modules for Oracle Linux 8.4 for the certificate number, which includes a link to the NIST FIPS 140 validation page. This page provides details about FIPS certification and the Security Policy document.
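The following audit script is an added example and is not part of the Oracle documentation. It combines the two checks this chapter calls for: the FIPS-mode verification from the Enabling FIPS Mode procedure (kernel flag and /etc/system-fips) and the requirement that installed packages match exactly the validated versions from the Oracle Linux 8.4 table. It assumes that sysctl crypto.fips_enabled is backed by /proc/sys/crypto/fips_enabled and uses only the x86_64 package versions from the table.

```shell
#!/bin/bash
# Added example (not Oracle's code): audit FIPS mode and validated package versions.
# Assumption: sysctl crypto.fips_enabled reads /proc/sys/crypto/fips_enabled.

# Validated x86_64 package versions, copied from the Oracle Linux 8.4 table above.
VALIDATED_PACKAGES='openssl-libs-1.1.1g-15.el8_3.x86_64
libgcrypt-1.8.5-4.0.1.el8.x86_64
nss-softokn-3.53.1-17.el8_3.x86_64
gnutls-3.6.14-8.0.1.el8.x86_64'

# fips_flag [FILE]: print the kernel FIPS flag read from FILE.
# Returns 0 when the flag is 1, 1 when it is 0, 2 when the file is unreadable.
fips_flag() {
  local flagfile="${1:-/proc/sys/crypto/fips_enabled}" value
  [ -r "$flagfile" ] || { echo "unreadable"; return 2; }
  read -r value < "$flagfile"
  echo "$value"
  [ "$value" = "1" ]
}

# is_validated NVRA: succeed only if NVRA is exactly one of the validated versions.
# Exact match matters: a newer errata build is not covered by the certificate.
is_validated() {
  printf '%s\n' "$VALIDATED_PACKAGES" | grep -qxF -- "$1"
}

# audit_packages: compare each installed package with its validated version.
# Returns the number of installed packages whose version is not the validated one.
audit_packages() {
  local nvra name installed drift=0
  command -v rpm >/dev/null || { echo "rpm not available; skipping package check"; return 0; }
  for nvra in $VALIDATED_PACKAGES; do
    name="${nvra%%-[0-9]*}"   # strip version/release/arch: openssl-libs-1.1.1g-... -> openssl-libs
    installed=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' "$name" 2>/dev/null) || continue
    if is_validated "$installed"; then
      echo "OK        $installed"
    else
      echo "MISMATCH  $installed (validated: $nvra)"; drift=$((drift + 1))
    fi
  done
  return "$drift"
}

# audit_system: report the same indicators the verification step lists, then the packages.
audit_system() {
  echo "kernel fips_enabled = $(fips_flag)"
  if [ -e /etc/system-fips ]; then echo "/etc/system-fips present"; else echo "/etc/system-fips missing"; fi
  audit_packages
}

case "${1:-}" in audit) audit_system ;; esac
```

Run it as `bash fips-audit.sh audit` on the target system; a non-zero exit status means at least one installed package differs from its validated version.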