To put your system (kernel and user space) into FIPS mode, follow these steps:
1. Enable FIPS mode in the kernel:
The `fips=1` kernel option needs to be added to the kernel command line so that key
generation is done with FIPS-approved algorithms and the continuous monitoring
(self-)tests are in place:
...
[ 0.000000] Linux version 5.3.0-yoctodev-standard (oe-user@oe-host) (gcc version 9.2.0 (GCC)) #1 SMP PREEMPT Sun Sep 22 07:03:58 UTC 2019
[ 0.000000] Command line: root=/dev/vda rw highres=off console=ttyS0 fips=1
[ 0.281178] alg: self-tests for rsa-generic (rsa) passed
[ 0.283124] alg: self-tests for cipher_null-generic (cipher_null) passed
[ 0.284199] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed
[ 0.285596] alg: self-tests for sha1-generic (sha1) passed
[ 0.287474] alg: self-tests for sha256-generic (sha256) passed
[ 0.289138] alg: self-tests for sha224-generic (sha224) passed
[ 0.290277] alg: self-tests for des3_ede-generic (des3_ede) passed
[ 0.292005] alg: self-tests for aes-generic (aes) passed
[ 0.294431] alg: self-tests for crc32c-generic (crc32c) passed
[ 0.295046] alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed
[ 0.296927] alg: self-tests for drbg_pr_hmac_sha384 (stdrng) passed
[ 0.298001] alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed
[ 0.301064] alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed
[ 0.303057] alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed
[ 0.304026] alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed
[ 0.304999] alg: self-tests for drbg_nopr_hmac_sha384 (stdrng) passed
[ 0.306001] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed
[ 0.307377] alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed
[ 0.311120] DRBG: Continuing without Jitter RNG
[ 0.316952] alg: self-tests for ecdh-generic (ecdh) passed
[ 0.996938] alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed
[ 3.330824] alg: self-tests for cbc(aes-generic) (cbc(aes)) passed
...
Kernel FIPS mode verification
You have two options:
1) cat /proc/sys/crypto/fips_enabled
2) sysctl crypto.fips_enabled
NOTE: 1 indicates enabled, while 0 indicates disabled.
2. Enable FIPS mode in user space (enabled by default)
The presence of the file /etc/system-fips is used to determine whether a FIPS module
is installed and FIPS mode is enabled in user space.
1) openssh:
- sshd
2019-09-22T12:20:04.631097+00:00 qemux86-64 sshd[437]: FIPS mode initialized
- ssh
# ssh root@localhost
FIPS mode initialized
- ssh-keygen
# ssh-keygen -A
ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode
NOTE: Once openssh runs in FIPS mode, the openssh ptest will fail, because its
test cases do not take FIPS mode support into account.
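The checks from steps 1 and 2 gathered into one script, as an added example that is not part of this document or the layer it describes. ROOT is an assumed path prefix so the functions can be pointed at a staged directory tree; an empty ROOT inspects the live system.

```shell
#!/bin/sh
# Added example, not part of the original document: report whether FIPS mode
# was requested, whether the kernel honoured it, and whether user space is in
# FIPS mode, using the files named above.  ROOT is an assumed prefix so the
# checks can be pointed at a staged tree; an empty ROOT inspects the live system.

# Exit 0 if fips=1 is on the kernel command line.
fips_requested() {
    f="$1/proc/cmdline"
    [ -r "$f" ] && tr ' ' '\n' < "$f" | grep -qx 'fips=1'
}

# Kernel state: enabled, disabled, or absent (no fips_enabled sysctl at all,
# e.g. a kernel built without CONFIG_CRYPTO_FIPS).
fips_kernel_state() {
    f="$1/proc/sys/crypto/fips_enabled"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# User-space state, taken from the /etc/system-fips marker file.
fips_userspace_state() {
    [ -e "$1/etc/system-fips" ] && echo enabled || echo disabled
}

# Algorithms whose kernel self-tests passed, one per line, read from a saved
# dmesg file given as $1 or from stdin when no file is given.
passed_selftests() {
    sed -n 's/.*alg: self-tests for \([^ ]*\) (.*) passed.*/\1/p' ${1:+"$1"}
}

# Verdict: prints ok and exits 0, or prints the first mismatch and exits 1.
fips_check() {
    k=$(fips_kernel_state "$1")
    u=$(fips_userspace_state "$1")
    if ! fips_requested "$1"; then
        echo "fips=1 not on kernel command line"; return 1
    elif [ "$k" != enabled ]; then
        echo "kernel reports fips_enabled=$k"; return 1
    elif [ "$u" != enabled ]; then
        echo "/etc/system-fips missing: user space not in FIPS mode"; return 1
    fi
    echo ok
}
```

On a live system run `fips_check ""` after boot; `dmesg | passed_selftests` lists the algorithms whose power-on self-tests passed.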