On 03/14/2017 08:42 PM, Rob Crittenden wrote:
Standa Laznicka wrote:
On 03/14/2017 04:21 PM, Rob Crittenden wrote:
Standa Laznicka wrote:
On 03/14/2017 03:14 PM, Martin Basti wrote:
On 14.03.2017 14:56, Luc de Louw wrote:
My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does it work in Fedora? Should be worth mentioning it so people are
more encouraged to test it in Fedora before it's getting to RHEL 7.4

Thanks,

Luc
We cannot guarantee that FIPS mode will work with Fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.
I can't believe this is correct. Did you try it and it failed? Did you
file bugs?
Yes, yes and no. Please see the header at this page:
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?
It was the only document I found really mentioning FIPS at the time. There are no instructions on how to set Fedora to FIPS mode, so we used the RHEL guidelines and the boot failed, but the instructions do not necessarily have to work for Fedora.
We tried to set up Fedora for FIPS in RHEV but the machine would not
even start.
Fedora 25 works for me in libvirt.

crypto.fips_enabled is 1.

It is enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.

rob

The dracut-fips and dracut-fips-aesni packages are both available.
I will check dracut-fips at my earliest convenience; I did not notice it when we started working on FIPS for FreeIPA, thanks.

# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

So the basic stuff is there and the kernel knows what FIPS is.

Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).

rob


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
