Refer to the RedHat/Fedora/SUSE/Oracle/IBM ways:

1. Add `fips=1' to the kernel options to enable FIPS mode in the kernel.
2. File /etc/system-fips determines whether FIPS mode is enabled in user space (currently openssh only).

Refer:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://access.redhat.com/discussions/3293631
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131007/1124363.html
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lgdd/lgdd_r_fipsparm.html
https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2323738_1.html

Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
---
 README.enable_fips | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 README.enable_fips

diff --git a/README.enable_fips b/README.enable_fips
new file mode 100644
index 0000000..8016346
--- /dev/null
+++ b/README.enable_fips
@@ -0,0 +1,56 @@ +To turn your system (kernel and user space) into FIPS mode, follow these steps: + +1. Enable FIPS mode in kernel: +The `fips=1' kernel option needs to be added to the kernel command line so that key +generation is done with FIPS approved algorithms and continuous monitoring tests in +place: +... +[ 0.000000] Linux version 5.3.0-yoctodev-standard (oe-user@oe-host) (gcc version 9.2.0 (GCC)) #1 SMP PREEMPT Sun Sep 22 07:03:58 UTC 2019 +[ 0.000000] Command line: root=/dev/vda rw highres=off console=ttyS0 fips=1 +[ 0.281178] alg: self-tests for rsa-generic (rsa) passed +[ 0.283124] alg: self-tests for cipher_null-generic (cipher_null) passed +[ 0.284199] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed +[ 0.285596] alg: self-tests for sha1-generic (sha1) passed +[ 0.287474] alg: self-tests for sha256-generic (sha256) passed +[ 0.289138] alg: self-tests for sha224-generic (sha224) passed +[ 0.290277] alg: self-tests for des3_ede-generic (des3_ede) passed +[ 0.292005] alg: self-tests for aes-generic (aes) passed +[ 0.294431] alg: self-tests for crc32c-generic (crc32c) passed +[ 0.295046] alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed +[ 0.296927] alg: self-tests for drbg_pr_hmac_sha384 (stdrng) passed +[ 0.298001] alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed +[ 0.301064] alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed +[ 0.303057] alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed +[ 0.304026] alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed +[ 0.304999] alg: self-tests for drbg_nopr_hmac_sha384 (stdrng) passed +[ 0.306001] alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed +[ 0.307377] alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed +[ 0.311120] DRBG: Continuing without Jitter RNG +[ 0.316952] alg: self-tests for ecdh-generic (ecdh) passed +[ 0.996938] alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed +[ 3.330824] alg: self-tests for cbc(aes-generic) (cbc(aes)) 
passed +... + +Kernel FIPS mode verification +You have two options: +1) cat /proc/sys/crypto/fips_enabled +2) sysctl crypto.fips_enabled + +NOTE: 1 indicates enabled, while 0 indicates disabled. + + +2. Enable FIPS mode in user space (default yes) +File /etc/system-fips to determine if a FIPS module is installed and +FIPS mode is enabled + +1) openssh: +- sshd +2019-09-22T12:20:04.631097+00:00 qemux86-64 sshd[437]: FIPS mode initialized + +- ssh +# ssh root@localhost +FIPS mode initialized + +- ssh-keygen +# ssh-keygen -A +ssh-keygen: generating new host keys: DSA DSA keys are not allowed in FIPS mode -- 2.7.4 -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
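Review bot: Step 2 ("Enable FIPS mode in user space (default yes)") never tells the reader what to do: it names /etc/system-fips as the marker file but gives no command that creates it and does not explain what "(default yes)" means (is the file shipped in the image, or does the user have to create it?). The opening line promises steps to "turn your system (kernel and user space) into FIPS mode", yet this section only shows evidence that openssh has read the file (the "FIPS mode initialized" messages), so please state how the file gets onto the system and which packages honour it (the commit message says openssh only). Two smaller points in the same hunk: the `ssh-keygen -A` output "DSA keys are not allowed in FIPS mode" should be labelled as the expected result, otherwise a reader may take it for a failure; and the kernel verification step (`cat /proc/sys/crypto/fips_enabled` / `sysctl crypto.fips_enabled`) should mention that this sysctl only exists when the kernel is built with CONFIG_CRYPTO_FIPS, so "file not found" means the kernel has no FIPS support at all rather than that FIPS mode is disabled.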