FIPS installed but not working

This document (7016636) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 (SLES 12)
Federal Information Processing Standard (FIPS)


Situation

FIPS is installed, but does not seem to be working in kernel space.

The /etc/default/grub file shows:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts"

The /proc/cmdline shows:
BOOT_IMAGE=/vmlinuz-3.12.28-4-default root=UUID=1ba8a531-3b16-464d-8b80-d9260b4381a7 showopts

The /proc/sys/crypto/fips_enabled shows:
0

Resolution

Finish configuring FIPS:
1. Edit /etc/default/grub
2 Add "fips=1" to GRUB_CMDLINE_LINUX_DEFAULT.
2.1 If you don't have a separate boot partition, it may look like this:

GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts fips=1"

2.2 If you have a separate boot partition you need to add the boot= parameter as well. For example if /boot is mounted on /dev/sda1, the variable may look like this:

GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts fips=1 boot=/dev/sda1"

3. Run grub2-mkconfig -o /boot/grub2/grub.cfg to remake the grub.cfg file.
4. Run mkinitrd
5. Reboot

2.3 If you do not have a separate boot partition, DO NOT use boot=/dev/sda1. The device is usually the vfat /boot/efi device and will result in an error 'Warning: dracut: FATAL: FIPS integrity test failed'. To see if you have a separate boot partition run: mount | grep boot. If there is no /boot mount point, you do not have a separate boot partition and boot= will cause a boot failure.



Cause

FIPS is not configured properly to run in kernel mode.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7016636
  • Creation Date: 25-Jun-2015
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center