FIPS installed but not working
This document (7016636) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12 (SLES 12)
Federal Information Processing Standard (FIPS)
The /etc/default/grub file shows:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts"
The /proc/cmdline shows:
BOOT_IMAGE=/vmlinuz-3.12.28-4-default root=UUID=1ba8a531-3b16-464d-8b80-d9260b4381a7 showopts
The /proc/sys/crypto/fips_enabled shows:
1. Edit /etc/default/grub
2 Add "fips=1" to GRUB_CMDLINE_LINUX_DEFAULT.
2.1 If you don't have a separate boot partition, it may look like this:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts fips=1"
2.2 If you have a separate boot partition you need to add the boot= parameter as well. For example if /boot is mounted on /dev/sda1, the variable may look like this:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/disk/by-label/swapspace splash=silent quiet showopts fips=1 boot=/dev/sda1"
3. Run grub2-mkconfig -o /boot/grub2/grub.cfg to remake the grub.cfg file.
4. Run mkinitrd
2.3 If you do not have a separate boot partition, DO NOT use boot=/dev/sda1. The device is usually the vfat /boot/efi device and will result in an error 'Warning: dracut: FATAL: FIPS integrity test failed'. To see if you have a separate boot partition run: mount | grep boot. If there is no /boot mount point, you do not have a separate boot partition and boot= will cause a boot failure.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7016636
- Creation Date: 25-Jun-2015
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: email@example.com