Bug 1009708
Summary: | FIPS-140 updates needed | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Steve Grubb <sgrubb> |
Component: | anaconda | Assignee: | Anaconda Maintenance Team <anaconda-maint-list> |
Status: | CLOSED NOTABUG | QA Contact: | Release Test Team <release-test-team-automation> |
Severity: | high | Docs Contact: | |
Priority: | urgent | ||
Version: | 6.5 | CC: | arubin, dgregor, ebenes, lkocman, notting, rrelyea, sforsber, sgrubb |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-09-26 17:04:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 968473 |
Description
Steve Grubb
2013-09-18 23:29:57 UTC
The request is fine, but in order to avoid a future where changes to FIPS require a change in anaconda, let's establish some conventions: 1) All packages required for FIPS that are special case should be in a @fips group defined in comps. This data is maintained outside of anaconda, but is read by anaconda at install time. 2) When fips=1 is passed, anaconda can simply ensure that the @fips group is explicitly added to the package install set. This avoids us having to maintain a list of packages in anaconda. Does this sound reasonable to everyone? If so, we need another bug to handle the comps changes (#1). We can use this bug to handle #2. Can we get agreement on a solution and devel ack this blocker bug for 6.5? You're asking us to move heaven and earth to create a new installation paradigm for fips systems A MONTH AFTER DEVEL FREEZE. Why wasn't this brought up at any point earlier during 6.5 development? Well, the NIST requirements are very new. We have been wresting with a solution and trying to get all the pieces in place. This part of the problem was discovered earlier this week when someone was trying to do a FIPS install. There may be some misunderstanding of the "ask" here. What we need is -fips files to be in the install media. In know crypt-setup will have one. I don't know if nss, openssl, or openssh is used during install. But that is about the extent of it. There is the secondary issue of wanting -fips files to wind up in the installed system if the install kernel is booted with fips=1. *** Bug 1011225 has been marked as a duplicate of this bug. *** |