Bug 1012626

Summary: [FIPS140] dracut-fip updates needed for certification
Product: Red Hat Enterprise Linux 6 Reporter: Steve Grubb <sgrubb>
Component: dracutAssignee: Harald Hoyer <harald>
Status: CLOSED ERRATA QA Contact: Marian Ganisin <mganisin>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.5CC: borgan, dracut-maint-list, ebenes, jrieden, mganisin, notting, omoris, sforsber, tlavigne, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: dracut-004-330.el6 Doc Type: Enhancement
Doc Text:
Feature: A file marker /etc/system-fips should be present, if the rpm package dracut-fips is installed. Reason: We need have a stable file location for fips product determination. NIST has new requirements that causes us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product.
 Story Points: ---
Clone Of:
: 1014284 (view as bug list) Environment:
Last Closed: 2013-11-21 21:58:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 968473    

Description Steve Grubb 2013-09-26 18:15:36 UTC 
Description of problem:
The current FIPS-140 certification needs some updates so that we can continue the certification.

1) We need have a stable file location for fips product determination. NIST has new requirements that causes us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product. On RHEL6 & 7 the dracut-fips files moved around a lot. So, its hard to have a solution for both OS. 

2) we switch to fips-check for kernel verification. Currently nss is used to validate the kernel's integrity. Nss will not be certified on 6.5 but we need to certify the kernel. Therefore we need to switch from nss based integrity check to fips-check based.

3) Doublecheck that the new cipher added in the kernel is also in the initramfs. A new AES-GCM kernel module was added to the FIPS certification. We need to make sure its preloaded like the other approved crypto modules.
Comment 1 Steve Grubb 2013-10-01 17:08:21 UTC 
The modules that were added in 6.5 are:

gcm(aes)
cts(cbc(aes)
gcm(aes-aesni)
ctr(aes-aesni)
cts(cbc(aes-aesni))
Comment 6 Harald Hoyer 2013-10-02 10:09:40 UTC 
changed the file from /etc/redhat-fips to /etc/system-fips

dracut-004-330.el6
Comment 9 errata-xmlrpc 2013-11-21 21:58:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1674.html