Bug 1014284

Summary: [FIPS140] dracut-fips updates needed for certification
Product: Red Hat Enterprise Linux 7
Reporter: Steve Grubb <sgrubb>
Component: dracut
Assignee: dracut-maint
Status: CLOSED CURRENTRELEASE
QA Contact: Release Test Team <release-test-team-automation>
Severity: high
Priority: urgent
Version: 7.0
CC: borgan, dracut-maint-list, ebenes, harald, ljozsa, rvokal, sforsber, sgrubb, tmraz
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: dracut-033-4.el7
Doc Type: Bug Fix
Story Points: ---
Clone Of: 1012626
Last Closed: 2014-06-13 11:38:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Steve Grubb 2013-10-01 15:49:31 UTC
+++ This bug was initially created as a clone of Bug #1012626 +++

Description of problem:
The current FIPS-140 certification needs some updates so that we can continue the certification.

We need to have a stable file location for FIPS product determination. NIST has new requirements that cause us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product. On RHEL 6 & 7 the dracut-fips files moved around a lot, so it's hard to have a solution for both OSes.

Comment 4 Harald Hoyer 2013-10-02 10:07:34 UTC
dracut-033-4.el7

changed the file from /etc/redhat-fips to /etc/system-fips

Comment 6 Ladislav Jozsa 2014-03-24 11:58:21 UTC
Verified with dracut-033-150.el7, RHEL-7.0-20140320.0.

(In reply to Steve Grubb from comment #3)
> Based on the problem description
> 
> 1) a file is being added at /etc/redhat-fips. We just need to make sure it's
> there.

/etc/system-fips present, see c#4.

> 2) is a no-op. dracut already uses sha512hmac.
> 3) need to ensure the kernel modules in comment #1 are being loaded. This
> can be done by inspecting an initramfs built by the new dracut to see if the
> modules are present and the script loads them.

I did an inspection inside the running initramfs with the following results.

gcm modules:
gcm(aes)
gcm(aes-aesni)
# cat /proc/modules | grep -w gcm
gcm 23457 0 - Live 0xffffffffa0257000

# dmesg | grep -w gcm
[   13.047514] alg: self-tests for gcm_base(ctr(aes-asm),ghash-generic) (gcm(aes)) passed
[   13.047873] alg: self-tests for gcm(aes) (gcm(aes)) passed

cts modules:
cts(cbc(aes))
cts(cbc(aes-aesni))

# cat /proc/modules | grep -w cts
cts 12854 0 - Live 0xffffffffa022d000

no match for cts in dmesg | grep -w cts

ctr module:
ctr(aes-aesni)

no module named ctr, however dmesg | grep -w ctr reveals:

[   13.015579] alg: self-tests for ctr(aes-asm) (ctr(aes)) passed
[   13.015866] alg: self-tests for ctr(aes) (ctr(aes)) passed
[   13.035801] alg: self-tests for rfc3686(ctr(aes-asm)) (rfc3686(ctr(aes))) passed
[   13.036102] alg: self-tests for rfc3686(ctr(aes)) (rfc3686(ctr(aes))) passed
[   13.047514] alg: self-tests for gcm_base(ctr(aes-asm),ghash-generic) (gcm(aes)) passed
[   13.058113] alg: self-tests for ccm_base(ctr(aes-asm),aes-asm) (ccm(aes)) passed
[   13.079691] alg: self-tests for rfc4309(ccm_base(ctr(aes-asm),aes-asm)) (rfc4309(ccm(aes))) passed

Steve, is it ok?
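The checks walked through in comment 6 (marker file present, module listed in /proc/modules, "alg: self-tests ... passed" in dmesg), as an added example that is not part of the bug report or of dracut itself: the same evidence is combined into one verdict per algorithm and run on constructed sample output. The /proc/modules addresses and the cbc failure line are invented to exercise the code paths.

```bash
#!/bin/bash
# Added example, not from the bug report: turns the manual checks in comment 6
# into reusable functions and runs them on constructed sample output.

# Constructed /proc/modules lines (sizes and addresses are made up).
SAMPLE_MODULES='gcm 23457 0 - Live 0xffffffffa0257000
cts 12854 0 - Live 0xffffffffa022d000'

# Constructed dmesg lines; the cbc "failed" line is invented to test that path.
SAMPLE_DMESG='[   13.015866] alg: self-tests for ctr(aes) (ctr(aes)) passed
[   13.047514] alg: self-tests for gcm_base(ctr(aes-asm),ghash-generic) (gcm(aes)) passed
[   13.047873] alg: self-tests for gcm(aes) (gcm(aes)) passed
[   13.050000] alg: self-tests for cbc(aes) (cbc(aes)) failed'

# fips_marker_present ROOT: dracut-033-4.el7 installs the marker as /etc/system-fips
fips_marker_present() { [ -f "$1/etc/system-fips" ]; }

# module_loaded NAME MODULES_TEXT: true if NAME is the module name of some line
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# selftest_status NAME DMESG_TEXT: prints passed, failed or none, counting only
# NAME(...) lines (gcm_base(...) and rfc3686(ctr(...)) do not count as gcm or ctr).
selftest_status() {
    printf '%s\n' "$2" | awk -v a="$1" '
        sub(/.*alg: self-tests for /, "") && index($1, a "(") == 1 {
            if ($NF == "passed") p = 1; else f = 1
        }
        END { print (f ? "failed" : (p ? "passed" : "none")) }'
}

# fips_alg_verdict NAME MODULES_TEXT DMESG_TEXT: combines both kinds of evidence
# the way comment 6 does: ctr had no module but passed self-tests (builtin),
# cts was a loaded module with no self-test line (loaded-untested).
fips_alg_verdict() {
    st=$(selftest_status "$1" "$3")
    if [ "$st" = failed ]; then echo failed; return 1; fi
    if module_loaded "$1" "$2"; then
        if [ "$st" = passed ]; then echo ok; else echo loaded-untested; fi
    elif [ "$st" = passed ]; then echo builtin
    else echo missing; return 1
    fi
}

for alg in gcm cts ctr; do
    printf '%s: %s\n' "$alg" "$(fips_alg_verdict "$alg" "$SAMPLE_MODULES" "$SAMPLE_DMESG")"
done
```

On a real system the same functions take `"$(cat /proc/modules)"` and `"$(dmesg)"` as arguments and `/` as the root for the marker check.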

Comment 7 Steve Grubb 2014-03-27 00:12:51 UTC
As best as I can tell, it looks OK. If we have any more changes, we'll address it on RHEL 7.1. Thanks.

Comment 8 Ludek Smid 2014-06-13 11:38:41 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.