Bug 1654645

Summary: fips-mode-setup --disable is incomplete
Product: Red Hat Enterprise Linux 8 Reporter: Ondrej Moriš <omoris>
Component: crypto-policiesAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.0CC: nmavrogi
Target Milestone: rc   
Target Release: 8.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-30 08:35:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2018-11-29 10:30:39 UTC 
Description of problem:

Disabling FIPS mode using fips-mode-setup --disable has the following issues:

a) /etc/system-fips is not deleted
   
b) dracut fips modules is not removed and initramsfs is not 
   re-generated 

Version-Release number of selected component (if applicable):

crypto-policies-20181026-1.gitcc78cb7.el8.noarch

How reproducible:

Always

Steps to Reproduce:

1. Enable fips mode: fips-mode-setup --enable
2. Reboot
3. Disable fips mode: fips-mode-setup --disable
4. Reboot
5. Check dracut configuration, initramfs and /etc/system-fips.

Actual results:

Correct:

* Bootloader configuration is upated correctly
* FIPS mode is turned-off in kernel

Incorrect:

* /etc/system-fips is present
* etc/system-fips is present in initramfs
* dracut contains fips module 
* initramfs created in step (1) is not updated in (3)

Expected results:

* Bootloader configuration is upated correctly
* FIPS mode is turned-off in kernel
* /etc/system-fips is not present
* etc/system-fips is not present in initramfs
* dracut does not contains fips module 
* initramfs is re-generated in (3)

Additional info:

Moreover, fips-mode-setup --check does not detect this inconsistency (reports that FIPS mode is disabled and returns 0).
Comment 1 Tomas Mraz 2018-11-30 08:35:18 UTC 
Yes, this is expected behavior implemented as required by FIPS 140-2 Implementation Guidance. The effect of fips-finish-install is and must be irreversible.
Comment 5 Ondrej Moriš 2018-11-30 10:53:22 UTC 
Thank you both. I also discussed with this with Tomas privately and now it makes sense to me. I did checked documentation and man page FIPS-FINISH-INSTAL(8) is quite clear about this: "[T]he completion of the installation cannot be undone. The system has to be reinstalled if the FIPS modules are not supposed to be installed anymore." Since we cannot really expect anyone to toggle between FIPS mode enabled and disabled I think this explanation is sufficient (in a combination with fips-mode-setup(8) man page). We should only make sure that components related to modules behave the same way as on the system where FIPS mode was never turned on.