Bug 753296

Summary: [RFE] Enable FIPS mode
Product: [Retired] oVirt
Reporter: Perry Myers <pmyers>
Component: ovirt-node
Assignee: Fabian Deutsch <fdeutsch>
Status: CLOSED WONTFIX
QA Contact: bugs <bugs>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, fdeutsch, hadong, harald, iheim, leiwang, ovirt-bugs, ovirt-maint, pwouters, sgrubb
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: node
Fixed In Version: 2.7.0
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-22 12:27:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Perry Myers 2011-11-11 20:09:07 UTC
Description of problem:
Enable FIPS via default kernel cmdline parameter. Figure out what breaks when FIPS is enabled, and fix those issues. Ideally we can enable FIPS for all variants/versions of oVirt Node.

Comment 1 Alan Pevec 2011-11-12 09:20:15 UTC
When I tried it on rhevh ISO, fips dracut module required kernel hmac file[1] which is currently not handled by livecd-creator (only initramfs and vmlinuz are copied to isolinux folder) so that needs to be fixed first.

On a normal RHEL-6 system, this is provided by the kernel RPM e.g.
/boot/.vmlinuz-2.6.32-217.el6.x86_64.hmac
but I don't see that in F16 kernel RPM. How is FIPS, if at all, working in Fedora?

[1] http://git.kernel.org/?p=boot/dracut/dracut.git;a=blob;f=modules.d/01fips/fips.sh;h=67eefb819bfb3b61076c14b2d06380f546083de9;hb=HEAD#l64

Comment 2 Mike Burns 2012-04-17 13:33:20 UTC
*** Bug 794868 has been marked as a duplicate of this bug. ***

Comment 4 Paul Wouters 2012-05-09 21:25:28 UTC
I understood this is all moved from dracut into systemd

Comment 5 Steve Grubb 2012-05-10 12:52:34 UTC
It can't move away from dracut due to needing to check the kernel for integrity during stage2. Someone misspoke or confused this with another feature.

Comment 6 Fabian Deutsch 2013-11-28 15:20:24 UTC
Harald,

did you merge the latest FIPS dracut changes into upstream?

Comment 7 Itamar Heim 2014-02-13 18:30:59 UTC
pushing to target release 3.5, assuming it's not planned for 3.4 at this point...

Comment 8 Harald Hoyer 2014-03-14 10:42:18 UTC
(In reply to Fabian Deutsch from comment #6)
> Harald,
> 
> did you merge the latest FIPS dracut changes into upstream?

yes

Comment 9 Itamar Heim 2014-06-22 12:27:06 UTC
Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.