Description of problem:
The current FIPS-140 certification needs some updates so that we can continue the certification.
1) We need have a stable file location for fips product determination. NIST has new requirements that causes us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product. On RHEL6 & 7 the dracut-fips files moved around a lot. So, its hard to have a solution for both OS.
2) we switch to fips-check for kernel verification. Currently nss is used to validate the kernel's integrity. Nss will not be certified on 6.5 but we need to certify the kernel. Therefore we need to switch from nss based integrity check to fips-check based.
3) Doublecheck that the new cipher added in the kernel is also in the initramfs. A new AES-GCM kernel module was added to the FIPS certification. We need to make sure its preloaded like the other approved crypto modules.
The modules that were added in 6.5 are:
changed the file from /etc/redhat-fips to /etc/system-fips
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.