Bug 1012626 - [FIPS140] dracut-fip updates needed for certification
[FIPS140] dracut-fip updates needed for certification
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dracut (Show other bugs)
6.5
Unspecified Unspecified
urgent Severity high
: rc
: ---
Assigned To: Harald Hoyer
Marian Ganisin
:
Depends On:
Blocks: RHEL65FIPS140
  Show dependency treegraph
 
Reported: 2013-09-26 14:15 EDT by Steve Grubb
Modified: 2013-11-21 16:58 EST (History)
10 users (show)

See Also:
Fixed In Version: dracut-004-330.el6
Doc Type: Enhancement
Doc Text:
Feature: A file marker /etc/system-fips should be present, if the rpm package dracut-fips is installed. Reason: We need have a stable file location for fips product determination. NIST has new requirements that causes us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product.
Story Points: ---
Clone Of:
: 1014284 (view as bug list)
Environment:
Last Closed: 2013-11-21 16:58:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2013-09-26 14:15:36 EDT
Description of problem:
The current FIPS-140 certification needs some updates so that we can continue the certification.

1) We need have a stable file location for fips product determination. NIST has new requirements that causes us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product. On RHEL6 & 7 the dracut-fips files moved around a lot. So, its hard to have a solution for both OS. 

2) we switch to fips-check for kernel verification. Currently nss is used to validate the kernel's integrity. Nss will not be certified on 6.5 but we need to certify the kernel. Therefore we need to switch from nss based integrity check to fips-check based.

3) Doublecheck that the new cipher added in the kernel is also in the initramfs. A new AES-GCM kernel module was added to the FIPS certification. We need to make sure its preloaded like the other approved crypto modules.
Comment 1 Steve Grubb 2013-10-01 13:08:21 EDT
The modules that were added in 6.5 are:

gcm(aes)
cts(cbc(aes)
gcm(aes-aesni)
ctr(aes-aesni)
cts(cbc(aes-aesni))
Comment 6 Harald Hoyer 2013-10-02 06:09:40 EDT
changed the file from /etc/redhat-fips to /etc/system-fips

dracut-004-330.el6
Comment 9 errata-xmlrpc 2013-11-21 16:58:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1674.html

Note You need to log in before you can comment on or make changes to this bug.