Bug 1012626 - [FIPS140] dracut-fip updates needed for certification
Summary: [FIPS140] dracut-fip updates needed for certification
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dracut   
(Show other bugs)
Version: 6.5
Hardware: Unspecified Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: Harald Hoyer
QA Contact: Marian Ganisin
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: RHEL65FIPS140
TreeView+ depends on / blocked
 
Reported: 2013-09-26 18:15 UTC by Steve Grubb
Modified: 2013-11-21 21:58 UTC (History)
10 users (show)

Fixed In Version: dracut-004-330.el6
Doc Type: Enhancement
Doc Text:
Feature: A file marker /etc/system-fips should be present, if the rpm package dracut-fips is installed. Reason: We need have a stable file location for fips product determination. NIST has new requirements that causes us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product.
Story Points: ---
Clone Of:
: 1014284 (view as bug list)
Environment:
Last Closed: 2013-11-21 21:58:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1674 normal SHIPPED_LIVE Moderate: dracut security, bug fix, and enhancement update 2013-11-20 21:52:47 UTC

Description Steve Grubb 2013-09-26 18:15:36 UTC
Description of problem:
The current FIPS-140 certification needs some updates so that we can continue the certification.

1) We need have a stable file location for fips product determination. NIST has new requirements that causes us to need to define the FIPS module as the crypto system + the dracut-fips package. Libraries and applications will need to look for the presence of the file to know that this is a FIPS product rather than an ordinary product. On RHEL6 & 7 the dracut-fips files moved around a lot. So, its hard to have a solution for both OS. 

2) we switch to fips-check for kernel verification. Currently nss is used to validate the kernel's integrity. Nss will not be certified on 6.5 but we need to certify the kernel. Therefore we need to switch from nss based integrity check to fips-check based.

3) Doublecheck that the new cipher added in the kernel is also in the initramfs. A new AES-GCM kernel module was added to the FIPS certification. We need to make sure its preloaded like the other approved crypto modules.

Comment 1 Steve Grubb 2013-10-01 17:08:21 UTC
The modules that were added in 6.5 are:

gcm(aes)
cts(cbc(aes)
gcm(aes-aesni)
ctr(aes-aesni)
cts(cbc(aes-aesni))

Comment 6 Harald Hoyer 2013-10-02 10:09:40 UTC
changed the file from /etc/redhat-fips to /etc/system-fips

dracut-004-330.el6

Comment 9 errata-xmlrpc 2013-11-21 21:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1674.html


Note You need to log in before you can comment on or make changes to this bug.