* Does the service require post-rpm-installation configuration in order to be useful (for example, does it need manual edits to a configuration file)? The service is not enabled unless the system is booted with `fips=1` on the kernel command line, so the majority of users will not see any effect. For the systems where the service is enabled, it will silently do nothing if the crypto-policy is already based on the FIPS crypto-policy (which should be the default when systems are switched to FIPS mode by booting the installer with `fips=1` or when using `fips-mode-setup`). If the crypto-policy is not yet based on FIPS, a dracut initramfs module will switch it (see https://github.com/dracut-ng/dracut-ng/pull/576, recently backported into Fedora in https://github.com/redhat-plumbers/dracut-fedora/pull/36 and https://github.com/redhat-plumbers/dracut-fedora/pull/39). Only in configurations where the initramfs module does not make this switch (e.g., because we're looking at a container that runs systemd, which is also not based on podman, which would automatically create the bind mounts fips-crypto-policy-overlay.service creates), this service would make the switch. For that, it does not need configuration. * Does the service listen on a network socket for connections originating on a separate physical or virtual machine? No. * Is the service non-persistent (i.e. run once at startup and exit)? Yes; it only runs once and exits. * What is the exact name (or names) of the systemd unit files to be enabled? /usr/lib/systemd/system/fips-crypto-policy-overlay.service * Is this request for all Fedora deliverables or only for some Editions (list them)? rawhide only.
This is under discussion by FESCo in https://pagure.io/fesco/issue/3290 (due to it having impact on other services and applications on the system). We will probably require that the Crypto team submit a proper Fedora Change to explain the new approach to FIPS mode before we enable this service.
FIPS mode is not really something supported on Fedora. It's just there because it's the RHEL upstream. Fedora users should not run in FIPS mode (the modules are not certified, so doing so it pointless anyway except for RHEL upstream testing purposes), and we will not address bug reports about FIPS mode in Fedora. Because of this, I don't think FESCo should care about how FIPS mode switches the crypto policy to FIPS (either manually by using `fips-mode-setup`, or automatically using the dracut module). From a user perspective, there is no change here. Note that this service is also just a third-level safeguard, we can live without enabling it if FESCo decides for whatever reason that they don't want it. I have a ticket to write a Fedora Change to remove `fips-mode-setup`, which is what we did in RHEL, so FESCo can expect that to happen when I find the time.
Yeah, sorry, but going through a Fedora change for introducing a systemd unit that's 1. not even slotted into the depgraph unless fips=1 is on the cmdline, and 2. is a second line of defense of "no-ops, unless a blatant misconfiguration happened 3. when somebody opted into FIPS mode in the first place, but the wrong way" sounds so excessive, writing it with a straight face would be impossible.
FESCo discussed this in the meeting today and we agreed that I had initially misunderstood the scope of this change. We approved the preset and I've just built it.