LinuxQuestions.org
Forums > Linux Forums > Linux - Distributions > SUSE / openSUSE
Old 07-29-2019, 09:33 PM   #1
eric.vanh
Member
 
Registered: Jan 2016
Location: Montreal,CAN
Distribution: Suse Leap 15.1 & Win10
Posts: 110

Rep: Reputation: Disabled
Question How to set /proc/sys/crypto/fips_enabled fips=1


Hi,
I'm trying to set my system (Leap 15.1) to FIPS=1.

I went through every entry sysctl.conf reads, but none has a line that would say fips=0 to change it to 1.

I've added two lines in sysctl.conf:
"mk crypto"
"touch fips_enabled"
But I got an error when I ran "sysctl -p".

Since no config file creates a /crypto in /proc/sys/ at boot, I'm not sure it's a good idea to set the fips=1 parameter at boot.

I've looked at any and every related post I found on the internet, but I'm stuck.
 
Old 07-30-2019, 01:18 AM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
sysctl.conf is not a shell script. It contains assignments as documented on the man page.

fips_enabled seems to be a read-only parameter. To set it, you need to boot the system with kernel parameter fips=1. However, this is not sufficient; see instructions at https://www.suse.com/support/kb/doc/?id=7023789 (this is for SLES, not OpenSUSE).

Last edited by berndbausch; 07-30-2019 at 01:27 AM.
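As an added example (not from the thread, and not part of sysctl itself): a small POSIX shell check that reads a sysctl.conf-style file the way "sysctl -p" does, flagging lines that are not "key = value" assignments (such as the two shell commands added in the first post) and assignments to crypto.fips_enabled, which is read-only at runtime. The sample file it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: validate a sysctl.conf-style file.
# sysctl(8) reads "key = value" assignments, blank lines and comments
# starting with '#' or ';'. Anything else (shell commands such as
# "mk crypto" or "touch fips_enabled") makes "sysctl -p" error out, and an
# assignment to crypto.fips_enabled fails as well because that parameter is
# read-only at runtime (it only reflects the fips=1 kernel boot parameter).

# validate_sysctl_conf FILE
#   Prints one diagnostic line per problem; returns 0 if the file is clean.
validate_sysctl_conf() {
    file="$1"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*|';'*) continue ;;   # blank line or comment
        esac
        # An assignment is an optional '-' (ignore-errors prefix), a dotted or
        # slashed key made of [A-Za-z0-9_./-], then '=' and the value.
        if ! printf '%s\n' "$line" | grep -Eq '^[[:space:]]*-?[A-Za-z0-9_./-]+[[:space:]]*='; then
            printf '%s:%d: not a "key = value" assignment: %s\n' "$file" "$n" "$line"
            bad=1
            continue
        fi
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        key=${key#-}
        case "$key" in
            crypto.fips_enabled|crypto/fips_enabled)
                printf '%s:%d: %s is read-only at runtime; boot with fips=1 instead\n' "$file" "$n" "$key"
                bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Demo on a constructed file mirroring the lines added in the first post.
demo=$(mktemp)
printf '%s\n' \
    '# constructed sample' \
    'net.ipv4.ip_forward = 0' \
    'mk crypto' \
    'touch fips_enabled' \
    'crypto.fips_enabled = 1' > "$demo"
if validate_sysctl_conf "$demo"; then
    echo "$demo: OK"
else
    echo "$demo: sysctl -p would reject this file"
fi
rm -f "$demo"
```

Run it against /etc/sysctl.conf or any file under the sysctl.d directories before calling "sysctl -p"; the three diagnostics it prints for the sample are exactly the lines that would have produced the error from the first post.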
 
Old 07-30-2019, 08:24 AM   #3
eric.vanh (Original Poster)

Quote:
Originally Posted by berndbausch View Post
fips_enabled seems to be a read-only parameter. To set it, you need to boot the system with kernel parameter fips=1. However, this is not sufficient; see instructions at https://www.suse.com/support/kb/doc/?id=7023789 (this is for SLES, not OpenSUSE).
Thanks, I've already read about SUSE Enterprise Server, and am now asking for a way to activate it on Leap, as it is (even if partially) based on SLES.

I've downloaded all the "fips related" modules from the standard repos and pacman, including dracut-fips ...

Last edited by eric.vanh; 07-30-2019 at 08:25 AM. Reason: typo
 
Old 07-30-2019, 08:31 AM   #4
eric.vanh (Original Poster)
BTW, out of the 5 config files that sysctl.conf reads, I found 3 of them to be empty:
Code:
/run/sysctl.d/*.conf
/etc/sysctl.d/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
MK (/proc/sys/) crypto should be somewhere in there, as it has to be "mounted" (created, actually) at kernel boot,
and therefore fips_enabled created at boot too,
and set to 1 thanks to the boot parameter fips=1 (which is useless as long as I don't have /crypto/fips_enabled).
 
Old 07-30-2019, 09:40 AM   #5
eric.vanh (Original Poster)
Here is what sysctl -a gives me.
I don't see the
Code:
abi.vsyscall32 = 1
crypto.fips_enabled = 0
debug.exception-trace = 1
that should be within the very first lines:
Code:
dev.cdrom.info = 
dev.cdrom.lock = 1
dev.scsi.logging_level = 0
fs.dir-notify-enable = 1
kernel.bootloader_type = 114
kernel.bootloader_version = 2
kernel.ctrl-alt-del = 0
kernel.hardlockup_panic = 1
kernel.hostname = MaxiCrevette
kernel.modprobe = /sbin/modprobe
kernel.modules_disabled = 0
kernel.numa_balancing = 0
kernel.panic_on_warn = 0
kernel.perf_event_paranoid = 2
kernel.random.poolsize = 4096
kernel.random.read_wakeup_threshold = 64
kernel.random.urandom_min_reseed_secs = 60
kernel.shm_rmid_forced = 0
kernel.shmall = 1152921504606846720
kernel.shmmax = 18446744073709551615
kernel.shmmni = 4096
kernel.soft_watchdog = 1
kernel.softlockup_all_cpu_backtrace = 0
kernel.softlockup_panic = 0
kernel.stack_tracer_enabled = 0
kernel.suid_dumpable = 0
kernel.sysctl_writes_strict = 1
kernel.sysrq = 184
kernel.tainted = 0
kernel.threads-max = 63030
kernel.timer_migration = 1
kernel.traceoff_on_warning = 0
kernel.tracepoint_printk = 0
kernel.unknown_nmi_panic = 0
kernel.unprivileged_bpf_disabled = 0
kernel.unprivileged_userns_apparmor_policy = 1
kernel.usermodehelper.bset = 4294967295 63
kernel.usermodehelper.inheritable = 4294967295  63
kernel.version = #1 SMP Sat Jul 13 17:59:31 UTC 2019 (0ab03b7)
kernel.watchdog = 1
kernel.watchdog_cpumask = 0-3
kernel.watchdog_thresh = 10
net.ipv4.cipso_cache_bucket_size = 10
net.ipv4.cipso_cache_enable = 1
net.ipv4.cipso_rbm_optfmt = 0
net.ipv4.cipso_rbm_strictvalid = 1
net.ipv6.calipso_cache_enable = 1
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.conf.wlan1.accept_dad = 1
net.ipv6.ip_nonlocal_bind = 0
net.netfilter.nf_log.0 = NONE
net.unix.max_dgram_qlen = 512
user.max_cgroup_namespaces = 31515
vm.laptop_mode = 0
vm.page-cluster = 3
vm.panic_on_oom = 0
MaxiCrevette:/home/eric #
 
Old 07-30-2019, 09:51 AM   #6
eric.vanh (Original Poster)

boot set to fips=1

I've set the boot parameter to fips=1 in YaST and rebooted.
I've seen two failures in the boot sequence.
I'll give it some time and then will probably have to reboot with -e to remove the fips=1 from the boot code.
 
Old 07-30-2019, 10:48 AM   #7
eric.vanh (Original Poster)
Restarting with -e at boot to change the "fips=1" command to "fips=0" works (it starts).

Still no /crypto in /proc/sys,
and therefore still no /fips_enabled.

I guess I will have to give up .... :/
 
Old 07-30-2019, 12:41 PM   #8
Sauerland
Member
 
Registered: Jul 2017
Distribution: openSUSE Leap
Posts: 195

Rep: Reputation: Disabled
You do not read carefully:
Quote:
Edit /etc/default/grub and add fips=1 to end of line. If this system has a separate boot partition, it is REQUIRED to add boot=/dev/sda1 (use the correct path to your boot partition) or fips will fail and the system may not boot. In the following example, there is not a separate boot partition:
https://www.suse.com/support/kb/doc/?id=7023789

And:
https://www.suse.com/support/kb/doc/?id=7016546
 
Old 07-30-2019, 02:44 PM   #9
eric.vanh (Original Poster)
Indeed I didn't read carefully enough, thanks for pointing that out.
Here is my nano /etc/default/grub:
Code:
# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.

# Uncomment to set your own custom distributor. If you leave it unset or empty, the default
# policy is to determine the value from /etc/os-release
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent fips=1 resume=/dev/disk/by-uuid/e0221bcd-7f4a-4cbc-a14e-8719$
GRUB_CMDLINE_LINUX=""

# Uncomment to automatically save last booted menu entry in GRUB2 environment

# variable `saved_entry'
# GRUB_SAVEDEFAULT="true"
#Uncomment to enable BadRAM filtering, modify to suit your needs

# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
# GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
#Uncomment to disable graphical terminal (grub-pc only)

GRUB_TERMINAL="gfxterm"
# The resolution used on graphical terminal
#note that you can use only modes which your graphic card supports via VBE

# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE="auto"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
# GRUB_DISABLE_LINUX_UUID=true
#Uncomment to disable generation of recovery mode menu entries

# GRUB_DISABLE_RECOVERY="true"
#Uncomment to get a beep at grub start

# GRUB_INIT_TUNE="480 440 1"
GRUB_BACKGROUND=
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="n"
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16"
 
Old 07-30-2019, 02:48 PM   #10
eric.vanh (Original Poster)
Here is my "new" grub:
Code:
# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.

# Uncomment to set your own custom distributor. If you leave it unset or empty, the default
# policy is to determine the value from /etc/os-release
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent resume=/dev/disk/by-uuid/e0221bcd-7f4a-4cbc-a14e-8719$ quiet mitigations=auto boot=/dev/sda1 fips=1"
GRUB_CMDLINE_LINUX=""

# Uncomment to automatically save last booted menu entry in GRUB2 environment

# variable `saved_entry'
# GRUB_SAVEDEFAULT="true"
#Uncomment to enable BadRAM filtering, modify to suit your needs

# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
# GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
#Uncomment to disable graphical terminal (grub-pc only)

GRUB_TERMINAL="gfxterm"
# The resolution used on graphical terminal
#note that you can use only modes which your graphic card supports via VBE

# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE="auto"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
# GRUB_DISABLE_LINUX_UUID=true
#Uncomment to disable generation of recovery mode menu entries

# GRUB_DISABLE_RECOVERY="true"
#Uncomment to get a beep at grub start

# GRUB_INIT_TUNE="480 440 1"
GRUB_BACKGROUND=
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="n"
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16"

Last edited by eric.vanh; 07-30-2019 at 02:50 PM. Reason: found my error
 
Old 07-30-2019, 02:53 PM   #11
eric.vanh (Original Poster)
Failed to apply kernel ... something (goes too fast to read it all)
 
Old 07-30-2019, 06:03 PM   #12
berndbausch
Quote:
Originally Posted by eric.vanh View Post
Failed to apply kernel ... something (goes too fast to read it all)
If this is a kernel message, you should see it in the message buffer (the dmesg command). You may also want to remove the splash and quiet options from the Linux command line so that you get more information (however in your case it may be counterproductive, since you seem to get too much information already).

Before we continue, allow me to ask: Is this a correct summary of your problem?
  • You include fips=1 and boot=/dev/sda1 in the Linux command line, but:
  • After booting, fips_enabled is 0
  • At boot time, you seem to get an error message that you think is related to FIPS, but you can't read it fully

Last edited by berndbausch; 07-30-2019 at 06:04 PM.
 
Old 07-31-2019, 04:33 PM   #13
eric.vanh (Original Poster)

Quote:
Originally Posted by berndbausch View Post
Before we continue, allow me to ask: Is this a correct summary of your problem?
  • You include fips=1 and boot=/dev/sda1 in the Linux command line, but:
Yes.
Quote:
Originally Posted by berndbausch View Post
  • After booting, fips_enabled is 0
No, I don't have /proc/sys/fips_enabled created, as the system doesn't boot (I have to -e at boot to set fips=0 in order to be able to boot).
Quote:
Originally Posted by berndbausch View Post
  • At boot time, you seem to get an error message that you think is related to FIPS, but you can't read it fully
Yes, and since the system boots when I set fips=0, I take it the boot failure is due to boot=1.
 
Old 07-31-2019, 04:45 PM   #14
eric.vanh (Original Poster)
I removed the splash and quiet options.
I still can't read (too fast) the "red" error message.
The bash screen then stops and I can read the bottom:
Code:
Starting dracut pre-pivot and cleanup hook...
888 dracut: FATAL: FIPS integrity test failed
888 dracut: Refusing to continue
888 dracut:-pre-pivot(435): Warning: /boot/.vmlinuz-4.12(...)-default.hmac does not exist
888 systemd-shutdown:
....
888 stoping disk
888 reboot: System halted

Last edited by eric.vanh; 07-31-2019 at 05:04 PM.
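The dracut output above shows what the FIPS integrity check actually looks for: the kernel's .hmac file next to the image, reached via the boot= argument the SUSE KB quoted in post #8 requires. As an added example (not from the thread, SUSE or dracut), here is a pre-flight check in POSIX shell that verifies those prerequisites before a reboot, so the "FIPS integrity test failed" halt is predicted rather than discovered at the console. The command line and boot directory are passed as arguments so it can run against constructed data; the kernel version in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from SUSE/dracut: pre-flight check
# for the FIPS boot prerequisites. On a live system run
#   fips_preflight "$(cat /proc/cmdline)" /boot
# (or pass the value you intend to put in GRUB_CMDLINE_LINUX_DEFAULT).

# fips_preflight CMDLINE BOOTDIR
#   Prints one line per missing prerequisite; returns 0 when none are missing.
fips_preflight() {
    cmdline="$1"
    bootdir="$2"
    problems=0

    # 1. fips=1 must be on the kernel command line; crypto.fips_enabled only
    #    mirrors it and cannot be set through sysctl.
    case " $cmdline " in
        *' fips=1 '*) ;;
        *) echo "fips=1 is not on the kernel command line"
           problems=$((problems + 1)) ;;
    esac

    # 2. The SUSE KB requires boot=<device> when /boot is a separate
    #    partition, so the dracut fips module can find the files to verify.
    case " $cmdline " in
        *' boot='*) ;;
        *) echo "no boot=<device> argument (required when /boot is a separate partition)"
           problems=$((problems + 1)) ;;
    esac

    # 3. Each kernel image needs its HMAC file beside it, named as in the
    #    dracut warning from the thread: vmlinuz-VER -> .vmlinuz-VER.hmac
    for img in "$bootdir"/vmlinuz-*; do
        [ -e "$img" ] || continue          # glob matched nothing
        ver=${img##*/vmlinuz-}
        hmac="$bootdir/.vmlinuz-$ver.hmac"
        if [ ! -f "$hmac" ]; then
            echo "missing $hmac for $img"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Demo against a constructed boot directory: one kernel image, no HMAC file,
# then the same directory once the HMAC file and boot= argument are present.
demo=$(mktemp -d)
: > "$demo/vmlinuz-4.12.0-example-default"
fips_preflight "splash=silent fips=1" "$demo" || echo "not ready to reboot with fips=1"
: > "$demo/.vmlinuz-4.12.0-example-default.hmac"
fips_preflight "splash=silent boot=/dev/sda1 fips=1" "$demo" && echo "prerequisites present"
rm -rf "$demo"
```

The third check is the one that explains the halt in the post above: with fips=1 and boot= both set but no .hmac file for the installed kernel, dracut refuses to pivot and the system reboots, which is why the only way back in is editing the fips=1 entry out of the GRUB line.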
 
Old 07-31-2019, 05:06 PM   #15
eric.vanh (Original Poster)
Once I -e the grub code to change fips=1 to fips=0,
then I can boot,
and dmesg shows me some errors (about one of my partitions in FAT) but no "red" error message, and nothing about crypto nor fips.
 
  


Tags
/proc, cryptography, leap, openssh, security


