7.2 Enabling FIPS Mode on Oracle Linux

You must enable FIPS mode on Oracle Linux before you can use the FIPS-validated cryptographic modules. Enabling FIPS mode configures Oracle Linux to use only cryptographic algorithms that are FIPS-validated. FIPS mode is a kernel boot-time setting (fips=1 on the kernel command line), so the procedure modifies both the initramfs and the boot loader configuration and requires a reboot to take effect.

To enable FIPS mode, do the following:

  1. Ensure the system is running Oracle Linux 7 Update 3 or later.

    You cannot use FIPS cryptographic modules on Oracle Linux 7 systems that are earlier than Update 3.

  2. Ensure your system is registered with the Unbreakable Linux Network (ULN) and that the ol7_x86_64_latest channel is enabled.

    Alternatively, if the system uses the Oracle Linux yum server instead of ULN, enable the ol7_latest repository as follows:

    # yum-config-manager --enable ol7_latest
  3. Install the dracut-fips package.

    # yum install dracut-fips

    The dracut-fips package provides the modules to build a dracut initramfs file system that performs an integrity check. When the system boots with fips=1, this check verifies the HMAC of the kernel image against the .hmac file installed alongside it in /boot before the boot continues, which is why the boot loader must be told where /boot is (step 6).

  4. If the system CPU supports AES New Instructions (AES-NI), install the dracut-fips-aesni package.

    # yum install dracut-fips-aesni
  5. Recreate the initramfs file system.

    # dracut -f
  6. Configure the boot loader so that the system boots into FIPS mode.

    1. Identify the boot partition and the UUID of the partition, for example:

      # df /boot
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/sda1         508588 294476    214112  58% /boot
      
      # blkid /dev/sda1
      /dev/sda1: UUID="6046308a-75fc-418e-b284-72d8bfad34ba" TYPE="xfs"
    2. As the root user, open /etc/default/grub for editing.

    3. If /boot or /boot/efi resides on a separate partition from the root partition, add the boot=UUID=boot_UUID option to the GRUB_CMDLINE_LINUX value, using the UUID identified in the previous step. This option lets the initramfs locate the boot device that holds the kernel and its .hmac file; without it, the integrity check cannot find the file and the system fails to boot in FIPS mode. The value must stay on a single quoted line, for example:

      GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet boot=UUID=6046308a-75fc-418e-b284-72d8bfad34ba"
    4. Add the fips=1 option to the same GRUB_CMDLINE_LINUX value.

      GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet boot=UUID=6046308a-75fc-418e-b284-72d8bfad34ba fips=1"
    5. Save your changes and then close /etc/default/grub.

  7. Rebuild the GRUB configuration.

    • On BIOS-based systems, run the following command:

      # grub2-mkconfig -o /boot/grub2/grub.cfg
    • On UEFI-based systems, run the following command:

      # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  8. Disable and remove prelinking from binaries and libraries. Prelinking rewrites executables and shared libraries on disk, so a prelinked library no longer matches the checksum that its FIPS integrity check expects. If the prelink package is not installed on the system, there is nothing to disable and you can skip this step.

    1. As the root user, open /etc/sysconfig/prelink for editing.

    2. Set PRELINKING=no.

    3. Save your changes and then close /etc/sysconfig/prelink.

    4. Run the following command to undo all existing prelinking, so that binaries and libraries are restored to their original on-disk contents:

      # prelink -u -a
  9. Reboot the system.

  10. After the reboot, verify that FIPS mode is enabled, as follows:

    # cat /proc/sys/crypto/fips_enabled
    1

    A value of 1 means the kernel is running in FIPS mode. A value of 0 means the fips=1 parameter was not applied at boot; check that it appears in /proc/cmdline and that the rebuilt GRUB configuration is the one the firmware actually loads.
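The procedure above can be scripted so that it is repeatable across a fleet and does not depend on hand-editing /etc/default/grub. The script below is an added example, not part of Oracle's documentation: it assumes an Oracle Linux 7 system with yum, dracut and grub2-mkconfig available, uses the directory /sys/firmware/efi to detect UEFI boot and findmnt to detect a separate /boot partition, and keeps the command-line rewriting in a separate function so it can be exercised against a throwaway file before being run as root. Run it as `./enable-fips.sh apply` to perform the steps; without the argument it only defines the functions.

```shell
#!/bin/bash
# Added example: automate the Oracle Linux 7 FIPS enablement steps above.
# Not Oracle's script; assumes OL7 with yum, dracut-fips, grub2 and util-linux.
set -eu

# Compute the new GRUB_CMDLINE_LINUX value: add boot=UUID=<uuid> (only when a
# UUID is supplied, i.e. /boot is a separate partition) and fips=1, each at
# most once, leaving every existing option untouched.
fips_cmdline() {
    current="$1"; boot_uuid="${2:-}"
    result="$current"
    if [ -n "$boot_uuid" ]; then
        case " $result " in
            *" boot="*) ;;                           # already has a boot= option
            *) result="$result boot=UUID=$boot_uuid" ;;
        esac
    fi
    case " $result " in
        *" fips=1 "*) ;;                             # already in FIPS mode
        *) result="$result fips=1" ;;
    esac
    printf '%s\n' "${result# }"                      # drop leading space if current was empty
}

# Rewrite the GRUB_CMDLINE_LINUX line in a grub default file (path is a
# parameter so the function can be tested on a copy, not only /etc/default/grub).
set_grub_cmdline() {
    file="$1"; boot_uuid="${2:-}"
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file" | tail -n 1)
    new=$(fips_cmdline "$current" "$boot_uuid")
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # '|' as the sed delimiter because options such as rd.lvm.lv=ol/root contain '/'
        sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$file"
    fi
}

# Pick the grub.cfg location: Oracle Linux keeps the UEFI copy under EFI/redhat.
# The EFI marker directory is a parameter only so the choice can be tested.
grub_cfg_path() {
    if [ -d "${1:-/sys/firmware/efi}" ]; then
        printf '%s\n' /boot/efi/EFI/redhat/grub.cfg
    else
        printf '%s\n' /boot/grub2/grub.cfg
    fi
}

# Steps 3 to 8 of the procedure; must run as root and is followed by a reboot.
enable_fips() {
    [ "$(id -u)" -eq 0 ] || { echo "enable_fips: run as root" >&2; return 1; }
    yum -y install dracut-fips
    if grep -qw aes /proc/cpuinfo; then            # CPU advertises AES-NI
        yum -y install dracut-fips-aesni
    fi
    dracut -f                                        # rebuild initramfs with the FIPS module
    boot_uuid=""
    boot_dev=$(findmnt -n -o SOURCE /boot 2>/dev/null || true)   # empty if /boot is on /
    if [ -n "$boot_dev" ]; then
        boot_uuid=$(blkid -s UUID -o value "$boot_dev")
    fi
    set_grub_cmdline /etc/default/grub "$boot_uuid"
    grub2-mkconfig -o "$(grub_cfg_path)"
    if [ -f /etc/sysconfig/prelink ]; then           # prelink installed: disable and undo it
        sed 's/^PRELINKING=.*/PRELINKING=no/' /etc/sysconfig/prelink > /etc/sysconfig/prelink.tmp
        mv /etc/sysconfig/prelink.tmp /etc/sysconfig/prelink
        prelink -u -a
    fi
    echo "FIPS configured; reboot, then check that /proc/sys/crypto/fips_enabled reads 1"
}

case "${1:-}" in
    apply) enable_fips ;;
esac
```

Keeping `fips_cmdline` idempotent matters on hosts managed by configuration tools: rerunning the script must not stack a second `fips=1` or a second `boot=` option onto the kernel command line.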