NAME¶
fips-mode-setup - Check or enable the system FIPS mode.
SYNOPSIS¶
fips-mode-setup [COMMAND]
DESCRIPTION¶
fips-mode-setup(8) is used to check and control the system FIPS
mode.
When enabling the system FIPS mode, the command completes the
installation of FIPS modules if needed by calling fips-finish-install
and changes the system crypto policy to FIPS (unless the policy has already
been set to FIPS plus subpolicies on top, in which case the currently active
subpolicies is retained).
Then the command modifies the boot loader configuration to add
fips=1 and boot=<boot-device> options to the kernel
command line.
When disabling the system FIPS mode the system crypto policy is
switched to DEFAULT and the kernel command line option fips=0 is
set.
OPTIONS¶
The following options are available in fips-mode-setup tool.
•--enable: Enables the system FIPS mode.
•--disable: Undo some of the FIPS-enablement
steps. Please note that module installation cannot be undone without
reformatting of and overwriting, at least once, the platform’s hard
drive or other permanent storage media. This option is not meant to be used in
production, is not supported, and is implemented for testing purposes
only.
•--check: Checks for inconsistently enabled FIPS
mode. Exits successfully (0) for both consistently-enabled FIPS mode and
consistently-disabled FIPS mode, returns error code (1) if inconsistencies are
detected. For checking whether FIPS mode is enabled, see --is-enabled
below.
•--is-enabled: Checks the system FIPS mode status
and returns failure error code if disabled (2) or inconsistent (1).
•--no-bootcfg: The tool will not reconfigure the
boot loader, and, instead, will print the options that need to be added to the
kernel command line. Exception: it still attempts executing zipl(8) on s390x,
as the system might become unbootable otherwise.
FILES¶
/proc/sys/crypto/fips_enabled
The kernel FIPS mode flag.
AUTHOR¶
Written by Tomáš Mráz.