Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Security and Hardening Guide
Applies to SUSE Linux Enterprise Desktop 15 SP3

28 Enabling FIPS 140-2 Edit source

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a security standard for cryptographic modules. Modules are certified by the National Institute of Standards and Technology (NIST, see https://csrc.nist.gov/projects/cryptographic-module-validation-program). See https://www.suse.com/support/security/certifications/ for a list of certified modules.

28.1 Enabling FIPS Edit source

Enabling FIPS takes a few steps. First, read the /usr/share/doc/packages/openssh-common/FIPS.SUSE and /usr/share/doc/packages/openssh-common/README.SUSE files, from the openssh-common package. These contain important information about FIPS on SUSE Linux Enterprise.

Check if FIPS is already enabled:

tux > sudo sysctl -a | grep fips
crypto.fips_enabled = 0

crypto.fips_enabled = 0 indicates that it is not enabled. A return value of 1 means that it is enabled.

To enable FIPS, install the fips pattern:

tux > sudo zypper in -t pattern fips

Then edit /etc/default/grub. If /boot is not on a separate partition, add fips=1 to GRUB_CMDLINE_LINUX_DEFAULT, like the following example:

GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1"

If /boot is on a separate partition, specify which partition, like the following example, substituting the name of your boot partition:

GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1 boot=/dev/sda1"

Save your changes, and rebuild your GRUB configuration and initramfs image:

tux > sudo grub2-mkconfig -o /boot/grub2/grub.cfg
tux > sudo mkinitrd

Reboot, then verify your changes. The following example shows that FIPS is enabled:

tux > sudo sysctl -a | grep fips
crypto.fips_enabled = 1

After enabling FIPS it is possible that your system will not boot. If this happens, reboot to bring up the GRUB menu. Press E to edit your boot entry, and delete fips=1 from the linux line. Save your changes and boot. This is a temporary change, so you can find the error and correct it.