Applies to SUSE Linux Enterprise Server 15

25 Enabling FIPS 140-2

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a security standard for cryptographic modules. Modules are certified by the National Institute of Standards and Technology (NIST, see https://csrc.nist.gov/projects/cryptographic-module-validation-program). See https://www.suse.com/support/security/certifications/ for a list of certified modules.

25.1 Installing FIPS

When you are installing a new instance of SUSE Linux Enterprise, select the patterns-server-enterprise-fips pattern. Then, after the installation is complete, enable FIPS by running the steps in Section 25.2, “Enabling FIPS”.

On an existing installation, install patterns-server-enterprise-fips, then follow the steps in Section 25.2, “Enabling FIPS”.

25.2 Enabling FIPS

Enabling FIPS takes a few steps. First, read the files /usr/share/doc/packages/openssh/README.FIPS and /usr/share/doc/packages/openssh/README.SUSE from the openssh package. They contain important information about FIPS on SUSE Linux Enterprise.

Check whether FIPS mode is already enabled:

tux > sudo sysctl -a | grep fips
crypto.fips_enabled = 0

crypto.fips_enabled = 0 indicates that FIPS mode is not enabled. A value of 1 means that it is enabled.

Then edit /etc/default/grub. If /boot is not on a separate partition, add fips=1 to GRUB_CMDLINE_LINUX_DEFAULT, as in the following example:

GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1"

If /boot is on a separate partition, also specify which partition with boot=, as in the following example, substituting the name of your boot partition:

GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1 boot=/dev/sda1"

Save your changes, and rebuild your GRUB configuration and initramfs image:

tux > sudo grub2-mkconfig -o /boot/grub2/grub.cfg
tux > sudo mkinitrd

Reboot, then verify your changes. The following example shows that FIPS is enabled:

tux > sudo sysctl -a | grep fips
crypto.fips_enabled = 1

After enabling FIPS, it is possible that your system will not boot. If this happens, reboot to bring up the GRUB menu. Press E to edit your boot entry, and delete the fips=1 entry from the linux line. Press the F10 key to boot. This is a temporary change that is not saved; the most likely cause of the problem is an error in /etc/default/grub. Correct it, rebuild the GRUB configuration and initramfs, then reboot.
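The following script is an added example, not part of the SUSE manual, that scripts the editing step above: it adds fips=1 (and optionally boot=PARTITION) to GRUB_CMDLINE_LINUX_DEFAULT in a file you name, is safe to run more than once, can reverse the change for the recovery case, and reads the same crypto.fips_enabled value that sysctl reports. The function names, the use of awk for the rewrite, and the sample /etc/default/grub contents in the demonstration are assumptions of this example; the demonstration works on a constructed temporary copy, never on the real /etc/default/grub, and does not run grub2-mkconfig or mkinitrd for you.

```shell
#!/bin/sh
# Added example (hypothetical helper script, not SUSE's own tooling).
# Manages the fips=1 / boot= kernel parameters in a GRUB defaults file.

# fips_kernel_status: prints 1 if the running kernel is in FIPS mode, else 0.
# This is the value behind "sysctl -a | grep fips" (crypto.fips_enabled).
fips_kernel_status() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0   # kernel does not expose the flag: treat as not enabled
    fi
}

# add_fips_cmdline FILE [BOOT_PARTITION]
# Ensures GRUB_CMDLINE_LINUX_DEFAULT in FILE contains fips=1 and, when a
# partition is given, boot=BOOT_PARTITION. Idempotent: existing tokens are kept.
add_fips_cmdline() {
    file=$1
    bootpart=$2
    # current value between the quotes (empty if the line is missing)
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file")
    new=$current
    case " $new " in
        *" fips=1 "*) ;;                 # already present
        *) new="$new fips=1" ;;
    esac
    if [ -n "$bootpart" ]; then
        case " $new " in
            *" boot="*) ;;               # a boot= token already exists
            *) new="$new boot=$bootpart" ;;
        esac
    fi
    new=$(printf '%s' "$new" | sed 's/^ *//')   # trim leading space
    tmp=$(mktemp)
    # Rewrite the line in place; append it if the file had none.
    awk -v new="$new" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ { print "GRUB_CMDLINE_LINUX_DEFAULT=\"" new "\""; seen=1; next }
        { print }
        END { if (!seen) print "GRUB_CMDLINE_LINUX_DEFAULT=\"" new "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# remove_fips_cmdline FILE: the reverse, for the recovery case described
# above once the real cause in /etc/default/grub has been fixed.
remove_fips_cmdline() {
    tmp=$(mktemp)
    awk '/^GRUB_CMDLINE_LINUX_DEFAULT=/ { gsub(/ ?fips=1/, ""); sub(/=" /, "=\"") } { print }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# grub_cmdline_has_fips FILE: exit status 0 if fips=1 is a token of the
# default command line in FILE, 1 otherwise.
grub_cmdline_has_fips() {
    grep -Eq '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]* )?fips=1( [^"]*)?"$' "$1"
}

# Demonstration on a constructed copy (sample contents, not a real system file).
demo=$(mktemp)
printf '%s\n' 'GRUB_TIMEOUT=8' \
    'GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet"' > "$demo"
add_fips_cmdline "$demo" /dev/sda1        # hypothetical boot partition
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$demo"
echo "running kernel FIPS mode: $(fips_kernel_status)"
rm -f "$demo"
```

After running add_fips_cmdline against the real /etc/default/grub, the remaining steps are unchanged: run grub2-mkconfig -o /boot/grub2/grub.cfg and mkinitrd, reboot, and confirm that crypto.fips_enabled reports 1.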
