From Fedora Project Wiki
(Create initial draft)
 
(submitting change to fesco)
 
(8 intermediate revisions by 3 users not shown)
Line 14: Line 14:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeReadyForFesco]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->  
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
Line 30: Line 28:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* [Announced]
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/JIS6MS3YN55THFOG6TA25BZUXCUMFQCI/ Announced]
* [<will be assigned by the Wrangler> Discussion thread]
* [https://discussion.fedoraproject.org/t/f42-change-proposal-remove-fips-mode-setup-system-wide/138983 Discussion thread]
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/3303 #3303]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
Line 45: Line 43:
* Use `bootc` as documented at https://gitlab.com/fedora/bootc/examples/-/tree/main/fips
* Use `bootc` as documented at https://gitlab.com/fedora/bootc/examples/-/tree/main/fips


Switching to FIPS mode after installation will be explicitly unsupported, see below for the rationale. Switching out of FIPS mode without reinstalling will be equally unsupported, since it does not make sense from a compliance point of view.
This will remove all tooling to switching in and out of FIPS mode after installation. Switching after installation is a bad idea anyway, see below for the rationale. Switching out of FIPS mode without reinstalling does not make sense from a compliance point of view.




Line 65: Line 63:
This user confusion is one of the reasons why we propose to remove this tool.
This user confusion is one of the reasons why we propose to remove this tool.


Instead, we will remove or have already removed some of these knobs and instead automate them:
Instead, we will turn the `fips=1` kernel command line flag into the single source of truth for whether FIPS mode is enabled. We have already removed or will remove some of the separate knobs and instead automate them to follow the single source of truth:


* The system-wide cryptographic policy will automatically follow the `fips=1` kernel command line flag to remove the need for the manual switch previously performed by `fips-mode-setup`. This is [https://github.com/dracut-ng/dracut-ng/tree/main/modules.d/01fips-crypto-policies already implemented by a dracut module], which will add two bind-mounts before pivoting to the root filesystem if the system is in FIPS mode but the crypto-policy is not.
* The system-wide cryptographic policy will automatically follow the `fips=1` kernel command line flag to remove the need for the manual switch previously performed by `fips-mode-setup`. This is [https://github.com/dracut-ng/dracut-ng/tree/main/modules.d/01fips-crypto-policies already implemented by a dracut module], which will add two bind-mounts before pivoting to the root filesystem if the system is in FIPS mode, but the crypto-policy is not.
* For systems that are not started using dracut (e.g., containers with systemd), the `crypto-policies` package ships `fips-crypto-policy-overlay.service`, which runs early during boot and also applies these bind mounts.
* For systems that are not started using dracut (e.g., containers with systemd), the `crypto-policies` package ships `fips-crypto-policy-overlay.service`, which runs early during boot and also applies these bind mounts. See https://bugzilla.redhat.com/show_bug.cgi?id=2325499. This change is independent of this change proposal, and we will pursue this regardless of whether the community agrees that this change is a good idea, since it does make sense as a separate incremental improvement.
* Containers started using `podman` on hosts in FIPS mode did already create these bind mounts, but we are also modernizing that see [https://github.com/containers/common/issues/2130 containers/common#2130] and [https://github.com/containers/common/pull/2174 containers/common#2174].
* Containers started using `podman` on hosts in FIPS mode did already create these bind mounts, but we are also modernizing that, see [https://github.com/containers/common/issues/2130 containers/common#2130] and [https://github.com/containers/common/pull/2174 containers/common#2174].
* The `crypto-policies` package has been adjusted to detect and handle this situation during upgrades and when `update-crypto-policies --set` is called manually. This also improves the behavior of `update-crypto-policies --set` in containers in FIPS mode, which was a lot more brittle before.
* The `crypto-policies` package has been adjusted to detect and handle this situation during upgrades and when `update-crypto-policies --set` is called manually. This also improves the behavior of `update-crypto-policies --set` in containers in FIPS mode, which was a lot more brittle before.
* We will enable the dracut `fips` module on all systems. This is required for unified kernel images anyway. The `fips` dracut module does nothing if the system is not in FIPS mode (i.e., `fips=1` is not on the kernel command line).
* We will enable the dracut `fips` module on all systems. This is required for unified kernel images anyway. The `fips` dracut module does nothing if the system is not in FIPS mode (i.e., `fips=1` is not on the kernel command line).
Line 83: Line 81:


<pre>grubby --update-kernel=ALL --args="fips=1 boot=UUID=$(blkid --output value --match-tag UUID "$(findmnt --first --noheadings -o SOURCE /boot)")"</pre>
<pre>grubby --update-kernel=ALL --args="fips=1 boot=UUID=$(blkid --output value --match-tag UUID "$(findmnt --first --noheadings -o SOURCE /boot)")"</pre>
The `boot=UUID=<partition-uuid>` part of this command is only required if `/boot` is a separate partition, because the `fips` dracut initramfs module will otherwise not be able to locate the message authentication code to verify the integrity of the kernel image.


Users that do not care about compliance that want to switch systems out of FIPS mode can equally use grubby to remove the `fips=1` kernel command line flag.
Users that do not care about compliance that want to switch systems out of FIPS mode can equally use grubby to remove the `fips=1` kernel command line flag.
Line 95: Line 95:
* Proposal owners: Most of the changes mentioned above are incremental improvements that made sense on their own and have already landed. Removal of the `fips-mode-setup` tool is the remaining step that could not be done without a change proposal and TBD.
* Proposal owners: Most of the changes mentioned above are incremental improvements that made sense on their own and have already landed. Removal of the `fips-mode-setup` tool is the remaining step that could not be done without a change proposal and TBD.
* Other developers: No further changes are expected from other developers. From a user point of view, FIPS mode will continue to work as it did before. The only change is on how to enable FIPS mode. The anaconda installer that used to invoke `fips-mode-setup` has already been changed to call `/usr/libexec/fips-setup-helper` provided by the `crypto-policies` package instead.
* Other developers: No further changes are expected from other developers. From a user point of view, FIPS mode will continue to work as it did before. The only change is on how to enable FIPS mode. The anaconda installer that used to invoke `fips-mode-setup` has already been changed to call `/usr/libexec/fips-setup-helper` provided by the `crypto-policies` package instead.
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issue/12472 #12472]
* Policies and guidelines: not needed for this Change
* Policies and guidelines: not needed for this Change
* Trademark approval: not needed for this Change
* Trademark approval: not needed for this Change
Line 143: Line 143:
The `fips-mode-setup` command that could be used to switch systems to FIPS mode after installation has been removed.
The `fips-mode-setup` command that could be used to switch systems to FIPS mode after installation has been removed.


Switching to FIPS mode is no longer supported after installation. To switch systems to FIPS mode,
Switching to FIPS mode after installation has subtle bugs and is no longer recommended. To switch systems to FIPS mode,


* add `fips=1` to the kernel command line of the installer
* add `fips=1` to the kernel command line of the installer
Line 151: Line 151:
* use `bootc` and add the `fips=1` kernel command line flag in your `Containerfile` as documented in the example at https://gitlab.com/fedora/bootc/examples/-/tree/main/fips
* use `bootc` and add the `fips=1` kernel command line flag in your `Containerfile` as documented in the example at https://gitlab.com/fedora/bootc/examples/-/tree/main/fips


Disabling FIPS mode is not supported. To disable FIPS mode, re-install your system without enabling FIPS mode.
To disable FIPS mode, re-install your system without enabling FIPS mode. Disabling FIPS mode without reinstalling does not make sense from a compliance point of view.

Latest revision as of 20:55, 16 December 2024

Remove fips-mode-setup

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Remove the fips-mode-setup command provided by the crypto-policies package. The functionality it currently performs will be partially removed, partially replaced by automation.

Owner

  • Name: Clemens Lang
  • Email: cllang@redhat.com

Current status

Detailed Description

fips-mode-setup in the crypto-policies package is currently used to switch Fedora systems into FIPS mode. FIPS mode is designed to change cryptographic components in Fedora (the kernel's crypto API, OpenSSL, NSS, GnuTLS, and libgcrypt) to comply with the United States Federal Information Processing Standards requirements for cryptographic modules, better known as FIPS 140.

We propose removing this utility. Instead, systems should be placed into FIPS mode using one of the following methods:

  • Pass fips=1 on the kernel command line of the Anaconda installer (i.e., install in FIPS mode)
  • Use the osbuild-composer image build functionality with the
    [customizations]\n fips=true
    customization to build an image in FIPS mode
  • Use bootc as documented at https://gitlab.com/fedora/bootc/examples/-/tree/main/fips

This will remove all tooling to switching in and out of FIPS mode after installation. Switching after installation is a bad idea anyway, see below for the rationale. Switching out of FIPS mode without reinstalling does not make sense from a compliance point of view.


Context information on FIPS

For compliance with these standards, the cryptographic modules must be submitted to the Cryptographic Module Validation Program run by the US National Institute of Standards and Technology. Such certifications are lengthy efforts involving a company accredited to perform review and testing before submission, the so-called Cryptographic and Security Testing Laboratories (CSTLs). It takes upwards of a year to receive a certification, and costs a mid five-figure sum per CPU architecture to do this. Due to lack of funding and the fast pace of Fedora, Fedora's modules are not submitted. As a consequence, FIPS mode on Fedora is useful for testing only. Several distributions downstream of Fedora (RHEL, AlmaLinux, Oracle Linux, Amazon Linux), perform their own FIPS validations.

Occasionally, users think that enabling FIPS mode improves security. While running in FIPS mode does enable some additional checks and disables some older algorithms, we see FIPS mode as a compliance tool, not as a security tool. In some situations, enabling FIPS mode actually decreases security: for example, LUKS disk encryption normally uses the modern GPU-resistant Argon2 key derivation function, but because it is not FIPS-approved, it falls back to the older and generally considered weaker PBKDF2 in FIPS mode. FIPS mode also does not allow the use of Curve25519 for key exchange (used by default in TLS 1.3), or the ChaCha20-Poly1305 authenticated encryption algorithm (again, used in TLS 1.3) both of which are considered modern and good. We do not recommend running FIPS mode to "improve security". A well-configured crypto policy is a much better tool to limit the use of legacy algorithms without the side effect of disabling newer non-US-specified algorithms.

Why remove fips-mode-setup?

To correctly switch a system to FIPS mode, multiple knobs need to be adjusted:

  • The system-wide cryptographic policy needs to be FIPS or based on it
  • The fips dracut initramfs module needs to be enabled to run an integrity test (a FIPS 140 requirement) on the kernel image, followed by re-generating the initramfs
  • The kernel command line needs to contain fips=1 to switch the kernel to FIPS mode (which also enables a slower FIPS-compliant DRBG)
  • If /boot is on a separate partition, a boot=UUID=<uuid-of-boot-partition> flag needs to be added to the kernel command line for the fips dracut initramfs module to be able to find the expected message authentication code for the kernel binary.

This process is somewhat brittle due to the number of different changes that need to be made. Additionally, fips-mode-setup --disable, which only exists for testing purposes because the compliance requirements do not support switching systems out of FIPS mode, does not undo adding the fips module to the initramfs to avoid a risk that the system will no longer boot afterwards. fips-mode-setup --check subsequently reports an inconsistent configuration, which is frequently confusing users.

This user confusion is one of the reasons why we propose to remove this tool.

Instead, we will turn the fips=1 kernel command line flag into the single source of truth for whether FIPS mode is enabled. We have already removed or will remove some of the separate knobs and instead automate them to follow the single source of truth:

  • The system-wide cryptographic policy will automatically follow the fips=1 kernel command line flag to remove the need for the manual switch previously performed by fips-mode-setup. This is already implemented by a dracut module, which will add two bind-mounts before pivoting to the root filesystem if the system is in FIPS mode, but the crypto-policy is not.
  • For systems that are not started using dracut (e.g., containers with systemd), the crypto-policies package ships fips-crypto-policy-overlay.service, which runs early during boot and also applies these bind mounts. See https://bugzilla.redhat.com/show_bug.cgi?id=2325499. This change is independent of this change proposal, and we will pursue this regardless of whether the community agrees that this change is a good idea, since it does make sense as a separate incremental improvement.
  • Containers started using podman on hosts in FIPS mode did already create these bind mounts, but we are also modernizing that, see containers/common#2130 and containers/common#2174.
  • The crypto-policies package has been adjusted to detect and handle this situation during upgrades and when update-crypto-policies --set is called manually. This also improves the behavior of update-crypto-policies --set in containers in FIPS mode, which was a lot more brittle before.
  • We will enable the dracut fips module on all systems. This is required for unified kernel images anyway. The fips dracut module does nothing if the system is not in FIPS mode (i.e., fips=1 is not on the kernel command line).


The other big reason for removing fips-mode-setup is that it allows switching to FIPS mode after installation, which means that certain algorithmic choices have already been made. For example, cryptsetup will use PBKDF2 as key derivation function in FIPS setup, but Argon2 otherwise. A system with LUKS disk encryption initially set up outside of FIPS mode but switched into FIPS mode later using fips-mode-setup would end up in one of two states: either, non-compliant due to the use of Argon2, or unbootable in case the cryptographic library refuses the attempt to use Argon2. OpenSSH is also affected during installation or first system boot with its hostkey algorithm choices. Additionally, even keys that would be usable in FIPS mode must be considered tainted on systems switched to FIPS mode after installation, because key generation behaves different in FIPS mode (e.g., all RSA keys would have to be thrown away and re-generated).

For these reasons, we have come to the conclusion that the only sane way to create a system in FIPS mode, is to install it in FIPS mode. fips-mode-setup is therefore actively harmful.


Feedback

Users that do not care about compliance but only run Fedora in FIPS mode for testing may not want to reinstall from scratch just for that purpose. For these cases, and when the above limitations are well understood, the fips=1 kernel command line flag can be modified directly, e.g. using

grubby --update-kernel=ALL --args="fips=1 boot=UUID=$(blkid --output value --match-tag UUID "$(findmnt --first --noheadings -o SOURCE /boot)")"

The boot=UUID=<partition-uuid> part of this command is only required if /boot is a separate partition, because the fips dracut initramfs module will otherwise not be able to locate the message authentication code to verify the integrity of the kernel image.

Users that do not care about compliance that want to switch systems out of FIPS mode can equally use grubby to remove the fips=1 kernel command line flag.

Benefit to Fedora

  • Upstream testing on systems in FIPS mode will use consistent algorithm choices everywhere.
  • Misconfigurations such as the use of the Argon2 key derivation function for LUKS disk encryption in FIPS mode will be reduced.
  • Misconfigurations such as the use of a non-FIPS system-wide cryptographic policy in FIPS mode will automatically be avoided
  • Maintenance for fips-mode-setup can be stopped, freeing up resources for other changes

Scope

  • Proposal owners: Most of the changes mentioned above are incremental improvements that made sense on their own and have already landed. Removal of the fips-mode-setup tool is the remaining step that could not be done without a change proposal and TBD.
  • Other developers: No further changes are expected from other developers. From a user point of view, FIPS mode will continue to work as it did before. The only change is on how to enable FIPS mode. The anaconda installer that used to invoke fips-mode-setup has already been changed to call /usr/libexec/fips-setup-helper provided by the crypto-policies package instead.
  • Release engineering: #12472
  • Policies and guidelines: not needed for this Change
  • Trademark approval: not needed for this Change
  • Alignment with the Fedora Strategy: This simplifies the ecosystem connections because it reduces the number of downstream changes.

Upgrade/compatibility impact

Systems in FIPS mode that were configured to not use the FIPS system-wide cryptographic policy will see their policy automatically be changed to FIPS mode. Running in FIPS mode with a non-FIPS crypto-policy is considered a misconfiguration.

Scripts that used fips-mode-setup will stop working after the upgrade.

Early Testing (Optional)

Do you require 'QA Blueprint' support? No

How To Test

Testers that will try the three methods outlined above to switch to FIPS mode are welcome. From downstream testing, we expect no issues.

Using dnf reinstall crypto-policies on a system that has the two bind-mounts for the FIPS crypto-policy (i.e., that's in FIPS mode but its crypto-policy was not manually switched to FIPS) should pass without issue, and the files in /etc/crypto-policies/back-ends should correspond to those in /usr/share/crypto-policies/back-ends/FIPS. We also expect no issues here from downstream testing.

Testers that run Fedora containers with systemd on hosts in FIPS mode (i.e., /proc/sys/crypto/fips_enabled contains 1) both with podman and with other container runtimes are very welcome.

User Experience

Users will notice that fips-mode-setup no longer exists. Users that want to switch systems to FIPS mode need to follow different steps.

At the same time, switching to FIPS mode now comes with fewer pitfalls and fewer possibilities for misconfigurations and inconsistencies.

Dependencies

The following packages have already adapted to this potential change and will continue to work:

  • anaconda
  • dracut
  • podman
  • crypto-policies (in particular update-crypto-policies and the package %pre and %post scriptlets)

Contingency Plan

  • Contingency mechanism: We will keep fips-mode-setup and try again next release
  • Contingency deadline: beta freeze (or even later, if required)
  • Blocks release? No


Documentation

Release Notes

The fips-mode-setup command that could be used to switch systems to FIPS mode after installation has been removed.

Switching to FIPS mode after installation has subtle bugs and is no longer recommended. To switch systems to FIPS mode,

  • add fips=1 to the kernel command line of the installer
  • use osbuild-composer with the following customization to build a FIPS-enabled image:
 [customizations]
 fips = true

To disable FIPS mode, re-install your system without enabling FIPS mode. Disabling FIPS mode without reinstalling does not make sense from a compliance point of view.