Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 9. Enabling the FIPS mode while building a bootc image

Federal Information Processing Standards (FIPS) include standards for cryptographic operations. You can enable FIPS mode when building a bootc image, to configure the system to use only FIPS-approved modules. You can use the following options to enable FIPS mode:

  • By using the bootc-image-builder tool: You must enable the FIPS system-wide cryptographic policy in the Containerfile.
  • When performing an Anaconda installation: You must enable the FIPS system-wide cryptographic policy in the Containerfile, and also add the fips=1 kernel argument during the boot time.

A FIPS dracut module is built-in to the base image. It defaults to a boot=UUID= karg in bootc install-to-filesystem.

9.1. Enabling FIPS mode by using bootc-image-builder
Copier lien

Create a disk image by using bootc-image-builder or bootc install to-disk, and enable FIPS mode by passing the custom Containerfile as an argument when building the image.

Prerequisites

  • Podman is installed on your host machine.
  • virt-install is installed on your host machine.
  • You have root access to run the bootc-image-builder tool, and run the containers in --privileged mode, to build the images.

Procedure

  1. Create a 01-fips.toml to configure FIPS enablement, for example: 

    # Enable FIPS
kargs = ["fips=1"]
    Copy to Clipboard Toggle word wrap

  2. Create a Containerfile with the following instructions to enable the fips=1 kernel argument: 

    FROM registry.redhat.io/rhel9/rhel-bootc:latest
# Enable fips=1 kernel argument: https://bootc-dev.github.io/bootc/building/kernel-arguments.html
COPY 01-fips.toml /usr/lib/bootc/kargs.d/
# Enable the FIPS system-wide cryptographic policy
# crypto-policies-scripts is not installed by default in RHEL-10
RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS
    Copy to Clipboard Toggle word wrap

  3. Create your bootc <image> compatible base disk image by using Containerfile in the current directory: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .
    Copy to Clipboard Toggle word wrap

Verification

  • After login in to the system, check that FIPS mode is enabled: 

    $ cat /proc/sys/crypto/fips_enabled
1
$ update-crypto-policies --show
FIPS
    Copy to Clipboard Toggle word wrap

9.2. Enabling FIPS mode to perform an Anaconda installation
Copier lien

To create a disk image and enable FIPS mode when performing an Anaconda installation, use the following procedure:

Prerequisites

  • Podman is installed on your host machine.
  • virt-install is installed on your host machine.
  • You have root access to run the bootc-image-builder tool, and run the containers in --privileged mode, to build the images.

Procedure

  1. Create a 01-fips.toml to configure FIPS enablement, for example: 

    # Enable FIPS
kargs = ["fips=1"]
    Copy to Clipboard Toggle word wrap

  2. Create a Containerfile with the following instructions to enable the fips=1 kernel argument: 

    FROM registry.redhat.io/rhel9/rhel-bootc:latest
# Enable fips=1 kernel argument: https://bootc-dev.github.io/bootc/building/kernel-arguments.html
COPY 01-fips.toml /usr/lib/bootc/kargs.d/
# Install and enable the FIPS system-wide cryptographic policy
RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS
    Copy to Clipboard Toggle word wrap

  3. Create your bootc <image> compatible base disk image by using Containerfile in the current directory: 

    $ sudo podman run \
    --rm \
    -it \
    --privileged \
    --pull=newer \
    --security-opt label=type:unconfined_t \
    -v $(pwd)/config.toml:/config.toml:ro \
    -v $(pwd)/output:/output \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    registry.redhat.io/rhel9/bootc-image-builder:latest \
    --local
    --type iso \
    quay.io/<namespace>/<image>:<tag>
    Copy to Clipboard Toggle word wrap

  4. Enable FIPS mode during the system installation:

    1. When booting the RHEL Anaconda installer, on the installation screen, press the TAB key and add the fips=1 kernel argument.

      After the installation, the system starts in FIPS mode automatically.

Verification

  • After login in to the system, check that FIPS mode is enabled: 

    $ cat /proc/sys/crypto/fips_enabled
1
$ update-crypto-policies --show
FIPS
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début