Chapter 8. Enabling the FIPS mode while building a bootc image
FIPS includes standards for cryptographic operations. You can enable FIPS mode at bootc image build time, when building a bootc image, to configure the system to use only FIPS-approved modules. There are two options to enable FIPS mode:
- By using the bootc-image-builder tool: you must enable the FIPS crypto policy in the Containerfile.
- When performing an Anaconda installation: apart from enabling the FIPS crypto policy in the Containerfile, you must add the fips=1 kernel argument at boot time.

The FIPS dracut module is built in to the base image. It defaults to a boot=UUID= karg in bootc install-to-filesystem.
8.1. Enabling the FIPS mode by using bootc-image-builder
Create a disk image by using bootc-image-builder or bootc install to-disk, and enable FIPS mode by passing the custom Containerfile as an argument when building the image.
Prerequisites
- You have Podman installed on your host machine.
- You have virt-install installed on your host machine.
- You have root access to run the bootc-image-builder tool and to run the containers in --privileged mode to build the images.
Procedure
1. Create a 01-fips.toml file to configure FIPS enablement, for example:

    # Enable FIPS
    kargs = ["fips=1"]

2. Create a Containerfile with the following instructions to enable the fips=1 kernel argument:

    FROM registry.redhat.io/rhel9/rhel-bootc:latest
    # Enable fips=1 kernel argument: https://containers.github.io/bootc/building/kernel-arguments.html
    COPY 01-fips.toml /usr/lib/bootc/kargs.d/
    # Enable the FIPS crypto policy
    # crypto-policies-scripts is not installed by default in RHEL-10
    RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS

3. Create your bootc <image>-compatible base disk image by using the Containerfile in the current directory:

    $ podman build -t quay.io/<namespace>/<image>:<tag> .
Verification
After logging in to the system, check that FIPS mode is enabled:

    $ fips-mode-setup --check
    FIPS mode is enabled.
8.2. Enabling the FIPS mode to perform an Anaconda installation
To create a disk image and enable FIPS mode when performing an Anaconda installation, follow these steps:
Prerequisites
- You have Podman installed on your host machine.
- You have virt-install installed on your host machine.
- You have root access to run the bootc-image-builder tool and to run the containers in --privileged mode to build the images.
Procedure
1. Create a 01-fips.toml file to configure FIPS enablement, for example:

    # Enable FIPS
    kargs = ["fips=1"]

2. Create a Containerfile with the following instructions to enable the fips=1 kernel argument:

    FROM registry.redhat.io/rhel9/rhel-bootc:latest
    # Enable fips=1 kernel argument: https://containers.github.io/bootc/building/kernel-arguments.html
    COPY 01-fips.toml /usr/lib/bootc/kargs.d/
    # Install and enable the FIPS crypto policy
    RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS

3. Create your bootc <image>-compatible base disk image by using the Containerfile in the current directory:

    $ sudo podman run \
        --rm \
        -it \
        --privileged \
        --pull=newer \
        --security-opt label=type:unconfined_t \
        -v $(pwd)/config.toml:/config.toml:ro \
        -v $(pwd)/output:/output \
        -v /var/lib/containers/storage:/var/lib/containers/storage \
        registry.redhat.io/rhel9/bootc-image-builder:latest \
        --local --type iso \
        quay.io/<namespace>/<image>:<tag>

4. Enable FIPS mode during the system installation: when booting the RHEL Anaconda installer, on the installation screen, press the TAB key and add the fips=1 kernel argument. After the installation, the system starts in FIPS mode automatically.
Verification
After logging in to the system, check that FIPS mode is enabled:

    $ fips-mode-setup --check
    FIPS mode is enabled.
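Both sections above depend on two separate layers being present: the fips=1 kernel argument in a kargs.d TOML file and the FIPS crypto policy, and the Anaconda path shows how the policy can be set while the kernel argument is still missing. The following script is an added example, not part of the Red Hat documentation; it inspects the standard locations /usr/lib/bootc/kargs.d, /etc/crypto-policies/config and /proc/sys/crypto/fips_enabled under a root you pass in, and the build context it constructs for the demo is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the Red Hat docs: check the two layers a FIPS-enabled
# bootc image must carry. $root may be a build context, an extracted image
# rootfs, or / on the installed system (where the kernel flag is checked too).

# Succeed if any kargs.d TOML under $1 lists "fips=1" in its kargs array.
# Comments are stripped first so a commented-out entry does not count.
kargs_have_fips() {
  for f in "$1"/*.toml; do
    [ -f "$f" ] || continue
    if sed 's/#.*//' "$f" | grep -E '^[[:space:]]*kargs[[:space:]]*=' | grep -Eq '"fips=1"'; then
      return 0
    fi
  done
  return 1
}

# Succeed if the crypto-policies config names FIPS (or a FIPS:subpolicy).
policy_is_fips() {
  [ -f "$1" ] && grep -Eq '^FIPS(:|$)' "$1"
}

# Report each missing layer; succeed only when every applicable layer is present.
# The policy alone does not prove the kernel booted with fips=1, so on a live
# system /proc/sys/crypto/fips_enabled must also read 1.
check_fips_root() {
  root="$1"; rc=0
  if ! kargs_have_fips "$root/usr/lib/bootc/kargs.d"; then
    echo "MISSING: no fips=1 in $root/usr/lib/bootc/kargs.d/*.toml"; rc=1
  fi
  if ! policy_is_fips "$root/etc/crypto-policies/config"; then
    echo "MISSING: crypto policy is not FIPS in $root/etc/crypto-policies/config"; rc=1
  fi
  flag="$root/proc/sys/crypto/fips_enabled"
  if [ -r "$flag" ] && [ "$(cat "$flag")" != "1" ]; then
    echo "MISSING: kernel is not running in FIPS mode (fips=1 not passed at boot)"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: fips=1 karg and FIPS crypto policy present under $root"
  return "$rc"
}

# Demo on a constructed build context that mirrors the Containerfile in the text.
demo=$(mktemp -d)
mkdir -p "$demo/usr/lib/bootc/kargs.d" "$demo/etc/crypto-policies"
printf '# Enable FIPS\nkargs = ["fips=1"]\n' > "$demo/usr/lib/bootc/kargs.d/01-fips.toml"
echo FIPS > "$demo/etc/crypto-policies/config"
check_fips_root "$demo"
rm -rf "$demo"
```

Run `check_fips_root /` on the installed system to cross-check the fips-mode-setup output, or point it at an image root extracted with `podman export` to catch a missing karg before the first boot.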