Tassos | Hello, | 09:35 |
---|---|---|
Tassos | Is it possible to enable the FIPS mode during the installation time with cloud-init ? | 09:35 |
Tassos | for example, something like : fips: true | 09:36 |
Tassos | ? | 09:36 |
meena | Tassos: no. | 09:44 |
Tassos | Oh, it's not possible so far ? | 09:47 |
Tassos | I read here : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening | 09:49 |
Tassos | "Add the `fips=1` option to the kernel command line during the system installation." | 09:49 |
Tassos | So, I assumed there is a way to do this via cloud-init.. :-/ | 09:50 |
meena | i mean, if you want to modify a grub config file from cloud-init, yes, that's probably possible. | 09:52 |
Tassos | Could you give me an example please ? | 09:56 |
meena | Tassos: i haven't touched grub in ten years. I mostly work on FreeBSD, and I'm the only person awake. | 09:58 |
meena | but basically, you could have a runcmd that does a sed on a grub config file, and then run whatever grub needs to run to update the config | 09:59 |
Tassos | Oh! OK! Thanks, by the way! I will try to find something in the documentation ( but it doesn't help me, to be honest ) | 10:00 |
meena | Tassos: basically, cloud-init reacts to FIPS being enabled, but doesn't do anything to enable it itself. | 10:01 |
meena | Which would mean you'd need a second run… and I'm not sure how well that's gonna work | 10:01 |
Tassos | Hm.. thanks for letting me know, yes it's a bit new and strange case | 10:04 |
Tassos | or maybe you need an image with FIPS mode already enabled ? ( if that works... :P ) | 10:04 |
simpoir | couldn't you just set something like `runcmd: ["fips-mode-setup --enable"]` ? | 10:06 |
Tassos | I don't know, I will try it now... :-. Let's see... | 10:09 |
simpoir | I don't know enough about RHEL, but from the doc linked, it seems like that tool can be called directly. | 10:11 |
Tassos | Hm.. reading again from official RHEL documentation : | 10:15 |
Tassos | > Switching the system to FIPS mode by using the fips-mode-setup tool does not guarantee compliance with the FIPS 140 standard. Re-generating all cryptographic keys after setting the system to FIPS mode may not be possible. | 10:15 |
Tassos | So, it's not the best idea | 10:16 |
Tassos | For sure, I am able to do this ( I've done this ) after launching a new VM, but I don't know enough about cloud-init so that's why I am asking here, I don't know if it is possible to add a kernel parameter | 10:17 |
simpoir | Well, you could also use the write_files and power_state cloud-config to switch the grub config with your own and reboot once. | 10:23 |
minimal | Tassos: "during the installation time with cloud-init" - typically cloud-init is not run at installation time, it is run upon boot(s) of an already installed system. | 15:30 |