Enable FIPS in SUSE ELS (AWS)

nanoak · April 26, 2021, 9:55am

Hi,
I’m trying to enable FIPS in SUSE Enterprise Linux Server, in AWS without success.
First of all, I install FIPS:

sudo zypper in -t pattern fips

After that, I edit the grub file:

sudo vim /etc/default/grub

And find the GRUB_CMDLINE_LINUX_DEFAULT. This is how it looks my file:

# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.

# Uncomment to set your own custom distributor. If you leave it unset or empty, the default
# policy is to determine the value from /etc/os-release
# GRUB_DISTRIBUTOR=""

GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=1
GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 multipath=off net.ifnames=0 nvme_core.io_timeout=4294967295 nvme_core.admin_timeout=4294967295 8250.nr_uarts=4 dis_ucode_ldr"
GRUB_CMDLINE_LINUX=""

# Uncomment to automatically save last booted menu entry in GRUB2 environment
# variable `saved_entry'
#GRUB_SAVEDEFAULT="true"

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
GRUB_DISTRIBUTOR="SLES15-SP2"
GRUB_GFXMODE=800x600
GRUB_TERMINAL="gfxterm"
GRUB_USE_INITRDEFI=true
GRUB_USE_LINUXEFI=true
GRUB_BACKGROUND=/boot/grub2/themes/SLE/background.png
GRUB_THEME=/boot/grub2/themes/SLE/theme.txt

Now, let’s see what is the partition of boot:

lsblk

NAME        MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1     259:0    0  15G  0 disk 
??nvme0n1p1 259:1    0   2M  0 part 
??nvme0n1p2 259:2    0  20M  0 part /boot/efi
??nvme0n1p3 259:3    0  15G  0 part /

Then, I edit GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 multipath=off net.ifnames=0 nvme_core.io_timeout=4294967295 nvme_core.adm in_timeout=4294967295 8250.nr_uarts=4 dis_ucode_ldr fips=1 boot=/dev/nvme0n1p2"

And run:
grub2-mkconfig -o /boot/grub2/grub.cfg
mkinitrd
But the system can’t boot anymore. Am I missing something?

Thank you in advance,

Topic		Replies	Views
systemd gets stuck with FIPS enabled SLES Install-Boot	5	658	February 1, 2019
FIPS 140-2 Installation SLES 13 SLES Configure-Administer	6	181	October 21, 2014
Loading graphical environment is slow when FIPS is enabled SLES Configure-Administer	4	380	June 2, 2018
Unable to initialize FIPS mode for strongswan in SLES 11 sp SLES Networking	2	228	May 19, 2014
FIPS 140-2 Kernel fails to boot SLES Updates	4	778	March 17, 2020

Enable FIPS in SUSE ELS (AWS)

Related topics