1FIPS-MODE-SETUP(8) FIPS-MODE-SETUP(8)
2
3
4
6 fips-mode-setup - Check or enable the system FIPS mode.
7
9 fips-mode-setup [COMMAND]
10
12 fips-mode-setup(8) is used to check and control the system FIPS mode.
13
14 When enabling the system FIPS mode, the command completes the
15 installation of FIPS modules if needed by calling fips-finish-install
16 and changes the system crypto policy to FIPS (unless the policy has
17 already been set to FIPS plus subpolicies on top, in which case the
18 currently active subpolicies is retained).
19
20 Then the command modifies the boot loader configuration to add fips=1
21 and boot=<boot-device> options to the kernel command line.
22
23 When disabling the system FIPS mode the system crypto policy is
24 switched to DEFAULT and the kernel command line option fips=0 is set.
25
27 The following options are available in fips-mode-setup tool.
28
29 • --enable: Enables the system FIPS mode.
30
31 • --disable: Undo some of the FIPS-enablement steps. Please note that
32 module installation cannot be undone without reformatting of and
33 overwriting, at least once, the platform’s hard drive or other
34 permanent storage media. This option is not meant to be used in
35 production, is not supported, and is implemented for testing
36 purposes only.
37
38 • --check: Checks for inconsistently enabled FIPS mode. Exits
39 successfully (0) for both consistently-enabled FIPS mode and
40 consistently-disabled FIPS mode, returns error code (1) if
41 inconsistencies are detected. For checking whether FIPS mode is
42 enabled, see --is-enabled below.
43
44 • --is-enabled: Checks the system FIPS mode status and returns
45 failure error code if disabled (2) or inconsistent (1).
46
47 • --no-bootcfg: The tool will not reconfigure the boot loader, and,
48 instead, will print the options that need to be added to the kernel
49 command line. Exception: it still attempts executing zipl(8) on
50 s390x, as the system might become unbootable otherwise.
51
53 /proc/sys/crypto/fips_enabled
54 The kernel FIPS mode flag.
55
57 update-crypto-policies(8), fips-finish-install(8)
58
60 Written by Tomáš Mráz.
61
62
63
64fips-mode-setup 11/13/2023 FIPS-MODE-SETUP(8)