6 FIPS 140-2 Compliance in Oracle Linux 7
WARNING:
Oracle Linux 7 is now in Extended Support. See Oracle Linux Extended Support and Oracle Open Source Support Policies for more information.
Migrate applications and data to Oracle Linux 8 or Oracle Linux 9 as soon as possible.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by the U.S. Government and industry working group for the protection of sensitive but unclassified data. See the official FIPS publications at NIST Computer Security Resource Center.
The FIPS 140-2 standard identifies security requirements and specifies tests to validate that cryptographic algorithms have been implemented correctly. See the full FIPS 140-2 standard at FIPS PUB 140-2 for further details and other specifications of the FIPS standard.
The instructions in this document show how to enable Oracle Linux 7 in FIPS mode to use FIPS-compliant algorithms and protocols. For more information about the current status of FIPS certifications, see Oracle Security Evaluations.
Configuring FIPS Mode in Oracle Linux 7
FIPS mode can be configured after the initial installation of Oracle Linux 7, as described in the following sections.
Enabling FIPS Mode on Oracle Linux 7
Before using FIPS validated cryptographic modules on systems that are running Oracle Linux 7, you must enable FIPS mode. The following procedure describes how to configure Oracle Linux to use only those cryptographic algorithms that are FIPS validated.
Unless otherwise noted, the following procedure applies to systems that are running an Oracle Linux 7 release that includes the functionality to enable FIPS mode. We recommend that you update the system to the latest Oracle Linux 7 release that provides this capability. You can't use FIPS cryptographic modules on Oracle Linux 7 systems that are running an update earlier than Oracle Linux 7.3.
Note:
For more information about enabling FIPS mode in Oracle Linux containers, see the Working With Containers and Images chapter in the Oracle Linux: Oracle Container Runtime for Docker User's Guide.
- Ensure that the system is running an Oracle Linux 7 release that includes functionality for validated FIPS cryptographic modules.
- Ensure that the system is registered with the Unbreakable Linux Network (ULN) and that it's subscribed to the appropriate channel for the Oracle Linux 7 release that you're running. If you're using the Oracle Linux yum server, enable the appropriate repository, or repositories, as required:
  - If you're running Oracle Linux 7.8 on the x86_64 platform, subscribe to the ol7_x86_64_u8_security_validation and ol7_x86_64_latest ULN channels. If you're running Oracle Linux 7.8 on the aarch64 platform, subscribe to the ol7_aarch64_u8_security_validation and ol7_aarch64_latest ULN channels.
  - If you're using the Oracle Linux yum server, enable the ol7_u8_security_validation and ol7_latest yum repositories, for example:
    sudo yum-config-manager --enable ol7_u8_security_validation ol7_latest
  For more information, see Yum Repositories and ULN Channels for FIPS Validated Cryptographic Modules.
- Install the dracut-fips package:
  sudo yum install dracut-fips
  The dracut-fips package provides the modules to build a dracut initramfs file system that performs an integrity check.
- If the system CPU supports AES New Instructions (AES-NI), install the dracut-fips-aesni package.
  - Check whether the system supports AES-NI:
    grep aes /proc/cpuinfo
  - Install the package:
    sudo yum install dracut-fips-aesni
- Refresh the initramfs file system:
  sudo dracut -f
- Reconfigure the boot loader so that the system boots in FIPS mode:
  - With appropriate administrative privileges, edit the /etc/default/grub file and add the fips=1 option to the boot loader configuration:
    GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet fips=1"
  - If /boot is on a dedicated partition rather than the root partition, you must update the boot loader configuration to use the boot=UUID=boot_UUID option so that the device is mounted at /boot when the kernel loads. For example:
    GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 rd.lvm.lv=ol/swap rd.lvm.lv=ol/root crashkernel=auto vconsole.keymap=uk rhgb quiet boot=UUID=69fa3946-dd8d-4870-bf38-0d540eb9e6c6 fips=1"
    You can confirm whether a dedicated block device exists for the boot partition by typing:
    lsblk -f | grep /boot
    ├─nvme0n1p1 vfat 20DC-FE64 /boot/efi
    └─nvme0n1p2 xfs 69fa3946-dd8d-4870-bf38-0d540eb9e6c6 /boot
    Note:
    On systems that are configured to boot with UEFI, /boot/efi is always on a dedicated partition, as it's formatted to meet UEFI requirements. Ignore /boot/efi when confirming whether /boot is on a dedicated partition.
    Only use the boot= parameter if /boot is on a dedicated partition. If the parameter is specified incorrectly or points to a missing device, the system might not boot.
    These steps are required for FIPS to perform kernel validation checks, where it verifies the kernel against the provided HMAC file in the /boot directory.
  - Save the changes that you have made to the /etc/default/grub file.
- Rebuild the GRUB configuration.
  - On BIOS-based systems, run the following command:
    sudo grub2-mkconfig -o /boot/grub2/grub.cfg
  - On UEFI-based systems, run the following command:
    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
- Disable prelinking on all libraries and binaries.
  To ensure proper operation of the in-module integrity verification, prelinking must be disabled on all system files and the prelink package must not be installed on the system. If the prelink package is installed, disable prelinking on all libraries and binaries as follows:
  - Set PRELINKING=no in the /etc/sysconfig/prelink configuration file.
  - If the libraries were already prelinked, undo the prelink on all the system files by using the following command:
    sudo prelink -u -a
  - Remove the prelink package from the system:
    sudo yum remove prelink
- Reboot the system and verify that FIPS is enabled:
  cat /proc/sys/crypto/fips_enabled
  A response of 1 indicates that FIPS is enabled.
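As an added example that is not part of the Oracle documentation, the following POSIX shell script audits the settings that the procedure above configures: fips=1 on the kernel command line, a boot= parameter that agrees with the device actually mounted at /boot, the fips_enabled flag, the dracut-fips and prelink package state, and the kernel HMAC file. It assumes the HMAC file is named /boot/.vmlinuz-<version>.hmac and uses findmnt to detect whether /boot is a dedicated mount point; the command-line helpers are pure so they can also be run against captured data.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: audit the settings that the
# procedure above configures. The pure helpers take their input as arguments so
# they can be run against captured data; audit_live reads the running host.
# /boot/.vmlinuz-<version>.hmac is an assumed name for the HMAC file under /boot.

# Succeed if the kernel command line contains fips=1 as a whole word.
cmdline_has_fips() {
    case " $1 " in *" fips=1 "*) return 0 ;; *) return 1 ;; esac
}

# Print the UUID from a boot=UUID=... parameter; fail if there is none.
cmdline_boot_uuid() {
    for word in $1; do
        case "$word" in
            boot=UUID=*) printf '%s\n' "${word#boot=UUID=}"; return 0 ;;
        esac
    done
    return 1
}

# $1: kernel command line; $2: UUID of the filesystem mounted at /boot, or empty
# when /boot lives on the root filesystem. Consistent means boot=UUID is present
# and matches when /boot is a dedicated partition, and absent otherwise (a wrong
# or stale boot= can leave the system unbootable, as the note above warns).
boot_param_consistent() {
    param_uuid=$(cmdline_boot_uuid "$1") || param_uuid=""
    if [ -n "$2" ]; then [ "$param_uuid" = "$2" ]; else [ -z "$param_uuid" ]; fi
}

# Run one check, print PASS/FAIL with its label, and remember any failure in rc.
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS: $label"; else echo "FAIL: $label"; rc=1; fi
}
pkg_absent() { ! rpm -q "$1" >/dev/null 2>&1; }

# Audit the running host; returns 1 if any check fails.
audit_live() {
    rc=0
    cmdline=$(cat /proc/cmdline)
    boot_uuid=$(findmnt -n -o UUID /boot 2>/dev/null || true)  # empty unless /boot is a mount point
    report "fips=1 on kernel command line" cmdline_has_fips "$cmdline"
    report "boot= consistent with the /boot device" boot_param_consistent "$cmdline" "$boot_uuid"
    report "kernel reports FIPS mode" test "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1
    report "dracut-fips installed" rpm -q dracut-fips
    report "prelink not installed" pkg_absent prelink
    report "kernel HMAC file present" test -f "/boot/.vmlinuz-$(uname -r).hmac"
    return $rc
}
```

Run `audit_live` after the reboot in the last step; a FAIL on the boot= check before rebooting is the case the note above warns about, so fix /etc/default/grub and rebuild the GRUB configuration first.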
FIPS 140-2 Validated Modules in Oracle Linux 7
The following sections describe how to review FIPS 140-2 certifications and install FIPS 140-2 validated cryptographic modules in Oracle Linux 7.
Information About Modules That Have Received FIPS 140-2 Validation
After you enable FIPS mode on Oracle Linux 7, you can then install FIPS validated cryptographic modules, as required.
The Oracle FIPS Certifications documentation page provides the following information for each Oracle Linux OS module:
- Name and description of the module.
- Status of the FIPS 140-2 validation process.
- Package version for the module.
  Important:
  To achieve compliance with FIPS Publication 140-2, you must use only the package version that the Security Policy document specifies for each module. You can't install and use other versions of the cryptographic modules.
- Certificate number for the module.
After NIST completes its review for each cryptographic module, the status moves from "Review Pending" or "In Review" to "Validated." You can then click the certificate number for each cryptographic module to review its associated FIPS certificate, and each FIPS certificate links to the relevant Security Policy document for that module. See the "Life-Cycle Assurance" section of those Security Policy documents for details about each module, and instructions with which the Cryptographic officer can verify their installation and configuration.
Installing FIPS Validated Cryptographic Modules for Oracle Linux 7
After you enable FIPS mode on Oracle Linux 7, you can then install FIPS validated cryptographic modules, as required. For information about the software channels that provide packages containing FIPS validated cryptographic modules, see Yum Repositories and ULN Channels for FIPS Validated Cryptographic Modules.
The following information applies to systems that are running a fully patched Oracle Linux 7 release that can install and enable FIPS cryptographic modules.
To install FIPS validated cryptographic modules, see the "Life-Cycle Assurance" section of the Security Policy document for the FIPS module that you plan to install.
The Security Policy document explains how to verify that the package is FIPS 140-2 validated, and how to configure the module for FIPS mode. See the Oracle FIPS Certifications website for the certificate number, which includes a link to the NIST FIPS 140-2 validation page. This page provides details about FIPS certification and the Security Policy document.
The package versions that are listed reflect information that's found in the logical cryptographic boundary for the specific module. The epoch for packages with the _fips suffix is set to 10, so they supersede any versions of the same package without the _fips suffix.
Yum Repositories and ULN Channels for FIPS Validated Cryptographic Modules
The following are the dedicated Unbreakable Linux Network (ULN) channels and yum repository containing FIPS validated cryptographic modules for Oracle Linux 7.8:
x86_64 Platform:
- ol7_x86_64_u8_security_validation ULN channel
- ol7_u8_security_validation yum repository
aarch64 Platform:
- ol7_aarch64_u8_security_validation ULN channel
- ol7_u8_security_validation yum repository
Note that the ol7_u8_security_validation yum repository is a common repository name for the x86_64 and aarch64 platforms and contains FIPS validated packages for both architectures.
From Oracle Linux 7.8 onwards, FIPS validated versions of cryptographic modules for OpenSSL, OpenSSH, and libreswan also receive security errata updates through the ol7_x86_64_u8_security_validation and ol7_aarch64_u8_security_validation ULN channels. A corresponding ol7_u8_security_validation yum repository is also provided for FIPS validated packages released on x86_64 and aarch64 platforms.
For instructions about how to manage yum repositories, see Oracle Linux 7: Managing Software, or for instructions about how to manage ULN channels, see Oracle Linux: Unbreakable Linux Network User's Guide for Oracle Linux 6 and Oracle Linux 7.
For instructions on installing FIPS validated cryptographic modules on Oracle Linux 7, see Information About Modules That Have Received FIPS 140-2 Validation.