Enabling FIPS mode on CentOS 7 changes the way the kernel's initramfs loads crypto modules. If you simply enable FIPS mode with fips=1 on the kernel command line, the system fails to boot with an error message like the following:
[FAILED] Failed to start Cryptography Setup for luks-....
After digging a little bit deeper in the logs, you might find the following:
Libgcrypt error: integrity check using `/lib64/.libgcrypt.so.11.hmac' failed: No such file or directory
This is because Dracut does not package the .hmac file when it builds the initramfs, so you have to yum install dracut-fips-aesni and then rebuild the initramfs with dracut --force. Be sure you are running the latest installed kernel version: by default Dracut builds the initramfs for the kernel you are currently running, so if a newer kernel is installed but not yet booted, that newer kernel will come up on the next reboot with an initramfs that still lacks the .hmac file.
If you do not have hardware AES support, you can omit -aesni and install dracut-fips instead. Even without hardware support, installing the aesni version should still work, just without the performance boost.
After enabling FIPS mode, we discovered on a CentOS 7 install that the drbg kernel module was not loaded, which prevents aes-xts-plain64 formatted LUKS volumes (and possibly others) from being activated by cryptsetup. To fix this, add the following to your kernel command line: rd.driver.post=drbg. This problem is evident if you see the error "error allocating crypto tfm" at boot time or in the Dracut journal.
Finally, it is common to mount the boot partition on a separate volume. If this is the case, Dracut in FIPS mode requires the .hmac for vmlinuz and may give an error like the following:
/boot/.vmlinuz-3.10.0-693.21.1-el7.x86_64.hmac does not exist
To fix this, tell Dracut where the boot partition is so that it mounts it before validation, using one of these options:
specify the device where /boot is located, e.g.
Red Hat has documentation about this problem here: https://bugzilla.redhat.com/show_bug.cgi?id=1014527#c7
I hope this helps. When you are done you will have the following added to your kernel command line:
fips=1 rd.driver.post=drbg boot=/dev/sdaX
You will of course need to specify the correct boot volume for your machine.
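As an added example (not part of the original post, and not a Red Hat or dracut tool), the script below checks the three things the post says go wrong before you reboot into FIPS mode: whether the running kernel's initramfs contains the libgcrypt .hmac file, whether a newer kernel is installed than the one dracut --force rebuilt for, and whether the kernel command line carries fips=1, rd.driver.post=drbg and boot=. The function names are ours; the paths, package names and parameters are the ones the post uses.

```bash
#!/bin/bash
# Added pre-reboot sanity check for the CentOS 7 FIPS setup described above.
# Example code, not from the original post; the helper names are ours.

# Print the required parameters that are absent from command line $1; return 0
# only when none are missing. Matches the exact spellings the post uses.
fips_cmdline_missing() {
    local cmdline=" $1 " missing=""
    case "$cmdline" in *" fips=1 "*) ;; *) missing="$missing fips=1" ;; esac
    case "$cmdline" in *" rd.driver.post=drbg "*) ;; *) missing="$missing rd.driver.post=drbg" ;; esac
    case "$cmdline" in *" boot="*) ;; *) missing="$missing boot=<device>" ;; esac
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Does the initramfs for kernel version $1 carry the file Libgcrypt's
# integrity check looks for? lsinitrd ships with dracut.
initramfs_has_libgcrypt_hmac() {
    lsinitrd "/boot/initramfs-$1.img" 2>/dev/null | grep -q 'lib64/\.libgcrypt\.so\.11\.hmac'
}

# Newest installed (non-rescue) kernel; plain 'dracut --force' rebuilds only the
# running kernel's initramfs, so a newer one would boot without the .hmac file.
newest_installed_kernel() {
    ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | grep -v rescue | sort -V | tail -n 1
}

main() {
    local running newest missing
    running=$(uname -r); newest=$(newest_installed_kernel)
    if [ -n "$newest" ] && [ "$newest" != "$running" ]; then
        echo "WARN: running $running but $newest is installed; run: dracut --force --kver $newest"
    fi
    if initramfs_has_libgcrypt_hmac "$running"; then
        echo "OK:   initramfs-$running.img contains .libgcrypt.so.11.hmac"
    else
        echo "FAIL: .libgcrypt.so.11.hmac not in initramfs; yum install dracut-fips-aesni && dracut --force"
    fi
    [ -f "/boot/.vmlinuz-$running.hmac" ] && echo "OK:   /boot/.vmlinuz-$running.hmac present" ||
        echo "WARN: /boot/.vmlinuz-$running.hmac not found (dracut needs it when /boot is separate)"
    missing=$(fips_cmdline_missing "$(cat /proc/cmdline 2>/dev/null)") &&
        echo "OK:   /proc/cmdline has fips=1, rd.driver.post=drbg and boot=" ||
        echo "TODO: add to the kernel command line: $missing"
    return 0
}

# Run the checks only when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as root with --check after installing dracut-fips-aesni and rebuilding the initramfs; every line should read OK before you reboot.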