AWS CentOS 7 FIPS mode
DO NOT USE CENTOS FOR FEDRAMP
This probably took me entirely too long to figure out so I figured I’d make a post on it to help anyone else trying to enable FIPS in AWS on CentOS boxes.
If you’re trying to get FedRAMP certification this is something you’re going to need. FIPS 140-2 validated/compliant encryption is necessary for FedRAMP. If you don’t have FIPS 140-2 you will end up with high findings on your SAR and a no-go for FedRAMP certification.
I followed this guide on how to enable FIPS on CentOS.
I came from environments that didn’t use “the cloud” so I’m used to LVM mapping a separate partition to /boot, and this is what threw me off. Step 4 specifically messed me up. I kept updating the kernel command line in /etc/default/grub with variants like the following:
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=12345a0b-1234-1234-1abc-abcd12ef1234"
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=UUID=12345a0b-1234-1234-1abc-abcd12ef1234"
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=/dev/xvda1"
When I would restart the EC2 instance the machine would just fail and not boot. This was incredibly frustrating. The typical error:
dracut: FATAL: FIPS integrity test failed
I also saw
dracut: FATAL: You have to specify boot= as a boot option for fips=1
The latter was why I was so adamant about using the “boot=” option on the kernel command line. This was just wrong, since on the AWS image /boot is not a separate partition; it lives on the root partition.
I fixed this by improving my reading comprehension. You’ll see on the instructions, “To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If your /boot or /boot/EFI/ partitions reside on separate partitions, add the boot=<partition> (where <partition> stands for /boot or /boot/EFI) parameter to the kernel command line as well.”
Once I sat back and actually read this again I realized I needed to just omit the boot= parameter.
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1"
And voila, it works!
In hindsight someone with a deeper knowledge of the boot process would’ve known this, and it’s probably why I couldn’t find this exact example on Google, but I figured I’d post it anyway. I’ve been coddled by other engineers taking care of hardware (virtualization teams and cloud platforms) so I guess this is good to know.
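To make the “only add boot= when /boot is its own partition” rule mechanical, here is a small POSIX shell helper. It is an added example, not part of the original post or of the Red Hat guide; it assumes findmnt and blkid from util-linux for the detection step, and the cmdline builder itself is a pure string function so it can be checked without root or an EC2 box.

```shell
# Added example (not from the original post). Build the GRUB_CMDLINE_LINUX
# value for FIPS mode: strip any stale fips=/boot= tokens, append fips=1,
# and append boot=UUID=... only when a separate /boot filesystem exists.
#   $1 = current GRUB_CMDLINE_LINUX value
#   $2 = UUID of the separate /boot filesystem, or empty when /boot is a
#        plain directory on / (the AWS CentOS 7 layout in the post)
fips_cmdline() {
    cur=$1
    boot_uuid=$2
    out=""
    for tok in $cur; do
        case $tok in
            fips=*|boot=*) ;;                       # drop old values
            *) out="${out:+$out }$tok" ;;
        esac
    done
    out="${out:+$out }fips=1"
    if [ -n "$boot_uuid" ]; then
        out="$out boot=UUID=$boot_uuid"
    fi
    printf '%s\n' "$out"
}

# Print the UUID of a separate /boot filesystem, or nothing when /boot is
# just a directory on the root filesystem. findmnt --target resolves to the
# mount that actually holds /boot, so it equals "/boot" only when separate.
# Assumes util-linux findmnt/blkid; blkid needs root to read the device.
boot_uuid_if_separate() {
    if [ "$(findmnt -n -o TARGET --target /boot 2>/dev/null)" = "/boot" ]; then
        blkid -s UUID -o value "$(findmnt -n -o SOURCE /boot)"
    fi
}

# After the reboot, the kernel reports the mode here: 1 means FIPS is on.
fips_enabled() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}
```

On the AWS box in the post boot_uuid_if_separate prints nothing, so fips_cmdline yields the working line from the post with no boot= parameter; after grub2-mkconfig and a reboot, fips_enabled should succeed.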
4 thoughts on “AWS CentOS 7 FIPS mode”
From one engineer to another, thank you so much for documenting this! I’ve been pulling my hair for the last hour trying to figure this one out.
Were you able to get FedRAMP certification using CentOS? Our commercial offering is built on CentOS, but our consultant that did a FedRAMP gap analysis recommended that we switch to RHEL. He couldn’t really say for certain that it was mandatory but recommended against it. I’d prefer to stick with CentOS, but would feel better knowing that someone else has gone through the process and achieved certification.
Unfortunately, Red Hat’s crypto modules are only FIPS validated on RHEL. FedRAMP has recently put out a statement on this. See:
JAB Guidance on CentOS Linux End of Life – https://www.fedramp.gov/2021-03-30-CentOS-Linux-End-of-Life/
It includes the following statement:
Additionally, Red Hat cryptographic modules running on any version of CentOS lack FIPS-140 validation, and FedRAMP cannot accept FIPS-140 validation assertions of these modules on the CentOS platform, including CentOS 7.
Good to know! Looks like FedRAMP finally made a solid call on using CentOS. I’ll update this post.