This probably took me entirely too long to figure out so I figured I’d make a post on it to help anyone else trying to enable FIPS in AWS on CentOS boxes.
If you’re trying to get FedRAMP certification, this is something you’re going to need. FIPS 140-2 validated/compliant encryption is necessary for FedRAMP. If you don’t have FIPS 140-2, you will end up with high findings on your SAR and a no-go for FedRAMP certification.
I followed this guide on how to enable FIPS on CentOS.
I came from environments that didn’t use “the cloud,” so I’m used to LVM mapping a separate partition to /boot, and this is what threw me off. Step 4 specifically messed me up. I would update the kernel command line in /etc/default/grub with one of the following:
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=12345a0b-1234-1234-1abc-abcd12ef1234"
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=UUID=12345a0b-1234-1234-1abc-abcd12ef1234"
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=/dev/xvda1"
When I would restart the EC2 instance, the machine would just fail and not boot. This was incredibly frustrating. The typical error:
dracut: FATAL: FIPS integrity test failed
I also saw
dracut: FATAL: You have to specify boot= as a boot option for fips=1
The latter was why I was so adamant about using the “boot=” option on the kernel command line. This was just wrong, since /boot lived on the root partition in AWS rather than on a partition of its own.
I fixed this by improving my reading comprehension. You’ll see on the instructions, “To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If your /boot or /boot/EFI/ partitions reside on separate partitions, add the boot= (where stands for /boot or /boot/EFI) parameter to the kernel command line as well.”
Once I sat back and actually read this again I realized I needed to just omit the boot= parameter.
GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 fips=1"
And voila, it works!
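To make the separate-/boot decision explicit instead of guessing, here is an added POSIX shell helper (my own example, not from the original post or the guide it references). It strips any stale fips=/boot= parameters, appends fips=1, and appends boot=UUID=... only when /boot is really its own filesystem; it assumes the guide’s other steps (dracut-fips installed, initramfs rebuilt) are already done and a BIOS-style grub2 layout with /boot/grub2/grub.cfg.

```shell
#!/bin/sh
# Added example: build GRUB_CMDLINE_LINUX for FIPS mode, adding boot= only
# when /boot is a separate filesystem (the mistake the post describes).

# Prints "yes" if /boot is a mount point of its own, "no" otherwise.
boot_is_separate() {
    # findmnt exits non-zero when /boot is merely a directory on /
    if findmnt -n /boot >/dev/null 2>&1; then echo yes; else echo no; fi
}

# fips_cmdline BASE SEPARATE [BOOT_UUID]
#   BASE      current GRUB_CMDLINE_LINUX value
#   SEPARATE  yes|no (from boot_is_separate)
#   BOOT_UUID filesystem UUID of /boot, used only when SEPARATE=yes
fips_cmdline() {
    base=$1; separate=$2; uuid=$3
    # Drop any existing fips= or boot= so re-running stays idempotent.
    cleaned=$(printf '%s\n' "$base" | tr ' ' '\n' \
              | grep -v -e '^fips=' -e '^boot=' | tr '\n' ' ')
    cleaned=${cleaned% }                       # trailing space from tr
    if [ "$separate" = yes ]; then
        printf '%s\n' "${cleaned:+$cleaned }fips=1 boot=UUID=$uuid"
    else
        printf '%s\n' "${cleaned:+$cleaned }fips=1"
    fi
}

# update_grub_default FILE NEWCMDLINE: rewrite the GRUB_CMDLINE_LINUX line,
# keeping a .bak copy of the original file.
update_grub_default() {
    file=$1; new=$2
    cp "$file" "$file.bak"
    sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$file"
}

# apply_fips: wire it together on a real host (run as root, then reboot).
# Assumes /etc/default/grub and a BIOS grub2 config path.
apply_fips() {
    cur=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' /etc/default/grub)
    sep=$(boot_is_separate)
    uuid=$( [ "$sep" = yes ] && findmnt -n -o UUID /boot )
    update_grub_default /etc/default/grub "$(fips_cmdline "$cur" "$sep" "$uuid")"
    grub2-mkconfig -o /boot/grub2/grub.cfg
    echo "After reboot, verify: cat /proc/sys/crypto/fips_enabled  (expect 1)"
}
```

After the reboot, /proc/sys/crypto/fips_enabled reading 1 is the quick confirmation that the kernel actually came up in FIPS mode.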
In hindsight, someone with a deeper knowledge of the boot process would’ve known this, and it’s probably why I couldn’t find this exact example on Google, but I figured I’d post it anyway. I’ve been coddled by other engineers taking care of hardware (virtualization teams and cloud platforms), so I guess this is good to know.