How to enable FIPS on instances using Red Hat Unified Kernel Images?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 9
    • Red Hat Unified Kernel Image
  • Microsoft Azure
  • Confidential Virtual Machines

Issue

  • Cannot enable FIPS mode in RHEL UKI
  • Unable to enable FIPS in Confidential Virtual Machines on Azure
  • Unable to enable FIPS in Confidential Virtual Machines on Azure with fips-mode-setup tool

Resolution

1. Use RHEL 9.5 or later.

2. Install the kernel-uki-virt-addons package (the commands below need root privileges):

$ dnf install kernel-uki-virt-addons

3. Copy the FIPS-enabling UKI add-on into the bootloader add-ons directory:

$ cp /lib/modules/$(uname -r)/vmlinuz-virt.efi.extra.d/fips-enable-virt.rhel.x86_64.addon.efi /boot/efi/loader/addons

4. Set the system-wide crypto policy to FIPS:

$ update-crypto-policies --set FIPS

5. Reboot the system.

NOTE: Using fips-mode-setup is deprecated, see RHEL 9.5 Release Notes - Security
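The procedure above gathered into one script, as an added example that is not part of the original article: it checks the release version, verifies the add-on file is present before copying it, creates the add-ons directory if needed, and sets the FIPS policy. The paths and commands are those given in the article; the function names, the `--apply` switch and the `VERSION_ID` lookup from /etc/os-release are this example's own assumptions. Run as root.

```bash
#!/bin/bash
# Enable FIPS on a RHEL 9.5+ Unified Kernel Image system via the
# fips-enable-virt add-on (example; run as root with --apply).
set -eu

ADDON_NAME="fips-enable-virt.rhel.x86_64.addon.efi"
ADDON_DST="/boot/efi/loader/addons"

# Return 0 when a "major.minor" release string is 9.5 or later, the
# minimum the article names for the UKI add-on procedure.
rhel_version_ok() {
    local v="$1" major minor
    case "$v" in *.*) ;; *) v="$v.0" ;; esac      # "9" -> "9.0"
    major=${v%%.*}
    minor=${v#*.}; minor=${minor%%.*}
    [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 5 ]; }
}

# Copy the add-on from the kernel's extra.d directory into the bootloader
# add-ons directory, creating it if missing. Both directories are
# arguments so the function can be exercised against temporary paths.
install_fips_addon() {
    local src_dir="$1" dst_dir="$2"
    if [ ! -f "$src_dir/$ADDON_NAME" ]; then
        echo "add-on not found in $src_dir; install kernel-uki-virt-addons" >&2
        return 1
    fi
    mkdir -p "$dst_dir"
    cp "$src_dir/$ADDON_NAME" "$dst_dir/"
    [ -f "$dst_dir/$ADDON_NAME" ]
}

# The full procedure from the article, with the checks applied first.
enable_fips_uki() {
    local rel
    rel=$(. /etc/os-release && printf '%s' "$VERSION_ID")   # assumption: e.g. "9.5"
    rhel_version_ok "$rel" || { echo "RHEL 9.5 or later required, found $rel" >&2; return 1; }
    dnf install -y kernel-uki-virt-addons
    install_fips_addon "/lib/modules/$(uname -r)/vmlinuz-virt.efi.extra.d" "$ADDON_DST"
    update-crypto-policies --set FIPS
    echo "FIPS policy set; reboot, then confirm with: cat /proc/sys/crypto/fips_enabled"
}

# Only apply changes when explicitly asked, so the file can be sourced safely.
case "${1:-}" in --apply) enable_fips_uki ;; esac
```

After the reboot, /proc/sys/crypto/fips_enabled should read 1 and update-crypto-policies --show should report FIPS.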

Root Cause

  • Systems booting a Unified Kernel Image cannot use fips-mode-setup: it relies on grubby and on regenerating a separate initramfs, neither of which is present on a UKI system (see the errors below), so FIPS must be enabled through the UKI add-on and crypto policy instead.

Diagnostic Steps

  • Trying to enable FIPS fails with:

    # fips-mode-setup --enable
    The grubby command is missing, please configure the bootloader manually.
    Kernel initramdisks are being regenerated. This might take some time.
    dracut: Can't write to /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64: Directory /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64 does not exist or is not accessible.
    Installation of FIPS modules could not be completed.

  • After a reboot:

    # fips-mode-setup --check
    Installation of FIPS modules is not completed.
    FIPS mode is enabled.
    Inconsistent state detected.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.