Support a boot option for disabling FIPS in PXE booted systems when using transparent disk encryption

Description

This isn't so much a bug as it is just a comment/request to change some comments/documentation on disabling FIPS. In the sample KS file the END FIPS line comes after the check that adds the cryptcreds to /etc/dracut.conf and regenerates the initramfs. This means that if you skim through and disable FIPS without looking in detail at exactly what each line is doing, while leaving transparent disk encryption enabled, then the PXE booted system will not boot because the initramfs will not be updated with the password.

My suggestion would be to change the disabling/enabling of FIPS within PXE booted systems to work the same way disk encryption is enabled with the simp_disk_crypt option: something along the lines of simp_fips_enabled, so that, as the integrator, I don't need to know exactly which lines to comment out, and so that, if FIPS and disk encryption are both disabled, the logic doesn't waste time regenerating the initramfs.

Acceptance Criteria

None

Activity

Trevor Vaughan
December 31, 2019, 3:41 PM

In general, we encourage folks to enable FIPS during the kickstart process even if they want to disable it at a later time.

This prevents issues if FIPS is required and ensures that keys are created in a compatible manner out of the box.

FIPS can be easily disabled post-boot (and will be by Puppet if you set the parameters appropriately) but enabling it from a disabled state tends to cause issues.
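The decision logic the ticket asks for, as an added illustrative example rather than SIMP's own kickstart code: FIPS and transparent disk encryption are each gated by their own kernel boot option, the cryptcreds/dracut.conf step depends only on the disk-encryption option, and the initramfs is rebuilt only when one of the two features needs it. simp_disk_crypt is the existing SIMP option and simp_fips_enabled is the one proposed above; the 0/1 values, the step names and the /proc/cmdline parsing are assumptions made for the example. Nothing here runs dracut; the functions return the planned steps so the logic can be checked offline, and a validation function catches the unbootable combination (encrypted disk, no password in the initramfs) before anything is written.

```shell
#!/bin/sh
# Added illustrative example, not SIMP's kickstart code. simp_disk_crypt is the
# real SIMP boot option; simp_fips_enabled is the option proposed in the ticket.
# The 0/1 values and the step names below are assumptions for this example.

# Print the value of key=value from a kernel command line string, or a default.
#   $1 = command line, $2 = key, $3 = default
cmdline_opt() {
  for word in $1; do
    case "$word" in
      "$2="*) printf '%s\n' "${word#*=}"; return 0 ;;
    esac
  done
  printf '%s\n' "$3"
}

# Decide which %post steps to run for a given command line and print them as a
# space-separated list, in execution order.
plan_post_steps() {
  cmdline=$1
  # Default FIPS to enabled: turning it off later is easy, turning it on is not.
  fips=$(cmdline_opt "$cmdline" simp_fips_enabled 1)
  crypt=$(cmdline_opt "$cmdline" simp_disk_crypt 0)
  steps=""

  if [ "$fips" = 1 ]; then
    steps="$steps fips_kernel_arg"
  fi

  # The disk-encryption step depends only on simp_disk_crypt, never on FIPS, so
  # disabling FIPS can no longer drop the cryptcreds from /etc/dracut.conf.
  if [ "$crypt" = 1 ]; then
    steps="$steps dracut_conf_cryptcreds"
  fi

  # Rebuild the initramfs only when one of the features changed it; with both
  # features off the expensive rebuild is skipped entirely.
  if [ "$fips" = 1 ] || [ "$crypt" = 1 ]; then
    steps="$steps regenerate_initramfs"
  fi

  printf '%s\n' "${steps# }"
}

# True if the space-separated plan ($1) contains the step ($2).
plan_has() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Refuse a plan that would produce the failure described in the ticket: an
# encrypted disk whose password never reaches the initramfs. Returns 0 if the
# plan is safe to act on, 1 otherwise.
plan_is_bootable() {
  crypt=$(cmdline_opt "$1" simp_disk_crypt 0)
  plan=$(plan_post_steps "$1")
  if [ "$crypt" = 1 ]; then
    plan_has "$plan" dracut_conf_cryptcreds || return 1
    plan_has "$plan" regenerate_initramfs || return 1
  fi
  return 0
}

# Stand-alone use: `sh this_script.sh --show` prints the plan for the running
# system's own kernel command line.
if [ "${1:-}" = "--show" ] && [ -r /proc/cmdline ]; then
  plan_post_steps "$(cat /proc/cmdline)"
fi
```

With this shape, an integrator who PXE boots with `simp_fips_enabled=0 simp_disk_crypt=1` gets the dracut.conf and initramfs steps regardless of FIPS, and `plan_is_bootable` is the check to run in %post before touching the system.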

Labels

Epic Link

None

Story Points

None

Priority

Lowest