On Tuesday 30 September 2008 18:30:29 Will Woods wrote:
- Any features that will need close attention between now and
This is not a Fedora Feature (yet) but it is something we are curious
about...libgcrypt has been updated to support FIPS-140-2. The way that we've
worked things to enable FIPS mode is to add a fips=1 to the grub kernel boot
params. However, that is not scheduled to be in a kernel until 2.6.28 (we
wished the Fedora 10 kernel were patched so deeper testing could be done). In
the meantime, libgcrypt in rawhide/F-10 does have a way of forcing the FIPS
This causes it to disable certain non-FIPS approved algorithms and enable
startup and continuous cryptographic tests. Any problems in applications will
be noted in syslog. We know that FIPS mode breaks gnutls and everything
linked to it. We don't know what else is potentially broken.
We need every application linked to libgcrypt to either work as advertised or
output a reasonable error message saying why it doesn't work - iow it depends
exclusively on algorithms or keysizes that are forbidden by FIPS. The docs
for gcrypt have been updated and explain in a lot more detail how things
work (also required for FIPS). So, that should help fix apps.
This is not mandatory to be working at F-10 release since the kernel support
is still way off in the future. (We'll probably start an F-11 feature page
for this soon.) I expect a fair amount of breakage and would like a head
start on making things work. No one should see any ill effects when not in
FIPS mode, which is the way we expect everyone to run today.
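
An added example (not part of the original message, and not libgcrypt or Fedora code) of the behaviour asked for above: an application probes its preferred digests and, when none is usable, says why instead of failing obscurely. `pick_digest`, `algo_usable`, `fips_active` and `fake_fips` are hypothetical names; without `-DUSE_LIBGCRYPT` a constructed stand-in that refuses MD5 replaces the real library calls.

```c
/* Added example; not libgcrypt or Fedora code. Real build:
 *   cc -DUSE_LIBGCRYPT demo.c -lgcrypt
 * Without the define, a constructed stand-in policy replaces the library. */
#include <stdio.h>
#include <stddef.h>

#ifdef USE_LIBGCRYPT
#include <gcrypt.h>
static int fips_active(void) { return gcry_fips_mode_active(); }
static int algo_usable(int algo) { return gcry_md_test_algo(algo) == 0; }
#else
/* Constructed stand-in: ids mirror gcrypt.h; MD5 is refused under FIPS. */
enum { GCRY_MD_MD5 = 1, GCRY_MD_SHA1 = 2, GCRY_MD_SHA256 = 8 };
static int fake_fips = 1;   /* hypothetical switch, for the demo only */
static int fips_active(void) { return fake_fips; }
static int algo_usable(int algo) { return !(fake_fips && algo == GCRY_MD_MD5); }
#endif

/* Return the first digest in prefs[] that the library will run, or -1 after
 * writing a diagnostic naming the likely cause into err[]. */
int pick_digest(const int *prefs, size_t n, char *err, size_t errlen)
{
    for (size_t i = 0; i < n; i++)
        if (algo_usable(prefs[i]))
            return prefs[i];
    snprintf(err, errlen, "no usable digest among %zu candidate(s)%s", n,
             fips_active() ? "; FIPS mode is active and forbids them" : "");
    return -1;
}

int main(void)
{
    char err[128] = "";
#ifdef USE_LIBGCRYPT
    if (!gcry_check_version(NULL)) {   /* also initialises the library */
        fputs("libgcrypt initialisation failed\n", stderr);
        return 2;
    }
    gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
#endif
    const int legacy_only[] = { GCRY_MD_MD5 };
    const int with_fallback[] = { GCRY_MD_MD5, GCRY_MD_SHA256 };
    printf("fallback list -> algo %d\n",
           pick_digest(with_fallback, 2, err, sizeof err));
    if (pick_digest(legacy_only, 1, err, sizeof err) < 0)
        fprintf(stderr, "error: %s\n", err);
    return 0;
}
```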