Flatcar Container Linux FIPS guide

FIPS stands for Federal Information Processing Standards, a set of standards issued by the National Institute of Standards and Technology (NIST). While Flatcar is not officially FIPS certified, it is possible to deploy it so that it is compliant with two of these standards:

• FIPS 200
• FIPS 140-2

Enabling FIPS

Booting the instance with the kernel parameter fips=1 allows the instance to operate in a FIPS 200 mode. This means the kernel will use FIPS-compliant algorithms and will enforce some security practices like RSA key size . It’s also recommended to create the empty file /etc/system-fips for other software (like cryptsetup).

To confirm that FIPS mode is enabled on the Kernel, check the content of the file /proc/sys/crypto/fips_enabled:

1
2
3

$ cat /proc/sys/crypto/fips_enabled
0 # disabled
1 # enabled

or by inspecting boot logs:

1
2

$ journalctl --boot | grep -i "kernel: fips"
Jun 27 18:07:22 localhost kernel: fips mode: enabled

Enabling OpenSSL FIPS provider

OpenSSL is an open-source library used for ciphering and hashing. As a library, it is widely used by programming software and third-party programs to ensure security. OpenSSL 3.0 FIPS provider is FIPS validated since Aug. 2022.

OpenSSL FIPS module is built by default on Flatcar. Overwriting /etc/ssl/openssl.cnf with the following section will enable the provider:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

config_diagnostics = 1
openssl_conf = openssl_init
# it includes the fipsmodule configuration
.include /etc/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1

NOTE: For Flatcar LTS-2023 (with OpenSSL < 3.0.8), it’s still required to generate the fipsmodule configuration, see upstream documentation on how to do it.

Once again, it’s possible to check that FIPS is enabled:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
$ echo "Flatcar + FIPS" | openssl sha1 -
SHA1(stdin)= ee2219bd6a234fa0e4436b475fc3b351e2dc85a0
$ echo "Flatcar + FIPS" | openssl md5 -
Error setting digest C0422ACDB57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 104), Properties ()C0422ACDB57F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:

OpenSSL FIPS module is also being used by cryptsetup when running in FIPS mode (detection is based on fips kernel parameter and /etc/system-fips file).

To check that cryptsetup runs in FIPS mode, it’s possible to add the --verbose flag:

1
2
3
4

$ cryptsetup --verbose luksFormat ./volume
...
Running in FIPS mode.
Command successful.

NOTE: Formatting a LUKS device with cryptsetup on a non-FIPS instance will use argon2id as key derivation function. This algorithm is not FIPS-compliant, so it will be impossible to open the LUKS device on a FIPS instance. It is possible to have a FIPS-compatible LUKS device if it is formatted using cryptsetup luksFormat --pbkdf=pbkdf2 ./my-volume which is the default behavior on a Flatcar FIPS instance even if --pbkdf=pbkdf2 is not specified.

Ignition provisioning

The two sections above can be combined into one Ignition configuration, as follows.

Starting from 3185.0.0 with Butane config:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

# To transpile it to Ignition config:
# butane < config.yml > ignition.json
---
version: 1.0.0
variant: flatcar
kernel_arguments:
  should_exist:
    - fips=1
storage:
  files:
    - path: /etc/system-fips
    - path: /etc/ssl/openssl.cnf
      overwrite: true
      mode: 0644
      contents:
        inline: |
          config_diagnostics = 1
          openssl_conf = openssl_init
          # it includes the fipsmodule configuration
          .include /etc/ssl/fipsmodule.cnf
          [openssl_init]
          providers = provider_sect
          [provider_sect]
          fips = fips_sect
          base = base_sect
          [base_sect]
          activate = 1

Troubleshooting

SSH login does not work with OpenSSL FIPS provider

It’s possible to have a SSH connection refused when OpenSSL FIPS provider is enabled. Inspecting the SSHd logs:

1

Jun 28 07:58:39 localhost sshd[1080]: ssh_dispatch_run_fatal: Connection from 10.0.2.2 port 40192: invalid argument [preauth]

In this case, it is likely that one of the Ciphers, defined in the /etc/ssh/sshd_config, is not FIPS-compliant (like chacha20-poly1305).