diskimage-builder/diskimage_builder/elements/fips/README.rst

====
fips
====

This image element attempts to setup the image so it will boot and operate
in what is often referred to as "FIPS mode", where cryptography policies
and algorithms are enforced to only those which are FIPS approved and
certified. In this context, FIPS is an abbreviation for
Federal Information Processing Standard, specifically publication number
140. You can learn more about FIPS policies at
https://csrc.nist.gov/publications/fips

This element is a best-effort element and additional software or elements
may be processed after the fact which may impact the work of this element.
It is **generally** regarded as critical to enable FIPS as early as possible,
as cryptography policy can be applied, but may not be fully enforced without
the kernel also operating in FIPS mode.

If you intend to utilize this element to generate production FIPS images,
it is highly recommended you do so on a host which has already had FIPS
enabled for itself.

Additionally, not all distributions are explicitly supported. Unsupported
distributions will error providing appropriate guidance, if available.
Add a FIPS element Adds an element whose purpose is to set the stage in the resulting image so that a user can generate an image utilizing DIB which can be used in a FIPS configuration without doing so with the input image or after the fact. Change-Id: Ia8a45584a56f6e06856fc2920c333351935dcd9d 2023-03-15 17:59:03 +00:00			`====`
			`fips`
			`====`

			`This image element attempts to setup the image so it will boot and operate`
			`in what is often referred to as "FIPS mode", where cryptography policies`
			`and algorithms are enforced to only those which are FIPS approved and`
			`certified. In this context, FIPS is an abbreviation for`
			`Federal Information Processing Standard, specifically publication number`
			`140. You can learn more about FIPS policies at`
			`https://csrc.nist.gov/publications/fips`

			`This element is a best-effort element and additional software or elements`
			`may be processed after the fact which may impact the work of this element.`
			`It is generally regarded as critical to enable FIPS as early as possible,`
			`as cryptography policy can be applied, but may not be fully enforced without`
			`the kernel also operating in FIPS mode.`

			`If you intend to utilize this element to generate production FIPS images,`
			`it is highly recommended you do so on a host which has already had FIPS`
			`enabled for itself.`

			`Additionally, not all distributions are explicitly supported. Unsupported`
			`distributions will error providing appropriate guidance, if available.`