////
Copyright (C) 2018-2021 Red Hat, Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
////


fips-mode-setup(8)
==================
:doctype: manpage
:man source: fips-mode-setup


NAME
----
fips-mode-setup - Check or enable the system FIPS mode.


SYNOPSIS
--------
*fips-mode-setup* ['COMMAND']


DESCRIPTION
-----------
fips-mode-setup(8) is used to check and control the system FIPS mode.

When enabling the system FIPS mode, the command completes the installation
of FIPS modules if needed by calling 'fips-finish-install' and changes the
system crypto policy to FIPS
(unless the policy has already been set to FIPS plus subpolicies on top,
in which case the currently active subpolicies is retained).

Then the command modifies the boot loader configuration to add
'fips=1' and 'boot=<boot-device>' options to the kernel command line.

When disabling the system FIPS mode the system crypto policy is switched
to DEFAULT and the kernel command line option 'fips=0' is set.


[[options]]
OPTIONS
-------

The following options are available in fips-mode-setup tool.

* --enable:     Enables the system FIPS mode.

* --disable:    Undo some of the FIPS-enablement steps (unsupported).

* --check:      Checks for inconsistently enabled FIPS mode.
                Exits successfully (0) for both consistently-enabled FIPS mode
                and consistently-disabled FIPS mode,
                returns error code (1) if inconsistencies are detected.
                For checking whether FIPS mode is enabled,
                see --is-enabled below.

* --is-enabled: Checks the system FIPS mode status and returns failure
                error code if disabled (2) or inconsistent (1).

* --no-bootcfg: The tool will not reconfigure the boot loader,
                and, instead, will print the options that need
                to be added to the kernel command line.
                Exception: it still attempts executing zipl(8) on s390x,
                as the system might become unbootable otherwise.


FILES
-----
/proc/sys/crypto/fips_enabled::
	The kernel FIPS mode flag.


SEE ALSO
--------
update-crypto-policies(8), fips-finish-install(8)

AUTHOR
------
Written by Tomáš Mráz.
