FIPS mode

6.18 LPAR mode z/VM guest KVM guest

In Federal Information Processing Standard (FIPS) mode, the kernel enforces FIPS security standards, including FIPS 140-2.

FIPS 140-2 includes, but is not limited to, the following requirements:
  • Only FIPS 140-2 approved encryption algorithms can be used.
  • All kernel modules must be signed. The lengths of RSA keys used for signing are limited to 2048 or 3072 bits. For details about signing kernel modules, see Documentation/module-signing.txt in the kernel source tree.
For more information about FIPS 140-2, go to csrc.nist.gov/publications/detail/fips/140/2/final.
Note: Enabling FIPS mode is not sufficient to make your kernel certified according to FIPS 140-2.

FIPS 140-2 certification is specific to a particular hardware platform and kernel build. Typically, running in FIPS mode is required, but not sufficient to be FIPS 140-2 certified. Check with your distributor to find out whether your kernel is certified according to FIPS 140-2.
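
The following check is an added example, not part of the original documentation: it reports whether the running kernel is in FIPS mode and lists kernel modules that carry no appended signature. It assumes the standard `/proc/sys/crypto/fips_enabled` kernel interface and the 28-byte marker that module signing appends to a `.ko` file; the function names and the optional `ROOT` prefix are hypothetical.

```shell
#!/bin/sh
# Added example: FIPS mode state and unsigned-module check (function names are hypothetical).
MODSIG_MAGIC='~Module signature appended~'   # marker appended by module signing, plus "\n" = 28 bytes

# fips_state [ROOT] -> enabled | disabled | unsupported
# ROOT is an optional prefix so the check can run against a constructed tree.
fips_state() {
    f="${1:-}/proc/sys/crypto/fips_enabled"
    # A missing file means the kernel was built without FIPS support.
    [ -r "$f" ] || { echo unsupported; return 0; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# module_is_signed FILE -> exit 0 if FILE ends with the signature marker.
# This shows that a signature is appended, not that it verifies or which key
# length signed it. Compressed modules (.ko.xz, .ko.zst) must be decompressed first.
module_is_signed() {
    # $(...) strips the marker's trailing newline; tr drops NULs from binary tails.
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$MODSIG_MAGIC" ]
}

# unsigned_modules DIR -> one path per line for every *.ko without the marker
unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r m; do
        module_is_signed "$m" || echo "$m"
    done
}

# Typical use on a live system:
#   fips_state
#   unsigned_modules "/lib/modules/$(uname -r)"
```

A result of `enabled` with an empty `unsigned_modules` list confirms the two requirements listed above are in effect on the running system; it says nothing about certification.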