Add a boot menu for fips=1

In RHEL10 it is no longer possible to switch a system to FIPS after it is installed. Setting fips=1 is documents, but in order to make it easier for users there should also be a menu entry. Resolves: RHEL-91929
2025-05-07 09:46:40 -07:00 · 2025-05-07 09:46:40 -07:00 · 5d2bf7ce08
commit 5d2bf7ce08
parent 5f724032d8
5 changed files with 22 additions and 0 deletions
--- a/80-rhel/config_files/aarch64/grub2-efi.cfg
+++ b/80-rhel/config_files/aarch64/grub2-efi.cfg
@ -34,6 +34,10 @@ menuentry 'Test this media & install @PRODUCT@ @VERSION@' --class red --class gn
 	linux @KERNELPATH@ @ROOT@ rd.live.check
 	initrd @INITRDPATH@
 }
+menuentry 'Install @PRODUCT@ @VERSION@ in FIPS mode' --class red --class gnu-linux --class gnu --class os {
+	linux @KERNELPATH@ @ROOT@ ro fips=1
+	initrd @INITRDPATH@
+}
 submenu 'Troubleshooting -->' {
 	menuentry 'Install @PRODUCT@ @VERSION@ in basic graphics mode' --class red --class gnu-linux --class gnu --class os {
 		linux @KERNELPATH@ @ROOT@ nomodeset
--- a/80-rhel/config_files/ppc/grub.cfg.in
+++ b/80-rhel/config_files/ppc/grub.cfg.in
@ -13,6 +13,11 @@ menuentry "Test this media & install @PRODUCT@ @VERSION@  (64-bit kernel)" --cla
      initrd /ppc/ppc64/initrd.img
 }

+menuentry "Install @PRODUCT@ @VERSION@ (64-bit kernel) in FIPS mode" --class fedora --class gnu-linux --class gnu --class os {
+      linux /ppc/ppc64/vmlinuz @ROOT@ ro fips=1
+      initrd /ppc/ppc64/initrd.img
+}
+
 menuentry "Rescue a @PRODUCT@ system (64-bit kernel)" --class fedora --class gnu-linux --class gnu --class os {
      linux /ppc/ppc64/vmlinuz @ROOT@ inst.rescue ro
      initrd /ppc/ppc64/initrd.img
--- a/80-rhel/config_files/x86/grub2-bios.cfg
+++ b/80-rhel/config_files/x86/grub2-bios.cfg
@ -25,6 +25,10 @@ menuentry 'Test this media & install @PRODUCT@ @VERSION@' --class fedora --class
 	linux @KERNELPATH@ @ROOT@ rd.live.check quiet
 	initrd @INITRDPATH@
 }
+menuentry 'Install @PRODUCT@ @VERSION@ in FIPS mode' --class fedora --class gnu-linux --class gnu --class os {
+	linux @KERNELPATH@ @ROOT@ quiet fips=1
+	initrd @INITRDPATH@
+}
 submenu 'Troubleshooting -->' {
 	menuentry 'Install @PRODUCT@ @VERSION@ in basic graphics mode' --class fedora --class gnu-linux --class gnu --class os {
 		linux @KERNELPATH@ @ROOT@ nomodeset quiet
--- a/80-rhel/config_files/x86/grub2-efi.cfg
+++ b/80-rhel/config_files/x86/grub2-efi.cfg
@ -28,6 +28,10 @@ menuentry 'Test this media & install @PRODUCT@ @VERSION@' --class fedora --class
 	linuxefi @KERNELPATH@ @ROOT@ rd.live.check quiet
 	initrdefi @INITRDPATH@
 }
+menuentry 'Install @PRODUCT@ @VERSION@ in FIPS mode' --class fedora --class gnu-linux --class gnu --class os {
+	linuxefi @KERNELPATH@ @ROOT@ quiet fips=1
+	initrdefi @INITRDPATH@
+}
 submenu 'Troubleshooting -->' {
 	menuentry 'Install @PRODUCT@ @VERSION@ in basic graphics mode' --class fedora --class gnu-linux --class gnu --class os {
 		linuxefi @KERNELPATH@ @ROOT@ nomodeset quiet
--- a/80-rhel/config_files/x86/isolinux.cfg
+++ b/80-rhel/config_files/x86/isolinux.cfg
@ -69,6 +69,11 @@ label check
  kernel vmlinuz
  append initrd=initrd.img @ROOT@ rd.live.check quiet

+label fips
+  menu label ^Install @PRODUCT@ @VERSION@ in FIPS mode
+  kernel vmlinuz
+  append initrd=initrd.img @ROOT@ quiet fips=1
+
 menu separator # insert an empty line

 # utilities submenu