add steps to enable FIPS mode on IBM Z

SNiemann15 · SNiemann15 · commit ed0a02df469c · 2025-02-17T10:14:28.000+01:00
diff --git a/modules/adding-ibm-z-lpar-agent.adoc b/modules/adding-ibm-z-lpar-agent.adoc
@@ -23,17 +23,19 @@ rd.neednet=1 cio_ignore=all,!condev \
 console=ttysclp0 \
 ignition.firstboot ignition.platform.id=metal
 coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \// <1>
-coreos.inst.persistent-kargs=console=ttysclp0
+coreos.inst.persistent-kargs=console=ttysclp0 \
 ip=<ip>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \// <2>
 rd.znet=qeth,<network_adaptor_range>,layer2=1
 rd.<disk_type>=<adapter> \// <3>
-zfcp.allow_lun_scan=0
-ai.ip_cfg_override=1 \//
+fips=1 \// <4>
+zfcp.allow_lun_scan=0 \
+ai.ip_cfg_override=1 \
 random.trust_cpu=on rd.luks.options=discard
 ----
 <1> For the `coreos.live.rootfs_url` artifact, specify the matching `rootfs` artifact for the `kernel` and `initramfs` that you are starting. Only HTTP and HTTPS protocols are supported.
 <2> For the `ip` parameter, manually assign the IP address, as described in _Installing a cluster with z/VM on IBM Z and IBM LinuxONE_.
 <3> For installations on DASD-type disks, use `rd.dasd` to specify the DASD where {op-system-first} is to be installed. For installations on FCP-type disks, use `rd.zfcp=<adapter>,<wwpn>,<lun>` to specify the FCP disk where {op-system} is to be installed.
+<4> To enable FIPS mode, specify `fips=1`. This entry is required in addition to setting the `fips` parameter to `true` in the `install-config.yaml` file.
 +
 [NOTE]
 ====
diff --git a/modules/agent-installer-configuring-fips-compliance.adoc b/modules/agent-installer-configuring-fips-compliance.adoc
@@ -10,6 +10,11 @@
 
 During a cluster deployment, the Federal Information Processing Standards (FIPS) change is applied when the Red Hat Enterprise Linux CoreOS (RHCOS) machines are deployed in your cluster. For Red Hat Enterprise Linux (RHEL) machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines.
 
+[IMPORTANT]
+====
+{product-title} requires the use of a FIPS-capable installation binary to install a cluster in FIPS mode.
+====
+
 You can enable FIPS mode through the preferred method of `install-config.yaml` and `agent-config.yaml`:
 
 . You must set value of the `fips` field to `True` in the `install-config.yaml` file:
@@ -24,6 +29,11 @@ metadata:
   name: sno-cluster
 fips: True
 ----
++
+[IMPORTANT]
+====
+To enable FIPS mode on {ibm-z-name} clusters, you must also enable FIPS in either the `.parm` file or using `virt-install` as outlined in the procedures for manually adding {ibm-z-name} agents.
+====
 
 . Optional: If you are using the {ztp} manifests, you must set the value of `fips` as `True` in the `Agent-install.openshift.io/install-config-overrides` field in the `agent-cluster-install.yaml` file:
 
diff --git a/modules/installing-ocp-agent-ibm-z-kvm.adoc b/modules/installing-ocp-agent-ibm-z-kvm.adoc
@@ -49,10 +49,12 @@ $ virt-install \
    --osinfo detect=on,require=off
 ----
 <1> For the `--location` parameter, specify the location of the kernel/initrd on the HTTP or HTTPS server.
+
 endif::pxe-boot[]
 
 ifndef::pxe-boot[]
 +
+.ISO boot
 [source,terminal]
 ----
 $ virt-install
@@ -72,6 +74,43 @@ $ virt-install
 <1> For the `--cdrom` parameter, specify the location of the ISO image on the HTTP or HTTPS server.
 endif::pxe-boot[]
 
+. Optional: Enable FIPS mode.
++
+To enable FIPS mode on {ibm-z-name} clusters with {op-system-base} KVM you must use PXE boot instead and run the `virt-install` command with the following parameters:
++
+.PXE boot
+[source,terminal]
+----
+$ virt-install \
+   --name <vm_name> \
+   --autostart \
+   --ram=16384 \
+   --cpu host \
+   --vcpus=8 \
+   --location <path_to_kernel_initrd_image>,kernel=kernel.img,initrd=initrd.img \// <1>
+   --disk <qcow_image_path> \
+   --network network:macvtap ,mac=<mac_address> \
+   --graphics none \
+   --noautoconsole \
+   --wait=-1 \
+   --extra-args "rd.neednet=1 nameserver=<nameserver>" \
+   --extra-args "ip=<IP>::<nameserver>::<hostname>:enc1:none" \
+   --extra-args "coreos.live.rootfs_url=http://<http_server>:8080/agent.s390x-rootfs.img" \
+   --extra-args "random.trust_cpu=on rd.luks.options=discard" \
+   --extra-args "ignition.firstboot ignition.platform.id=metal" \
+   --extra-args "console=tty1 console=ttyS1,115200n8" \
+   --extra-args "coreos.inst.persistent-kargs=console=tty1 console=ttyS1,115200n8" \
+   --extra-args "fips=1" \// <2>
+   --osinfo detect=on,require=off
+----
+<1> For the `--location` parameter, specify the location of the kernel/initrd on the HTTP or HTTPS server.
+<2> To enable FIPS mode, specify `fips=1`. This entry is required in addition to setting the `fips` parameter to `true` in the `install-config.yaml` file.
++
+[NOTE]
+====
+Currently, only PXE boot is supported to enable FIPS mode on {ibm-z-name}.
+====
+
 ifeval::["{context}" == "prepare-pxe-assets-agent"]
 :!pxe-boot:
 endif::[]
diff --git a/modules/installing-ocp-agent-ibm-z-zvm.adoc b/modules/installing-ocp-agent-ibm-z-zvm.adoc
@@ -23,13 +23,14 @@ Only use this procedure for {ibm-z-name} clusters with z/VM.
 ----
 rd.neednet=1 \
 console=ttysclp0 \
-coreos.live.rootfs_url=<rootfs_url> \ <1>
-ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \ <2>
-zfcp.allow_lun_scan=0 \ <3>
+coreos.live.rootfs_url=<rootfs_url> \// <1>
+ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \// <2>
+zfcp.allow_lun_scan=0 \// <3>
 ai.ip_cfg_override=1 \
 rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
-rd.dasd=0.0.4411 \ <4>
-rd.zfcp=0.0.8001,0x50050763040051e3,0x4000406300000000 \ <5>
+rd.dasd=0.0.4411 \// <4>
+rd.zfcp=0.0.8001,0x50050763040051e3,0x4000406300000000 \// <5>
+fips=1 \// <6>
 random.trust_cpu=on rd.luks.options=discard \
 ignition.firstboot ignition.platform.id=metal \
 console=tty1 console=ttyS1,115200n8 \
@@ -40,6 +41,7 @@ coreos.inst.persistent-kargs="console=tty1 console=ttyS1,115200n8"
 <3> The default is `1`. Omit this entry when using an OSA network adapter.
 <4> For installations on DASD-type disks, use `rd.dasd` to specify the DASD where {op-system-first} is to be installed. Omit this entry for FCP-type disks.
 <5> For installations on FCP-type disks, use `rd.zfcp=<adapter>,<wwpn>,<lun>` to specify the FCP disk where {op-system} is to be installed. Omit this entry for DASD-type disks.
+<6> To enable FIPS mode, specify `fips=1`. This entry is required in addition to setting the `fips` parameter to `true` in the `install-config.yaml` file.
 +
 Leave all other parameters unchanged.
 
