202 Fabric OS Administrator’s Guide
53-1001763-02
FIPS Support
9
When firmwareDownload installs a firmware file, it needs to validate the signature of the file.
Different scenarios are handled as follows:

• If a firmware file does not have a signature, how it is handled depends on the
  “signed_firmware” parameter on the switch. If it is enabled, firmwareDownload will fail.
  Otherwise, firmwareDownload will display a warning message and proceed normally. So
  when downgrading to a non-FIPS compliant firmware, the “signed_firmware” flag needs to
  be disabled.
• If the firmware file has a signature but the validation fails, firmwareDownload will fail. This
  means the firmware is not from Brocade or its content has been modified.
• If the firmware file has a signature and the validation succeeds, firmwareDownload will
  proceed normally.

SAS, DMM, and third party application images are not signed.

Configuring the switch for signed firmware

1. Connect to the switch and log in using an account assigned to the admin role.
2. Type the configure command.
3. Respond to the prompts as follows:

   System Service: Default is no; press Enter to select default setting.
   ssl attributes: Default is no; press Enter to select default setting.
   snmp attributes: Default is no; press Enter to select default setting.
   rpcd attributes: Default is no; press Enter to select default setting.
   cfgload attributes: Select Yes. The following questions are displayed:
      Enforce secure config Upload/Download: Select yes
      Enforce signed firmware download: Select yes
   Webtools attributes: Default is no; press Enter to select default setting.
   System: Default is no; press Enter to select default setting.

Power-on Firmware Checksum Test

FIPS requires the checksums of the executables and libraries on the filesystem to be validated
before Fabric OS modules are launched. This is to make sure these files have not been changed
after they are installed.
When firmware RPM packages are installed during firmwareDownload, the MD5 checksums of the
firmware files are stored in the RPM database on the filesystem. The checksum test goes through
all of the files in the RPM database and compares each file's current checksum with the checksum
that is stored in the RPM database. If they are different, an output message is displayed
informing you of the difference.
Because the validation may take up to a few minutes, it will not be performed during hot code load.
It is only performed after a cold reboot of the switch.
For more information on FIPS, see Chapter 7, “Configuring Security Policies”.
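
The compare-against-stored-checksum logic of the Power-on Firmware Checksum Test, sketched as an added example (not Brocade's code and not part of the original guide). A dictionary stands in for the RPM database, and the file names and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks; marked non-security so FIPS-mode Python builds allow it."""
    digest = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_checksums(root):
    """Install time: store one checksum per file (stand-in for the RPM database)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = md5_of(full)
    return db

def power_on_test(root, db):
    """Cold boot: check every database entry and report files that changed or are gone."""
    findings = []
    for rel, stored in sorted(db.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append((rel, "missing"))
        elif md5_of(full) != stored:
            findings.append((rel, "checksum mismatch"))
    return findings

def demo():
    """Constructed sample tree (hypothetical file names): install, verify, alter, verify again."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"bin/fabricd": b"v1", "lib/libfos.so": b"v1", "etc/fos.conf": b"a=1"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        db = record_checksums(root)
        clean = power_on_test(root, db)                 # nothing changed yet
        with open(os.path.join(root, "bin/fabricd"), "wb") as fh:
            fh.write(b"v1-changed")                     # modified after install
        os.remove(os.path.join(root, "lib/libfos.so"))  # removed after install
        return clean, power_on_test(root, db)

if __name__ == "__main__":
    print(demo())
```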