
[BUG] FIPS Mode Isn't REALLY Disabled When --no-fips Flag Is Set #57

@ferricoxide

Description


Describe the bug

While doing:

$ cat /proc/sys/crypto/fips_enabled

on an EC2 built from an AMI created using the --no-fips flag correctly results in a 0 output, executing:

$ update-crypto-policies --show

will still show:

FIPS

Note: This issue was uncovered after using the Cross-Distro Bootstrap instructions to produce an OL8 AMI. Packer's (current) inability to negotiate SSH connections on FIPS-enabled instances was on full display when attempting to provision the resulting EC2.

Severity

  • Completely Broken (No work-around evident)
  • Severely Broken (Work-around possible but difficult)
  • Moderately Broken (Trivial work-around)
  • Nuisance (Functions but untrapped errors can slip through)

To Reproduce
Steps to reproduce the behavior:

  1. Create an AMI using the PostBuild.sh script's --no-fips flag
  2. Launch an EC2 from the resulting AMI
  3. Login to the EC2
  4. Execute FIPS-mode steps as described above to see the incorrect/inconsistent FIPS-state

Expected behavior

FIPS is fully and completely disabled within EC2s launched from AMIs built by passing the --no-fips flag to the PostBuild.sh script

Deviance Description

FIPS is only partially disabled (see opening bug description) within EC2s launched from AMIs built by passing the --no-fips flag to the PostBuild.sh script

Screenshots

Additional context

Fix Suggestions

Ensure that the PostBuild.sh script's --no-fips logic includes an execution of:

update-crypto-policies --set DEFAULT
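The half-disabled state the issue describes can be detected and remediated mechanically. The shell script below is an added example, not code from the PostBuild.sh project or from the reporter: it classifies the FIPS state from the two sources the issue compares (the kernel flag in /proc/sys/crypto/fips_enabled and the output of `update-crypto-policies --show`), and shows what a `--no-fips` branch should do so that both sources agree. It assumes a RHEL-8-family host where update-crypto-policies(8) exists and, optionally, fips-mode-setup(8); the function names are mine, and the checks degrade to harmless defaults on a host without those files or tools.

```shell
#!/bin/sh
# Added example (not part of the PostBuild.sh project): verify that FIPS is
# disabled consistently in the kernel AND in the system-wide crypto policy,
# and remediate the "kernel says 0, policy says FIPS" state from this issue.
#
# Assumed environment (not stated by the issue): RHEL-8-family tooling, i.e.
# /proc/sys/crypto/fips_enabled, update-crypto-policies(8) and optionally
# fips-mode-setup(8). Function names below are hypothetical.

# classify_fips_state KERNEL_FLAG POLICY
#   KERNEL_FLAG: contents of /proc/sys/crypto/fips_enabled ("0" or "1")
#   POLICY:      output of `update-crypto-policies --show`, e.g. "FIPS",
#                "DEFAULT", or "FIPS:OSPP" (FIPS policy with a subpolicy)
# Prints exactly one of: disabled, enabled, partial-userspace, partial-kernel
classify_fips_state() {
    kernel_flag="$1"
    policy="$2"
    policy_is_fips=0
    case "$policy" in
        FIPS|FIPS:*) policy_is_fips=1 ;;
    esac
    if [ "$kernel_flag" = "1" ] && [ "$policy_is_fips" = "1" ]; then
        echo enabled
    elif [ "$kernel_flag" != "1" ] && [ "$policy_is_fips" = "0" ]; then
        echo disabled
    elif [ "$kernel_flag" != "1" ]; then
        # Kernel flag cleared, crypto policy still FIPS: the state this issue reports.
        echo partial-userspace
    else
        # Crypto policy reset but kernel still booted with fips=1.
        echo partial-kernel
    fi
}

# Read the live kernel flag; treat a missing file (non-FIPS-capable host) as 0.
read_kernel_fips_flag() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0
    fi
}

# Read the live crypto policy; treat a host without the tool as DEFAULT.
read_crypto_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    else
        echo DEFAULT
    fi
}

# disable_fips_fully: what a --no-fips post-build branch should do. Both halves
# are needed; clearing only the kernel side leaves the policy at FIPS.
# Requires root on a real host; not invoked at top level here.
disable_fips_fully() {
    # Kernel side (assumed available): drops the fips=1 boot argument so the
    # next boot reports fips_enabled=0.
    if command -v fips-mode-setup >/dev/null 2>&1; then
        fips-mode-setup --disable
    fi
    # Userspace side: the step the issue reports as missing. Run it explicitly
    # so the policy cannot be left at FIPS regardless of what the step above did.
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --set DEFAULT
    else
        echo "update-crypto-policies not found; nothing to reset" >&2
    fi
}

# Report the live state. On an image built with --no-fips, anything other
# than "disabled" is the inconsistency described in this issue.
live_state=$(classify_fips_state "$(read_kernel_fips_flag)" "$(read_crypto_policy)")
echo "FIPS state: $live_state"
```

On a host showing the symptom from the report, the script prints `FIPS state: partial-userspace`; running `disable_fips_fully` as root and rebooting should bring it to `disabled`. Matching `FIPS:*` as well as `FIPS` matters because a FIPS policy with a subpolicy (for example `FIPS:OSPP`) is still a FIPS policy and would otherwise be misclassified as disabled.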

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Milestone: No milestone
Development: No branches or pull requests