
FIPS Gate

FIPS compliance is one of those things that sounds straightforward until you’re debugging why a container ran happily on a developer’s laptop but failed an audit in production. The problem isn’t usually the application itself. It’s that nobody checked whether the host kernel actually had FIPS mode enabled before the application started. FIPS Gate is a tiny Rust binary that does exactly that check, and nothing else.

The problem

Containers share the host kernel, and the host kernel is where FIPS mode lives. The FIPS-aware crypto libraries shipped in distributions such as RHEL and its UBI images don't enforce FIPS restrictions unconditionally; at startup they consult the kernel's fips_enabled flag to decide. So you can build a perfectly good image with all the right FIPS-validated OpenSSL modules, but if the host isn't running in FIPS mode, those modules won't enforce FIPS restrictions. Your application runs fine, passes functional tests, and silently violates your compliance requirements.

I wanted a way to fail fast. If the host isn’t in FIPS mode, the container shouldn’t start. No silent failures, no hoping someone remembered to check.

How it works

FIPS Gate is a container entrypoint. It sits in front of your actual application and reads /proc/sys/crypto/fips_enabled. That sysctl is kernel-global, so a container sees the host's value even though it has its own /proc mount. If the value is 1, it calls exec() to replace itself with your command. If it's anything else (including a missing file, which is what a kernel built without FIPS support presents), it prints an error and exits with code 1.

Because it uses exec(), your application takes over FIPS Gate's process, which is PID 1 in the container unless you run with an init process such as podman run --init. Signals get delivered directly to it, and exit codes pass through unchanged. FIPS Gate effectively disappears after doing its job. The flip side is that your application also inherits PID 1's duties: the kernel applies no default signal dispositions to PID 1, so the SIGTERM sent by podman stop is ignored unless your application installs a handler, and it has to reap any orphaned children itself.

The whole thing is around 50 lines of Rust. There’s no runtime overhead once the check passes.
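The following is an added example of the gate described above, written here to illustrate the design; it is not the project's own source. It keeps the decision logic (flag contents, bypass variable) separate from I/O so it can be tested, treats a missing fips_enabled file as "not enabled", and exec()s the remaining argv. The exit codes for a missing command (2) and for a failed exec (127), and the requirement that FIPS_GATE_BYPASS be exactly "1", are this example's assumptions, not documented behaviour of FIPS Gate.

```rust
// Added example, not the FIPS Gate project's own code.
use std::env;
use std::fs;
use std::os::unix::process::CommandExt;
use std::process::{self, Command};

/// The kernel's global FIPS flag. It is a kernel-wide sysctl, so a container
/// reads the host's value even with its own /proc mount.
const FIPS_FLAG: &str = "/proc/sys/crypto/fips_enabled";

/// Outcome of the gate decision, kept free of I/O so it can be unit-tested.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Replace this process with the wrapped command.
    Allow,
    /// Refuse to start; the string is the reason printed to stderr.
    Deny(String),
}

/// Interpret the raw contents of fips_enabled. Only "1" (trailing newline
/// tolerated) counts. `None` models an absent file, i.e. a kernel built
/// without FIPS support, and is treated as disabled.
pub fn fips_enabled(flag_contents: Option<&str>) -> bool {
    matches!(flag_contents, Some(s) if s.trim() == "1")
}

/// Decide whether to run. `bypass` is the value of FIPS_GATE_BYPASS, if set.
/// Assumption: the escape hatch requires the exact value "1", so a stray
/// FIPS_GATE_BYPASS=true or =yes does not silently disable the check.
pub fn decide(flag_contents: Option<&str>, bypass: Option<&str>) -> Decision {
    if bypass.map(|v| v.trim()) == Some("1") {
        return Decision::Allow;
    }
    if fips_enabled(flag_contents) {
        Decision::Allow
    } else {
        Decision::Deny(match flag_contents {
            None => format!("{} is missing; this kernel has no FIPS support", FIPS_FLAG),
            Some(v) => format!("{} is {:?}, expected 1", FIPS_FLAG, v.trim()),
        })
    }
}

fn main() {
    // argv[1..] is the CMD from the image, or whatever the user passed.
    let args: Vec<String> = env::args().skip(1).collect();
    if args.is_empty() {
        eprintln!("usage: fips-gate <command> [args...]");
        process::exit(2); // assumed exit code for misuse
    }

    // read_to_string fails when the file does not exist; map that to None so
    // the decision logic sees "absent" rather than crashing on the error.
    let flag = fs::read_to_string(FIPS_FLAG).ok();
    let bypass = env::var("FIPS_GATE_BYPASS").ok();

    match decide(flag.as_deref(), bypass.as_deref()) {
        Decision::Deny(reason) => {
            eprintln!("fips-gate: refusing to start: {}", reason);
            process::exit(1);
        }
        Decision::Allow => {
            // exec() only returns on failure, so everything after it is the
            // error path: the process image could not be replaced.
            let err = Command::new(&args[0]).args(&args[1..]).exec();
            eprintln!("fips-gate: exec of {} failed: {}", args[0], err);
            process::exit(127); // assumed exit code for a failed exec
        }
    }
}
```

Because exec() succeeds by never returning, the wrapped command keeps this process's PID and open file descriptors; nothing from the gate remains resident. Keeping `decide` pure means the deny paths (flag "0", flag missing, bypass set to something other than "1") can be exercised on a developer laptop that is not in FIPS mode.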

Using it

Drop the binary into your container image and set it as the entrypoint:

FROM registry.access.redhat.com/ubi9/ubi-minimal

COPY --from=fips-gate /fips-gate /fips-gate
COPY myapp /myapp

ENTRYPOINT ["/fips-gate"]
CMD ["/myapp", "--config", "/etc/myapp.conf"]

Putting the command in CMD rather than ENTRYPOINT means users can override what gets run without losing the FIPS check: podman run myimage /bin/sh still goes through the gate. Be clear about the limit of that protection, though. Anyone who can pass --entrypoint /bin/sh to podman run replaces the gate itself, so this is a guardrail against forgetting to check, not a control that holds up against a hostile operator.

For development on non-FIPS systems, set FIPS_GATE_BYPASS=1 to skip the check entirely. It's a simple escape hatch so developers don't need a FIPS-enabled kernel just to test locally. Treat it as exactly that: because any environment set on the container can disable the gate, make sure the variable never reaches production manifests, for example by rejecting it in whatever policy or admission checks you already apply to deployments.

What it doesn’t do

FIPS Gate only verifies that the host kernel has FIPS mode enabled. It doesn't check whether your userspace libraries are FIPS-validated or correctly configured, and it can't tell you whether the kernel itself is a validated module, only that the mode is switched on. Full FIPS compliance needs both a FIPS-enabled kernel and properly configured OpenSSL, GnuTLS, or NSS modules. This tool handles one half of that equation. The other half is on your image build process; on OpenSSL 3 images, openssl list -providers showing the fips provider active is a quick way to confirm it.