Change the fips document section order

sonic-net · Mar 9, 2022 · 30f4f2b · 30f4f2b
1 parent 80dbfeb
commit 30f4f2b
Showing 1 changed file with 37 additions and 36 deletions.
diff --git a/doc/sonic-build-system/SONiC-OpenSSL-FIPS-140-3.md b/doc/sonic-build-system/SONiC-OpenSSL-FIPS-140-3.md
@@ -10,9 +10,6 @@
 - [Abbreviation](#abbreviation)
 - [Requirement](#requirement)
 - [The cryptographic modules in SONiC](#the-cryptographic-modules-in-SONiC)
-- [SONiC FIPS Configuration](#SONiC-FIPS-Configuration)
-  * [Enable FIPS on system level](#Enable-FIPS-on-system-level)
-  * [Enable FIPS on application level](#Enable-FIPS-on-application-level)
 - [OpenSSL FIPS 140-3](#OpenSSL-FIPS-140-3)
   * [OpenSSL Engine](#OpenSSL-Engine)
   * [SymCrypt OpenSSL Engine](#symCrypt-openSSL-engine)
@@ -21,6 +18,9 @@
   * [SymCrypt OpenSSL Engine debian package](#SymCrypt-OpenSSL-Engine-debian-package)
 - [Kerberos Cryptographic Module](#Kerberos-Cryptographic-Module)
 - [Golang Cryptographic Module](#Golang-Cryptographic-Module)
+- [SONiC FIPS Configuration](#SONiC-FIPS-Configuration)
+  * [Enable FIPS on system level](#Enable-FIPS-on-system-level)
+  * [Enable FIPS on application level](#Enable-FIPS-on-application-level)
 
 
 ## Abbreviation
@@ -45,42 +45,15 @@ SONiC only uses cryptographic modules validated by FIPS 140-3, Make SONiC compli
 | Libgcrypto           | GPG             | A general purpose cryptographic library originally based on code from GnuPG |
 | Kernel Crypto        | --              | Linux crypto kernel module |
 
+## Scopes:
 In Scopes:
-1. OpenSSL
-2. Kerberos
-3. Golang
+1. Cryptographic Modules: OpenSSL, Kerberos, Golang
+2. SONiC management plane
 
 Out of Scopes:
-1. Linux Kernel
-2. Libgcrypt
-
-## SONiC FIPS Configuration
-### Enable FIPS on system level
-Add the Linux System parameter fips=1, in grub config, one of implemetation as below:
-
-cat /etc/grub.d/99-fips.cfg
-```
-GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT fips=1"
-```
+1. Cryptographic Modules: Linux Kernel, Libgcrypt
+2. SONiC data plane
 
-To validate the FIPS enabled, grep 'fips=1' /proc/cmdline.
-
-### Enable FIPS on application level
-```
-export ENABLE_FIPS=1
-```
-
-Alternative option for the golang applications only:
-```
-export GOLANG_FIPS=1
-```
-
-Alternative option for the OpenSSL applications only:
-
-see https://www.openssl.org/docs/manmaster/man7/openssl-env.html
-```
-export OPENSSL_CONFIG=/usr/lib/ssl/openssl-fips.cnf
-```
 
 ## OpenSSL FIPS 140-3
 
@@ -139,4 +112,32 @@ To support FIPS for Golang, RedHat offers an alternative solution (see [here](ht
 How OpenSSL Engine works in Golang?
 ![Golang API](images/golang-api.png)
 
-When FIPS enabled, both of the BoringSSL Enable Option and the SymCrypt Enabled option will be set.
+When FIPS enabled, both of the BoringSSL Enable Option and the SymCrypt Enabled option will be set.
+
+## SONiC FIPS Configuration
+### Enable FIPS on system level
+Add the Linux System parameter fips=1, in grub config, one of implemetation as below:
+
+cat /etc/grub.d/99-fips.cfg
+```
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT fips=1"
+```
+
+To validate the FIPS enabled, grep 'fips=1' /proc/cmdline.
+
+### Enable FIPS on application level
+```
+export ENABLE_FIPS=1
+```
+
+Alternative option for the golang applications only:
+```
+export GOLANG_FIPS=1
+```
+
+Alternative option for the OpenSSL applications only:
+
+see https://www.openssl.org/docs/manmaster/man7/openssl-env.html
+```
+export OPENSSL_CONFIG=/usr/lib/ssl/openssl-fips.cnf
+```