{"id":"fips-enforcement-spans-install-runtime-and-architecture","text":"FIPS compliance in OpenShift is a cross-cutting constraint spanning three dimensions: install-time (the cluster must be installed from a FIPS-enabled RHEL machine), runtime (CRI-O propagates FIPS awareness to containers, and SSH keys are restricted to RSA or ECDSA, not Ed25519), and architecture (validated only on x86_64, ppc64le, and s390x — not ARM).","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["fips-requires-fips-enabled-rhel","ocp-fips-requires-rsa-or-ecdsa-not-ed25519","ocp-crio-provides-fips-awareness","fips-supported-x86-ppc64le-s390x"],"outlist":[],"label":"depth-1 — four base FIPS beliefs group into a three-dimensional enforcement model showing FIPS is not a single toggle but a pervasive constraint"}],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"fips-enforcement-spans-install-runtime-and-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["fips-requires-fips-enabled-rhel","ocp-fips-requires-rsa-or-ecdsa-not-ed25519","ocp-crio-provides-fips-awareness","fips-supported-x86-ppc64le-s390x"],"label":"depth-1 — four base FIPS beliefs group into a three-dimensional enforcement model showing FIPS is not a single toggle but a pervasive constraint"},{"node":"fips-requires-fips-enabled-rhel","truth_value":"IN","reason":"premise"},{"node":"ocp-fips-requires-rsa-or-ecdsa-not-ed25519","truth_value":"IN","reason":"premise"},{"node":"ocp-crio-provides-fips-awareness","truth_value":"IN","reason":"premise"},{"node":"fips-supported-x86-ppc64le-s390x","truth_value":"IN","reason":"premise"}]}}