doc/release-notes: add information on FIPS compliance

Change-Id: Ib3d012c2b2a4a9281b9adb126a7d466086cc23f2
BUG: 1539842
Signed-off-by: Ravishankar N <ravishankar@redhat.com>

1 files changed, 15 insertions, 5 deletions

diff --git a/doc/release-notes/4.0.0.md b/doc/release-notes/4.0.0.md
index 5b7211a12aa..61eb6d805ec 100644
--- a/doc/release-notes/4.0.0.md
+++ b/doc/release-notes/4.0.0.md
@@ -250,14 +250,24 @@ for these users while still keeping best performance for file accesses.
 #### 2. Replace MD5 usage to enable FIPS support
 **Notes for users:**
 - https://github.com/gluster/glusterfs/issues/230
-- Need a lot of context on options and versions before which this feature can be used
-- Release notes:
-    - Need help from authors to complete
 
-**Limitations:**
+Previously, if gluster was run on a FIPS enabled system, it used to crash
+because MD5 is not FIPS compliant and gluster consumes MD5 checksum in
+various places like self-heal and geo-rep. This has been fixed by
+replacing MD5 with SHA256 which is FIPS compliant.
 
+  However, in order for AFR self-heal to work correctly during rolling upgrade
+to 4.0, we have tied this to a volume option called `fips-mode-rchecksum`.
 
-**Known Issues:**
+i.e. `gluster volume set <VOLNAME> fips-mode-rchecksum on` has to be performed
+for the posix_rchecksum() FOP (which is called by self-heal logic) to use SHA256.
+If it is 'off', it continues to use MD5 checksum, allowing hassle free upgrade.
+
+Once glusterfs 3.x is EOL'ed, we could make the 'fips-mode-rchecksum'
+option a no-op and let posix_rchecksum use SHA256 unconditionally.
+
+In summary, if you want to be FIPS compliant for now, ensure all nodes are on 
+4.0 and then set this volume option.
 
 #### 3. Dentry fop serializer xlator on brick stack
 **Notes for users:**