Loading...

XML

Word

Printable

Acceptance Criteria:
Hide

AC1: Empty /boot => fips-mode-setup fails

AC2.1: For both chroot and no chroot, (proper) /boot and / on the same partition => no boot= parameter is given to bootloader

AC2.2: For both chroot and no chroot, (proper) /boot/ and / on different partitions => boot= parameter is given to bootloader (having and not having /boot in /etc/fstat might be considered)

AC3: fips-mode-setup --no-boot-cfg succeeds without modifying bootloader configuration reagardless of chroot
Show
AC1: Empty /boot => fips-mode-setup fails AC2.1: For both chroot and no chroot, (proper) /boot and / on the same partition => no boot= parameter is given to bootloader AC2.2: For both chroot and no chroot, (proper) /boot/ and / on different partitions => boot= parameter is given to bootloader (having and not having /boot in /etc/fstat might be considered) AC3: fips-mode-setup --no-boot-cfg succeeds without modifying bootloader configuration reagardless of chroot
Test Plan:
https://tcms.engineering.redhat.com/plan/34117
Preliminary Testing:
Pass
Test Link:
https://tcms.engineering.redhat.com/case/615982
Errata Link:
https://errata.devel.redhat.com/advisory/120978
Gating Tests:

Not Needed
Test Coverage:

Yes

Takeaways:

If /boot is empty, fips-mode-setup should abort and ask to mount it first
In a chroot with /boot mounted as different partition from /, fips-mode-setup should add boot=UUID=... to kernel parameters
In a chroot with /boot sharing the partition with /, fips-mode-setup should not add boot= to kernel parameters
/boot checks should mind autofs / automount.boot / systemd-gpt-auto-generator(8)

links to

RHEA-2023:120978 crypto-policies enhancement update

mentioned on