Bug
Resolution: Unresolved
Normal
rhel-9.6
Moderate
rhel-systemd
What were you trying to do that didn't work?
On RHEL 9.6 installed with FIPS mode enabled (fips=1 on the kernel command line, set at the grub menu), the systemd-cryptsetup utility ignores the tries= parameter during boot, allowing only a single passphrase attempt for LUKS-encrypted root volumes.
What is the impact of this issue to you?
Critical impact for the customer, who is unable to deploy his systems correctly.
Please provide the package NVR for which the bug is seen:
systemd-udev-252-51.el9.x86_64 and probably later as well.
How reproducible is this bug?
All the time.
Steps to reproduce:
- Install RHEL 9.6 with fips=1 on the kernel command line and LUKS2 encryption for /root (with fips=1, anaconda uses pbkdf2 for the keyslot)
- Observe that the generated systemd unit file for root volume decryption (/run/systemd/generator/systemd-cryptsetup@...service) contains tries=0 or tries=3
- Reboot and intentionally enter an incorrect LUKS passphrase
- Observe that systemd-cryptsetup fails after a single attempt, regardless of the tries setting
Expected results:
tries=0 prompts indefinitely; tries=N prompts N times
Actual results:
Fails after one attempt, ignores tries parameter
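An added triage helper (not part of the bug report or of systemd) that checks whether a host is in the configuration the steps above describe: fips=1 on the kernel command line, a pbkdf2 keyslot on the root volume, and a tries= setting in the crypttab-style option string. The checks take their input as strings so they run offline on constructed samples; the sample command line and luksDump output below are hypothetical.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report. Each check takes its input
# as a string so the functions can be exercised offline on the samples below.

# Effective tries= from a crypttab-style option string. Per crypttab(5) the
# default is 3, tries=0 means prompt indefinitely, and a later tries= wins.
effective_tries() {
    tries=3; rest=$1
    while [ -n "$rest" ]; do
        opt=${rest%%,*}
        case "$opt" in tries=*) tries=${opt#tries=} ;; esac
        [ "$rest" = "$opt" ] && break   # last option consumed
        rest=${rest#*,}
    done
    printf '%s\n' "$tries"
}

# Succeeds when the kernel command line carries the fips=1 parameter.
fips_enabled() {
    for word in $1; do
        [ "$word" = "fips=1" ] && return 0
    done
    return 1
}

# PBKDF of the first keyslot in 'cryptsetup luksDump' output (pbkdf2/argon2id).
keyslot_pbkdf() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*PBKDF:/ { print $2; exit }'
}

# Succeeds when the host matches the reported configuration (fips=1 plus a
# pbkdf2 keyslot) and prints the tries= value the report says is then ignored.
matches_report() {
    if fips_enabled "$1" && [ "$(keyslot_pbkdf "$2")" = "pbkdf2" ]; then
        printf 'matches report: fips=1, pbkdf2 keyslot, tries=%s\n' "$(effective_tries "$3")"
        return 0
    fi
    printf 'does not match report\n'
    return 1
}

# Constructed samples (hypothetical values, not taken from the report).
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro fips=1 quiet'
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256'

matches_report "$SAMPLE_CMDLINE" "$SAMPLE_DUMP" 'luks,tries=3'
```

On a real host, pass `$(cat /proc/cmdline)`, the output of `cryptsetup luksDump` for the root volume's backing device, and the options column of /etc/crypttab for that volume.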