Bug
Resolution: Unresolved
Blocker
rhel-8.10
The in-place upgrade fails when FIPS is enabled on builds with the new storage initialisation (tbd: add ticket). The problem is that we mount the boot partition at /sysroot/boot, but the fips dracut module expects it to be mounted at /boot (inside the initramfs). As it cannot find any related .hmac file, it fails with the following error:
dracut: FATAL: FIPS integrity test failed Warning: /boot//.vmlinuz-<version>.hmac does not exists dracut: Refusing to continue
The solution is to either
- remove the `boot` argument from the kernel cmdline (only for the upgrade boot entry!), then ensure it is set back for the target kernel after the upgrade,
- or create an additional mount unit that bind-mounts /sysroot/boot to /boot automatically.
The 2nd option seems better, as we do not know what negative consequences dropping the `boot` argument from the kernel cmdline could have on some setups, so the bind mount seems safer.
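The second option, as an added illustration that is not part of this ticket or of the upgrade tooling's own code: a systemd mount unit for the upgrade initramfs that bind-mounts /sysroot/boot onto /boot so the fips module can find the .hmac file. The unit name, the dependency on sysroot-boot.mount, the target it is wanted by and the ordering before dracut-pre-pivot.service are assumptions; the exact stage at which the fips module runs its check in this initramfs is not stated in the ticket.

```ini
# boot.mount (assumed name; systemd requires the file name to be the
# escaped mount point, so /boot -> boot.mount). Constructed example.
[Unit]
Description=Bind-mount /sysroot/boot onto /boot for the dracut FIPS integrity check
DefaultDependencies=no
# The source must already be mounted. sysroot-boot.mount is the unit name
# systemd derives for the /sysroot/boot mount point (assumed to exist here).
Requires=sysroot-boot.mount
After=sysroot-boot.mount
# Assumed ordering: the bind mount has to be in place before the stage at
# which the fips module looks for /boot/.vmlinuz-<version>.hmac.
Before=dracut-pre-pivot.service

[Mount]
What=/sysroot/boot
Where=/boot
Type=none
Options=bind

[Install]
# Assumed: pulled in with the rest of the initramfs units.
WantedBy=initrd.target
```

From the emergency shell of the upgrade initramfs, `findmnt /boot` should then show the bind mount, and the `.vmlinuz-upgrade.x86_64.hmac` file listed below should be visible under /boot.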
Steps to reproduce:
1. Set up the machine to use FIPS following the article
2. Proceed with the standard upgrade
Additional info:
Content of /boot:
[root@localhost rh]# ls -la /boot/ | grep vmlinuz-upgrade
-rwxr-xr-x. 1 root root 15092528 Oct 24 07:21 vmlinuz-upgrade.x86_64
-rw-r--r--. 1 root root      153 Oct 24 07:23 .vmlinuz-upgrade.x86_64.hmac