- Bug
- Resolution: Won't Do
- Minor
- rhel-9.5
- crypto-policies-20240815-1.gite217f03.el9
- Moderate
- 2
- rhel-sst-security-crypto
- ssg_security
- 0.25
- False
- Red Hat Enterprise Linux
- Crypto24Q3, Crypto24Q4
What were you trying to do that didn't work?
We are deploying UKIs on Confidential VMs on multiple Cloud platforms. Customers are requesting FIPS mode enabling on RHEL. The 'fips-mode-setup' tool relies on grubby/grub, which is not present on systems with UKI.
# fips-mode-setup --enable
The grubby command is missing, please configure the bootloader manually.
Kernel initramdisks are being regenerated. This might take some time.
dracut: Can't write to /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64: Directory /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64 does not exist or is not accessible.
Installation of FIPS modules could not be completed.
Please provide the package NVR for which the bug is seen:
crypto-policies-scripts-20240304-1.gitb1c706d.el9.noarch
How reproducible:
Always
Steps to reproduce
Expected results
- # fips-mode-setup --enable
  should enable FIPS mode without errors.
- # fips-mode-setup --check
  should indicate successful check.
Actual results
Right now, to enable FIPS with UKI, I need to add the 'fips=1' cmdline parameter and run the command below:
# update-crypto-policies --set FIPS
After a reboot, dmesg indicates FIPS is enabled. However, "fips-mode-setup --check" still isn't satisfied.
# fips-mode-setup --check
Installation of FIPS modules is not completed.
FIPS mode is enabled.
Inconsistent state detected.
# fips-mode-setup --enable
The grubby command is missing, please configure the bootloader manually.
Kernel initramdisks are being regenerated. This might take some time.
dracut: Can't write to /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64: Directory /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64 does not exist or is not accessible.
Installation of FIPS modules could not be completed.
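The report relies on three observable signals to judge FIPS state on a UKI host without grubby: the fips=1 kernel argument, the kernel's own FIPS flag (the fact dmesg reports), and the active crypto policy set with update-crypto-policies. The following read-only check is an added example, not code from the report or from the crypto-policies package, and does not replicate fips-mode-setup's own logic; it classifies the same "inconsistent state" the report shows by comparing those three signals. The file paths and the policy string are parameters (defaulting to /proc/cmdline, /proc/sys/crypto/fips_enabled and the output of update-crypto-policies --show) so the function can be exercised against constructed inputs; treating FIPS:* subpolicies as FIPS is an assumption of this example.

```shell
#!/bin/sh
# Added example: compare the three FIPS signals available on a UKI host.
# fips_state CMDLINE_FILE FIPS_ENABLED_FILE POLICY
#   prints: fips-on | fips-off | inconsistent (...)
#   exit status: 0 = fips-on, 1 = fips-off, 2 = inconsistent
fips_state() {
    # Assumed defaults: the real kernel interfaces and the live policy.
    cmdline_file="${1:-/proc/cmdline}"
    flag_file="${2:-/proc/sys/crypto/fips_enabled}"
    policy="${3:-$(update-crypto-policies --show 2>/dev/null || echo unknown)}"

    # Kernel argument: match the whole token so "nofips=1" does not count.
    if tr ' ' '\n' < "$cmdline_file" 2>/dev/null | grep -qx 'fips=1'; then
        arg=1
    else
        arg=0
    fi

    # Runtime flag: whether the running kernel is actually in FIPS mode.
    if [ "$(cat "$flag_file" 2>/dev/null)" = "1" ]; then
        flag=1
    else
        flag=0
    fi

    # Active system-wide policy; FIPS:* subpolicies are accepted here (assumption).
    case "$policy" in
        FIPS|FIPS:*) pol=1 ;;
        *)           pol=0 ;;
    esac

    if [ "$arg$flag$pol" = "111" ]; then
        echo fips-on
        return 0
    elif [ "$arg$flag$pol" = "000" ]; then
        echo fips-off
        return 1
    fi
    # Any mixed combination is the class of state the report's --check
    # complains about; name the disagreeing signal for the operator.
    echo "inconsistent (cmdline=$arg kernel=$flag policy=$pol)"
    return 2
}
```

Run it with no arguments on the host to use the live values; the exit status is intended for use in a boot-time or configuration-management check, where status 2 should be treated as a finding to investigate rather than as FIPS being off.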
- is caused by: RHELDOCS-19284 Mark fips-mode-setup deprecated in RHEL 9 (Closed)
- relates to: RHEL-23049 Fedora UKI addons: create FIPS addon (Closed)