RHEL-36450

[Azure][FIPS][UKI] 'fips-mode-setup' tool doesn't work well with UKI

    • crypto-policies-20240815-1.gite217f03.el9
    • Moderate
    • sst_security_crypto
    • ssg_security
    • Red Hat Enterprise Linux
    • Crypto24Q3, Crypto24Q4

      What were you trying to do that didn't work?

      We are deploying UKIs on Confidential VMs on multiple cloud platforms. Customers are requesting that FIPS mode be enabled on RHEL. The 'fips-mode-setup' tool relies on grubby/grub, which is not present on systems with UKI.

      # fips-mode-setup --enable
      The grubby command is missing, please configure the bootloader manually.
      Kernel initramdisks are being regenerated. This might take some time.
      dracut: Can't write to /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64: Directory /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64 does not exist or is not accessible.
      Installation of FIPS modules could not be completed. 

      Please provide the package NVR for which the bug is seen:

      crypto-policies-scripts-20240304-1.gitb1c706d.el9.noarch

      How reproducible:

      Always

      Steps to reproduce

      1.  # fips-mode-setup --enable

      Expected results

      1. # fips-mode-setup --enable
        should enable FIPS mode without errors.
      2. # fips-mode-setup --check
        should indicate successful check.

      Actual results

      Right now, to enable FIPS with UKI, I need to add the 'fips=1' cmdline parameter and run the command below:

      # update-crypto-policies --set FIPS  

      After a reboot, dmesg indicates FIPS is enabled. However, "fips-mode-setup --check" still isn't satisfied.

      # fips-mode-setup --check
      Installation of FIPS modules is not completed.
      FIPS mode is enabled.
      Inconsistent state detected. 
      # fips-mode-setup --enable
      The grubby command is missing, please configure the bootloader manually.
      Kernel initramdisks are being regenerated. This might take some time.
      dracut: Can't write to /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64: Directory /boot/efi/4e0590cc53424aef88b9014c4642a3cb/5.14.0-440.el9.x86_64 does not exist or is not accessible.
      Installation of FIPS modules could not be completed. 
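
      Added example (not part of this report and not code from the crypto-policies package): a bootloader-agnostic check of the three places FIPS state is recorded, for a UKI system where 'fips-mode-setup --check' cannot consult grubby. It compares the kernel command line (fips=1 as a whole word), the kernel flag (/proc/sys/crypto/fips_enabled) and the active crypto policy (the output of 'update-crypto-policies --show'), and reports the same enabled / disabled / inconsistent outcome the tool prints. It deliberately does not model the tool's "Installation of FIPS modules" bookkeeping, which this report does not describe. The input locations are parameters so the logic can be exercised offline against constructed files; the command-line strings used for that are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example: bootloader-agnostic FIPS state consistency check.
# Not the fips-mode-setup script; it reproduces only the three checks
# named in the lead-in and ignores initramfs/module bookkeeping.
#
# fips_state CMDLINE_FILE FLAG_FILE POLICY_NAME
#   CMDLINE_FILE  normally /proc/cmdline
#   FLAG_FILE     normally /proc/sys/crypto/fips_enabled
#   POLICY_NAME   normally "$(update-crypto-policies --show)"
# Return codes: 0 = consistently enabled, 1 = consistently disabled,
#               2 = inconsistent (the state shown in the report above).

has_fips_cmdline() {
    # 'fips=1' must be a whole parameter: 'fips=0' or a constructed
    # look-alike such as 'nofips=1' must not count as enabled.
    tr ' ' '\n' < "$1" | grep -qx 'fips=1'
}

fips_state() {
    cmdline_file=$1
    flag_file=$2
    policy=$3
    enabled=0
    disabled=0

    if has_fips_cmdline "$cmdline_file"; then
        echo "cmdline: fips=1 present"
        enabled=$((enabled + 1))
    else
        echo "cmdline: fips=1 absent"
        disabled=$((disabled + 1))
    fi

    # The kernel exports 1 only when it actually booted in FIPS mode;
    # a missing file (non-FIPS kernel, non-Linux host) counts as disabled.
    if [ "$(cat "$flag_file" 2>/dev/null)" = "1" ]; then
        echo "kernel: fips_enabled=1"
        enabled=$((enabled + 1))
    else
        echo "kernel: fips_enabled!=1"
        disabled=$((disabled + 1))
    fi

    # 'FIPS' or a FIPS subpolicy such as 'FIPS:OSPP' both qualify.
    case $policy in
        FIPS|FIPS:*)
            echo "policy: $policy"
            enabled=$((enabled + 1)) ;;
        *)
            echo "policy: ${policy:-unknown} (not FIPS)"
            disabled=$((disabled + 1)) ;;
    esac

    if [ "$enabled" -eq 3 ]; then
        echo "FIPS mode is enabled."
        return 0
    elif [ "$disabled" -eq 3 ]; then
        echo "FIPS mode is disabled."
        return 1
    else
        echo "Inconsistent state detected."
        return 2
    fi
}

# Run against the live host with:  sh fips_state.sh --live
if [ "${1:-}" = "--live" ]; then
    fips_state /proc/cmdline /proc/sys/crypto/fips_enabled \
        "$(update-crypto-policies --show 2>/dev/null)"
fi
```

      Run it with --live on the host, or pass paths to constructed files to exercise the logic offline. It says nothing about whether the UKI's embedded initramfs was built with the dracut fips module, which is the step 'fips-mode-setup --enable' fails to perform above.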

       

            Alexander Sosedkin (asosedki@redhat.com)
            Li Tian (litian@redhat.com)
            SSG Security QE