-
Story
-
Resolution: Unresolved
-
Normal
-
rhel-9.6
-
None
-
dracut-057-67.git20240812.el9
-
sst_cs_plumbers
-
ssg_core_services
-
24
-
26
-
3
-
Dev ack
-
False
-
-
None
-
None
-
Pass
-
RegressionOnly
-
None
Currently, dracut requires to run privileged if 'fips' module is to be used:
/lib/dracut/modules.d/01fips/module-setup.sh:
...
[ -c "${initdir}"/dev/random ] || mknod "${initdir}"/dev/random c 1 8 \
|| {
dfatal "Cannot create /dev/random"
dfatal "To create an initramfs with fips support, dracut has to run as root"
return 1
}
[ -c "${initdir}"/dev/urandom ] || mknod "${initdir}"/dev/urandom c 1 9 \
|| {
dfatal "Cannot create /dev/urandom"
dfatal "To create an initramfs with fips support, dracut has to run as root"
return 1
}
...
This doesn't work well with dracut's usage in kernel specfile: rpms are not build by a privileged user and thus the module can't be used in the UKI.
The requirement is in fact unneeded and can be dropped. The following PR was recently merged to dracut-ng:
https://github.com/dracut-ng/dracut-ng/pull/311
Please backport this to RHEL9+ to make it possible to include FIPS module into RHEL UKI.
P.S. I'm not exactly sure about the relationship between 'dracut' and 'dracut-ng' projects but I can certainly submit the same PR to dracut repo upstream if it makes sense, the code is exactly the same.
- links to
-
RHBA-2024:137511
dracut bug fix and enhancement update
