RHEL-39003: unable to unlock encrypted disk after enabling FIPS mode

    • Project: RHEL (Red Hat Enterprise Linux)
    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Version: rhel-9.5 (listed as both affected and fix version)
    • Component: cryptsetup
    • Fixed in build: cryptsetup-2.7.2-3.el9_5
    • Severity: Important
    • Sub-systems: sst_logical_storage, ssg_filesystems_storage_and_HA
    • Approved Exception

      What were you trying to do that didn't work?

      When a RHEL-9.5 system is installed with disk encryption enabled and FIPS is then enabled on that system after the installation, the disk cannot be unlocked and the system ends up in the dracut emergency shell.

      Please provide the package NVR for which the bug is seen:

      RHEL-9.5

      cryptsetup-libs-2.7.2-1.el9

      How reproducible:

      100%

      Steps to reproduce

      1. Install the system, enable disk encryption.
      2. Boot the installed system and enable FIPS mode, reboot.

      Expected results

      Successful boot.

      Actual results

      Boot failed:

      [  OK  ] Found device /dev/disk/by-…c-bdf6-4ba3-9ad6-99c0e55fef82
               Starting Cryptography Setu…bdf6-4ba3-9ad6-99c0e55fef82
      ...
      [FAILED] Failed to start Cryptograp…c-bdf6-4ba3-9ad6-99c0e55fef82
      See 'systemctl status "systemd-cryptset…\x2d99c0e55fef82.service"' for details.
      [DEPEND] Dependency failed for Local Encrypted Volumes
      [-- MARK -- Tue May 28 10:30:00 2024] 
      [  181.624072] dracut-initqueue[531]: Warning: dracut-initqueue: timeout, still waiting for following initqueue hooks: 
      [  181.629889] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/90-crypt.sh: "[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*51c9dcacbdf64ba39ad699c0e55fef82*-* ] || exit 1" 
      [  181.635675] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2fmapper\x2frhel_sheep--45-root.sh: "if ! grep -q After=remote-fs-pre.target /run/systemd/generator/systemd-cryptsetup@*.service 2>/dev/null; then 
      [  181.643165] dracut-initqueue[531]:     [ -e "/dev/mapper/rhel_sheep--45-root" ] 
      [  181.646362] dracut-initqueue[531]: fi" 
      [  181.649250] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2frhel_sheep-45\x2froot.sh: "[ -e "/dev/rhel_sheep-45/root" ]" 
      [  181.656166] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2frhel_sheep-45\x2fswap.sh: "[ -e "/dev/rhel_sheep-45/swap" ]" 

      Additional Information

      1. When the system is already installed in FIPS mode, disk encryption works fine.
      2. After discussing the issue with okozina@redhat.com we found out that the culprit is that the default KDF (argon2) is forbidden in FIPS mode by OpenSSL. Previously (in RHEL-9.4) cryptsetup allowed unlocking the keyslot because it had its own implementation of the algorithm.
      3. This is technically a regression from the customer's point of view. The default KDF should be FIPS compatible so that once a customer enables FIPS mode on their system, it is still possible to unlock the disks while booting.
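      Practical pre-check and workaround for the situation described above, added here as an example; it is not part of the bug report, of cryptsetup, or of any Red Hat tooling. The shell functions below read `cryptsetup luksDump` output to list the PBKDF of every LUKS2 keyslot, flag any argon2i/argon2id keyslot (the KDF OpenSSL refuses in FIPS mode, so such a keyslot cannot be opened from the initramfs), and convert those keyslots to pbkdf2 with `cryptsetup luksConvertKey` before FIPS mode is switched on. The function names, the script name luks-fips-check.sh, the device /dev/sda3 and the abbreviated SAMPLE_DUMP are assumptions constructed for this example; the cryptsetup subcommands and options used are real ones.

```shell
#!/bin/sh
# Added example (not from the bug report or from cryptsetup): before running
# `fips-mode-setup --enable` on an installed RHEL 9.5 system, find LUKS2 keyslots
# whose PBKDF is argon2i/argon2id (rejected by OpenSSL in FIPS mode) and convert
# them to pbkdf2, which FIPS mode accepts.
# Assumptions: the `cryptsetup luksDump` layout shown in SAMPLE_DUMP, and that the
# passphrase of each affected keyslot can be typed in when cryptsetup prompts.

# Constructed, abbreviated sample of `cryptsetup luksDump` output (not captured
# from the reporter's system): keyslot 0 uses the argon2id default, keyslot 1 pbkdf2.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  7
        Memory:     1048576
        Threads:    4
        AF hash:    sha256
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
        AF hash:    sha256
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 129000'

# Read luksDump output on stdin; print one "<slot> <pbkdf>" line per LUKS2 keyslot.
luks_keyslot_pbkdfs() {
    awk '
        /^Keyslots:/ { in_keyslots = 1; next }
        /^[A-Za-z]/  { in_keyslots = 0 }            # any other top-level section ends it
        in_keyslots && /^[[:space:]]+[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
        in_keyslots && /^[[:space:]]+PBKDF:/        { print slot, $2 }
    '
}

# Exit 0 when every keyslot already uses pbkdf2, 1 when any other PBKDF remains.
luks_fips_ready() {
    luks_keyslot_pbkdfs | awk '$2 != "pbkdf2" { bad = 1 } END { exit bad }'
}

# Convert every non-pbkdf2 keyslot of the LUKS device $1 to pbkdf2, then re-check.
# The slot list is collected first so that cryptsetup's passphrase prompt keeps the
# terminal as stdin (inside a `... | while read` loop it would read the pipe instead).
luks_prepare_for_fips() {
    dev="$1"
    slots="$(cryptsetup luksDump "$dev" | luks_keyslot_pbkdfs | awk '$2 != "pbkdf2" { print $1 }')"
    for slot in $slots; do
        echo "keyslot $slot: converting to pbkdf2 (enter that keyslot's passphrase)" >&2
        cryptsetup luksConvertKey --key-slot "$slot" --pbkdf pbkdf2 "$dev" || return 1
    done
    if cryptsetup luksDump "$dev" | luks_fips_ready; then
        echo "$dev: all keyslots use pbkdf2; safe to run: fips-mode-setup --enable && reboot" >&2
    else
        echo "$dev: non-pbkdf2 keyslots remain; do not enable FIPS yet" >&2
        return 1
    fi
}

# Usage (as root, on the real LUKS partition; /dev/sda3 is a placeholder):
#   sh luks-fips-check.sh /dev/sda3
if [ -n "${1:-}" ]; then
    luks_prepare_for_fips "$1"
fi
```

      Run it before enabling FIPS, not after: once the system is already stuck in the dracut emergency shell the argon2 keyslot cannot be opened there either. Each conversion prompts for that keyslot's own passphrase, so a keyslot whose secret cannot be supplied cannot be converted this way and stays unusable under FIPS.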

      People: Ondrej Kozina (okozina@redhat.com), Ondrej Moris (omoris), Guangwu Zhang