- Bug
- Resolution: Unresolved
- Normal
- rhel-9.5
- cryptsetup-2.7.2-3.el9_5
- Important
- sst_logical_storage
- ssg_filesystems_storage_and_HA
- Red Hat Enterprise Linux
- Approved Exception
What were you trying to do that didn't work?
When a RHEL-9.5 system is installed with disk encryption enabled and FIPS mode is enabled on that system after the installation, the disk cannot be unlocked and the system ends up in the emergency dracut shell.
Please provide the package NVR for which the bug is seen:
RHEL-9.5
cryptsetup-libs-2.7.2-1.el9
How reproducible:
100%
Steps to reproduce
- Install the system, enable disk encryption.
- Boot the installed system and enable FIPS mode, reboot.
Expected results
Successful boot.
Actual results
Boot failed:
[ OK ] Found device /dev/disk/by-…c-bdf6-4ba3-9ad6-99c0e55fef82
       Starting Cryptography Setu…bdf6-4ba3-9ad6-99c0e55fef82 ...
[ FAILED ] Failed to start Cryptograp…c-bdf6-4ba3-9ad6-99c0e55fef82
See 'systemctl status "systemd-cryptset…\x2d99c0e55fef82.service"' for details.
[ DEPEND ] Dependency failed for Local Encrypted Volumes
[-- MARK -- Tue May 28 10:30:00 2024]
[ 181.624072] dracut-initqueue[531]: Warning: dracut-initqueue: timeout, still waiting for following initqueue hooks:
[ 181.629889] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/90-crypt.sh: "[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*51c9dcacbdf64ba39ad699c0e55fef82*-* ] || exit 1"
[ 181.635675] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2fmapper\x2frhel_sheep--45-root.sh: "if ! grep -q After=remote-fs-pre.target /run/systemd/generator/systemd-cryptsetup@*.service 2>/dev/null; then
[ 181.643165] dracut-initqueue[531]: [ -e "/dev/mapper/rhel_sheep--45-root" ]
[ 181.646362] dracut-initqueue[531]: fi"
[ 181.649250] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2frhel_sheep-45\x2froot.sh: "[ -e "/dev/rhel_sheep-45/root" ]"
[ 181.656166] dracut-initqueue[531]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2frhel_sheep-45\x2fswap.sh: "[ -e "/dev/rhel_sheep-45/swap" ]"
Additional Information
- When the system is already installed in FIPS mode, disk encryption works fine.
- After discussing the issues with okozina@redhat.com we found out that the culprit is that the default KDF (argon2) is forbidden in FIPS mode by openssl. Previously (in RHEL-9.4) cryptsetup was able to unlock the keyslot because it had its own implementation of the algorithm.
- This is technically a regression from the customer's point of view. The default KDF should be FIPS compatible so that once a customer enables FIPS mode on their system, it is still possible to unlock the disks while booting.
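As an added example (not part of this bug report), a POSIX shell check that parses `cryptsetup luksDump` output and flags LUKS2 keyslots whose PBKDF is Argon2, the KDF that OpenSSL refuses in FIPS mode, so the problem surfaces before FIPS is enabled rather than in the dracut initqueue. It assumes the luksDump layout shown in the constructed SAMPLE_DUMP, and the `luksConvertKey --pbkdf pbkdf2` remediation in the comments is the one I would apply, not something the report states.

```shell
#!/bin/sh
# Added example, not from the bug report: flag LUKS2 keyslots whose PBKDF is
# Argon2, which OpenSSL rejects in FIPS mode, so the check can run before
# `fips-mode-setup --enable` instead of failing at boot in the dracut initqueue.

# Constructed sample of `cryptsetup luksDump` output (real dumps carry more
# fields; only the "Keyslots:" section and its PBKDF lines matter here).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
	Key:        512 bits
	PBKDF:      argon2id
	Time cost:  7
  1: luks2
	Key:        512 bits
	PBKDF:      pbkdf2
	Hash:       sha256
Digests:
  0: pbkdf2
	Hash:       sha256
'

# Read luksDump text on stdin; print "<slot> <pbkdf>" for each keyslot.
keyslot_pbkdfs() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }                  # next top-level section
        in_slots && /^[ \t]*[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
        in_slots && /^[ \t]+PBKDF:/        { print slot, $2 }
    '
}

# Print only Argon2 (argon2i/argon2id) keyslots; exit 0 if any, 1 if none.
argon2_keyslots() {
    keyslot_pbkdfs | awk '$2 ~ /^argon2/ { print; found = 1 }
                          END { exit found ? 0 : 1 }'
}

# Against a real device (root, cryptsetup installed; not run here):
#   cryptsetup luksDump /dev/sda2 | argon2_keyslots
# Remediation I would apply per flagged slot before enabling FIPS (assumed,
# not stated in the report): rewrap that keyslot with PBKDF2, e.g.
#   cryptsetup luksConvertKey --key-slot 0 --pbkdf pbkdf2 /dev/sda2
```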
- is triggering: RHEL-39026 [RFE] warn if Argon2 usage is detected (Release Pending)
- links to: RHBA-2024:131736 cryptsetup bug fix and enhancement update