RHEL-4649

Images built with stig profile remediation fail to boot with FIPS error

Details

    • Bug
    • Resolution: Unresolved
    • Critical
    • rhel-8.7.0
    • osbuild-composer
    • Major
    • sst_image_builder
    • ssg_front_door
    • Unspecified
    • Known Issue
    • Release note text:
      .Images built with the `stig` profile remediation fail to boot with FIPS error

      FIPS mode is not supported by RHEL image builder. When using RHEL image builder customized with the `xccdf_org.ssgproject.content_profile_stig` profile remediation, the system fails to boot with the following error:

      [literal,subs="quotes"]
      ----
      Warning: /boot//.vmlinuz-<kernel version>.x86_64.hmac does not exist
      FATAL: FIPS integrity test failed
      Refusing to continue
      ----

      Enabling the FIPS policy manually after the system image installation with the `fips-mode-setup --enable` command does not work, because the `/boot` directory is on a different partition. The system boots successfully if FIPS is disabled. Currently, there is no workaround available.

      NOTE: You can manually enable FIPS after installing the image by using the `fips-mode-setup --enable` command.
    • Done

    Description

      Description of problem:
      Images built with composer/image builder fail to boot with an error:

      Warning: /boot//.vmlinuz-<kernel version>.x86_64.hmac does not exist
      FATAL: FIPS integrity test failed
      Refusing to continue

      Version-Release number of selected component (if applicable):

      osbuild-composer-core-62-3.el8_7.x86_64
      osbuild-composer-dnf-json-62-3.el8_7.x86_64
      osbuild-composer-worker-62-3.el8_7.x86_64
      cockpit-composer-41-1.el8.noarch
      osbuild-composer-62-3.el8_7.x86_64
      genisoimage-1.1.11-39.el8.x86_64

      How reproducible:
      Every time an image is built with the xccdf_org.ssgproject.content_profile_stig profile

      Steps to Reproduce:
      1. Create a blueprint with the following:

      [customizations.openscap]
      datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml"
      profile_id = "xccdf_org.ssgproject.content_profile_stig"

      2. Build the image (tested with both qcow2 and vmdk)

      3. Boot the image

      Actual results:
      System fails to boot with an error that the .hmac for the kernel does not exist

      Expected results:
      The system should boot

      Additional info:
      I've tested with and without a scap user and got the same results:

      [[customizations.user]]
      name = "scap-security-guide"
      description = "Admin account"
      password = "hash"
      home = "/home/scap-security-guide"
      group = ["wheel"]

      I booted the system from an ISO and confirmed that the .hmac file does exist, as does the scap user. However, the scap user is not part of the wheel group; I'm not sure why, or if that's relevant to the issue.

      System boots fine if FIPS is disabled.

      Manually enabling FIPS after installation with "fips-mode-setup --enable" works fine.

      Since the error message says the system is looking for an hmac at /boot//.vmlinuz, I'm wondering if this is an issue with the path it's using?
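The report asks whether the `/boot//.vmlinuz-<kernel version>.x86_64.hmac` path is the problem. The following pre-flight check is an added example, not code from the report or from osbuild-composer: run against a built image mounted at `$root`, with the kernel cmdline GRUB will pass and the kernel version installed in the image, it reports the preconditions the initramfs FIPS integrity test needs before the first boot with `fips=1`. The path derivation approximates dracut's 01fips module (an assumption from reading `fips.sh`, not something the report states); under that derivation the `/boot//` in the error is what appears when the kernel named by `BOOT_IMAGE` is not found under `/boot` and the module falls back to `vmlinuz-<kver>` with an empty directory part. The `boot=<device>` argument is the one dracut.cmdline(7) documents for mounting a separate `/boot` in FIPS mode, which is the partition layout the release note blames.

```shell
#!/bin/sh
# Added pre-flight check (not from the bug report or osbuild-composer). Run against a
# built image mounted at $root, before the first boot with fips=1. The .hmac path
# derivation approximates dracut's 01fips module (fips.sh) as an assumption: the
# "/boot//" in the reported error is what it yields when the kernel named by
# BOOT_IMAGE is not found under /boot and it falls back to vmlinuz-<kver>.

# Print the value of key=value argument $2 in kernel cmdline $1; fail if absent.
cmdline_get() {
    for _arg in $1; do
        case "$_arg" in
            "$2="*) printf '%s\n' "${_arg#"$2="}"; return 0 ;;
        esac
    done
    return 1
}

# Derive the .hmac path the initramfs will look for. $1=image root, $2=cmdline, $3=kver.
fips_hmac_path() {
    _root=$1; _kver=$3
    _img=$(cmdline_get "$2" BOOT_IMAGE) || _img=""
    _img=$(printf '%s' "$_img" | sed 's/^(.*)//')      # drop GRUB device prefix "(hd0,gpt2)"
    _name=${_img##*/}
    _path=${_img%"$_name"}
    if [ -z "$_name" ]; then
        _name="vmlinuz-$_kver"
    elif ! [ -e "$_root/boot/$_path/$_name" ]; then
        _path=${_path#/boot}                            # BOOT_IMAGE may already include /boot
        if ! [ -e "$_root/boot/$_path/$_name" ]; then   # last resort: running kernel, no directory
            _name="vmlinuz-$_kver"; _path=""
        fi
    fi
    printf '/boot/%s/.%s.hmac\n' "$_path" "$_name"
}

# Return 0 when every precondition holds. $4 is "yes" when /boot is a separate partition.
fips_preflight() {
    _root=$1; _cmdline=$2; _kver=$3; _sep=$4; _rc=0
    [ "$(cmdline_get "$_cmdline" fips)" = 1 ] || { echo "fips=1 missing from kernel cmdline"; _rc=1; }
    if [ "$_sep" = yes ] && ! cmdline_get "$_cmdline" boot >/dev/null; then
        echo "separate /boot but no boot=<device> argument; initramfs cannot mount it"; _rc=1
    fi
    _hmac=$(fips_hmac_path "$_root" "$_cmdline" "$_kver")
    [ -e "$_root$_hmac" ] || { echo "$_hmac does not exist"; _rc=1; }
    return $_rc
}
```

When the file is present, `sha512hmac -c` on the printed path (from the hmaccalc package) completes the same integrity check the initramfs performs.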

      People

        osbuilders Osbuilders Bot Account
        rhn-support-lagordon Lark Gordon
        RH Bugzilla Integration
        Eliane Pereira