RHEL-53355

[RHEL 8.10] Rescue initramfs does not boot on FIPS enabled system

    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-8.10
    • dracut
    • Moderate
    • rhel-sst-cs-bootloaders
    • ssg_core_services
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      A RHEL 8.10 system faces an issue when booting to the rescue initramfs entry in GRUB when FIPS is enabled.

      On fresh OS installation:

      • After a fresh installation of RHEL 8.10 with FIPS enabled (with the anaconda boot option fips=1), the system cannot boot into the rescue initramfs entry created during OS installation.
      • This rescue initramfs created during OS installation does not contain the fips module:
        [root@rhel-8-10-fips ~]# lsinitrd /boot/initramfs-0-rescue-d70e7b3dd63e44189dba3d012752737c.img | grep -i fips
        [root@rhel-8-10-fips ~]# 
      • When booting to the rescue initramfs entry, we face the following error, seen in the screenshot below.

        This seems to be the issue which we see highlighted in the KCS.

        System fails to boot, printing "Core dump to |/bin/false pipe failed" in loop
        https://access.redhat.com/solutions/5656171

       

      After the OS installation:

      • If we remove the old rescue entries and recreate new rescue entries (as part of kernel reinstallation), it will add the fips module to the initramfs.
        This is due to the presence of the below configuration file, which enables it even when generating the rescue initramfs.
        [root@rhel9-test ~]# cat /etc/dracut.conf.d/40-fips.conf 
        # turn on fips module
        add_dracutmodules+=" fips "
        
        [root@rhel9-test ~]# lsinitrd /boot/initramfs-0-rescue-f5e226c546b0484baf88cdd718f3c46d.img | grep fips
        fips
        -rw-r--r--   1 root     root          147 Jan  4  2024 etc/fipsmodules
        -rw-r--r--   1 root     root          387 Jan  4  2024 etc/modprobe.d/fips.conf
        -rw-r--r--   1 root     root           36 Jan  4  2024 etc/system-fips
        drwxr-xr-x   2 root     root            0 Jan  4  2024 usr/lib64/fipscheck
        -rw-r--r--   1 root     root           65 Aug 10  2021 usr/lib64/fipscheck/libcrypt.so.2.0.0.hmac
        lrwxrwxrwx   1 root     root           47 Jan  4  2024 usr/lib64/fipscheck/libcrypt.so.2.hmac -> ../../../lib64/fipscheck/libcrypt.so.2.0.0.hmac
        -rw-r--r--   2 root     root           65 Aug  3  2023 usr/lib64/fipscheck/libgmp.so.10.4.0.hmac
        lrwxrwxrwx   1 root     root           46 Jan  4  2024 usr/lib64/fipscheck/libgmp.so.10.hmac -> ../../../lib64/fipscheck/libgmp.so.10.4.0.hmac
        -rw-r--r--   1 root     root           65 Dec  7  2023 usr/lib64/fipscheck/libkcapi.so.1.4.0.hmac
        lrwxrwxrwx   1 root     root           47 Jan  4  2024 usr/lib64/fipscheck/libkcapi.so.1.hmac -> ../../../lib64/fipscheck/libkcapi.so.1.4.0.hmac
        -rwxr-xr-x   1 root     root      1337112 Jan  4  2024 usr/lib64/ossl-modules/fips.so
        -rwxr-xr-x   1 root     root          424 Jun 20  2022 usr/lib/dracut/hooks/pre-mount/01-fips-boot.sh
        -rwxr-xr-x   1 root     root          402 Jun 20  2022 usr/lib/dracut/hooks/pre-pivot/01-fips-noboot.sh
        -rwxr--r--   1 root     root          363 Jun 20  2022 usr/lib/dracut/hooks/pre-udev/01-fips-load-crypto.sh
        -rwxr-xr-x   1 root     root         6296 Jan  4  2024 usr/sbin/fips.sh

       

      • This time the boot to the rescue image also fails, because it tries to launch the fips module, which checks for the presence of the HMAC file "/boot/.vmlinuz-0-rescue-d70e7b3dd63e44189dba3d012752737c.hmac", which is not present.

      So in this case, whether or not the system has a fips-enabled initramfs for the rescue entry, it always fails to boot when fips is enabled.

      I also made a modification to disable fips in /usr/lib/kernel/install.d/51-dracut-rescue.install. However, because this system fails even without the fips module, with the coredump error as seen in the KCS article and screenshot earlier, this change did solve the issue.

              if [[ ! -f "$BOOT_DIR_ABS/$INITRD" ]]; then
                  # -o "fips" added here to omit the fips dracut module from the rescue image
                  dracut -f --no-hostonly -a "rescue" -o "fips" "$BOOT_DIR_ABS/$INITRD" "$KERNEL_VERSION"
                  ((ret+=$?))
              fi

      The only way to boot successfully into the FIPS enabled initramfs is by manually editing the boot option while selecting the rescue entry and changing "fips=1" to "fips=0".

       

      There is a similar issue with RHEL 9.4; however, it does not face the problem of the coredump error when the FIPS module is not included in the initramfs as
      I will raise a separate bug for RHEL 9.4, as recreating the rescue initramfs still causes the failure due to the HMAC file not being present.

       

      Please provide the package NVR for which bug is seen:

        # rpm -qa | grep dracut
        dracut-049-233.git20240115.el8.x86_64
        dracut-network-049-233.git20240115.el8.x86_64
        dracut-squash-049-233.git20240115.el8.x86_64
        dracut-config-rescue-049-233.git20240115.el8.x86_64

      How reproducible:

      Every time

      Steps to reproduce

      1. On a fresh installation of a FIPS-enabled (fips=1 on the anaconda command line while installing) RHEL 8.10 system, boot into the rescue entry in grub. It will produce coredump errors.
      2. Remove rescue kernel/initramfs and recreate them.
        # mv -v /boot/*rescue* /root
        
        # yum reinstall kernel-core
         OR
        # /usr/lib/kernel/install.d/51-dracut-rescue.install add $(uname -r) "" /lib/modules/$(uname -r)/vmlinuz
      3. Try booting to this new rescue image (which contains the fips module). It will produce an error as it can't find the HMAC file associated with the rescue vmlinuz.

      Expected results

      RHEL 8.10 boots successfully into the rescue entry on OS installation as well as if the rescue initramfs is recreated.

      Actual results

      Currently RHEL 8.10 fails to boot to the rescue entry on OS installation (the fips module is not present in the initramfs at this time) as well as if the rescue entry is recreated (the fips module is present in the initramfs when recreated).

              pvalena@redhat.com Pavel Valena
              rhn-support-amepatil Ameya Patil
              dracut maint mailing list dracut maint mailing list
              RHEL CS Plumbers QE Bot RHEL CS Plumbers QE Bot
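A check for the two conditions this report describes, as an added example that is not part of the original report or of dracut: for each rescue kernel in a boot directory it reports whether the rescue initramfs lists any fips content (the same `lsinitrd | grep -i fips` test used above) and whether the matching `.vmlinuz-0-rescue-<id>.hmac` file exists. The function names, the `--audit` switch and the `LSINITRD` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit rescue boot entries on a FIPS-enabled host.
# LSINITRD is a hypothetical override so the listing tool can be replaced.
LSINITRD="${LSINITRD:-lsinitrd}"

# True when the kernel reports FIPS mode (optional path argument for testing).
fips_enabled() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# Prints "<id> fips_module=<yes|no> hmac=<yes|no>" for each rescue kernel.
# Returns 0 if every entry has both, 1 if any entry lacks one, 2 if none found.
audit_rescue_entries() {
    _boot="$1"; _rc=0; _found=0
    for _kernel in "$_boot"/vmlinuz-0-rescue-*; do
        [ -f "$_kernel" ] || continue
        _found=1
        _name=$(basename "$_kernel")          # vmlinuz-0-rescue-<machine-id>
        _id=${_name#vmlinuz-0-rescue-}
        _initrd="$_boot/initramfs-0-rescue-$_id.img"
        _hmac="$_boot/.$_name.hmac"           # file the fips module checks for

        _mod=no
        if [ -f "$_initrd" ] && "$LSINITRD" "$_initrd" 2>/dev/null | grep -qi fips; then
            _mod=yes
        fi
        _has_hmac=no
        if [ -f "$_hmac" ]; then _has_hmac=yes; fi

        echo "$_id fips_module=$_mod hmac=$_has_hmac"
        if [ "$_mod" = no ] || [ "$_has_hmac" = no ]; then _rc=1; fi
    done
    if [ "$_found" -eq 0 ]; then
        echo "no rescue kernel found under $_boot" >&2
        return 2
    fi
    return "$_rc"
}

# Runs only when invoked as: script --audit [boot-dir]
if [ "${1:-}" = "--audit" ]; then
    fips_enabled || echo "note: kernel is not in FIPS mode" >&2
    audit_rescue_entries "${2:-/boot}"
fi
```

An entry reported as `fips_module=no` or `hmac=no` corresponds to one of the two failing cases described in the report when the entry is booted with `fips=1`.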