Bug
Resolution: Unresolved
Normal
rhel-9.6
dracut-057-87.git20250311.el9_6
Moderate
rhel-sst-cs-bootloaders
ssg_core_services
Dev ack
Red Hat Enterprise Linux
Proposed Exception
Pass
Manual
All
What were you trying to do that didn't work?
A RHEL 9.4 system with FIPS enabled fails to boot the rescue initramfs entry in GRUB when that rescue initramfs has been rebuilt after installation.
This is similar to the Jira I raised for RHEL 8 (https://issues.redhat.com/browse/RHEL-53355); however, in this case the system is able to boot through the rescue entry as long as the fips module is not present in the rescue image.
- After a fresh installation of RHEL 9.4 with FIPS enabled (anaconda boot option fips=1), the system is able to boot into the rescue initramfs entry created during OS installation.
- This rescue initramfs created during OS installation does not contain the fips module
[root@rhel9-test ~]# lsinitrd /boot/initramfs-0-rescue-f5e226c546b0484baf88cdd718f3c46d.img | grep fips
[root@rhel9-test ~]#
- If we remove the old rescue entries (for any reason, to recreate them) and recreate new rescue entries (as part of a kernel reinstallation), the fips module is added to the rescue initramfs.
This is due to the presence of the configuration file below, which enables the module even when generating the rescue initramfs:

[root@rhel9-test ~]# cat /etc/dracut.conf.d/40-fips.conf
# turn on fips module
add_dracutmodules+=" fips "

[root@rhel9-test ~]# lsinitrd /boot/initramfs-0-rescue-f5e226c546b0484baf88cdd718f3c46d.img | grep fips
fips
-rw-r--r--   1 root     root          147 Jan  4  2024 etc/fipsmodules
-rw-r--r--   1 root     root          387 Jan  4  2024 etc/modprobe.d/fips.conf
-rw-r--r--   1 root     root           36 Jan  4  2024 etc/system-fips
drwxr-xr-x   2 root     root            0 Jan  4  2024 usr/lib64/fipscheck
-rw-r--r--   1 root     root           65 Aug 10  2021 usr/lib64/fipscheck/libcrypt.so.2.0.0.hmac
lrwxrwxrwx   1 root     root           47 Jan  4  2024 usr/lib64/fipscheck/libcrypt.so.2.hmac -> ../../../lib64/fipscheck/libcrypt.so.2.0.0.hmac
-rw-r--r--   2 root     root           65 Aug  3  2023 usr/lib64/fipscheck/libgmp.so.10.4.0.hmac
lrwxrwxrwx   1 root     root           46 Jan  4  2024 usr/lib64/fipscheck/libgmp.so.10.hmac -> ../../../lib64/fipscheck/libgmp.so.10.4.0.hmac
-rw-r--r--   1 root     root           65 Dec  7  2023 usr/lib64/fipscheck/libkcapi.so.1.4.0.hmac
lrwxrwxrwx   1 root     root           47 Jan  4  2024 usr/lib64/fipscheck/libkcapi.so.1.hmac -> ../../../lib64/fipscheck/libkcapi.so.1.4.0.hmac
-rwxr-xr-x   1 root     root      1337112 Jan  4  2024 usr/lib64/ossl-modules/fips.so
-rwxr-xr-x   1 root     root          424 Jun 20  2022 usr/lib/dracut/hooks/pre-mount/01-fips-boot.sh
-rwxr-xr-x   1 root     root          402 Jun 20  2022 usr/lib/dracut/hooks/pre-pivot/01-fips-noboot.sh
-rwxr--r--   1 root     root          363 Jun 20  2022 usr/lib/dracut/hooks/pre-udev/01-fips-load-crypto.sh
-rwxr-xr-x   1 root     root         6296 Jan  4  2024 usr/sbin/fips.sh
- Booting this FIPS-enabled rescue image now fails, because the fips module is launched and checks for the HMAC file "/boot/.vmlinuz-0-rescue-f5e226c546b0484baf88cdd718f3c46d.hmac", which is not present.
As opposed to the RHEL 8.10 Jira, here the system can boot when the fips module is not present in the rescue initramfs.
Because of this, the modification that omits the fips module in /usr/lib/kernel/install.d/51-dracut-rescue.install works in RHEL 9.4's case:

if [[ ! -f "$BOOT_DIR_ABS/$INITRD" ]]; then
    dracut -f --no-hostonly -a "rescue" -o "fips" "$BOOT_DIR_ABS/$INITRD" "$KERNEL_VERSION"
    ((ret+=$?))
fi
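A pre-reboot check for the mismatch described above, added here as an example that is not part of the bug report or of dracut: it derives the .hmac path the fips module expects beside a kernel image, tests whether lsinitrd lists the fips module, and flags a rescue entry that carries the module but has no HMAC file. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or dracut): flag a rescue entry that
# would fail at boot under FIPS because the initramfs carries the fips module
# while /boot has no HMAC for the rescue kernel. Function names are assumptions.

# The fips module checks /boot/.<kernel-basename>.hmac next to the kernel image
# (e.g. /boot/vmlinuz-0-rescue-ID -> /boot/.vmlinuz-0-rescue-ID.hmac).
hmac_path_for() {
    printf '%s/.%s.hmac\n' "$(dirname "$1")" "$(basename "$1")"
}

# Read lsinitrd output on stdin; the "dracut modules:" section lists one module
# name per line, so an exact-line match means the fips module was included.
initrd_has_fips() {
    grep -qx 'fips'
}

# Decide whether the entry boots: $1 = fips module present (yes/no),
# $2 = HMAC file present (yes/no). Returns 1 only for the failing combination.
classify_rescue() {
    case "$1:$2" in
        yes:no)
            echo "MISMATCH: fips module in initramfs but no HMAC for kernel"
            return 1 ;;
        yes:yes)
            echo "ok: fips module present and HMAC found" ;;
        *)
            echo "ok: fips module not in initramfs, boot skips the HMAC check" ;;
    esac
    return 0
}

# Live check against a real /boot (needs lsinitrd; not exercised by the tests).
check_rescue_entry() {
    initrd=$1
    kernel=$2
    if lsinitrd "$initrd" | initrd_has_fips; then mod=yes; else mod=no; fi
    if [ -f "$(hmac_path_for "$kernel")" ]; then hmac=yes; else hmac=no; fi
    classify_rescue "$mod" "$hmac"
}

# Typical invocation on the reporter's system (ID is the machine-id suffix):
# check_rescue_entry /boot/initramfs-0-rescue-ID.img /boot/vmlinuz-0-rescue-ID
```

Run it after recreating the rescue entry and before rebooting; a MISMATCH result means the entry will stop at the fips module's HMAC check unless the initramfs is rebuilt with `-o "fips"`.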
Please provide the package NVR for which bug is seen:
# rpm -qa | grep dracut
dracut-057-53.git20240104.el9.x86_64
dracut-network-057-53.git20240104.el9.x86_64
dracut-squash-057-53.git20240104.el9.x86_64
dracut-config-rescue-057-53.git20240104.el9.x86_64
How reproducible:
Everytime
Steps to reproduce
- On a FIPS enabled RHEL 9.4 system, remove and recreate the rescue initramfs
# mv -v /boot/*rescue* /root
# yum reinstall kernel-core
OR
# /usr/lib/kernel/install.d/51-dracut-rescue.install add $(uname -r) "" /lib/modules/$(uname -r)/vmlinuz
- Try booting into this new rescue image (which contains the fips module). It produces an error because it cannot find the HMAC file associated with the rescue vmlinuz.
Expected results
RHEL 9.4 boots successfully into the rescue entry even if the rescue initramfs is recreated.
Actual results
Currently RHEL 9.4 fails to boot into the rescue entry on a FIPS-enabled system if the rescue entry is recreated (the fips module is present in the initramfs when it is recreated).
- is depended on by: RHEL-76187 Booting with Rescue kernel works despite being in FIPS mode and "fips-mode-setup --check" reports FIPS compliance (Release Pending)
- links to: RHBA-2024:143814 dracut bug fix and enhancement update