- Bug
- Resolution: Unresolved
- Normal
- rhel-9.5
- None
- dracut-057-86.git20250217.el9
- Yes
- Moderate
- rhel-sst-cs-bootloaders
- ssg_core_services
- 26
- 1
- Dev ack
- False
- None
- Red Hat Enterprise Linux
- None
- None
What were you trying to do that didn't work?
With RHEL8.10 it was not possible to boot the Rescue kernel (<machineid>-0-rescue) when the system was installed with `fips=1`, because there is no .hmac for that kernel and also because the FIPS module is not embedded in the Rescue initramfs.
This was generating errors during the boot.
Astonishingly, with RHEL9, it's possible to boot the Rescue kernel, despite having `fips=1` on the kernel command line.
Additionally, executing `fips-mode-setup --check` reports compliance, which it should not:

```
[root@vm-fips95 ~]# cat /proc/cmdline
BOOT_IMAGE=(hd0,msdos1)/vmlinuz-0-rescue-c393348bca4242b8b62309c8ff141e50 root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M boot=UUID=6030c85d-650f-4acc-af69-69080060d1f7 resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap fips=1
[root@vm-fips95 ~]# fips-mode-setup --check
FIPS mode is enabled.
```
Since the initramfs is not FIPS-compliant, there should be some error reported; nobody knows what was embedded in that initramfs...
What is the impact of this issue to you?
None.
Please provide the package NVR for which the bug is seen:
RHEL9.5 DVD
How reproducible is this bug?:
Always
Steps to reproduce
- Install the system with fips=1 on the kernel command line
- After installation, boot the Rescue kernel entry
Expected results
Errors on boot.
Actual results
No error and `fips-mode-setup --check` reports all is fine.
- depends on
  - RHEL-53364 [RHEL 9.6] Rescue initramfs does not boot on FIPS enabled system
  - Release Pending
- links to
  - RHBA-2024:143814 dracut bug fix and enhancement update
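
As an added example (not part of the report, and not Red Hat's or dracut's own code), these shell functions cross-check a `fips=1` command line against the two artifacts the report says the Rescue entry lacks: the kernel's `.hmac` file and the FIPS module in the initramfs. The `/boot/.<kernel>.hmac` naming, the function names, and the demo's shortened command line and module list are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: cross-check fips=1 against the artifacts a FIPS boot relies on.
# Assumptions: the HMAC file is <bootdir>/.<kernel>.hmac, and MODULES is the
# dracut module list printed by `lsinitrd -m <image>` (one name per line).

fips_requested() {              # true when fips=1 is on the command line
    case " $1 " in *" fips=1 "*) return 0 ;; esac
    return 1
}

kernel_from_cmdline() {         # prints the file name given in BOOT_IMAGE=
    case " $1" in
        *" BOOT_IMAGE="*) k=${1#*BOOT_IMAGE=}; k=${k%% *}; printf '%s\n' "${k##*/}" ;;
        *) return 1 ;;
    esac
}

# audit_fips_boot CMDLINE BOOTDIR MODULES
# Returns 0 when fips=1 is absent or both artifacts exist, 1 otherwise.
audit_fips_boot() {
    fips_requested "$1" || { echo "fips=1 not requested"; return 0; }
    kernel=$(kernel_from_cmdline "$1") || { echo "no BOOT_IMAGE on cmdline"; return 1; }
    rc=0
    case $kernel in *-rescue-*) echo "NOTE: rescue kernel booted: $kernel" ;; esac
    [ -f "$2/.$kernel.hmac" ] || { echo "FAIL: missing $2/.$kernel.hmac"; rc=1; }
    printf '%s\n' "$3" | grep -qx fips || { echo "FAIL: no fips dracut module in initramfs"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: HMAC file and fips module present for $kernel"
    return "$rc"
}

# Live use: c=$(cat /proc/cmdline); k=$(kernel_from_cmdline "$c")
#   audit_fips_boot "$c" /boot "$(lsinitrd -m "/boot/initramfs-${k#vmlinuz-}.img")"

# Constructed demo: the report's BOOT_IMAGE with a shortened command line,
# an empty stand-in for /boot, and a constructed module list without "fips".
demo() {
    d=$(mktemp -d)
    audit_fips_boot "BOOT_IMAGE=(hd0,msdos1)/vmlinuz-0-rescue-c393348bca4242b8b62309c8ff141e50 root=/dev/mapper/rhel-root ro fips=1" \
        "$d" "bash
systemd
lvm"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "audit exit status: $?"
```

A non-zero exit here means the kernel command line claims FIPS mode while the boot artifacts cannot back it up, which is the mismatch the report describes.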