Bug 1010945

Summary: .hmac checksums for openssl are missing in initird
Product: Red Hat Enterprise Linux 6 Reporter: Ondrej Moriš <omoris>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED CURRENTRELEASE QA Contact: Release Test Team <release-test-team>
Severity: high Docs Contact:
Priority: high    
Version: 6.5CC: agk, dracut-maint-list, ebenes, lkardos, mvadkert, okozina, omoris, prajnoha, prockai, sbueno, sforsber, sgrubb, zkabelac
Target Milestone: rc   
Target Release: 6.5   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-11 20:06:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 843829, 972747    

Description Ondrej Moriš 2013-09-23 10:53:23 UTC 
Description of problem:

When an encryption checkbox in anaconda install of RHEL-6.5 Beta candidate (RHEL6.5-20130913.0) is checked, anaconda use a default disk encryption setup to encrypt /. You can successfully boot right after the installation with chosen encryption password. However when you turn the system into fips mode [1], the system does not boot at all, the password is not accepted and dracut prints the following error:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

[1] https://access.redhat.com/site/solutions/137833

Version-Release number of selected component (if applicable):

cryptsetup-luks-1.2.0-7.el6.x86_64
cryptsetup-luks-libs-1.2.0-7.el6.x86_64

fipscheck-1.2.0-9.el6.x86_64
nss-softokn-fips-3.14.3-8.el6.x86_64
openssh-clients-fips-5.3p1-93.el6.x86_64
nss-softokn-freebl-fips-3.14.3-8.el6.x86_64
openssl-fips-1.0.1e-11.el6.x86_64
openswan-fips-2.6.32-24.el6.x86_64
dracut-fips-004-328.el6.noarch
fipscheck-lib-1.2.0-9.el6.x86_64
openssh-server-fips-5.3p1-93.el6.x86_64

dracut-004-328.el6.noarch
dracut-fips-004-328.el6.noarch
dracut-kernel-004-328.el6.noarch

kernel-2.6.32-419.el6.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Install the system via GUI using disk encryption (no specific setup).
2. Boot the system (it should work fine).
3. Turn the system into FIPS mode:
   * prelink -u -a
   * yum remove -y prelink
   * yum install dracut-fips -y
   * add the kernel parameters to grub: fips=1 boot=/dev/vda1
     - where /dev/vda1 stands for boot partition (set it appropriately)
   * dracut -f -v
   * yum install "*-fips" -y
4. Reboot

Actual results:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

Expected results:

Successful boot.

Additional info:

This is a regression from Alpha (RHEL6.5-20130830.2), where disk encrypted system could be booted successfully.
Comment 1 Ondrej Moriš 2013-09-23 11:14:02 UTC 
(In reply to Ondrej Moriš from comment #0)
> Description of problem:
> 
> When an encryption checkbox in anaconda install of RHEL-6.5 Beta candidate
> (RHEL6.5-20130913.0) is checked, anaconda use a default disk encryption
> setup to encrypt /. You can successfully boot right after the installation
> with chosen encryption password. However when you turn the system into fips
> mode [1], the system does not boot at all, the password is not accepted and
> dracut prints the following error:
> 
> Password (/dev/vda2):dracut: FIPS checksum verification failed.
> 
> [1] https://access.redhat.com/site/solutions/137833
> 
> Steps to Reproduce:
 
I have also upgraded to the latest packages - ie. those from RHEL6.5-20130921.2:

  0. yum upgrade -y

> 1. Install the system via GUI using disk encryption (no specific setup).
Comment 2 Steve Grubb 2013-09-23 20:22:13 UTC 
My guess would be that a hmac file is not in the initrd. I am wondering if you can tell if they are missing compared to an initrd made previously?
Comment 3 Ondrej Moriš 2013-09-24 15:02:46 UTC 
(In reply to Steve Grubb from comment #2)
> My guess would be that a hmac file is not in the initrd. I am wondering if
> you can tell if they are missing compared to an initrd made previously?

Yes, this seems to be the cause:

Alpha
=====

[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.0.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

Beta
====
[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac

Therefore the following hmacs are missing in Beta initrd (when rebuilt with dracut-fips):

./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac
Comment 4 Harald Hoyer 2013-10-07 13:36:25 UTC 
(In reply to Ondrej Moriš from comment #3)
> (In reply to Steve Grubb from comment #2)
> > My guess would be that a hmac file is not in the initrd. I am wondering if
> > you can tell if they are missing compared to an initrd made previously?
> 
> Yes, this seems to be the cause:
> 
> Alpha
> =====
> 
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.0.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac
> 
> Beta
> ====
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.1.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
> 
> Therefore the following hmacs are missing in Beta initrd (when rebuilt with
> dracut-fips):
> 
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac


Well, nothing changed in dracut. Is the package containing /usr/lib64/.libcrypto.so.1.0.1e.hmac installed, at the time, when the initramfs gets created (rpm posttrans)?
Comment 5 Steve Grubb 2013-10-09 14:08:07 UTC 
Has this been retested with the current beta packages? This may be an artifact from the initial attempt to define the FIPS Product. If it is a leftover from moving the hmacs, then the bz can be closed. Thanks.
Comment 6 Suzanne Forsberg 2013-10-10 15:28:48 UTC 
Proposing as blocker since the report says this prevents the system from booting.
Comment 7 Harald Hoyer 2013-10-11 12:32:53 UTC 
*** Bug 1017755 has been marked as a duplicate of this bug. ***
Comment 8 Samantha N. Bueno 2013-10-11 20:06:41 UTC 
On the latest rhel65 compose (looks to be from 09 Oct), I see the hmac files which were originally missing in comment 3:

[root@localhost initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

So it seems to me this can be closed.