Bug 1014284
Summary: | [FIPS140] dracut-fip updates needed for certification | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Steve Grubb <sgrubb> |
Component: | dracut | Assignee: | dracut-maint |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Release Test Team <release-test-team-automation> |
Severity: | high | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.0 | CC: | borgan, dracut-maint-list, ebenes, harald, ljozsa, rvokal, sforsber, sgrubb, tmraz |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | dracut-033-4.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | 1012626 | Environment: | |
Last Closed: | 2014-06-13 11:38:41 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Steve Grubb
2013-10-01 15:49:31 UTC
dracut-033-4.el7 changed the file from /etc/redhat-fips to /etc/system-fips Verified with dracut-033-150.el7, RHEL-7.0-20140320.0. (In reply to Steve Grubb from comment #3) > Based on the problem description > > 1) a file is being added at /etc/redhat-fips. We just need to make sure its > there. /etc/system-fips present, see c#4. > 2) is a no-op. dracut already uses sha512hmac. > 3) need to ensure the kernel modules in comment #1 are being loaded. This > can be done by inspecting an initramfs built by the new dracut to see if the > modules are present and the script loads them. I did inspection inside the running initramfs with the following results. gcm modules: gcm(aes) gcm(aes-aesni) # cat /proc/modules | grep -w gcm gcm 23457 0 - Live 0xffffffffa0257000 # dmesg | grep -w gcm [ 13.047514] alg: self-tests for gcm_base(ctr(aes-asm),ghash-generic) (gcm(aes)) passed [ 13.047873] alg: self-tests for gcm(aes) (gcm(aes)) passed cts modules: cts(cbc(aes) cts(cbc(aes-aesni)) # cat /proc/modules | grep -w cts cts 12854 0 - Live 0xffffffffa022d000 no match for cts in dmesg | grep -w cts ctr module: ctr(aes-aesni) no module named ctr, however dmesg | grep -w ctr reveals: [ 13.015579] alg: self-tests for ctr(aes-asm) (ctr(aes)) passed [ 13.015866] alg: self-tests for ctr(aes) (ctr(aes)) passed [ 13.035801] alg: self-tests for rfc3686(ctr(aes-asm)) (rfc3686(ctr(aes))) passed [ 13.036102] alg: self-tests for rfc3686(ctr(aes)) (rfc3686(ctr(aes))) passed [ 13.047514] alg: self-tests for gcm_base(ctr(aes-asm),ghash-generic) (gcm(aes)) passed [ 13.058113] alg: self-tests for ccm_base(ctr(aes-asm),aes-asm) (ccm(aes)) passed [ 13.079691] alg: self-tests for rfc4309(ccm_base(ctr(aes-asm),aes-asm)) (rfc4309(ccm(aes))) passed Steve, is it ok? As best as I can tell, it looks OK. If we have any more changes, we'll address it on RHEL 7.1. Thanks. This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |