Bug 1184142

Summary: RHEL 6.6 kernel will not boot with fips enabled
Product: Red Hat Enterprise Linux 6 Reporter: Allie DeVolder <adevolder>
Component: dracutAssignee: Harald Hoyer <harald>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.6CC: adevolder, dracut-maint-list, harald, mganisin, mkolaja, pholica
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: nss-softokn-freebl changed files internally. Consequence: dracut could not build an initramfs for FIPS mode, because one file was missing. Fix: nss-softokn-freebl delivers its own dracut module and dracut requires now nss-softokn-freebl >= 3.14.3-22.el6_6 Result: dracut can build a FIPS enabled initramfs with all files.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 06:38:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Allie DeVolder 2015-01-20 16:34:02 UTC 
Description of problem:
When upgrading to RHEL 6.6, dracut failed to create an initrd, and manual attempts to create an initrd failed with "Failed to install /usr/lib64/libfreebl3.chk". After following the bugzilla workaround to create a dummy file, the resulting initrd panics on boot as follows:
~~~
Kernel Panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
Pid: 1, comm: swapper Not tainted 2.6.32-504.3.3.el6.x86_64 #1
Call Trace:
~~~


Version-Release number of selected component (if applicable):
dracut-004-356.el6.noarch        
dracut-fips-004-356.el6.noarch   
dracut-kernel-004-356.el6.noarch 


How reproducible:
Unknown

Steps to Reproduce:
1. Update FIPS-enabled system to RHEL 6.6
2. Create initrd manually with dracut after update fails to have done so
3. Attempt to boot with FIPS enabled

Actual results:
Panic

Expected results:
Successful upgrade and reboot

Additional info:
Comment 2 Harald Hoyer 2015-01-21 12:51:33 UTC 
(In reply to Allan Voss from comment #0)
> Description of problem:
> When upgrading to RHEL 6.6, dracut failed to create an initrd, and manual
> attempts to create an initrd failed with "Failed to install
> /usr/lib64/libfreebl3.chk". After following the bugzilla workaround to
> create a dummy file, the resulting initrd panics on boot as follows:
> ~~~
> Kernel Panic - not syncing: VFS: Unable to mount root fs on
> unknown-block(0,0)
> Pid: 1, comm: swapper Not tainted 2.6.32-504.3.3.el6.x86_64 #1
> Call Trace:
> ~~~


This kernel message says, that no initramfs was loaded by the kernel. Are you sure, you created the initramfs image correctly? Is your bootloader config correct?
Comment 3 Harald Hoyer 2015-01-21 12:53:39 UTC 
Please provide the output of:

# dracut --debug test.img
Comment 8 Marcel Kolaja 2015-01-30 11:25:15 UTC 
This bug should be resolved in RHEL 6.6.z within bug #1182725 and will be resolved in RHEL 6.7 within bug #1182297. Am I getting it right Harald? Thanks!
Comment 12 Pavel Holica 2015-05-13 09:51:57 UTC 
Reproduced on RHEL-6.6 with nss-softokn-3.14.3-19.el6_6 and nss-softokn-freebl-3.14.3-19.el6_6 updated from RHN.

Verified that dracut from RHEL-6.7-20150506.0 requires nss-softokn-freebl >= 3.14.3-22.el6_6. nss-softokn-freebl-3.14.3-22.el6_6 is available in compose and on RHN already. After nss-softokn-freebl update, dracut was able to successfully buil initramfs and boot in fips mode.

Moving to VERIFIED.
Comment 13 errata-xmlrpc 2015-07-22 06:38:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1328.html