Bug 1398097

Summary: crypto.fips_enabled is 0 after set FIPS=1 in cmdline
Product: Red Hat Enterprise Virtualization Manager
Reporter: Huijuan Zhao <huzhao>
Component: ovirt-node
Assignee: Fabian Deutsch <fdeutsch>
Status: CLOSED WORKSFORME
QA Contact: Huijuan Zhao <huzhao>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.6.9
CC: cshao, dguo, dougsland, gklein, huzhao, jiawu, leiwang, lsurette, qiyuan, rbarry, weiwang, yaniwang, ycui, ykaul, yzhao
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-25 07:54:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments:
Description Flags
All the logs in /var/log/ and sosreport none

Description Huijuan Zhao 2016-11-24 06:43:17 UTC
Created attachment 1223523
All the logs in /var/log/ and sosreport

Description of problem:
Installed RHEVH in FIPS mode by appending FIPS=1 to the cmdline, but crypto.fips_enabled is 0 and the output of /proc/sys/crypto/fips_enabled is 0; they should be 1.


Version-Release number of selected component (if applicable):
rhevh-7.3-20161028.1.el6ev.iso
ovirt-node-3.6.1-34.0.el7ev.noarch
fipscheck-1.4.1-5.el7.x86_64
dracut-fips-033-463.el7.x86_64
hmaccalc-0.9.13-4.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Start installation in FIPS mode by appending FIPS=1 to the cmdline
2. Reboot the system
3. Log in to the system using SSH:
   # cat /proc/sys/crypto/fips_enabled
   # sysctl crypto.fips_enabled   


Actual results:
In step 3, both outputs are 0:
# cat /proc/sys/crypto/fips_enabled
0
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

Expected results:
In step 3, both outputs should be 1.


Additional info:
# cat ./dev/.initramfs/live/grub2/grub.cfg

#default saved
set timeout=5
#hiddenmenu
menuentry "RHEV-H 7.3-20161028.1.el7ev" {
set root=(hd0,3)
search --no-floppy --label Root --set root
linux /vmlinuz0 root=live:LABEL=Root ro rootfstype=auto rootflags=ro ksdevice=bootif rd.dm=0  rd.md=0 crashkernel=256M lang= max_loop=256 rhgb quiet elevator=deadline rd.live.check rd.luks=0 rd.live.image FIPS=1
initrd /initrd0.img
}

Comment 1 Fabian Deutsch 2016-11-24 16:12:48 UTC
dracut-fips might be missing.

But did you use fips=1 (non-capital letters)?

Comment 2 Huijuan Zhao 2016-11-25 03:11:45 UTC
(In reply to Fabian Deutsch from comment #1)
> dracut-fips might be missing.
> 
> But did you use fips=1 (non-capital letters)?

I tested with fips=1 (non-capital letters) just now, no such issue.

Test steps:
1. Start installation in FIPS mode by appending fips=1 to the cmdline
2. Reboot the system
3. Log in to the system using SSH:
   # cat /proc/sys/crypto/fips_enabled
   # sysctl crypto.fips_enabled 

Test result:
In step 3, both outputs are 1.


So for vintage RHEV-H, we should use fips=1 in the cmdline to make it effective?

Comment 3 Fabian Deutsch 2016-11-25 07:41:14 UTC
Yes.

Comment 4 Huijuan Zhao 2016-11-25 07:54:13 UTC
Thanks Fabian.
According to Comment 2 and Comment 3, I will close this bug.
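
The check this thread arrives at, as an added example (not part of the bug report or of oVirt Node): POSIX shell functions that classify the FIPS token on a kernel command line and compare it with the value read from /proc/sys/crypto/fips_enabled. The function names and the sample command line (shortened from the grub.cfg in the description) are constructed for illustration.

```shell
#!/bin/sh
# Added example: catch a mis-cased FIPS request such as the FIPS=1 in this bug.

# Print the FIPS request found in a kernel command line ($1):
#   enabled | disabled | other:<tok> | miscased:<tok> | absent
fips_cmdline_state() {
    state=absent
    set -f                      # no globbing while word-splitting $1
    for tok in $1; do
        case "$tok" in
            fips=1) state=enabled ;;
            fips=0) state=disabled ;;
            fips=*) state="other:$tok" ;;
            [Ff][Ii][Pp][Ss]=*)
                # Right letters, wrong case (the thread shows FIPS=1 left
                # fips_enabled at 0). Report it unless a lowercase token
                # has already been seen.
                [ "$state" = absent ] && state="miscased:$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# Compare the request ($1 = cmdline) with the runtime flag
# ($2 = content of /proc/sys/crypto/fips_enabled). Returns 1 on mismatch.
fips_audit() {
    req=$(fips_cmdline_state "$1")
    case "$req" in
        enabled)
            if [ "$2" = 1 ]; then
                echo "OK: fips=1 requested and active"
            else
                echo "FAIL: fips=1 requested but fips_enabled=$2"; return 1
            fi ;;
        miscased:*)
            echo "FAIL: '${req#miscased:}' is not lowercase fips=1; fips_enabled=$2"
            return 1 ;;
        *)  echo "INFO: FIPS not requested ($req); fips_enabled=$2" ;;
    esac
}

# Constructed sample, shortened from the grub.cfg in the description.
SAMPLE='root=live:LABEL=Root ro rhgb quiet rd.live.image FIPS=1'
fips_audit "$SAMPLE" 0 || true
# On a live host:
#   fips_audit "$(cat /proc/cmdline)" "$(cat /proc/sys/crypto/fips_enabled)"
```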