Bug 1672023
| Summary: | [RHEL 8 HTB] update-crypto-policies/fips-mode-setup hangs server | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Yogita <ysoni> |
| Component: | crypto-policies | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | deepak.rajaling, jreznik, nmavrogi, szidek, tmraz, ysoni |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-03 13:17:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Yogita
2019-02-03 08:17:52 UTC
There is no need to explicitly call update-crypto-policies --set FIPS or update-crypto-policies --set DEFAULT. The command even prints a warning not to do that. The fips-mode-setup --enable and fips-mode-setup --disable implicitly change the crypto policy to FIPS and back to DEFAULT.

As for the hang - I think this is just a continuing manifestation of the "too low entropy in kernel" during boot. We made multiple workarounds to improve the situation; however, apparently the problem still happens sometimes. To debug further, it is crucial to find out at which stage during the boot the boot hangs. Also we need to know the exact details of the machine - is it virtual or real hw, does it have rdrand, ...

So actually Snapshot 2 had a known issue with low entropy on boot, could you please test a newer snapshot?

Hi Tomas,

>> Also we need to know the exact details of the machine - is it virtual or real hw, does it have rdrand, ...

I tested the mentioned steps on my VirtualBox VM.
Not sure about rdrand here but.

Did you test anything newer than Snapshot 2?

>> Did you test anything newer than Snapshot 2?

By snapshot 2, you mean the latest RHEL8 release, right? If yes, I'll do that soon and update you with my observation.

Hi Tomas,

>> Did you test anything newer than Snapshot 2?

I believe you are talking about the Snapshot 2 mentioned in the link below - http://download.eng.pnq.redhat.com/pub/rhel/rel-eng/

I'm not really sure how to use the same, as I can't see a direct ISO for this. Can you please confirm what your observation is with Snapshot 2? It will be great if you can mention how to use the snapshot as well here.

I can confirm, this is now fixed in Snapshot 6. Thanks a lot!

Hi, I am facing a similar issue in the AWS RHEL 8 image. As per audit requirement we asked to enable this fips-mode-setup --enable. After enabling and rebooting the AWS Red Hat 8 EC2 VM, the system doesn't come up. We have even tried with 2 to 3 different AWS accounts and different locations. It is the same: after reboot it does not come up. Since AWS doesn't have a console option, we couldn't see where it got stuck. Has anyone come across and fixed this?
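
The machine details requested earlier in this thread (virtual or real hardware, rdrand, kernel entropy) and the pairing of kernel FIPS mode with the FIPS crypto policy that fips-mode-setup maintains can be collected with a script like the following. It is an added example, not part of the original bug report or of Red Hat's tooling; the `ROOT` prefix, the `LOW_ENTROPY` threshold of 256 and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: collect the boot-entropy and FIPS facts asked for in this bug.
# ROOT (assumption of this sketch) points at a copied tree; empty = live system.
ROOT="${ROOT:-}"
LOW_ENTROPY="${LOW_ENTROPY:-256}"   # illustrative threshold, not a Red Hat value

has_rdrand() {    # x86 only: true when the first "flags" line lists rdrand
    grep -m1 '^flags' "$ROOT/proc/cpuinfo" 2>/dev/null | grep -qw rdrand
}
entropy_avail() {
    cat "$ROOT/proc/sys/kernel/random/entropy_avail" 2>/dev/null || echo unknown
}
kernel_fips() {   # 1 when the running kernel is in FIPS mode
    cat "$ROOT/proc/sys/crypto/fips_enabled" 2>/dev/null || echo 0
}
cmdline_fips() {  # 1 when this boot was started with fips=1
    if grep -qw 'fips=1' "$ROOT/proc/cmdline" 2>/dev/null; then echo 1; else echo 0; fi
}
policy_name() {   # configured system-wide crypto policy, comments stripped
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$ROOT/etc/crypto-policies/config" \
        2>/dev/null | head -n1 | tr -d '[:space:]'
}
entropy_risk() {
    e=$(entropy_avail)
    if has_rdrand; then echo rdrand-present
    elif [ "$e" != unknown ] && [ "$e" -lt "$LOW_ENTROPY" ]; then
        echo no-rdrand-low-entropy
    else echo no-rdrand
    fi
}
fips_state() {
    # A mismatch is expected between "fips-mode-setup --enable" and the reboot;
    # after the reboot it deserves a closer look.
    k=$(kernel_fips); c=$(cmdline_fips); p=$(policy_name)
    case "$p" in FIPS|FIPS:*) pf=1 ;; *) pf=0 ;; esac
    if [ "$k" = 1 ] && [ "$c" = 1 ] && [ "$pf" = 1 ]; then echo consistent-fips
    elif [ "$k" = 0 ] && [ "$c" = 0 ] && [ "$pf" = 0 ]; then echo consistent-nonfips
    else echo "mismatch kernel=$k cmdline=$c policy=${p:-unknown}"
    fi
}
report() {
    virt=$(systemd-detect-virt 2>/dev/null) || virt=${virt:-unknown}
    echo "virtualization: $virt"
    echo "entropy_avail:  $(entropy_avail) ($(entropy_risk))"
    echo "fips:           $(fips_state)"
}
report
```

Run it on the live system as is, or set `ROOT` to a directory holding copies of the same `/proc` and `/etc` files taken from the affected machine.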