Bug 2051630

Summary: cryptsetup fails in FIPS
Product: Red Hat Enterprise Linux 9
Reporter: Stanislav Zidek <szidek>
Component: cryptsetup
Assignee: Ondrej Kozina <okozina>
Status: CLOSED ERRATA
QA Contact: guazhang <guazhang>
Severity: medium
Priority: unspecified
Version: 9.0
CC: agk, guazhang, jbrassow, okozina, omoris, prajnoha
Target Milestone: rc
Keywords: Triaged
Target Release: 9.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cryptsetup-2.4.3-2.el9
Doc Type: If docs needed, set a value
Last Closed: 2022-05-17 15:48:06 UTC
Type: Bug

Comment 1 guazhang@redhat.com 2022-02-08 13:44:44 UTC
Hi,

Cannot reproduce the bug in FIPS module.

5.14.0-55.el9.x86_64
cryptsetup-2.4.3-1.el9.x86_64

# cat /proc/sys/crypto/fips_enabled
1
# dd if=/dev/urandom of=keyfile bs=4M count=1
1+0 records in
1+0 records out
4194304 bytes (4.2 MB, 4.0 MiB) copied, 0.145038 s, 28.9 MB/s
# dd if=/dev/zero of=container bs=4M count=16 oflag=sync conv=fsync
16+0 records in
16+0 records out
67108864 bytes (67 MB, 64 MiB) copied, 0.77346 s, 86.8 MB/s
# losetup -f --show container
/dev/loop0
# cryptsetup -v luksFormat /dev/loop0 --key-file=keyfile <<< YES
Key slot 0 created.
Command successful.

Comment 6 guazhang@redhat.com 2022-02-09 02:52:20 UTC
Hi,

# cryptsetup --debug -v luksFormat /dev/loop0 --key-file=keyfile <<< YES
# cryptsetup 2.4.3 processing "cryptsetup --debug -v luksFormat /dev/loop0 --key-file=keyfile"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/loop0.
# Trying to open and read device /dev/loop0 with direct-io.
# Initialising device-mapper backend library.
WARNING: Device /dev/loop0 already contains a 'crypto_LUKS' superblock signature.
# File descriptor passphrase entry requested.
Running in FIPS mode.
# Crypto backend (OpenSSL 3.0.1 14 Dec 2021 [fips]) initialized in cryptsetup library version 2.4.3.
# Detected kernel Linux 5.14.0-55.el9.x86_64 x86_64.
# PBKDF pbkdf2-sha256, time_ms 2000 (iterations 0).
Existing 'crypto_LUKS' superblock signature on device /dev/loop0 will be wiped.
Existing 'crypto_LUKS' superblock signature on device /dev/loop0 will be wiped.
# Formatting device /dev/loop0 as type LUKS2.
# Auto-detected optimal encryption sector size for device /dev/loop0 is 512 bytes.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Checking if cipher aes-xts-plain64 is usable.
# Using userspace crypto wrapper to access keyslot area.
# Formatting LUKS2 with JSON metadata area 12288 bytes and keyslots area 16744448 bytes.
# Creating new digest 0 (pbkdf2).
# Setting PBKDF2 type key digest 0.
# Running pbkdf2(sha256) benchmark.
Not compatible PBKDF2 options (using hash algorithm sha256).
# Releasing crypt device /dev/loop0 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/loop0.
# Unlocking memory.

I got the bug, but I don't know why FIPS didn't work before.

Please help to check my steps:
# yum install dracut-fips
# dracut -f
add fips=1 to kernel line
# grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
# openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
# cat /proc/sys/crypto/fips_enabled
1
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
openssl-3.0.1-5.el9.x86_64

works well.
/usr/bin/fips-mode-setup --enable
/usr/bin/fips-finish-install --complete
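
Added example (not part of the bug report and not cryptsetup's own code): a small Python triage helper that reads `cryptsetup --debug -v luksFormat` output like the one quoted in comment 6 and reports whether the run was in FIPS mode, whether the OpenSSL backend banner carried the `[fips]` tag, which PBKDF was selected, and whether it hit the `Not compatible PBKDF2 options` failure. The sample logs are constructed from the lines quoted above, and the consistency warnings (PBKDF2 expected in FIPS mode, kernel and backend FIPS state expected to agree) are assumptions drawn from that log, not from cryptsetup documentation.

```python
import re

# Constructed sample input: abridged from the failing `cryptsetup --debug -v luksFormat`
# output quoted in comment 6 of the bug.
FAILING_LOG = """\
# cryptsetup 2.4.3 processing "cryptsetup --debug -v luksFormat /dev/loop0 --key-file=keyfile"
Running in FIPS mode.
# Crypto backend (OpenSSL 3.0.1 14 Dec 2021 [fips]) initialized in cryptsetup library version 2.4.3.
# PBKDF pbkdf2-sha256, time_ms 2000 (iterations 0).
# Running pbkdf2(sha256) benchmark.
Not compatible PBKDF2 options (using hash algorithm sha256).
"""

# Constructed sample input: a non-FIPS run that succeeds with the LUKS2 default argon2id.
SUCCESS_LOG = """\
# Crypto backend (OpenSSL 3.0.1 14 Dec 2021) initialized in cryptsetup library version 2.4.3.
# PBKDF argon2id, time_ms 2000 (iterations 0).
Key slot 0 created.
Command successful.
"""

BACKEND_RE = re.compile(r"^# Crypto backend \((.+?)\) initialized in cryptsetup library version \S+$")
PBKDF_RE = re.compile(r"^# PBKDF (\S+), time_ms (\d+) \(iterations (\d+)\)\.$")
PBKDF_ERR_RE = re.compile(r"^Not compatible PBKDF2 options \(using hash algorithm (\S+)\)\.$")

def triage_luks_format(log):
    """Summarise one debug run: FIPS state, crypto backend, PBKDF choice and outcome."""
    r = {"fips": False, "backend": None, "backend_fips": False,
         "pbkdf": None, "outcome": "unknown", "rejected_hash": None, "warnings": []}
    for line in log.splitlines():
        if line == "Running in FIPS mode.":
            r["fips"] = True  # cryptsetup prints this when the kernel reports fips_enabled=1
        elif (m := BACKEND_RE.match(line)):
            r["backend"] = m.group(1)
            r["backend_fips"] = "[fips]" in m.group(1)  # "[fips]" tag as seen in the failing log
        elif (m := PBKDF_RE.match(line)):
            r["pbkdf"] = {"type": m.group(1), "time_ms": int(m.group(2)), "iterations": int(m.group(3))}
        elif (m := PBKDF_ERR_RE.match(line)):
            r["outcome"], r["rejected_hash"] = "pbkdf2-rejected", m.group(1)
        elif line == "Command successful.":
            r["outcome"] = "success"
    # Consistency checks a triager wants flagged, not just recorded (assumed expectations).
    if r["fips"] and r["pbkdf"] and not r["pbkdf"]["type"].startswith("pbkdf2"):
        r["warnings"].append("FIPS mode but non-PBKDF2 key derivation selected")
    if r["fips"] != r["backend_fips"]:
        r["warnings"].append("kernel FIPS flag and crypto backend FIPS state disagree")
    return r
```

Feed it the full debug output of a failing run (for example via `triage_luks_format(open("cryptsetup.log").read())`) to see at a glance whether both the kernel and the OpenSSL backend were really in FIPS mode when the PBKDF2 rejection occurred.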

Comment 11 guazhang@redhat.com 2022-02-25 01:14:04 UTC
Test pass with fixed package, move to verified.

Comment 13 errata-xmlrpc 2022-05-17 15:48:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: cryptsetup), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3913