Bug 2107952
| Summary: | Error in GnuTLS initialization during boot after FIPS is enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Romano Silva <romano.silva> |
| Component: | gnutls | Assignee: | Daiki Ueno <dueno> |
| Status: | NEW | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Priority: | low |
| Version: | 8.6 | CC: | JONATHAN.SATTELBERGER |
| Target Milestone: | rc | Keywords: | Triaged |
| Hardware: | x86_64 | OS: | Linux |
| Type: | Bug | | |
Thank you for the report. Since this is during the early boot process, I suspect the error has something to do with DRBG.
Description of problem:

After FIPS is enabled in RHEL 8, a GnuTLS initialization error is displayed during boot:

```
>> Jul 17 20:08:16 nlb01 dracut-cmdline[474]: Error in GnuTLS initialization: Error while performing self checks.

Jul 17 20:08:15 nlb01 systemd-modules-load[368]: Inserted module 'fuse'
Jul 17 20:08:15 nlb01 systemd[1]: systemd-vconsole-setup.service: Succeeded.
Jul 17 20:08:15 nlb01 systemd[1]: Started Setup Virtual Console.
Jul 17 20:08:15 nlb01 systemd[1]: Starting dracut cmdline hook...
Jul 17 20:08:15 nlb01 dracut-cmdline[395]: dracut-8.6 (Ootpa) dracut-049-202.git20220511.el8_6
Jul 17 20:08:15 nlb01 systemd[1]: Started Apply Kernel Variables.
Jul 17 20:08:15 nlb01 dracut-cmdline[395]: Using kernel command line parameters: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-372.16.1.el8_6.x86_64 root=/dev/mapper/vg00-lvroot ro crashkernel=auto resume=/dev/mapper/vg00-lvswap rd.lvm.lv=vg00/lvroot rd.lvm.lv=vg00/lvswap rd.lvm.lv=vg00/lvusr rhgb quiet fips=1 boot=UUID=b808273f-c1d8-4478-8ce8-c807a204e01f
Jul 17 20:08:16 nlb01 dracut-cmdline[474]: Error in GnuTLS initialization: Error while performing self checks.
Jul 17 20:08:16 nlb01 systemd[1]: Started dracut cmdline hook.
Jul 17 20:08:16 nlb01 systemd[1]: Starting dracut pre-udev hook...
Jul 17 20:08:16 nlb01 dracut-pre-udev[478]: Loading and integrity checking all crypto modules
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha1_mb (sha1) passed
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha256_mb (sha256) passed
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha512_mb (sha512) passed
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha3-224-generic (sha3-224) passed
Jul 17 20:08:17 nlb01 kernel: alg: self-tests for sha3-256-generic (sha3-256) passed
Jul 17 20:08:17 nlb01 kernel: alg: self-tests for sha3-384-generic (sha3-384) passed
```

Version-Release number of selected component (if applicable):

```
# uname -a
Linux spctp-unxhpp-nlb01 4.18.0-372.16.1.el8_6.x86_64 #1 SMP Tue Jun 28 03:02:21 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep dracut
dracut-049-202.git20220511.el8_6.x86_64
dracut-squash-049-202.git20220511.el8_6.x86_64
dracut-config-rescue-049-202.git20220511.el8_6.x86_64
dracut-network-049-202.git20220511.el8_6.x86_64
# rpm -qa | grep fips
# rpm -qa | grep gnutls
rsyslog-gnutls-8.2102.0-7.el8_6.1.x86_64
gnutls-utils-3.6.16-4.el8.x86_64
gnutls-3.6.16-4.el8.x86_64
gnutls-dane-3.6.16-4.el8.x86_64
```

How reproducible:

Always after FIPS is enabled

Steps to Reproduce:

1. fips-mode-setup --enable
2. reboot
3.

Actual results:

Error displayed during boot

Expected results:

No GnuTLS error message is displayed during boot

Additional info:

It seems to work fine after boot. Message only happens during boot. Example:

```
# gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done
```
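A triage helper for the observation above that the message appears only during boot, added here as an example and not part of the original report or of GnuTLS or dracut: it splits GnuTLS self-check errors in a journal excerpt into initramfs-phase and post-boot occurrences. The function name `triage`, the sample lines (including the `rsyslogd` one, which does not occur in the report), and the rule that `dracut-*` identifiers mark the initramfs phase are assumptions of the example.

```python
import re

# Constructed sample shaped like the journal lines in the report; the
# rsyslogd line is invented to exercise the post-boot branch.
SAMPLE = """\
Jul 17 20:08:15 nlb01 dracut-cmdline[395]: Using kernel command line parameters: root=/dev/mapper/vg00-lvroot ro rhgb quiet fips=1
Jul 17 20:08:16 nlb01 dracut-cmdline[474]: Error in GnuTLS initialization: Error while performing self checks.
Jul 17 20:08:16 nlb01 dracut-pre-udev[478]: Loading and integrity checking all crypto modules
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha256_mb (sha256) passed
Jul 17 20:09:02 nlb01 rsyslogd[1021]: Error in GnuTLS initialization: Error while performing self checks.
"""

# timestamp, host, syslog identifier, optional [pid], message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")
GNUTLS_ERR = "Error in GnuTLS initialization"
KERNEL_OK = re.compile(r"alg: self-tests for \S+ \(\S+\) passed")
FIPS_ARG = re.compile(r"(?:^|\s)fips=1(?:\s|$)")


def triage(journal_text):
    """Split GnuTLS init errors by boot phase and record FIPS boot state."""
    report = {"fips_cmdline": False, "initramfs": [], "runtime": [],
              "kernel_selftests_passed": 0}
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the short syslog format
        ts, _host, ident, _pid, msg = m.groups()
        if ident == "dracut-cmdline" and "kernel command line" in msg:
            report["fips_cmdline"] = bool(FIPS_ARG.search(msg))
        elif ident == "kernel" and KERNEL_OK.match(msg):
            report["kernel_selftests_passed"] += 1
        elif GNUTLS_ERR in msg:
            # Assumption: dracut hook identifiers only log from the initramfs.
            phase = "initramfs" if ident.startswith("dracut-") else "runtime"
            report[phase].append((ts, ident))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("fips=1 on kernel command line:", r["fips_cmdline"])
    print("initramfs-phase GnuTLS errors:", r["initramfs"])
    print("post-boot GnuTLS errors:", r["runtime"])
    print("kernel crypto self-tests passed:", r["kernel_selftests_passed"])
```

Any entry under `runtime` means a GnuTLS consumer failed its self checks on the booted system, which is a different situation from the boot-only message described in this report.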