Bug 737081

Summary: mkinitrd's FIPS support for dmraid is missing

Product: Red Hat Enterprise Linux 5
Reporter: Leon Fauster <leonfauster>
Component: mkinitrd
Assignee: Brian Lane <bcl>
Status: CLOSED ERRATA
QA Contact: Release Test Team <release-test-team>
Severity: medium
Priority: unspecified
Version: 5.7
CC: agk, atodorov, ddumas, jreed, lkardos, sgrubb
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: mkinitrd-
Doc Type: Release Note
Doc Text:
FIPS Mode Support for dmraid
Red Hat Enterprise Linux 5.9 adds support for using FIPS mode with dmraid root devices. A dmraid device is now activated before the FIPS checksum is checked.
Story Points: ---
Last Closed: 2013-01-08 07:06:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
init-script with FIPS
init-script without FIPS

Description Leon Fauster 2011-09-09 14:28:56 UTC
Created attachment 522346 [details]
init-script with FIPS


$ df -h
/dev/md0          251M   34M  215M  14% /boot
/dev/md2          140G   6,7G  132G    5% /

$ rpm -q kernel-xen mkinitrd

$ mkinitrd --with-fips -f /boot/initrd-2.6.18-274.3.1.el5xen.with-fips.img 2.6.18-274.3.1.el5xen

$ cat /boot/grub/grub.conf |tail -18 |head -7

title CentOS (2.6.18-274.3.1.el5xen) with FIPS
        root (hd0,0)
        kernel /xen.gz-2.6.18-274.3.1.el5 console=vga
        module /vmlinuz-2.6.18-274.3.1.el5xen ro root=/dev/md2 elevator=deadline xencons=tty fips=1
        module /initrd-2.6.18-274.3.1.el5xen.with-fips.img

$ cat /proc/sys/crypto/fips_enabled

Description of problem:

mkinitrd generates an initrd.img file that has an unsuitable "init"-script sequence
if the boot partition is on a dmraid device, e.g. /dev/md0.

In FIPS mode the init script of the initrd tries to check the /boot/.vmlinuz-$(uname -r).hmac file;
while doing this it tries to mount the boot partition. At that stage the system is unable to mount
an md device, e.g. /dev/md0, because the corresponding kernel modules are not yet loaded.

How reproducible:

Steps to Reproduce:

0. Setup a dmraid based boot partition
1. Boot the system
2. Recreate the initrd:
3. $ mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
4. Add “fips=1” to grub kernel boot line
5. Reboot

Actual results:
Boot process will be interrupted and the system reboots.

Expected results:
System boots with fips mode enabled

Additional info:
as attachments:

Packaging the initrd manually with a changed init-script
sequence helps me to boot the system in FIPS mode.
The changes:
all md-, raid-, scsi- and blockdev-related modules
are loaded before the hmac check starts.
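
The ordering the reporter describes (storage and RAID modules first, then activate the RAID set, then mount /boot, then the HMAC check), written out as an added illustrative init fragment; this is not the init script mkinitrd generates, and the module list, the tool invocations (dmraid, mdadm), the /boot mount point and the FIPS_HMAC_CHECK override are assumptions made for the example.

```shell
#!/bin/sh
# Illustrative initrd init fragment (added example; not the script mkinitrd generates).
# Ordering the report asks for: load block/RAID modules and activate the RAID set
# *before* mounting /boot and checking the kernel's FIPS HMAC. Tool names are assumptions.

# Verify .vmlinuz-<kver>.hmac against vmlinuz-<kver> inside the mounted boot partition.
#   $1 = directory where the boot partition is mounted, $2 = kernel version
# hmaccalc's sha512hmac reads the same "digest  filename" format as sha512sum, so
# FIPS_HMAC_CHECK can be overridden (e.g. "sha512sum -c") to exercise the logic elsewhere.
fips_verify_kernel() {
    hmac=".vmlinuz-$2.hmac"
    [ -f "$1/$hmac" ] || { echo "FIPS: $1/$hmac missing" >&2; return 1; }
    ( cd "$1" && ${FIPS_HMAC_CHECK:-sha512hmac -c} "$hmac" >/dev/null 2>&1 )
}

# Bring up the RAID device holding /boot, then run the check.
#   $1 = boot device (e.g. /dev/md0), $2 = kernel version
fips_boot_check() {
    # Block/RAID modules first; without them the md device cannot be mounted
    # (the failure the report describes).
    for m in scsi_mod sd_mod dm_mod md_mod raid0 raid1 raid10 raid456; do
        modprobe "$m" >/dev/null 2>&1
    done
    dmraid -ay >/dev/null 2>&1                # firmware (dmraid) sets
    mdadm --assemble --scan >/dev/null 2>&1   # Linux md sets such as /dev/md0
    mkdir -p /boot
    mount -o ro "$1" /boot || { echo "FIPS: cannot mount $1" >&2; return 1; }
    fips_verify_kernel /boot "$2"
    rc=$?
    umount /boot
    return $rc
}

# Only act as the real init (PID 1) of an initrd booted with fips=1 on the kernel line.
if [ "$$" -eq 1 ] && grep -q 'fips=1' /proc/cmdline 2>/dev/null; then
    fips_boot_check /dev/md0 "$(uname -r)" || { echo "FIPS integrity check failed" >&2; reboot -f; }
fi
```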

Comment 1 Leon Fauster 2011-09-09 14:29:40 UTC
Created attachment 522347 [details]
init-script without FIPS

Comment 2 RHEL Product and Program Management 2012-04-02 09:00:56 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 7 Ľuboš Kardoš 2012-09-26 11:15:34 UTC
Verified on RHEL5.9 mkinitrd-

Comment 9 errata-xmlrpc 2013-01-08 07:06:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.