Bug 737081
| Field | Value |
|---|---|
| Summary | mkinitrd's FIPS support for dmraid is missing |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Leon Fauster <leonfauster> |
| Component | mkinitrd |
| Assignee | Brian Lane <bcl> |
| Status | CLOSED ERRATA |
| QA Contact | Release Test Team <release-test-team-automation> |
| Severity | medium |
| Priority | unspecified |
| Version | 5.7 |
| CC | agk, atodorov, ddumas, jreed, lkardos, sgrubb |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | mkinitrd-5.1.19.6-77.el5 |
| Doc Type | Release Note |
| Doc Text | FIPS Mode Support for dmraid. Red Hat Enterprise Linux 5.9 adds support for using FIPS mode with dmraid root devices. A dmraid device is now activated before the FIPS checksum is checked. |
| Story Points | --- |
| Last Closed | 2013-01-08 07:06:07 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Attachments:
Created attachment 522347 [details]
init-script without FIPS
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Verified on RHEL5.9 mkinitrd-5.1.19.6-78.el5

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0027.html
Created attachment 522346 [details]
init-script with FIPS

Context:

```
$ df -h
/dev/md0 251M 34M 215M 14% /boot
/dev/md2 140G 6,7G 132G 5% /
$ rpm -q kernel-xen mkinitrd
kernel-xen-2.6.18-274.3.1.el5
mkinitrd-5.1.19.6-71.el5
$ mkinitrd --with-fips -f /boot/initrd-2.6.18-274.3.1.el5xen.with-fips.img 2.6.18-274.3.1.el5xen
$ cat /boot/grub/grub.conf |tail -18 |head -7
title CentOS (2.6.18-274.3.1.el5xen) with FIPS
root (hd0,0)
kernel /xen.gz-2.6.18-274.3.1.el5 console=vga
module /vmlinuz-2.6.18-274.3.1.el5xen ro root=/dev/md2 elevator=deadline xencons=tty fips=1
module /initrd-2.6.18-274.3.1.el5xen.with-fips.img
$ cat /proc/sys/crypto/fips_enabled
0
```

Description of problem:

mkinitrd generates an initrd.img file that has an unsuitable "init" script sequence if the boot partition is on a dmraid, e.g. /dev/md0. In FIPS mode the init script of the initrd tries to check the /boot/.vmlinuz-$(uname -r).hmac file; while doing this it tries to mount the boot partition. At that stage the system is unable to mount an md device, e.g. /dev/md0, because the corresponding kernel modules are not loaded yet.

How reproducible:

Steps to Reproduce:
0. Set up a dmraid based boot partition
1. Boot the system
2. Recreate the initrd:
3. $ mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
4. Add "fips=1" to the grub kernel boot line
5. Reboot

Actual results:

The boot process is interrupted and the system reboots.

Expected results:

System boots with FIPS mode enabled.

Additional info:

As attachments:
init-initrd-2.6.18-274.3.1.el5xen.img.txt
init-NOFIPS-initrd-2.6.18-274.3.1.el5xen.img.txt

Packaging the initrd manually with a changed init-script sequence lets me boot the system in FIPS mode. The changes: all md-, raid-, scsi- and blockdev-related modules are loaded before the hmac check starts.
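The failure above is an ordering problem: the kernel HMAC check runs before the md device that holds /boot can exist. The following is an added example, not mkinitrd's init script or any attachment from this report; it shows the check the initrd performs (assumed to be an HMAC-SHA512 of vmlinuz compared against the `.vmlinuz-<version>.hmac` sidecar, in hmaccalc's `<hex>  <file>` layout) with the device precondition made explicit so that "device not present" is reported separately from "integrity mismatch". `HMAC_KEY` is a constructed placeholder, not the key the real tool uses.

```shell
#!/bin/sh
# Added example: FIPS kernel integrity check with an explicit device
# precondition. HMAC_KEY is a placeholder, not the real hmaccalc key.
HMAC_KEY="${HMAC_KEY:-example-key}"

# Return 0 once $1 exists as a block device, 2 if it does not appear within
# $2 seconds. In the initrd this is only useful after the md/raid modules
# have been loaded: polling cannot conjure a device whose driver is missing.
wait_for_block_device() {
    dev=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        [ -b "$dev" ] && return 0
        tries=$((tries - 1)); sleep 1
    done
    echo "fips: $dev did not appear" >&2
    return 2
}

# HMAC-SHA512 of a file, as the hex string stored in the .hmac sidecar.
kernel_hmac() {
    openssl dgst -sha512 -hmac "$HMAC_KEY" "$1" | sed 's/^.*= //'
}

# Verify $1/vmlinuz-$2 against $1/.vmlinuz-$2.hmac.
# Returns 0 on match, 1 on mismatch or missing file, 3 if /boot is not
# mounted (directory absent), so the caller can tell the cases apart.
verify_kernel_hmac() {
    bootdir=$1; kver=$2
    kernel="$bootdir/vmlinuz-$kver"
    sidecar="$bootdir/.vmlinuz-$kver.hmac"
    [ -d "$bootdir" ] || return 3
    if [ ! -f "$kernel" ] || [ ! -f "$sidecar" ]; then
        echo "fips: missing $kernel or $sidecar" >&2
        return 1
    fi
    expected=$(awk '{print $1}' "$sidecar")
    actual=$(kernel_hmac "$kernel")
    [ "$expected" = "$actual" ] && return 0
    echo "fips: HMAC mismatch for $kernel" >&2
    return 1
}
```

In the initrd the sequence that avoids this bug is: load the md/raid/scsi modules, `wait_for_block_device /dev/md0`, mount it, then `verify_kernel_hmac`, halting the boot on any non-zero result.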