Bug 831598

Summary: FATAL: Module aes-xts not found (FIPS integrity check failed)
Product: Red Hat Enterprise Linux 7
Reporter: Ondrej Moriš <omoris>
Component: dracut
Assignee: dracut-maint
Status: CLOSED CURRENTRELEASE
QA Contact: Release Test Team <release-test-team-automation>
Severity: high
Priority: unspecified
Version: 7.0
CC: harald, jstodola, pvrabec, pwouters
Target Milestone: beta
Target Release: 7.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: dracut-018-65.git20120612.fc17
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:57:55 UTC
Type: Bug
Bug Blocks: 717789
Attachments (description, flags):
/run/initramfs/init.log (flags: none)
dracut -f --debug (flags: none)
Fix xts module name (flags: none)
Fix module names (flags: none)

Description Ondrej Moriš 2012-06-13 12:01:32 UTC
Description of problem:

The FIPS integrity check provided by dracut fails in RHEL7. This causes dracut to die during boot and the kernel to panic. When all 'die' in dracut-fips are replaced by 'warn', the system boots into FIPS mode and you can see its init log file:

...
//sbin/fips.sh@53(do_fips): info 'Checking integrity of kernel'
//lib/dracut-lib.sh@316(info): check_quiet
//lib/dracut-lib.sh@301(check_quiet): '[' -z yes ']'
//lib/dracut-lib.sh@317(info): echo '<30>dracut: Checking integrity of kernel'
//lib/dracut-lib.sh@318(info): '[' yes '!=' yes ']'
//sbin/fips.sh@54(do_fips): newroot=/sysroot
///sbin/fips.sh@55(do_fips): uname -r
//sbin/fips.sh@55(do_fips): KERNEL=3.3.0-0.13.el7.x86_64
//sbin/fips.sh@57(do_fips): '[' -e /sysroot/boot/.vmlinuz-3.3.0-0.13.el7.x86_64.hmac ']'
//sbin/fips.sh@57(do_fips): unset newroot
//sbin/fips.sh@59(do_fips): ls -la /boot
total 24246
dr-xr-xr-x  5 root root     1024 Jun 12  2012 .
drwxr-xr-x 13 root root        0 Jun 12 13:37 ..
-rw-r--r--  1 root root      166 May 31 14:06 .vmlinuz-3.3.0-0.13.el7.x86_64.hmac
-rw-------  1 root root  2743548 May 31 14:06 System.map-3.3.0-0.13.el7.x86_64
-rw-r--r--  1 root root   113682 May 31 14:06 config-3.3.0-0.13.el7.x86_64
drwxr-xr-x  2 root root     1024 Jun  6 11:34 grub
drwxr-xr-x  6 root root     1024 Jun  6 11:41 grub2
-rw-r--r--  1 root root 16969413 Jun 12  2012 initramfs-3.3.0-0.13.el7.x86_64.img
drwx------  2 root root    12288 Jun  6 11:31 lost+found
-rwxr-xr-x  1 root root  4973104 May 31 14:06 vmlinuz-3.3.0-0.13.el7.x86_64
//sbin/fips.sh@60(do_fips): '[' -e /boot/.vmlinuz-3.3.0-0.13.el7.x86_64.hmac ']'
//sbin/fips.sh@65(do_fips): sha512hmac -c /boot/.vmlinuz-3.3.0-0.13.el7.x86_64.hmac
/boot/vmlinuz-3.3.0-0.13.el7.x86_64: OK
///sbin/fips.sh@67(do_fips): cat /etc/fipsmodules
//sbin/fips.sh@67(do_fips): FIPSMODULES='aead
aes_generic
aes-xts
aes-x86_64
ansi_cprng
cbc
ccm
chainiv
ctr
des
deflate
ecb
eseqiv
hmac
seqiv
sha256
sha512
cryptomgr
crypto_null
tcrypt
dm-mod
dm-crypt'
//sbin/fips.sh@69(do_fips): info 'Loading and integrity checking all crypto modules'
//lib/dracut-lib.sh@316(info): check_quiet
//lib/dracut-lib.sh@301(check_quiet): '[' -z yes ']'
//lib/dracut-lib.sh@317(info): echo '<30>dracut: Loading and integrity checking all crypto modules'
//lib/dracut-lib.sh@318(info): '[' yes '!=' yes ']'
//sbin/fips.sh@70(do_fips): for module in '$FIPSMODULES'
//sbin/fips.sh@71(do_fips): '[' aead '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aead
//sbin/fips.sh@70(do_fips): for module in '$FIPSMODULES'
//sbin/fips.sh@71(do_fips): '[' aes_generic '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aes_generic
//sbin/fips.sh@70(do_fips): for module in '$FIPSMODULES'
//sbin/fips.sh@71(do_fips): '[' aes-xts '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aes-xts
FATAL: Module aes-xts not found.
//sbin/fips.sh@72(do_fips): return 1
///lib/dracut/hooks/pre-trigger/01fips-boot.sh@10(source): warn 'FIPS integrity test failed'
//lib/dracut-lib.sh@310(warn): check_quiet
//lib/dracut-lib.sh@301(check_quiet): '[' -z yes ']'
//lib/dracut-lib.sh@311(warn): echo '<28>dracut Warning: FIPS integrity test failed'
//lib/dracut-lib.sh@312(warn): echo 'dracut Warning: FIPS integrity test failed'
dracut Warning: FIPS integrity test failed
...

Obviously, the problem is caused by:

FATAL: Module aes-xts not found.

Version-Release number of selected component (if applicable):

dracut-fips-018-53.git20120605.el7.noarch
dracut-018-53.git20120605.el7.noarch
kernel-3.3.0-0.13.el7.x86_64

How reproducible:

100%

Steps to Reproduce:

1. uninstall or disable prelink
2. install dracut-fips
3. perl -pi -e 's#die #warn #g' /usr/lib/dracut/modules.d/01fips/*
4. dracut -f 
5. reboot and enter grub menu
6. add kernel parameters: rd.debug fips=1 boot=/dev/sda1 
   (or whatever your boot partition is) 
7. boot and see /run/initramfs/init.log
  
Actual results:

...
FATAL: Module aes-xts not found.
...
dracut Warning: FIPS integrity test failed
...

Expected results:

...
dracut: FIPS integrity test passed
...

Additional info:

See attachments.

Comment 1 Ondrej Moriš 2012-06-13 12:02:06 UTC
Created attachment 591456
/run/initramfs/init.log

Comment 2 Ondrej Moriš 2012-06-13 12:03:57 UTC
Created attachment 591457
dracut -f --debug

Comment 4 Ondrej Moriš 2012-06-13 14:39:05 UTC
Hm, I still see it:

dracut-018-65.git20120612.el7.noarch

...
//sbin/fips.sh@71(do_fips): '[' aes-xts '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aes-xts
FATAL: Module aes-xts not found.
//sbin/fips.sh@72(do_fips): return 1
///lib/dracut/hooks/pre-trigger/01fips-boot.sh@10(source): warn 'FIPS integrity test failed'
//lib/dracut-lib.sh@310(warn): check_quiet
...

Comment 5 Harald Hoyer 2012-06-18 11:42:22 UTC
(In reply to comment #4)
> Hm, I still see it:
> 
> dracut-018-65.git20120612.el7.noarch
> 
> ...
> //sbin/fips.sh@71(do_fips): '[' aes-xts '!=' tcrypt ']'
> //sbin/fips.sh@72(do_fips): modprobe aes-xts
> FATAL: Module aes-xts not found.
> //sbin/fips.sh@72(do_fips): return 1
> ///lib/dracut/hooks/pre-trigger/01fips-boot.sh@10(source): warn 'FIPS
> integrity test failed'
> //lib/dracut-lib.sh@310(warn): check_quiet
> ...

Are you sure that you regenerated the initramfs after updating?

Comment 6 Milan Broz 2012-06-27 14:33:34 UTC
Created attachment 594801
Fix xts module name

Harald, I think this is just a bug in dracut; there was never an aes-xts module.

It should be xts (like in RHEL6).

See attached patch - I think it should be fixed upstream.

Comment 7 Milan Broz 2012-06-29 11:49:02 UTC
Created attachment 595281
Fix module names

In F18/rawhide the sha256 module is also compiled in, so modprobe fails - use aes256_generic, which always works.
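
Added example, not part of the bug thread and not dracut code: comments 6 and 7 describe two different reasons a name in the FIPS module list can fail (a name that never existed, and a module compiled into the kernel), so this sketch classifies each list entry against depmod's `modules.dep`, `modules.builtin` and `modules.alias` before the initramfs is rebuilt. The function names and the sample directory contents are hypothetical and constructed for illustration; on a real system the module directory would be `/lib/modules/$(uname -r)`.

```shell
#!/bin/sh
# Added example: pre-flight check of a fipsmodules-style list against a kernel
# module directory, so a bad name is caught before the initramfs is rebuilt.

# classify_fips_module NAME MODDIR -> prints module | builtin | alias | missing
classify_fips_module() {
    # modprobe treats '-' and '_' as the same character; match either.
    # Assumes names contain only letters, digits, '-' and '_'.
    pat=$(printf '%s' "$1" | sed 's/[-_]/[-_]/g')
    if grep -Eqs "(^|/)$pat\.ko(\.[a-z0-9]+)?:" "$2/modules.dep"; then
        echo module      # loadable .ko file
    elif grep -Eqs "(^|/)$pat\.ko\$" "$2/modules.builtin"; then
        echo builtin     # compiled into the kernel image
    elif grep -Eqs "^alias $pat " "$2/modules.alias"; then
        echo alias       # exact (non-wildcard) alias for another module
    else
        echo missing     # no such name at all
    fi
}

# check_fips_modules LISTFILE MODDIR -> "name: class" per line, status 1 if any missing
check_fips_modules() {
    rc=0
    while IFS= read -r m; do
        [ -n "$m" ] || continue
        class=$(classify_fips_module "$m" "$2")
        echo "$m: $class"
        if [ "$class" = missing ]; then rc=1; fi
    done < "$1"
    return "$rc"
}

# Constructed sample data (not taken from a real system): a tiny module
# directory plus a list containing the name reported in this bug.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'kernel/crypto/xts.ko: kernel/crypto/gf128mul.ko' \
        'kernel/arch/x86/crypto/aes-x86_64.ko:' > "$d/modules.dep"
    printf '%s\n' 'kernel/crypto/sha256_generic.ko' > "$d/modules.builtin"
    printf '%s\n' 'alias sha512 sha512_generic' > "$d/modules.alias"
    printf '%s\n' aes-xts xts aes-x86_64 sha256_generic sha512 > "$d/fipsmodules"
    echo "$d"
}

sample=$(make_sample)
check_fips_modules "$sample/fipsmodules" "$sample" || echo "list has unknown names"
```

Entries reported as `builtin` are the case comment 7 describes, and `missing` is the `aes-xts` case from comment 6.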

Comment 8 Milan Broz 2012-06-29 11:50:47 UTC
Can the attached patch be committed upstream and for rawhide/F17 dracut please?

Comment 9 Paul Wouters 2012-07-17 22:19:54 UTC
dracut-020-96.git20120717.fc17 but there haven't been any builds of dracut in a while, so it is still on dracut 0.18 in Fedora....

Is there any reason why this isn't being built in rawhide/f17?

Comment 10 Harald Hoyer 2012-07-18 10:27:15 UTC
(In reply to comment #9)
> dracut-020-96.git20120717.fc17 but there haven't been any builds of dracut
> in a while, so it is still on dracut 0.18 in Fedora....
> 
> Is there any reason why this isn't being built in rawhide/f17?


huh? dracut-020-96.git20120717.fc17? Where is this? Built dracut-020-96.git20120717.fc18 to rawhide http://koji.fedoraproject.org/koji/buildinfo?buildID=330901 but not F17!

Comment 11 Harald Hoyer 2012-07-18 10:41:33 UTC
Will backport some fixes to F17 today.

Comment 14 Harald Hoyer 2013-02-26 09:24:40 UTC
Fixed with dracut-024-25.git20130205.el7

Comment 15 Jan Stodola 2013-07-09 12:43:02 UTC
Retested with dracut-029-1.el7, system booted successfully in fips mode, no errors reported.

Moving to VERIFIED.

Comment 16 Ludek Smid 2014-06-13 11:57:55 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.