Bug 857310

Summary: RHEL5.9 kernel fails to boot in fips mode
Product: Red Hat Enterprise Linux 5
Component: kvm
Version: 5.9
Status: CLOSED NOTABUG
Severity: medium
Priority: high
Reporter: Shaolong Hu <shu>
Assignee: Virtualization Maintenance <virt-maint>
QA Contact: Virtualization Bugs <virt-bugs>
CC: chayang, juzhang, michen, mkenneth, pmoore, pwouters, rhod, virt-maint
Target Milestone: rc
Keywords: TestBlocker
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-09-17 03:25:01 UTC
Type: Bug
Bug Blocks: 805676    
Attachments:
  dmidecode output (flags: none)
  sosreport (flags: none)

Description Shaolong Hu 2012-09-14 05:21:47 UTC
Created attachment 612722: dmidecode output

Description of problem:
------------------------
After enabling FIPS on a RHEL5.9 host, the kernel fails to boot.


Version-Release number of selected component (if applicable):
---------------------------------------------------------------
2.6.18-339.el5


How reproducible:
------------------
100%


Steps to Reproduce:
----------------------
1. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
2. Add "fips=1" to the grub kernel boot line
3. Reboot the host


Actual results:
----------------
Warning: pci_mmcfg_init marking 256MB space uncacheable.
Red Hat nash version 5.1.19.6 starting
SELF TEST FAILED (/usr/lib64/hmaKernel panic - not syncing: Attempted to kill init!
ccalc/sha512hmac .hmac)


Additional info:
-------------------
This happens on some hosts. I tried two hosts and both hit the problem; my colleague's host works fine, so I think this is a hardware-related problem. My host's dmidecode output is in the attachment.

By the way, I am verifying:
Bug 805676 - FIPS 140-2 kernel and KVM

So this is a blocker.

Comment 1 Shaolong Hu 2012-09-14 05:41:38 UTC
Created attachment 612726: sosreport

Comment 2 Paul Moore 2012-09-14 12:29:33 UTC
Did you follow all of the steps described in the article below?

 * https://access.redhat.com/knowledge/articles/38655

Common problems you may want to verify on your test system:

1. FIPS mode requires a separate /boot partition.
2. Prelinking must be disabled.

Comment 3 Eduard Benes 2012-09-14 13:51:20 UTC
Hello Hu, one observation in addition to the suggestions from Paul in the previous comment. By inspecting your sosreport, I see you still have prelinking enabled in /etc/sysconfig/prelink. Even if you undo prelink, you should disable it entirely so a cron job doesn't run it again and break your system.

Comment 4 Shaolong Hu 2012-09-17 03:25:01 UTC
OK, thanks for specification, this is NOTABUG, close it.
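
The prerequisites named in comments 2 and 3, together with the fips=1 boot parameter from the reproduction steps, written as a shell pre-flight check. This is an added example, not part of the original bug report or of any Red Hat tooling; the function names and the sample files are constructed for illustration, and it assumes the prelink sysconfig file uses a `PRELINKING=yes|no` assignment.

```shell
#!/bin/sh
# Pre-flight checks for the FIPS prerequisites discussed in this bug.
# File paths are parameters so the checks also run against copies (e.g. from a sosreport).

# Succeeds if prelinking is still enabled in a sysconfig-style file.
prelink_enabled() {
    # The last uncommented PRELINKING= assignment wins, as when the file is sourced.
    val=$(sed -n 's/^[[:space:]]*PRELINKING=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'[:space:]")
    [ "$val" = "yes" ]
}

# Succeeds if /boot is its own mount point in a /proc/mounts-format file.
boot_is_separate() {
    awk '$2 == "/boot" { found = 1 } END { exit !found }' "$1"
}

# Succeeds if the kernel command line (or a grub kernel line) carries the exact token fips=1.
cmdline_has_fips() {
    tr -s '[:space:]' '\n' < "$1" | grep -qx 'fips=1'
}

# Runs all three checks, prints one line per problem, returns the problem count.
fips_preflight() {   # args: prelink-config mounts-file cmdline-file
    problems=0
    if prelink_enabled "$1"; then
        echo "FAIL: PRELINKING=yes in $1; set it to no so cron does not re-prelink"
        problems=$((problems + 1))
    fi
    if ! boot_is_separate "$2"; then
        echo "FAIL: no separate /boot mount found in $2"
        problems=$((problems + 1))
    fi
    if ! cmdline_has_fips "$3"; then
        echo "FAIL: fips=1 not present in $3"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample inputs (not taken from the sosreport attached to this bug).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'PRELINKING=yes\n' > "$demo/prelink"
printf '/dev/sda1 / ext3 rw 0 0\n' > "$demo/mounts"
printf 'ro root=/dev/sda1 fips=1\n' > "$demo/cmdline"
fips_preflight "$demo/prelink" "$demo/mounts" "$demo/cmdline" || echo "problems: $?"
```

On a live host the three arguments would be /etc/sysconfig/prelink, /proc/mounts and /proc/cmdline.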