Bug 956521

Summary: hmac check fail in initramfs
Product: Fedora
Reporter: Dave Young <ruyang>
Component: dracut
Assignee: dracut-maint
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: bhe, dracut-maint, harald, jonathan, tmraz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: dracut-027-39.git20130425.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-05-22 03:12:17 UTC

Description Dave Young 2013-04-25 07:05:23 UTC
Description of problem:

Dracut refuses to continue:
Warning: dracut: FATAL: FIPS integrity test failed
Warning: dracut: Refusing to continue

Tested with:
[root@localhost ~]# uname -a
Linux localhost 3.9.0-0.rc7.git3.1.fc19.x86_64 #1 SMP Thu Apr 18 20:29:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# rpm -qa|grep dracut
dracut-network-027-36.git20130418.fc19.x86_64
dracut-fips-027-36.git20130418.fc19.x86_64
dracut-027-36.git20130418.fc19.x86_64


In the dracut shell, manually running the command below fails (the boot partition is mounted ok):
sha512hmac -c /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac
fails with:
Error ensuring FIPS mode.


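The manual reproduction step above is "sha512hmac -c" over the kernel's .hmac file. The script below is an added example, not part of the bug report and not hmaccalc's or dracut's code: it re-implements what that check computes so the kernel image integrity test can be reproduced from any shell that has openssl. It assumes (neither fact is stated on this page) that the .hmac file uses the sha512sum-style layout "<hex digest>  <path>" and that the digest is HMAC-SHA512 under hmaccalc's built-in default key "FIPS-FTW-RHT2009"; the demo runs on a constructed stand-in for vmlinuz in a temporary directory.

```shell
#!/bin/sh
# Added example (not hmaccalc's or dracut's code): what "sha512hmac -c" checks.
# Assumptions, not taken from the bug report:
#  - .hmac lines look like "<hex digest>  <path>" (sha512sum layout);
#  - the digest is HMAC-SHA512 under hmaccalc's default key, overridable
#    through HMAC_KEY if a build uses a different one.

HMAC_KEY="${HMAC_KEY:-FIPS-FTW-RHT2009}"

# hmac_file <path>: HMAC-SHA512 of a file as lowercase hex.
hmac_file() {
    openssl dgst -sha512 -hmac "$HMAC_KEY" -r "$1" | cut -d' ' -f1
}

# hmac_gen <file>: emit one .hmac line for <file> in the layout above.
hmac_gen() {
    printf '%s  %s\n' "$(hmac_file "$1")" "$1"
}

# hmac_check <hmac-file>: verify every entry. Absolute paths are used as
# given; relative ones are resolved against the directory holding the .hmac
# file, as when it was generated with "cd /boot && sha512hmac vmlinuz-...".
hmac_check() {
    hmacfile="$1"
    dir=$(dirname "$hmacfile")
    status=0
    while read -r expected path; do
        [ -n "$expected" ] || continue          # skip blank lines
        case "$path" in
            /*) target="$path" ;;
            *)  target="$dir/$path" ;;
        esac
        if [ ! -r "$target" ]; then
            echo "$path: MISSING" >&2; status=1; continue
        fi
        actual=$(hmac_file "$target")
        if [ "$actual" = "$expected" ]; then
            echo "$path: OK"
        else
            echo "$path: FAILED" >&2; status=1
        fi
    done < "$hmacfile"
    return $status
}

# Demo on a constructed "kernel": a correct .hmac verifies, then a single
# changed byte in the image is caught. Returns 0 only if both outcomes hold.
demo() {
    tmp=$(mktemp -d) || return 1
    if ( cd "$tmp" &&
         printf 'fake vmlinuz payload\n' > vmlinuz-test &&
         hmac_gen vmlinuz-test > .vmlinuz-test.hmac &&
         hmac_check "$tmp/.vmlinuz-test.hmac" &&
         printf 'Fake vmlinuz payload\n' > vmlinuz-test &&
         ! hmac_check "$tmp/.vmlinuz-test.hmac" 2>/dev/null ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo && echo "demo: intact image verified, tampered image rejected"
```

Note what the check is and is not: the key is a fixed, published default, so a matching digest says the image has not been corrupted since the .hmac was written, not that it came from the distribution. Anyone who can replace vmlinuz on /boot can regenerate the .hmac with the same key; protection against that needs a signature verified by the boot chain, which this check does not provide.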
Comment 1 Harald Hoyer 2013-04-25 07:34:22 UTC
(In reply to comment #0)
> Description of problem:
> 
> Dracut refuses to continue:
> Warning: dracut: FATAL: FIPS integrity test failed
> Warning: dracut: Refusing to continue
> 
> Test with:
> [root@localhost ~]# uname -a
> Linux localhost 3.9.0-0.rc7.git3.1.fc19.x86_64 #1 SMP Thu Apr 18 20:29:47
> UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> [root@localhost ~]# rpm -qa|grep dracut
> dracut-network-027-36.git20130418.fc19.x86_64
> dracut-fips-027-36.git20130418.fc19.x86_64
> dracut-027-36.git20130418.fc19.x86_64
> 
> 
> In the dracut shell, manually running the command below fails (the boot partition is mounted ok):
> sha512hmac -c /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac
> fails with:
> Error ensuring FIPS mode.
> 


So, manually running
# sha512hmac -c /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac

fails, too?

Comment 2 Dave Young 2013-04-25 07:36:24 UTC
Sure, it fails when run manually.
BTW, the kernel boots with "fips=1 boot=/dev/vda1 1"

Comment 3 Harald Hoyer 2013-04-25 09:13:44 UTC
So, if /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac is corrupt/wrong, dracut does the right thing.

Does it fail, if you boot without fips, in the real root also?

Comment 4 Dave Young 2013-04-25 09:27:57 UTC
It works well in the non-FIPS real root.

Comment 5 Fedora Update System 2013-04-25 18:46:26 UTC
dracut-027-39.git20130425.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/dracut-027-39.git20130425.fc19

Comment 6 Dave Young 2013-04-26 02:35:50 UTC
Hi, Harald

Thanks for the quick fix for this. I believe you have passed the test on physical machines.

But there are still issues in a KVM guest, see below:

dracut-pre-trigger[130]: modprobe: ERROR: could not insert 'camellia_aesni_avx_x86_64': No such device
dracut-pre-trigger[130]: modprobe: ERROR: could not insert 'crc32c_intel': No such device

The two modules above return -ENODEV in module_init; I'm not sure why fips.sh fails on a modprobe failure in the code below:

    for module in $FIPSMODULES; do
        if [ "$module" != "tcrypt" ]; then
            modprobe ${module} || return 1
        fi
    done

How about only returning 1 when modprobe tcrypt fails? For the other modules just go ahead?

I guess there's probably a similar problem on arches other than x86.

Thanks
Dave

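The script below is an added example, not dracut's fips.sh and not the fix that shipped: it places the strict module-load loop quoted in comment 6 next to a relaxed loop that implements the proposal in that comment, where only a failure to load tcrypt (the kernel's crypto self-test module) is fatal and a hardware-specific accelerator that returns -ENODEV is reported and skipped. MODPROBE is overridable so the logic runs without root and without a kernel; the default is a constructed stand-in for the KVM guest from comment 6, and the module list, the stand-in and the choice to load tcrypt after the other modules are this example's assumptions.

```shell
#!/bin/sh
# Added example, not dracut's fips.sh: strict vs. relaxed handling of
# modprobe failures in the FIPS module-load loop from comment 6.

# Constructed stand-in for modprobe (assumption): mimics the KVM guest in
# the bug, where two CPU-feature-specific modules return -ENODEV from
# module_init and every other module loads.
sim_modprobe() {
    case "$1" in
        camellia_aesni_avx_x86_64|crc32c_intel)
            echo "modprobe: ERROR: could not insert '$1': No such device" >&2
            return 1 ;;
        *)  return 0 ;;
    esac
}
MODPROBE="${MODPROBE:-sim_modprobe}"   # set MODPROBE=modprobe for the real thing

# Strict loop as quoted from fips.sh: the first modprobe failure aborts the
# whole FIPS integrity check, even for an optional hardware accelerator.
fips_load_strict() {   # $1: space-separated module list
    for module in $1; do
        if [ "$module" != "tcrypt" ]; then
            $MODPROBE "$module" || return 1
        fi
    done
    return 0
}

# Relaxed loop implementing the proposal in comment 6: modules that fail to
# load are reported and skipped; tcrypt, which runs the kernel's crypto
# self-tests, is loaded last and is the only module whose failure is fatal.
# Loading tcrypt after the others is an assumption of this example.
fips_load_lenient() {  # $1: space-separated module list
    for module in $1; do
        if [ "$module" != "tcrypt" ]; then
            $MODPROBE "$module" ||
                echo "fips: optional module '$module' not loaded, continuing" >&2
        fi
    done
    $MODPROBE tcrypt || return 1
    return 0
}

# Constructed module list in the spirit of /etc/fipsmodules (assumption).
FIPSMODULES="aes_generic sha512_generic crc32c_intel camellia_aesni_avx_x86_64 tcrypt"

if fips_load_strict "$FIPSMODULES"; then
    echo "strict: passed"
else
    echo "strict: FIPS integrity test failed (the behaviour reported in the bug)"
fi
if fips_load_lenient "$FIPSMODULES"; then
    echo "lenient: passed"
else
    echo "lenient: FIPS integrity test failed"
fi
```

The caveat a practitioner should keep in mind: skipping a module is only harmless when the algorithm it provides is still available from another implementation (for example a generic module already loaded or built into the kernel). Otherwise a silently skipped module turns a loud boot failure into a later, quieter one, so in a real initramfs the relaxed loop should confirm the algorithm is present before moving on.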
Comment 7 Fedora Update System 2013-04-26 14:28:28 UTC
Package dracut-027-39.git20130425.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dracut-027-39.git20130425.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6673/dracut-027-39.git20130425.fc19
then log in and leave karma (feedback).

Comment 8 Baoquan He 2013-04-27 08:08:12 UTC
Hi Harald,

I tested on a local PC; it failed as well. It seems the same reason as Dave's caused this problem.

Baoquan
Thanks

Comment 9 Harald Hoyer 2013-04-29 05:55:26 UTC
(In reply to comment #6)
> Hi, Harald
> 
> Thanks for the quick fix for this. I believe you have passed the test on
> physical machines.
> 
> But there's still issues in kvm guest, see below:
> 
> dracut-pre-trigger[130]: modprobe: ERROR: could not insert
> 'camellia_aesni_avx_x86_64': No such device
> dracut-pre-trigger[130]: modprobe: ERROR: could not insert 'crc32c_intel':
> No such device
> 
> Above two modules return -ENODEV in module_init, I'm not sure why fips.sh
> fail for modprobe failure in below code:
> 
>     for module in $FIPSMODULES; do
>         if [ "$module" != "tcrypt" ]; then
>             modprobe ${module} || return 1
>         fi
>     done
> 
> How about only returning 1 when modprobe tcrypt fails? For the other modules just
> go ahead?

Yeah, will do that.

Comment 10 Fedora Update System 2013-04-30 17:27:17 UTC
dracut-027-45.git20130430.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/dracut-027-45.git20130430.fc19

Comment 11 Fedora Update System 2013-05-22 03:12:17 UTC
dracut-027-39.git20130425.fc19 has been pushed to the Fedora 19 obsolete repository.  If problems still persist, please make note of it in this bug report.