Bug 982152
Summary: | cryptsetup does not work in FIPS mode | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Michal Toman <mtoman> |
Component: | cryptsetup | Assignee: | Ondrej Kozina <okozina> |
Status: | CLOSED NOTABUG | QA Contact: | Release Test Team <release-test-team-automation> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.0 | CC: | agk, mtoman, okozina, pknirsch, prajnoha, rvokal, tmraz |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-07-09 11:59:24 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Michal Toman
2013-07-08 09:23:17 UTC
Please, could you supply output from:

```
ls -l /usr/lib{,64}/fipscheck/libcryptsetup.*
```

Turn off FIPS mode temporarily, in case you have rootfs on an encrypted device...

```
$ ls -l /usr/lib{,64}/fipscheck/libcryptsetup.*
ls: cannot access /usr/lib/fipscheck/libcryptsetup.*: No such file or directory
-rw-r--r--. 1 root root 65 Apr 4 15:32 /usr/lib64/fipscheck/libcryptsetup.so.4.5.0.hmac
-rw-r--r--. 1 root root 65 Apr 4 15:32 /usr/lib64/fipscheck/libcryptsetup.so.4.hmac
```

OK. Maybe we are getting somewhere. I installed a fresh RHEL7 and everything worked as intended in FIPS mode. So far, it looks like you have something wrong with checksum files in the initramfs image (provided you have an encrypted device with the root filesystem and you need to open it before rootfs is mounted).

Could you please unpack your initramfs image and look for the libcryptsetup checksum files? They will be at the same location inside the image: `<initramfs_image>/usr/lib64/fipscheck/libcryptsetup.so.4.5.0.hmac`. In case the checksum files are missing (there should also be a checksum for the cryptsetup command line binary), try to run `dracut -f -M` once again, to see which modules are actually included in your initramfs image. In case both files (cryptsetup.hmac and libcryptsetup...) are present, try to run the following commands and paste the output here, please:

```
FIPSCHECK_DEBUG=error fipscheck /usr/lib64/libcryptsetup.so.4; echo $?
FIPSCHECK_DEBUG=error fipscheck /usr/sbin/cryptsetup; echo $?
```

Oh! Concerning the last 2 commands: I need the output from an emergency shell, after the failure.

(In reply to Ondrej Kozina from comment #5)
> OK. Maybe we are getting somewhere. I installed a fresh RHEL7 and everything
> worked as intended in FIPS mode. So far, it looks like you have something
> wrong with checksum files in initramfs image (provided you have encrypted
> device with root filesystem and you need to open it before rootfs is mounted)

This is exactly the case. The checksums got pulled into initramfs:

```
# ls -l /usr/lib64/fipscheck/
total 20
-rw-r--r-- 1 root 0 65 Apr 4 15:32 cryptsetup.hmac
-rw-r--r-- 1 root 0 65 Mar 16 16:59 fipscheck.hmac
-rw-r--r-- 2 root 0 65 Apr 4 15:32 libcryptsetup.so.4.5.0.hmac
-rw-r--r-- 2 root 0 65 Apr 4 15:32 libcryptsetup.so.4.hmac
-rw-r--r-- 1 root 0 65 Mar 16 16:59 libfipscheck.so.1.1.0.hmac
lrwxrwxrwx 1 root 0 26 Jul 8 22:57 libfipscheck.so.1.hmac -> libfipscheck.so.1.1.0.hmac
# FIPSCHECK_DEBUG=error fipscheck /usr/lib64/libcryptsetup.so.4; echo $?
fipscheck: FIPS_mode_set() failed
14
# FIPSCHECK_DEBUG=error fipscheck /usr/sbin/cryptsetup; echo $?
fipscheck: FIPS_mode_set() failed
14
```

We need also the .hmac files from the openssl-libs package for the fipscheck to work. These are:

```
/usr/lib64/.libcrypto.so.1.0.1e.hmac
/usr/lib64/.libcrypto.so.10.hmac
/usr/lib64/.libssl.so.1.0.1e.hmac
/usr/lib64/.libssl.so.10.hmac
/usr/lib64/libcrypto.so.1.0.1e
/usr/lib64/libcrypto.so.10
/usr/lib64/libssl.so.1.0.1e
/usr/lib64/libssl.so.10
```

These are also present:

```
# ls -l <the list>
-rw-r--r-- 1 root 0 65 May 10 19:20 /usr/lib64/.libcrypto.so.1.0.1e.hmac
lrwxrwxrwx 1 root 0 25 Jul 9 11:49 /usr/lib64/.libcrypto.so.10.hmac -> .libcrypto.so.1.0.1e.hmac
-rw-r--r-- 1 root 0 65 May 10 19:20 /usr/lib64/.libssl.so.1.0.1e.hmac
lrwxrwxrwx 1 root 0 22 Jul 9 11:49 /usr/lib64/.libssl.so.10.hmac -> .libssl.so.1.0.1e.hmac
-rwxr-xr-x 1 root 0 1960312 May 10 19:20 /usr/lib64/libcrypto.so.1.0.1e
lrwxrwxrwx 1 root 0 19 Jul 9 11:49 /usr/lib64/libcrypto.so.10 -> libcrypto.so.1.0.1e
-rwxr-xr-x 1 root 0 441920 May 10 19:20 /usr/lib64/libssl.so.1.0.1e
lrwxrwxrwx 1 root 0 16 Jul 9 11:49 /usr/lib64/libssl.so.10 -> libssl.so.1.0.1e
```

Running fipscheck on libssl or libcrypto results in the same behavior as on cryptsetup:

```
# FIPSCHECK_DEBUG=error fipscheck /usr/lib64/libcrypto.so.1.0.1e; echo $?
fipscheck: FIPS_mode_set() failed
14
# FIPSCHECK_DEBUG=error fipscheck /usr/lib64/libssl.so.1.0.1e; echo $?
fipscheck: FIPS_mode_set() failed
14
```

Here's the list of modules that dracut pulls:

```
# dracut -f -M
fips i18n drm plymouth crypt dm kernel-modules resume rootfs-block terminfo udev-rules biosdevname systemd usrmount base fs-lib shutdown
```

I have openssl-libs-1.0.1e-8.el7.x86_64 installed.

One thing that comes to my mind is that all the .hmac files seem to contain 256-bit long hashes. In my initramfs, I can only see /usr/bin/sha512hmac and /usr/lib64/hmaccalc/sha512hmac.hmac.

hmaccalc and sha512hmac are not used by fipscheck and cryptsetup. Are the libcrypto and libssl files exactly the same as in the vanilla openssl-libs-1.0.1e-8.el7 package? Do you have prelink disabled?

Although I didn't have prelink installed, installing it and unprelinking everything fixed the problem. Thank you for your quick responses and consider this NOTABUG.

More on that in comment #12 and #13. For anyone experiencing the same chain of errors, please look into: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html, chapter 7.2.1, item 1: You have to use the `prelink -u -a` command before creating the initramfs image every time unless you are absolutely sure there is no prelinked binary or library in your system.
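The thread's root cause is that prelink rewrote the library bytes after their .hmac checksums were generated, so the integrity check in the initramfs could never match. The following is an added illustration, not code from the bug report or from fipscheck itself: it recomputes the HMAC-SHA256 that fipscheck stores beside a library (64 hex characters plus a newline, the 65-byte files seen in the `ls` output above) and shows the check failing as soon as the file's bytes change. The key constant and the `<dir>/fipscheck/<name>.hmac` layout are assumptions taken from the fipscheck sources and from the paths quoted in the thread; the "library" is a constructed temporary file.

```python
import hashlib
import hmac
import os
import tempfile

# HMAC key used by fipscheck for its file checksums (assumption: taken from
# the fipscheck sources, not from the bug report above).
FIPSCHECK_HMAC_KEY = b"orboDeJITITejsirpADONivirpUkvarP"


def compute_hmac(path, key=FIPSCHECK_HMAC_KEY):
    """Hex HMAC-SHA256 over the file's bytes, the value a .hmac file stores."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def hmac_file_for(path):
    """Map a library to its checksum file as laid out on the page:
    /usr/lib64/libcryptsetup.so.4 -> /usr/lib64/fipscheck/libcryptsetup.so.4.hmac
    """
    directory, name = os.path.split(path)
    return os.path.join(directory, "fipscheck", name + ".hmac")


def verify(path, hmac_path=None):
    """Return (ok, expected, actual). ok is False if the .hmac file is missing
    or if the bytes on disk no longer match it (e.g. after prelink rewrote the ELF)."""
    hmac_path = hmac_path or hmac_file_for(path)
    actual = compute_hmac(path)
    if not os.path.exists(hmac_path):
        return (False, None, actual)
    with open(hmac_path) as fh:
        expected = fh.read().strip()
    return (hmac.compare_digest(expected, actual), expected, actual)


def demo():
    """Constructed scenario: a fake library with a matching .hmac passes; then the
    file is modified in place (standing in for prelink) and the same check fails."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "libfake.so.1")
        with open(lib, "wb") as fh:
            fh.write(b"\x7fELF constructed fake library contents\n")
        os.mkdir(os.path.join(tmp, "fipscheck"))
        with open(hmac_file_for(lib), "w") as fh:
            fh.write(compute_hmac(lib) + "\n")  # 64 hex chars + newline = 65 bytes
        before = verify(lib)[0]
        with open(lib, "ab") as fh:
            fh.write(b"relocations rewritten")
        after = verify(lib)[0]
        return (before, after)
```

Running `demo()` returns `(True, False)`: the same checksum file that validated the pristine library rejects it once its bytes differ, which is why the guide linked above requires `prelink -u -a` before the initramfs is built.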