Description of problem:

When an encryption checkbox in anaconda install of RHEL-6.5 Beta candidate (RHEL6.5-20130913.0) is checked, anaconda uses a default disk encryption setup to encrypt /. You can successfully boot right after the installation with the chosen encryption password. However, when you turn the system into fips mode [1], the system does not boot at all; the password is not accepted and dracut prints the following error:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

[1] https://access.redhat.com/site/solutions/137833

Version-Release number of selected component (if applicable):

cryptsetup-luks-1.2.0-7.el6.x86_64
cryptsetup-luks-libs-1.2.0-7.el6.x86_64
fipscheck-1.2.0-9.el6.x86_64
nss-softokn-fips-3.14.3-8.el6.x86_64
openssh-clients-fips-5.3p1-93.el6.x86_64
nss-softokn-freebl-fips-3.14.3-8.el6.x86_64
openssl-fips-1.0.1e-11.el6.x86_64
openswan-fips-2.6.32-24.el6.x86_64
dracut-fips-004-328.el6.noarch
fipscheck-lib-1.2.0-9.el6.x86_64
openssh-server-fips-5.3p1-93.el6.x86_64
dracut-004-328.el6.noarch
dracut-fips-004-328.el6.noarch
dracut-kernel-004-328.el6.noarch
kernel-2.6.32-419.el6.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Install the system via GUI using disk encryption (no specific setup).
2. Boot the system (it should work fine).
3. Turn the system into FIPS mode:
   * prelink -u -a
   * yum remove -y prelink
   * yum install dracut-fips -y
   * add the kernel parameters to grub: fips=1 boot=/dev/vda1 - where /dev/vda1 stands for the boot partition (set it appropriately)
   * dracut -f -v
   * yum install "*-fips" -y
4. Reboot

Actual results:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

Expected results:

Successful boot.

Additional info:

This is a regression from Alpha (RHEL6.5-20130830.2), where a disk-encrypted system could be booted successfully.
(In reply to Ondrej Moriš from comment #0)
> Description of problem:
>
> When an encryption checkbox in anaconda install of RHEL-6.5 Beta candidate
> (RHEL6.5-20130913.0) is checked, anaconda use a default disk encryption
> setup to encrypt /. You can successfully boot right after the installation
> with chosen encryption password. However when you turn the system into fips
> mode [1], the system does not boot at all, the password is not accepted and
> dracut prints the following error:
>
> Password (/dev/vda2):dracut: FIPS checksum verification failed.
>
> [1] https://access.redhat.com/site/solutions/137833
>
> Steps to Reproduce:

I have also upgraded to the latest packages - i.e. those from RHEL6.5-20130921.2:

0. yum upgrade -y

> 1. Install the system via GUI using disk encryption (no specific setup).
My guess would be that a hmac file is not in the initrd. I am wondering if you can tell if they are missing compared to an initrd made previously?
(In reply to Steve Grubb from comment #2)
> My guess would be that a hmac file is not in the initrd. I am wondering if
> you can tell if they are missing compared to an initrd made previously?

Yes, this seems to be the cause:

Alpha
=====

[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.0.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

Beta
====

[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac

Therefore the following hmacs are missing in the Beta initrd (when rebuilt with dracut-fips):

./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac
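The comparison done by hand in comment 3 can be automated against an extracted initrd (zcat the image into a scratch directory with cpio first). The following is an added example, not part of this bug report or of dracut: it diffs a tree's .hmac files against the Alpha listing above (which also flags harmless version drift such as libfipscheck 1.1.0 vs 1.1.1) and, more usefully, reports every checked object that has no dir/.name.hmac companion at all. The set of checked name prefixes and the stub tree it builds for itself are assumptions made for the example.

```python
import tempfile
from pathlib import Path

ALPHA_HMACS = """\
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.0.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac
"""  # known-good reference: `find . -name "*.hmac" | sort` in the Alpha initrd (comment 3)
CHECKED = ("libcryptsetup.so", "libfipscheck.so", "libgcrypt.so", "libcrypto.so", "libssl.so",
           "cryptsetup", "fipscheck")  # objects verified against dir/.name.hmac at boot (assumed set)

def relpaths(root, keep):
    """find(1)-style paths ("./a/b") of files under root for which keep(path) holds."""
    return sorted("./" + p.relative_to(root).as_posix()
                  for p in Path(root).rglob("*") if p.is_file() and keep(p))

def missing_vs_reference(root, reference=ALPHA_HMACS):
    """Reference .hmac entries absent from the tree; version drift shows up here too."""
    present = relpaths(root, lambda p: p.name.endswith(".hmac"))
    return sorted(set(reference.split()) - set(present))

def unverifiable(root):
    """Checked objects present in the tree but lacking their dir/.name.hmac companion."""
    return relpaths(root, lambda p: p.name.startswith(CHECKED) and not p.name.endswith(".hmac")
                    and not p.with_name("." + p.name + ".hmac").is_file())

def build_sample_tree(root, beta):
    """Constructed stub tree mimicking the Alpha/Beta initrds (stubs, not real ELF files)."""
    objs = ["lib64/libcryptsetup.so.1.1.0", "lib64/libcryptsetup.so.1", "lib64/libgcrypt.so.11",
            "lib64/libfipscheck.so." + ("1.1.1" if beta else "1.1.0"), "lib64/libfipscheck.so.1",
            "sbin/cryptsetup", "usr/bin/fipscheck", "usr/lib64/libcrypto.so.1.0.1e",
            "usr/lib64/libcrypto.so.10", "usr/lib64/libssl.so.1.0.1e"]
    for rel in objs + ["usr/lib64/hmaccalc/sha512hmac.hmac"]:  # hmaccalc keeps its hmac here
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("stub\n")  # Beta reproduces the bug: no hmacs shipped for the openssl libs
        if not rel.endswith(".hmac") and not (beta and rel.startswith("usr/lib64/lib")):
            p.with_name("." + p.name + ".hmac").write_text("stub\n")

def diagnose(beta):
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, beta)
        return missing_vs_reference(root), unverifiable(root)
```

Run missing_vs_reference() and unverifiable() on a real extracted initrd root instead of the stub tree; the unverifiable() list is the one that predicts the boot-time "FIPS checksum verification failed" error.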
(In reply to Ondrej Moriš from comment #3)
> (In reply to Steve Grubb from comment #2)
> > My guess would be that a hmac file is not in the initrd. I am wondering if
> > you can tell if they are missing compared to an initrd made previously?
>
> Yes, this seems to be the cause:
>
> Alpha
> =====
>
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.0.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac
>
> Beta
> ====
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.1.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
>
> Therefore the following hmacs are missing in Beta initrd (when rebuilt with
> dracut-fips):
>
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac

Well, nothing changed in dracut. Is the package containing /usr/lib64/.libcrypto.so.1.0.1e.hmac installed at the time the initramfs gets created (rpm posttrans)?
Has this been retested with the current beta packages? This may be an artifact from the initial attempt to define the FIPS Product. If it is a leftover from moving the hmacs, then the bz can be closed. Thanks.
Proposing as blocker since the report says this prevents the system from booting.
*** Bug 1017755 has been marked as a duplicate of this bug. ***
On the latest rhel65 compose (looks to be from 09 Oct), I see the hmac files which were originally missing in comment 3:

[root@localhost initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

So it seems to me this can be closed.