
Bug 1010945

Summary: .hmac checksums for openssl are missing in initrd
Product: Red Hat Enterprise Linux 6
Reporter: Ondrej Moriš <omoris>
Component: anaconda
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED CURRENTRELEASE
QA Contact: Release Test Team <release-test-team-automation>
Severity: high
Priority: high
Version: 6.5
CC: agk, dracut-maint-list, ebenes, lkardos, mvadkert, okozina, omoris, prajnoha, prockai, sbueno, sforsber, sgrubb, zkabelac
Target Milestone: rc
Target Release: 6.5
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-10-11 20:06:41 UTC
Bug Blocks: 843829, 972747

Description Ondrej Moriš 2013-09-23 10:53:23 UTC
Description of problem:

When the encryption checkbox in the anaconda install of the RHEL-6.5 Beta candidate (RHEL6.5-20130913.0) is checked, anaconda uses a default disk encryption setup to encrypt /. You can successfully boot right after the installation with the chosen encryption password. However, when you turn the system into FIPS mode [1], the system does not boot at all: the password is not accepted and dracut prints the following error:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

[1] https://access.redhat.com/site/solutions/137833

Version-Release number of selected component (if applicable):

cryptsetup-luks-1.2.0-7.el6.x86_64
cryptsetup-luks-libs-1.2.0-7.el6.x86_64

fipscheck-1.2.0-9.el6.x86_64
nss-softokn-fips-3.14.3-8.el6.x86_64
openssh-clients-fips-5.3p1-93.el6.x86_64
nss-softokn-freebl-fips-3.14.3-8.el6.x86_64
openssl-fips-1.0.1e-11.el6.x86_64
openswan-fips-2.6.32-24.el6.x86_64
dracut-fips-004-328.el6.noarch
fipscheck-lib-1.2.0-9.el6.x86_64
openssh-server-fips-5.3p1-93.el6.x86_64

dracut-004-328.el6.noarch
dracut-fips-004-328.el6.noarch
dracut-kernel-004-328.el6.noarch

kernel-2.6.32-419.el6.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Install the system via GUI using disk encryption (no specific setup).
2. Boot the system (it should work fine).
3. Turn the system into FIPS mode:
   * prelink -u -a
   * yum remove -y prelink
   * yum install dracut-fips -y
   * add the kernel parameters to grub: fips=1 boot=/dev/vda1
     - where /dev/vda1 stands for boot partition (set it appropriately)
   * dracut -f -v
   * yum install "*-fips" -y
4. Reboot

Actual results:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

Expected results:

Successful boot.

Additional info:

This is a regression from Alpha (RHEL6.5-20130830.2), where a disk-encrypted system could be booted successfully.

Comment 1 Ondrej Moriš 2013-09-23 11:14:02 UTC
(In reply to Ondrej Moriš from comment #0)
> Description of problem:
> 
> When an encryption checkbox in anaconda install of RHEL-6.5 Beta candidate
> (RHEL6.5-20130913.0) is checked, anaconda use a default disk encryption
> setup to encrypt /. You can successfully boot right after the installation
> with chosen encryption password. However when you turn the system into fips
> mode [1], the system does not boot at all, the password is not accepted and
> dracut prints the following error:
> 
> Password (/dev/vda2):dracut: FIPS checksum verification failed.
> 
> [1] https://access.redhat.com/site/solutions/137833
> 
> Steps to Reproduce:
 
I have also upgraded to the latest packages, i.e. those from RHEL6.5-20130921.2:

  0. yum upgrade -y

> 1. Install the system via GUI using disk encryption (no specific setup).

Comment 2 Steve Grubb 2013-09-23 20:22:13 UTC
My guess would be that an hmac file is not in the initrd. I am wondering if you can tell whether they are missing compared to an initrd made previously?

Comment 3 Ondrej Moriš 2013-09-24 15:02:46 UTC
(In reply to Steve Grubb from comment #2)
> My guess would be that a hmac file is not in the initrd. I am wondering if
> you can tell if they are missing compared to an initrd made previously?

Yes, this seems to be the cause:

Alpha
=====

[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.0.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

Beta
====
[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac

Therefore the following hmacs are missing in Beta initrd (when rebuilt with dracut-fips):

./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac
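
The comparison from comment 3, as an added example that is not part of this bug report: a small Python check that lists the .hmac files inside a gzip-compressed cpio "newc" initramfs (the format RHEL 6's dracut writes) and reports which of the Alpha-era entries are absent, so the check can run against an image without unpacking it by hand. The expected set is taken from the Alpha listing above with the versioned libfipscheck entry left out (its version changed in Beta); build_newc() and the Beta-like sample are constructed for the demonstration and are assumptions, not dracut's own code.

```python
import gzip
# FIPS integrity files expected in the initrd, taken from the Alpha listing above.
# The versioned libfipscheck entry is left out because its version changed in Beta.
EXPECTED_HMACS = {
    "lib64/.libcryptsetup.so.1.1.0.hmac", "lib64/.libcryptsetup.so.1.hmac",
    "lib64/.libfipscheck.so.1.hmac", "lib64/.libgcrypt.so.11.hmac",
    "sbin/.cryptsetup.hmac", "usr/bin/.fipscheck.hmac",
    "usr/lib64/hmaccalc/sha512hmac.hmac", "usr/lib64/.libcrypto.so.1.0.1e.hmac",
    "usr/lib64/.libcrypto.so.10.hmac", "usr/lib64/.libssl.so.1.0.1e.hmac",
}
pad4 = lambda n: -n % 4  # newc pads header+name and file data to 4-byte boundaries

def cpio_newc_entries(data):
    """Yield (name, payload) for each entry of an uncompressed cpio 'newc' archive."""
    off = 0
    while off + 110 <= len(data):
        hdr = data[off:off + 110]
        if hdr[:6] != b"070701":
            raise ValueError("not a newc header at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]  # 13 hex fields
        filesize, namesize = f[6], f[11]  # namesize counts the trailing NUL
        name = data[off + 110:off + 110 + namesize - 1].decode()
        off += 110 + namesize + pad4(110 + namesize)
        payload = data[off:off + filesize]
        off += filesize + pad4(filesize)
        if name == "TRAILER!!!":
            return
        yield name, payload

def missing_hmacs(initrd_gz, expected=EXPECTED_HMACS):
    """Return the expected .hmac paths that are absent from a gzip-compressed newc initrd."""
    names = (n[2:] if n.startswith("./") else n
             for n, _ in cpio_newc_entries(gzip.decompress(initrd_gz)))
    return sorted(expected - {n for n in names if n.endswith(".hmac")})

def build_newc(files):
    """Build a gzip-compressed newc archive from {name: bytes} (for constructed samples)."""
    out = bytearray()
    for ino, (name, payload) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        nm = name.encode() + b"\0"
        vals = [ino, 0o100644, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(nm), 0]
        out += b"070701" + "".join("%08x" % v for v in vals).encode()
        out += nm + b"\0" * pad4(110 + len(nm)) + payload + b"\0" * pad4(len(payload))
    return gzip.compress(bytes(out))

def beta_initrd_check():
    """Constructed Beta-like initrd: openssl's three .hmac files are absent, as in comment 3."""
    beta = {"./" + p: b"x" for p in EXPECTED_HMACS if "libcrypto" not in p and "libssl" not in p}
    beta["./lib64/.libfipscheck.so.1.1.1.hmac"] = b"x"  # Beta's bumped libfipscheck version
    return missing_hmacs(build_newc(beta))
```

For a real image, pass the contents of the initramfs file under /boot to missing_hmacs(); an empty list means every expected integrity file is present.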

Comment 4 Harald Hoyer 2013-10-07 13:36:25 UTC
(In reply to Ondrej Moriš from comment #3)
> (In reply to Steve Grubb from comment #2)
> > My guess would be that a hmac file is not in the initrd. I am wondering if
> > you can tell if they are missing compared to an initrd made previously?
> 
> Yes, this seems to be the cause:
> 
> Alpha
> =====
> 
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.0.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac
> 
> Beta
> ====
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.1.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
> 
> Therefore the following hmacs are missing in Beta initrd (when rebuilt with
> dracut-fips):
> 
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac


Well, nothing changed in dracut. Is the package containing /usr/lib64/.libcrypto.so.1.0.1e.hmac installed at the time when the initramfs gets created (rpm posttrans)?

Comment 5 Steve Grubb 2013-10-09 14:08:07 UTC
Has this been retested with the current beta packages? This may be an artifact from the initial attempt to define the FIPS Product. If it is a leftover from moving the hmacs, then the bz can be closed. Thanks.

Comment 6 Suzanne Forsberg 2013-10-10 15:28:48 UTC
Proposing as blocker since the report says this prevents the system from booting.

Comment 7 Harald Hoyer 2013-10-11 12:32:53 UTC
*** Bug 1017755 has been marked as a duplicate of this bug. ***

Comment 8 Samantha N. Bueno 2013-10-11 20:06:41 UTC
On the latest rhel65 compose (looks to be from 09 Oct), I see the hmac files that were originally missing in comment 3:

[root@localhost initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

So it seems to me this can be closed.