Bug 1010945 - .hmac checksums for openssl are missing in initrd
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: anaconda
Version: 6.5
Hardware/OS: All Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 6.5
Assigned To: Anaconda Maintenance Team
QA Contact: Release Test Team
Duplicates: 1017755
Depends On:
Blocks: 843829 972747
Reported: 2013-09-23 06:53 EDT by Ondrej Moriš
Modified: 2014-08-14 05:14 EDT

Doc Type: Bug Fix
Last Closed: 2013-10-11 16:06:41 EDT
Type: Bug
Description Ondrej Moriš 2013-09-23 06:53:23 EDT
Description of problem:

When an encryption checkbox in anaconda install of RHEL-6.5 Beta candidate (RHEL6.5-20130913.0) is checked, anaconda uses a default disk encryption setup to encrypt /. You can successfully boot right after the installation with the chosen encryption password. However, when you turn the system into fips mode [1], the system does not boot at all, the password is not accepted and dracut prints the following error:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

[1] https://access.redhat.com/site/solutions/137833

Version-Release number of selected component (if applicable):

cryptsetup-luks-1.2.0-7.el6.x86_64
cryptsetup-luks-libs-1.2.0-7.el6.x86_64

fipscheck-1.2.0-9.el6.x86_64
nss-softokn-fips-3.14.3-8.el6.x86_64
openssh-clients-fips-5.3p1-93.el6.x86_64
nss-softokn-freebl-fips-3.14.3-8.el6.x86_64
openssl-fips-1.0.1e-11.el6.x86_64
openswan-fips-2.6.32-24.el6.x86_64
dracut-fips-004-328.el6.noarch
fipscheck-lib-1.2.0-9.el6.x86_64
openssh-server-fips-5.3p1-93.el6.x86_64

dracut-004-328.el6.noarch
dracut-fips-004-328.el6.noarch
dracut-kernel-004-328.el6.noarch

kernel-2.6.32-419.el6.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Install the system via GUI using disk encryption (no specific setup).
2. Boot the system (it should work fine).
3. Turn the system into FIPS mode:
   * prelink -u -a
   * yum remove -y prelink
   * yum install dracut-fips -y
   * add the kernel parameters to grub: fips=1 boot=/dev/vda1
     - where /dev/vda1 stands for boot partition (set it appropriately)
   * dracut -f -v
   * yum install "*-fips" -y
4. Reboot

Actual results:

Password (/dev/vda2):dracut: FIPS checksum verification failed.

Expected results:

Successful boot.

Additional info:

This is a regression from Alpha (RHEL6.5-20130830.2), where a disk-encrypted system could be booted successfully.
Comment 1 Ondrej Moriš 2013-09-23 07:14:02 EDT
(In reply to Ondrej Moriš from comment #0)
> Description of problem:
> 
> When an encryption checkbox in anaconda install of RHEL-6.5 Beta candidate
> (RHEL6.5-20130913.0) is checked, anaconda uses a default disk encryption
> setup to encrypt /. You can successfully boot right after the installation
> with the chosen encryption password. However, when you turn the system into fips
> mode [1], the system does not boot at all, the password is not accepted and
> dracut prints the following error:
> 
> Password (/dev/vda2):dracut: FIPS checksum verification failed.
> 
> [1] https://access.redhat.com/site/solutions/137833
> 
> Steps to Reproduce:
 
I have also upgraded to the latest packages - ie. those from RHEL6.5-20130921.2:

  0. yum upgrade -y

> 1. Install the system via GUI using disk encryption (no specific setup).
Comment 2 Steve Grubb 2013-09-23 16:22:13 EDT
My guess would be that an hmac file is not in the initrd. I am wondering if you can tell if they are missing compared to an initrd made previously?
Comment 3 Ondrej Moriš 2013-09-24 11:02:46 EDT
(In reply to Steve Grubb from comment #2)
> My guess would be that an hmac file is not in the initrd. I am wondering if
> you can tell if they are missing compared to an initrd made previously?

Yes, this seems to be the cause:

Alpha
=====

[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.0.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

Beta
====
[initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac

Therefore the following hmacs are missing in the Beta initrd (when rebuilt with dracut-fips):

./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac
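The comparison above was done by eye. The following script, an added example that is not part of this bug report or of dracut-fips, walks an extracted initrd tree and reports every FIPS-checked object that lacks its companion checksum, using the ".<name>.hmac" placement visible in the listings (the glob patterns and the constructed sample tree are my own assumptions, not anything the report specifies).

```shell
#!/bin/sh
# Check an extracted initrd for FIPS objects without a ".<name>.hmac" beside them.
# Convention taken from the listings in this bug: /path/<file> -> /path/.<file>.hmac

# Relative path of the .hmac companion for a given file.
hmac_path() {
    printf '%s/.%s.hmac\n' "$(dirname "$1")" "$(basename "$1")"
}

# missing_hmacs ROOT GLOB... : print (relative to ROOT) every object matching the
# globs that has no .hmac companion. Exit 0 if all present, 1 if any is missing.
# Dot-files such as the .hmac files themselves never match a glob like "libssl.so.*".
missing_hmacs() {
    root=$1; shift
    rc=0
    for pat in "$@"; do
        for f in "$root"/$pat; do
            [ -e "$f" ] || continue          # glob matched nothing
            if [ ! -f "$(hmac_path "$f")" ]; then
                printf '%s\n' "${f#"$root"/}"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample tree mirroring the Beta initrd from comment 3 (assumption,
# not a real initrd): libcryptsetup has its checksum, libcrypto and libssl do not.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/lib64" "$d/usr/lib64"
    : > "$d/lib64/libcryptsetup.so.1.1.0"
    : > "$d/lib64/.libcryptsetup.so.1.1.0.hmac"
    : > "$d/usr/lib64/libcrypto.so.1.0.1e"
    : > "$d/usr/lib64/libssl.so.1.0.1e"
    printf '%s\n' "$d"
}

# Usage against a real tree after "dracut -f -v" and unpacking the image:
#   missing_hmacs /path/to/extracted/initrd 'lib64/libcryptsetup.so.*' \
#       'usr/lib64/libcrypto.so.*' 'usr/lib64/libssl.so.*'
```

A non-zero exit status from missing_hmacs is the same condition that makes dracut print "FIPS checksum verification failed" at boot, so it is worth running before rebooting into fips=1.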
Comment 4 Harald Hoyer 2013-10-07 09:36:25 EDT
(In reply to Ondrej Moriš from comment #3)
> (In reply to Steve Grubb from comment #2)
> > My guess would be that a hmac file is not in the initrd. I am wondering if
> > you can tell if they are missing compared to an initrd made previously?
> 
> Yes, this seems to be the cause:
> 
> Alpha
> =====
> 
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.0.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac
> 
> Beta
> ====
> [initrd]# find . -name "*.hmac" | sort
> ./lib64/.libcryptsetup.so.1.1.0.hmac
> ./lib64/.libcryptsetup.so.1.hmac
> ./lib64/.libfipscheck.so.1.1.1.hmac
> ./lib64/.libfipscheck.so.1.hmac
> ./lib64/.libgcrypt.so.11.hmac
> ./sbin/.cryptsetup.hmac
> ./usr/bin/.fipscheck.hmac
> ./usr/lib64/hmaccalc/sha512hmac.hmac
> 
> Therefore the following hmacs are missing in the Beta initrd (when rebuilt with
> dracut-fips):
> 
> ./usr/lib64/.libcrypto.so.1.0.1e.hmac
> ./usr/lib64/.libcrypto.so.10.hmac
> ./usr/lib64/.libssl.so.1.0.1e.hmac


Well, nothing changed in dracut. Is the package containing /usr/lib64/.libcrypto.so.1.0.1e.hmac installed at the time when the initramfs gets created (rpm posttrans)?
Comment 5 Steve Grubb 2013-10-09 10:08:07 EDT
Has this been retested with the current beta packages? This may be an artifact from the initial attempt to define the FIPS Product. If it is a leftover from moving the hmacs, then the bz can be closed. Thanks.
Comment 6 Suzanne Forsberg 2013-10-10 11:28:48 EDT
Proposing as blocker since the report says this prevents the system from booting.
Comment 7 Harald Hoyer 2013-10-11 08:32:53 EDT
*** Bug 1017755 has been marked as a duplicate of this bug. ***
Comment 8 Samantha N. Bueno 2013-10-11 16:06:41 EDT
On the latest rhel65 compose (looks to be from 09 Oct), I see the hmac files which were originally missing in comment 3:

[root@localhost initrd]# find . -name "*.hmac" | sort
./lib64/.libcryptsetup.so.1.1.0.hmac
./lib64/.libcryptsetup.so.1.hmac
./lib64/.libfipscheck.so.1.1.1.hmac
./lib64/.libfipscheck.so.1.hmac
./lib64/.libgcrypt.so.11.hmac
./sbin/.cryptsetup.hmac
./usr/bin/.fipscheck.hmac
./usr/lib64/hmaccalc/sha512hmac.hmac
./usr/lib64/.libcrypto.so.1.0.1e.hmac
./usr/lib64/.libcrypto.so.10.hmac
./usr/lib64/.libssl.so.1.0.1e.hmac

So it seems to me this can be closed.

Note You need to log in before you can comment on or make changes to this bug.