1184142 – RHEL 6.6 kernel will not boot with fips enabled

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1184142 - RHEL 6.6 kernel will not boot with fips enabled

Summary: RHEL 6.6 kernel will not boot with fips enabled

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	dracut
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Harald Hoyer
QA Contact:	Release Test Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-01-20 16:34 UTC by Allie DeVolder
Modified:	2019-05-20 11:26 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: nss-softokn-freebl changed files internally. Consequence: dracut could not build an initramfs for FIPS mode, because one file was missing. Fix: nss-softokn-freebl delivers its own dracut module and dracut requires now nss-softokn-freebl >= 3.14.3-22.el6_6 Result: dracut can build a FIPS enabled initramfs with all files.
Clone Of:
Environment:
Last Closed:	2015-07-22 06:38:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:1328	0	normal	SHIPPED_LIVE	dracut bug fix and enhancement update	2015-07-20 17:53:04 UTC

Description Allie DeVolder 2015-01-20 16:34:02 UTC

Description of problem:
When upgrading to RHEL 6.6, dracut failed to create an initrd, and manual attempts to create an initrd failed with "Failed to install /usr/lib64/libfreebl3.chk". After following the bugzilla workaround to create a dummy file, the resulting initrd panics on boot as follows:
~~~
Kernel Panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
Pid: 1, comm: swapper Not tainted 2.6.32-504.3.3.el6.x86_64 #1
Call Trace:
~~~


Version-Release number of selected component (if applicable):
dracut-004-356.el6.noarch        
dracut-fips-004-356.el6.noarch   
dracut-kernel-004-356.el6.noarch 


How reproducible:
Unknown

Steps to Reproduce:
1. Update FIPS-enabled system to RHEL 6.6
2. Create initrd manually with dracut after update fails to have done so
3. Attempt to boot with FIPS enabled

Actual results:
Panic

Expected results:
Successful upgrade and reboot

Additional info:

Comment 2 Harald Hoyer 2015-01-21 12:51:33 UTC

(In reply to Allan Voss from comment #0)
> Description of problem:
> When upgrading to RHEL 6.6, dracut failed to create an initrd, and manual
> attempts to create an initrd failed with "Failed to install
> /usr/lib64/libfreebl3.chk". After following the bugzilla workaround to
> create a dummy file, the resulting initrd panics on boot as follows:
> ~~~
> Kernel Panic - not syncing: VFS: Unable to mount root fs on
> unknown-block(0,0)
> Pid: 1, comm: swapper Not tainted 2.6.32-504.3.3.el6.x86_64 #1
> Call Trace:
> ~~~


This kernel message says, that no initramfs was loaded by the kernel. Are you sure, you created the initramfs image correctly? Is your bootloader config correct?

Comment 3 Harald Hoyer 2015-01-21 12:53:39 UTC

Please provide the output of:

# dracut --debug test.img

Comment 8 Marcel Kolaja 2015-01-30 11:25:15 UTC

This bug should be resolved in RHEL 6.6.z within bug #1182725 and will be resolved in RHEL 6.7 within bug #1182297. Am I getting it right Harald? Thanks!

Comment 12 Pavel Holica 2015-05-13 09:51:57 UTC

Reproduced on RHEL-6.6 with nss-softokn-3.14.3-19.el6_6 and nss-softokn-freebl-3.14.3-19.el6_6 updated from RHN.

Verified that dracut from RHEL-6.7-20150506.0 requires nss-softokn-freebl >= 3.14.3-22.el6_6. nss-softokn-freebl-3.14.3-22.el6_6 is available in compose and on RHN already. After nss-softokn-freebl update, dracut was able to successfully buil initramfs and boot in fips mode.

Moving to VERIFIED.

Comment 13 errata-xmlrpc 2015-07-22 06:38:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1328.html

Note You need to log in before you can comment on or make changes to this bug.