Bug 1184142 - RHEL 6.6 kernel will not boot with fips enabled
Summary: RHEL 6.6 kernel will not boot with fips enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dracut
Version: 6.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Harald Hoyer
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-20 16:34 UTC by Allie DeVolder
Modified: 2019-05-20 11:26 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: nss-softokn-freebl changed files internally. Consequence: dracut could not build an initramfs for FIPS mode, because one file was missing. Fix: nss-softokn-freebl delivers its own dracut module and dracut requires now nss-softokn-freebl >= 3.14.3-22.el6_6 Result: dracut can build a FIPS enabled initramfs with all files.
Clone Of:
Environment:
Last Closed: 2015-07-22 06:38:10 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1328 normal SHIPPED_LIVE dracut bug fix and enhancement update 2015-07-20 17:53:04 UTC

Description Allie DeVolder 2015-01-20 16:34:02 UTC
Description of problem:
When upgrading to RHEL 6.6, dracut failed to create an initrd, and manual attempts to create an initrd failed with "Failed to install /usr/lib64/libfreebl3.chk". After following the bugzilla workaround to create a dummy file, the resulting initrd panics on boot as follows:
~~~
Kernel Panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
Pid: 1, comm: swapper Not tainted 2.6.32-504.3.3.el6.x86_64 #1
Call Trace:
~~~


Version-Release number of selected component (if applicable):
dracut-004-356.el6.noarch        
dracut-fips-004-356.el6.noarch   
dracut-kernel-004-356.el6.noarch 


How reproducible:
Unknown

Steps to Reproduce:
1. Update FIPS-enabled system to RHEL 6.6
2. Create initrd manually with dracut after update fails to have done so
3. Attempt to boot with FIPS enabled

Actual results:
Panic

Expected results:
Successful upgrade and reboot

Additional info:

Comment 2 Harald Hoyer 2015-01-21 12:51:33 UTC
(In reply to Allan Voss from comment #0)
> Description of problem:
> When upgrading to RHEL 6.6, dracut failed to create an initrd, and manual
> attempts to create an initrd failed with "Failed to install
> /usr/lib64/libfreebl3.chk". After following the bugzilla workaround to
> create a dummy file, the resulting initrd panics on boot as follows:
> ~~~
> Kernel Panic - not syncing: VFS: Unable to mount root fs on
> unknown-block(0,0)
> Pid: 1, comm: swapper Not tainted 2.6.32-504.3.3.el6.x86_64 #1
> Call Trace:
> ~~~


This kernel message says, that no initramfs was loaded by the kernel. Are you sure, you created the initramfs image correctly? Is your bootloader config correct?

Comment 3 Harald Hoyer 2015-01-21 12:53:39 UTC
Please provide the output of:

# dracut --debug test.img

Comment 8 Marcel Kolaja 2015-01-30 11:25:15 UTC
This bug should be resolved in RHEL 6.6.z within bug #1182725 and will be resolved in RHEL 6.7 within bug #1182297. Am I getting it right Harald? Thanks!

Comment 12 Pavel Holica 2015-05-13 09:51:57 UTC
Reproduced on RHEL-6.6 with nss-softokn-3.14.3-19.el6_6 and nss-softokn-freebl-3.14.3-19.el6_6 updated from RHN.

Verified that dracut from RHEL-6.7-20150506.0 requires nss-softokn-freebl >= 3.14.3-22.el6_6. nss-softokn-freebl-3.14.3-22.el6_6 is available in compose and on RHN already. After nss-softokn-freebl update, dracut was able to successfully buil initramfs and boot in fips mode.

Moving to VERIFIED.

Comment 13 errata-xmlrpc 2015-07-22 06:38:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1328.html


Note You need to log in before you can comment on or make changes to this bug.