Created attachment 1223523
All the logs in /var/log/ and sosreport

Description of problem:
Installed RHEVH in FIPS mode by appending FIPS=1 to the cmdline, but crypto.fips_enabled is 0 and the output of /proc/sys/crypto/fips_enabled is 0; they should be 1.

Version-Release number of selected component (if applicable):
rhevh-7.3-20161028.1.el6ev.iso
ovirt-node-3.6.1-34.0.el7ev.noarch
fipscheck-1.4.1-5.el7.x86_64
dracut-fips-033-463.el7.x86_64
hmaccalc-0.9.13-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start installation in FIPS mode, appending FIPS=1 to the cmdline
2. Reboot the system
3. Log in to the system using SSH,
# cat /proc/sys/crypto/fips_enabled
# sysctl crypto.fips_enabled

Actual results:
In step 3, both outputs are 0:
# cat /proc/sys/crypto/fips_enabled
0
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

Expected results:
In step 3, both outputs should be 1.

Additional info:
# cat ./dev/.initramfs/live/grub2/grub.cfg
#default saved
set timeout=5
#hiddenmenu
menuentry "RHEV-H 7.3-20161028.1.el7ev" {
set root=(hd0,3)
search --no-floppy --label Root --set root
linux /vmlinuz0 root=live:LABEL=Root ro rootfstype=auto rootflags=ro ksdevice=bootif rd.dm=0 rd.md=0 crashkernel=256M lang= max_loop=256 rhgb quiet elevator=deadline rd.live.check rd.luks=0 rd.live.image FIPS=1
initrd /initrd0.img
}
dracut-fips might be missing. But did you use fips=1 (non-capital letters)?
(In reply to Fabian Deutsch from comment #1)
> dracut-fips might be missing.
>
> But did you use fips=1 (non-capital letters)?

I tested with fips=1 (non-capital letters) just now, no such issue.

Test steps:
1. Start installation in FIPS mode, appending fips=1 to the cmdline
2. Reboot the system
3. Log in to the system using SSH,
# cat /proc/sys/crypto/fips_enabled
# sysctl crypto.fips_enabled

Test result:
In step 3, both outputs are 1.

So for vintage RHEV-H, we should use fips=1 in the cmdline to make it effective?
Yes.
Thanks Fabian. According to Comment 2 and Comment 3, I will close this bug.
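Added example, not part of the original bug thread: a small POSIX shell check that flags the condition found here, where a mis-cased FIPS=1 token on the kernel command line leaves crypto.fips_enabled at 0. The function name check_fips_cmdline and its result strings are hypothetical, and the sample command line is constructed from the grub.cfg in the report.

```shell
#!/bin/sh
# Classify a kernel command line against the observed crypto.fips_enabled value.
#   $1 = kernel command line string
#   $2 = content of /proc/sys/crypto/fips_enabled (0 or 1)
# Prints: enabled | requested-not-active | miscased:<token> | not-requested
# (hypothetical helper and result names, chosen for this example)
check_fips_cmdline() (
    set -f          # no filename globbing while splitting the command line
    exact=""        # value of a correctly spelled, lower-case fips= token
    miscased=""     # first token such as FIPS=1 or Fips=1
    for tok in $1; do
        case $tok in
            fips=*) exact=${tok#fips=} ;;
            [Ff][Ii][Pp][Ss]=*) [ -n "$miscased" ] || miscased=$tok ;;
        esac
    done
    if [ "$exact" = 1 ] && [ "$2" = 1 ]; then
        echo enabled
    elif [ "$exact" = 1 ]; then
        # fips=1 was passed but the kernel reports 0; comment 1 in the
        # thread suggests a missing dracut-fips as one thing to check.
        echo requested-not-active
    elif [ "${miscased#*=}" = 1 ]; then
        # The case reported in this bug: the parameter is present but
        # spelled with capital letters, so it has no effect.
        echo "miscased:$miscased"
    else
        echo not-requested
    fi
)

# Constructed sample: shortened command line from the report, with the
# fips_enabled value the reporter observed.
sample='root=live:LABEL=Root ro rd.live.check rd.luks=0 rd.live.image FIPS=1'
check_fips_cmdline "$sample" 0
```

On a live host, pass the real values: check_fips_cmdline "$(cat /proc/cmdline)" "$(cat /proc/sys/crypto/fips_enabled)".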