Bug 1415032 - dracut-fips does not check the path in BOOT_IMAGE for .hmac
Summary: dracut-fips does not check the path in BOOT_IMAGE for .hmac
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dracut
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukáš Nykrýn
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-01-20 02:11 UTC by Ryan Barry
Modified: 2019-12-10 16:52 UTC
CC List: 10 users

Fixed In Version: dracut-033-534.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 18:07:53 UTC
Target Upstream Version:




Links
Red Hat Bugzilla 1414664 (CLOSED): System halted when booting new build after upgrade if the old build enable fips (last updated 2021-02-22 00:41:40 UTC)
Red Hat Product Errata RHBA-2018:0964 (last updated 2018-04-10 18:10:22 UTC)

Internal Links: 1414664

Description Ryan Barry 2017-01-20 02:11:01 UTC
Description of problem:
dracut-fips does not check BOOT_IMAGE carefully, and assumes .vmlinuz*.hmac will always be found in /boot, even when BOOT_IMAGE specifies a kernel in a subdirectory.

Version-Release number of selected component (if applicable):
dracut-fips-033-463.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Put vmlinuz, initramfs, System.map, and .vmlinuz*.hmac in a subdirectory of /boot
2. Try to boot with fips=1

Actual results:
dracut-fips cannot find .vmlinuz*.hmac

Expected results:
BOOT_IMAGE supports booting from subdirectories, so dracut-fips should do the same.

Comment 3 Jan Stodola 2017-02-07 09:38:54 UTC
Harald, Lukáš,
the patch would probably break booting on s390x, since BOOT_IMAGE there doesn't contain the path to the kernel image - it identifies the number of the boot record that was selected in the bootloader, for example:

[root@rtt7 ~]# cat /proc/cmdline 
root=/dev/mapper/rhel_rtt7-root crashkernel=auto rd.dasd=0.0.3227 rd.dasd=0.0.3427 rd.dasd=0.0.3727 rd.dasd=0.0.3027 rd.dasd=0.0.3527 rd.dasd=0.0.3327 rd.dasd=0.0.3127 rd.dasd=0.0.3627 rd.lvm.lv=rhel_rtt7/root rd.lvm.lv=rhel_rtt7/swap cio_ignore=all,!condev rd.znet=qeth,0.0.0a00,0.0.0a01,0.0.0a02,layer2=1,portno=0,portname=FOOBAR BOOT_IMAGE=2
[root@rtt7 ~]#
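As an added example (not dracut's code and not from any commenter), the two lookups below model the behaviour this bug describes and the behaviour it asks for: the pre-fix lookup keeps only the file name of BOOT_IMAGE and therefore always looks in /boot, while the fixed lookup keeps the subdirectory, tolerates a leading /boot and a GRUB device prefix such as "(hd0,msdos1)" (an assumption about what the bootloader may prepend; the page does not show such a value), and falls back to vmlinuz-$(uname -r) when BOOT_IMAGE is not a path at all, which is the s390x BOOT_IMAGE=2 case from comment 3. The directory standing in for /boot and the kernel release strings are constructed for the example; only the location of the .hmac file is modelled, not the HMAC verification itself.

```shell
#!/bin/sh
# Added example, not dracut's code: derive where a kernel's .hmac file should be
# from the BOOT_IMAGE kernel argument. $boot stands in for /boot so the functions
# can be exercised against a scratch directory; kernel release strings and the
# directory layout in make_scratch_boot are constructed.

# Behaviour this bug reports: only the file name part of BOOT_IMAGE is used, so the
# .hmac of a kernel installed in a subdirectory is looked for directly in $boot.
hmac_path_old() {
    boot=$1 img=$2
    name=${img##*/}
    printf '%s\n' "$boot/.$name.hmac"
}

# Fixed behaviour: keep the directory part of BOOT_IMAGE, drop a GRUB device prefix
# (assumed form "(hd0,msdos1)/..."), drop a leading /boot when /boot is not a
# separate filesystem, and fall back to the running kernel when BOOT_IMAGE is not a
# usable path (on s390x it is the zipl boot-record number, e.g. BOOT_IMAGE=2).
hmac_path_fixed() {
    boot=$1 img=$2 krel=$3
    case $img in
        \(*\)*) img=${img#*\)} ;;      # "(hd0,msdos1)/vmlinuz-..." -> "/vmlinuz-..."
    esac
    name=${img##*/}                    # file name component
    dir=${img%"$name"}                 # directory part, trailing slash kept, or empty
    dir=${dir#/}                       # make it relative to $boot
    if [ -n "$name" ] && [ ! -e "$boot/$dir$name" ]; then
        dir=${dir#boot/}               # BOOT_IMAGE may itself start with /boot/
    fi
    if [ -z "$name" ] || [ ! -e "$boot/$dir$name" ]; then
        dir= name="vmlinuz-$krel"      # not a path we can find: assume running kernel
    fi
    printf '%s\n' "$boot/$dir.$name.hmac"
}

# Constructed scratch tree standing in for /boot: one kernel in a subdirectory
# (the layout this bug is about) and one at the top level.
make_scratch_boot() {
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/rhel-7.4"
    : > "$d/rhel-7.4/vmlinuz-3.10.0-693.el7.x86_64"
    : > "$d/rhel-7.4/.vmlinuz-3.10.0-693.el7.x86_64.hmac"
    : > "$d/vmlinuz-3.10.0-514.el7.x86_64"
    : > "$d/.vmlinuz-3.10.0-514.el7.x86_64.hmac"
    printf '%s\n' "$d"
}

# Stand-alone demonstration: $1 = BOOT_IMAGE value, $2 = running kernel release.
demo_case() {
    printf 'BOOT_IMAGE=%s (running kernel %s)\n' "$1" "$2"
    for which in old fixed; do
        p=$(hmac_path_$which "$BOOT" "$1" "$2")
        if [ -e "$p" ]; then st=found; else st=missing; fi
        printf '  %-5s %s  %s\n' "$which" "${p#"$BOOT"}" "$st"
    done
}

BOOT=$(make_scratch_boot)
demo_case "/rhel-7.4/vmlinuz-3.10.0-693.el7.x86_64" 3.10.0-693.el7.x86_64
demo_case "(hd0,msdos1)/boot/rhel-7.4/vmlinuz-3.10.0-693.el7.x86_64" 3.10.0-693.el7.x86_64
demo_case 2 3.10.0-514.el7.x86_64      # s390x-style value, see comment 3
rm -rf "$BOOT"
```

The fallback branch is what keeps the s390x case booting: a bare number never resolves to a file under $boot, so the lookup ends up at /boot/.vmlinuz-$(uname -r).hmac exactly as before the change, whereas a kernel in a subdirectory on x86_64 now gets its .hmac looked up next to it.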

Comment 4 Harald Hoyer 2017-06-29 08:41:09 UTC
(In reply to Jan Stodola from comment #3)
> Harald, Lukáš,
> the patch would probably break booting on s390x, since BOOT_IMAGE there
> doesn't contain the path to the kernel image - it identifies the number of
> the boot record that was selected in the bootloader, for example:
> 
> [root@rtt7 ~]# cat /proc/cmdline 
> root=/dev/mapper/rhel_rtt7-root crashkernel=auto rd.dasd=0.0.3227
> rd.dasd=0.0.3427 rd.dasd=0.0.3727 rd.dasd=0.0.3027 rd.dasd=0.0.3527
> rd.dasd=0.0.3327 rd.dasd=0.0.3127 rd.dasd=0.0.3627 rd.lvm.lv=rhel_rtt7/root
> rd.lvm.lv=rhel_rtt7/swap cio_ignore=all,!condev
> rd.znet=qeth,0.0.0a00,0.0.0a01,0.0.0a02,layer2=1,portno=0,portname=FOOBAR
> BOOT_IMAGE=2
> [root@rtt7 ~]#

https://github.com/dracutdevs/dracut/commit/3d875f77f3d1c5e4161794ca59025bc6bcd77eaa

Comment 18 Jakub Vavra 2018-02-23 14:02:25 UTC
Due to the internal workings of booting on s390x, this fix does not work there, because BOOT_IMAGE is not populated with the expected string but with a number instead.
On x86_64 the patch works as expected.
On s390x, the normal boot with everything in /boot is unaffected, but moving the kernel, initrd and hmac into a subdirectory results in a broken boot, as the hmac is still expected directly in /boot.

I am marking this as VERIFIED.

Comment 21 errata-xmlrpc 2018-04-10 18:07:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0964

Comment 22 Jonathan Lebon 2019-12-10 16:52:04 UTC
Related to this, note that dracut was updated to handle relative paths in the HMAC file: https://github.com/dracutdevs/dracut/pull/661/commits/7e326aaf89f233818788df783e78a9854de2b54c. And rpm-ostree today hacks up the HMAC file for this: https://github.com/coreos/rpm-ostree/pull/1934.

