Bug 1415032 - dracut-fips does not check the path in BOOT_IMAGE for .hmac
Summary: dracut-fips does not check the path in BOOT_IMAGE for .hmac
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dracut
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lukáš Nykrýn
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-20 02:11 UTC by Ryan Barry
Modified: 2019-12-10 16:52 UTC (History)

Fixed In Version: dracut-033-534.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 18:07:53 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1414664 0 unspecified CLOSED System halted when booting new build after upgrade if the old build enable fips 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2018:0964 0 None None None 2018-04-10 18:10:22 UTC

Internal Links: 1414664

Description Ryan Barry 2017-01-20 02:11:01 UTC
Description of problem:
dracut-fips does not check BOOT_IMAGE carefully, and assumes .vmlinuz*.hmac will always be found in /boot, even when BOOT_IMAGE specifies a kernel in a subdirectory.

Version-Release number of selected component (if applicable):
dracut-fips-033-463.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Put vmlinuz, initramfs, System.map, and .vmlinuz*.hmac in a subdirectory of /boot
2. Try to boot with fips=1

Actual results:
dracut-fips cannot find .vmlinuz*.hmac

Expected results:
BOOT_IMAGE supports booting from subdirectories, so dracut-fips should do the same.

Comment 3 Jan Stodola 2017-02-07 09:38:54 UTC
Harald, Lukáš,
the patch would probably break booting on s390x, since BOOT_IMAGE there doesn't contain the path to the kernel image - it identifies the number of the boot record that was selected in the bootloader, for example:

[root@rtt7 ~]# cat /proc/cmdline 
root=/dev/mapper/rhel_rtt7-root crashkernel=auto rd.dasd=0.0.3227 rd.dasd=0.0.3427 rd.dasd=0.0.3727 rd.dasd=0.0.3027 rd.dasd=0.0.3527 rd.dasd=0.0.3327 rd.dasd=0.0.3127 rd.dasd=0.0.3627 rd.lvm.lv=rhel_rtt7/root rd.lvm.lv=rhel_rtt7/swap cio_ignore=all,!condev rd.znet=qeth,0.0.0a00,0.0.0a01,0.0.0a02,layer2=1,portno=0,portname=FOOBAR BOOT_IMAGE=2
[root@rtt7 ~]#

Comment 4 Harald Hoyer 2017-06-29 08:41:09 UTC
(In reply to Jan Stodola from comment #3)
> Harald, Lukáš,
> the patch would probably break booting on s390x, since BOOT_IMAGE there
> doesn't contain the path to the kernel image - it identifies the number of
> the boot record that was selected in the bootloader, for example:
> 
> [root@rtt7 ~]# cat /proc/cmdline 
> root=/dev/mapper/rhel_rtt7-root crashkernel=auto rd.dasd=0.0.3227
> rd.dasd=0.0.3427 rd.dasd=0.0.3727 rd.dasd=0.0.3027 rd.dasd=0.0.3527
> rd.dasd=0.0.3327 rd.dasd=0.0.3127 rd.dasd=0.0.3627 rd.lvm.lv=rhel_rtt7/root
> rd.lvm.lv=rhel_rtt7/swap cio_ignore=all,!condev
> rd.znet=qeth,0.0.0a00,0.0.0a01,0.0.0a02,layer2=1,portno=0,portname=FOOBAR
> BOOT_IMAGE=2
> [root@rtt7 ~]#

https://github.com/dracutdevs/dracut/commit/3d875f77f3d1c5e4161794ca59025bc6bcd77eaa

Comment 18 Jakub Vavra 2018-02-23 14:02:25 UTC
Due to the internal workings of booting on s390x, this fix does not work there, because BOOT_IMAGE is not populated with the expected string but with a number instead.
On x86_64 the patch works as expected.
On s390x, the normal boot with everything in /boot is unaffected, but moving the kernel, initrd and hmac into a subdirectory results in a broken boot, as the hmac is still expected directly in /boot.

I am marking this as VERIFIED.

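As an added illustration (example code written here, not dracut's own fips.sh) of what the report and comments 3 and 18 describe: deriving the .hmac location from BOOT_IMAGE, honouring a subdirectory under /boot, and falling back to the traditional location when BOOT_IMAGE is not a path at all, as on s390x where it carries a boot-record number. The names resolve_hmac, legacy_hmac and the BOOT_ROOT override are assumptions made here so the logic can be exercised on a scratch directory.

```shell
# resolve_hmac BOOT_IMAGE KERNEL_VERSION
# Prints the path of the kernel's .hmac file, or returns 1 if none exists.
resolve_hmac() {
    boot_image=$1
    kernel=$2
    boot_root=${BOOT_ROOT:-/boot}   # assumed knob: lets the function run on a scratch dir

    # Defensive: drop a GRUB device prefix such as "(hd0,gpt2)" if one is present.
    case $boot_image in
        \(*\)*) boot_image=${boot_image#*\)} ;;
    esac

    name=${boot_image##*/}          # file name, e.g. vmlinuz-3.10.0-693.el7.x86_64
    dir=${boot_image%"$name"}       # directory part with trailing slash, may be empty
    dir=${dir#/}                    # make it relative to the boot root

    if [ -z "$name" ] || ! [ -e "$boot_root/$dir$name" ]; then
        # /boot on the root filesystem: BOOT_IMAGE then starts with /boot/, which
        # must not be repeated under the boot root.
        dir=${dir#boot/}
        if [ -z "$name" ] || ! [ -e "$boot_root/$dir$name" ]; then
            # Not a usable path at all (s390x passes a boot-record number such as
            # BOOT_IMAGE=2): fall back to the traditional location under /boot.
            name="vmlinuz-$kernel"
            dir=""
        fi
    fi

    hmac="$boot_root/$dir.$name.hmac"
    [ -e "$hmac" ] || return 1
    printf '%s\n' "$hmac"
}

# The behaviour the bug reports: the HMAC is always expected directly under
# /boot, whatever directory BOOT_IMAGE points into.
legacy_hmac() {
    printf '%s\n' "${BOOT_ROOT:-/boot}/.vmlinuz-$1.hmac"
}
```

The integrity check itself (sha512hmac -c on the returned file) would then run against that path instead of the hard-coded /boot one.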
Comment 21 errata-xmlrpc 2018-04-10 18:07:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0964

Comment 22 Jonathan Lebon 2019-12-10 16:52:04 UTC
Related to this, note that dracut was updated to handle relative paths in the HMAC file: https://github.com/dracutdevs/dracut/pull/661/commits/7e326aaf89f233818788df783e78a9854de2b54c. And rpm-ostree today hacks up the HMAC file for this: https://github.com/coreos/rpm-ostree/pull/1934.