Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1593153

Summary: Failed to boot RHVH with fips enable
Product: Red Hat Enterprise Virtualization Manager
Reporter: cshao <cshao>
Component: rhev-hypervisor-ng
Assignee: Ryan Barry <rbarry>
Status: CLOSED WORKSFORME
QA Contact: cshao <cshao>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 4.2.4
CC: cshao, dfediuck, huzhao, jiaczhan, qiyuan, sbonazzo, weiwang, yaniwang, ycui, yzhao
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-21 19:19:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description   Flags
fip=1         none
fip=1_grub    none

Description cshao 2018-06-20 08:06:10 UTC
Created attachment 1453144
fip=1

Description of problem:
Failed to boot RHVH with FIPS enabled.

dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.2-20180615.0
imgbased-1.0.19-0.1.el7ev.noarch
dracut-fips-033-535.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH via anaconda GUI.
2. Reboot, add fips=1 into grub.
3.

Actual results:
Failed to boot RHVH with FIPS enabled.

Expected results:
Booting RHVH can succeed with FIPS enabled.

Additional info:
No such issue on previous build redhat-virtualization-host-4.2-20180430.0, so this is a regression bug.

Comment 1 cshao 2018-06-20 08:07:11 UTC
Created attachment 1453145
fip=1_grub

Comment 3 Ryan Barry 2018-06-21 02:56:11 UTC
I can't reproduce this.

Can you please provide a test system with IPMI?

Also, the output of booting with "quiet" removed and "rd.debug" added, please.

Comment 4 cshao 2018-06-21 06:37:58 UTC
(In reply to Ryan Barry from comment #3)
> I can't reproduce this.
> 
> Can you please provide a test system with IPMI?
> 
> Also, the output of booting with "quiet" removed and "rd.debug" added,
> please.

I already sent the test env to you by mail.

Comment 5 Ryan Barry 2018-06-21 19:19:04 UTC
I also can't reproduce on this system.

Note that, on RHEL7, "boot=UUID=${uuid_of_boot_partition}" is required. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

You can also log into the provided test system, which is currently booted in FIPS mode, and look at the changes to /boot/grub2/grub.cfg. Specifically, I added:

fips=1 boot=UUID=$(blkid -s UUID -o value /dev/sda1)
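
A check for the requirement cited in comment 5, as an added example (not code from this bug or from the RHVH project): it builds the boot=UUID= argument from blkid output and flags a command line that has fips=1 without a usable boot= value. It assumes /boot is a separate partition; the function names, the blkid sample and the command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a kernel command line for the FIPS boot= requirement.
# Assumes /boot is a separate partition. All sample values are constructed.

SAMPLE_BLKID='/dev/sda1: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="xfs"'

# Print the bare filesystem UUID from one line of blkid output.
# The leading space keeps PARTUUID= and UUID_SUB= from matching.
uuid_from_blkid() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Build the argument that goes next to fips=1.
boot_arg_from_blkid() {
    uuid=$(uuid_from_blkid "$1")
    [ -n "$uuid" ] || return 1
    printf 'boot=UUID=%s\n' "$uuid"
}

# Classify a command line: fips-off, ok, missing-boot or malformed-boot.
# Returns 0 for the first two and 1 for the others.
check_fips_cmdline() (
    set -f                      # no globbing while splitting on whitespace
    fips=0; boot=""
    for arg in $1; do
        case "$arg" in
            fips=1) fips=1 ;;
            boot=*) boot=${arg#boot=} ;;
        esac
    done
    [ "$fips" -eq 1 ] || { echo fips-off; return 0; }
    [ -n "$boot" ] || { echo missing-boot; return 1; }
    case "$boot" in
        # stray quote, doubled prefix or empty UUID left by a hand-built pipeline
        *\"*|UUID=UUID=*|UUID=) echo malformed-boot; return 1 ;;
    esac
    echo ok
)

# Demo on constructed command lines: one without boot=, one with it.
BAD='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro fips=1'
GOOD="$BAD $(boot_arg_from_blkid "$SAMPLE_BLKID")"
for cmdline in "$BAD" "$GOOD"; do
    printf '%s\n  -> %s\n' "$cmdline" "$(check_fips_cmdline "$cmdline")"
done
```

On a live host, pass the contents of /proc/cmdline to check_fips_cmdline and the output of blkid for the /boot device to boot_arg_from_blkid.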

Comment 6 Franta Kust 2019-05-16 13:08:20 UTC
BZ<2>Jira Resync