Bug 1649743 - FIPS: misleading "FATAL: Module xxx not found" messages when booting
Summary: FIPS: misleading "FATAL: Module xxx not found" messages when booting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dracut
Version: 7.6
Hardware: All
OS: Linux
high
high
Target Milestone: beta
: ---
Assignee: Lukáš Nykrýn
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-14 12:31 UTC by Renaud Métrich
Modified: 2019-08-06 13:13 UTC (History)
3 users (show)

Fixed In Version: dracut-033-560.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:13:38 UTC
Target Upstream Version:


Attachments (Terms of Use)
proposed patch (597 bytes, patch)
2019-01-16 10:34 UTC, Masahiro Matsuya
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Github dracutdevs dracut pull 490 None None None 2018-11-14 12:31:53 UTC
Red Hat Knowledge Base (Solution) 2853221 None None None 2018-11-19 14:05:37 UTC
Red Hat Product Errata RHBA-2019:2289 None None None 2019-08-06 13:13:54 UTC

Description Renaud Métrich 2018-11-14 12:31:25 UTC
Description of problem:

When booting a RHEL7.6 system with FIPS, the journal records the following messages:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# journalctl -b | grep FATAL
dracut-pre-trigger[241]: modprobe: FATAL: Module sha1 not found.
dracut-pre-trigger[241]: modprobe: FATAL: Module sha256 not found.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

These are due to the initramfs not containing the sha1 and sha256 modules because they are blacklisted in /lib/modprobe.d/dist-blacklist.conf:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# crypto algorithms
blacklist sha1-mb

# see bz #1562114
blacklist sha256-mb
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This causes dracut's instmods to just ignore these.

Because the kernel provides a generic algo for these, there is no need to output these misleading and confusing messages. 


Version-Release number of selected component (if applicable):

dracut-fips-033-554.el7.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Boot with fips enabled
2. Check the journal

Actual results:

# journalctl -b | grep FATAL
Nov 14 13:14:05 vm-fips7 dracut-pre-trigger[241]: modprobe: FATAL: Module sha1 not found.
Nov 14 13:14:05 vm-fips7 dracut-pre-trigger[241]: modprobe: FATAL: Module sha256 not found.


Expected results:

No message

Comment 3 Masahiro Matsuya 2019-01-16 10:34:13 UTC
I have another customer case about this bug.
I thought why sha1-mb and sha256-mb modules were not added into initramfs even if those (sha1 and sha256) are listed as fips modules. It's aliases for sha1-mb and sha256-mb modules. So, I think those aliases should be resolved into the actual module file name. I will attach a proposed patch.

Masahiro Matsuya

Comment 4 Masahiro Matsuya 2019-01-16 10:34:53 UTC
Created attachment 1520951 [details]
proposed patch

Comment 5 Lukáš Nykrýn 2019-01-16 10:59:08 UTC
There is already a different patch from Renaud that should fix the issue https://github.com/dracutdevs/dracut/commit/01ffcf342ae65984c655f10a2fd35019a492ee5c
devel_ack for including that to 7.7

Comment 6 Masahiro Matsuya 2019-01-17 01:38:25 UTC
That's good to hear. Renaud++

Comment 11 errata-xmlrpc 2019-08-06 13:13:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2289


Note You need to log in before you can comment on or make changes to this bug.