Description of problem: During code review of a patch for fips-mode-setup in upstream[1], it was discovered that we also need to have /etc/system-fips as part of the initrd when FIPS mode is turned on. Otherwise, crypto libraries (like libgcrypt) don't completely boot in FIPS mode. [1] https://gitlab.com/redhat-crypto/fedora-crypto-policies/merge_requests/53
Investigating this.
Verified on 4.3.0-0.nightly-2019-12-18-145749 that /etc/system-fips on the master and worker nodes in the initrd $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.3.0-0.nightly-2019-12-18-145749 True False 26s Cluster version is 4.3.0-0.nightly-2019-12-18-145749 $ oc get nodes NAME STATUS ROLES AGE VERSION ip-10-0-136-147.ec2.internal Ready worker 20m v1.16.2 ip-10-0-139-154.ec2.internal Ready master 31m v1.16.2 ip-10-0-145-3.ec2.internal Ready worker 20m v1.16.2 ip-10-0-146-248.ec2.internal Ready master 31m v1.16.2 ip-10-0-164-215.ec2.internal Ready worker 20m v1.16.2 ip-10-0-170-115.ec2.internal Ready master 31m v1.16.2 $ oc debug node/ip-10-0-136-147.ec2.internal Starting pod/ip-10-0-136-147ec2internal-debug ... To use host binaries, run `chroot /host` If you don't see a command prompt, try pressing enter. sh-4.2# chroot /host sh-4.4# ls -latr /boot/ostree/ total 8 drwxrwxr-x. 2 root root 1024 Dec 13 16:36 rhcos-f5d289b85923cedb8f8bdb3a971bcabfa460ae30ce4217998e963edea26b983e drwxrwxr-x. 4 root root 1024 Dec 18 20:55 . drwxr-xr-x. 2 root root 1024 Dec 18 20:55 rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f drwxr-xr-x. 7 root root 1024 Dec 18 20:55 .. sh-4.4# lsinitrd /boot/ostree/rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f/initramfs-4.18.0-147.3.1.el8_1.x86_64.img | grep 'etc/system-fips' -rw-r--r-- 1 root root 40 Jan 1 1970 etc/system-fips sh-4.4# exit exit sh-4.2# exit exit Removing debug pod ... $ oc debug node/ip-10-0-139-154.ec2.internal Starting pod/ip-10-0-139-154ec2internal-debug ... To use host binaries, run `chroot /host` If you don't see a command prompt, try pressing enter. sh-4.2# chroot /host sh-4.4# ls -latr /boot/ostree/ total 8 drwxrwxr-x. 2 root root 1024 Dec 13 16:36 rhcos-f5d289b85923cedb8f8bdb3a971bcabfa460ae30ce4217998e963edea26b983e drwxrwxr-x. 4 root root 1024 Dec 18 20:42 . drwxr-xr-x. 2 root root 1024 Dec 18 20:42 rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f drwxr-xr-x. 7 root root 1024 Dec 18 20:42 .. sh-4.4# lsinitrd /boot/ostree/rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f/initramfs-4.18.0-147.3.1.el8_1.x86_64.img | grep 'etc/system-fips' -rw-r--r-- 1 root root 40 Jan 1 1970 etc/system-fips sh-4.4# exit exit sh-4.2# exit exit Removing debug pod ...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062