Bug 2107952 - Error in GnuTLS initialization during boot after FIPS is enabled
Summary: Error in GnuTLS initialization during boot after FIPS is enabled
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: gnutls
Version: 8.6
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Daiki Ueno
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-18 00:34 UTC by Romano Silva
Modified: 2023-07-31 15:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-7927 0 None None None 2022-07-19 12:22:30 UTC
Red Hat Issue Tracker RHELPLAN-127947 0 None None None 2022-07-18 00:36:00 UTC

Description Romano Silva 2022-07-18 00:34:26 UTC
Description of problem:
After FIPS is enabled in RHEL 8, a GnuTLS initialization error is displayed during boot:

>> Jul 17 20:08:16 nlb01 dracut-cmdline[474]: Error in GnuTLS initialization: Error while performing self checks.


Jul 17 20:08:15 nlb01 systemd-modules-load[368]: Inserted module 'fuse'
Jul 17 20:08:15 nlb01 systemd[1]: systemd-vconsole-setup.service: Succeeded.
Jul 17 20:08:15 nlb01 systemd[1]: Started Setup Virtual Console.
Jul 17 20:08:15 nlb01 systemd[1]: Starting dracut cmdline hook...
Jul 17 20:08:15 nlb01 dracut-cmdline[395]: dracut-8.6 (Ootpa) dracut-049-202.git20220511.el8_6
Jul 17 20:08:15 nlb01 systemd[1]: Started Apply Kernel Variables.
Jul 17 20:08:15 nlb01 dracut-cmdline[395]: Using kernel command line parameters: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-372.16.1.el8_6.x86_64 root=/dev/mapper/vg00-lvroot ro crashkernel=auto resume=/dev/mapper/vg00-lvswap rd.lvm.lv=vg00/lvroot rd.lvm.lv=vg00/lvswap rd.lvm.lv=vg00/lvusr rhgb quiet fips=1 boot=UUID=b808273f-c1d8-4478-8ce8-c807a204e01f
Jul 17 20:08:16 nlb01 dracut-cmdline[474]: Error in GnuTLS initialization: Error while performing self checks.
Jul 17 20:08:16 nlb01 systemd[1]: Started dracut cmdline hook.
Jul 17 20:08:16 nlb01 systemd[1]: Starting dracut pre-udev hook...
Jul 17 20:08:16 nlb01 dracut-pre-udev[478]: Loading and integrity checking all crypto modules
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha1_mb (sha1) passed
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha256_mb (sha256) passed
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha512_mb (sha512) passed
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha3-224-generic (sha3-224) passed
Jul 17 20:08:17 nlb01 kernel: alg: self-tests for sha3-256-generic (sha3-256) passed
Jul 17 20:08:17 nlb01 kernel: alg: self-tests for sha3-384-generic (sha3-384) passed

Version-Release number of selected component (if applicable):
# uname -a
Linux spctp-unxhpp-nlb01 4.18.0-372.16.1.el8_6.x86_64 #1 SMP Tue Jun 28 03:02:21 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep dracut
dracut-049-202.git20220511.el8_6.x86_64
dracut-squash-049-202.git20220511.el8_6.x86_64
dracut-config-rescue-049-202.git20220511.el8_6.x86_64
dracut-network-049-202.git20220511.el8_6.x86_64
# rpm -qa | grep fips
# rpm -qa | grep gnutls
rsyslog-gnutls-8.2102.0-7.el8_6.1.x86_64
gnutls-utils-3.6.16-4.el8.x86_64
gnutls-3.6.16-4.el8.x86_64
gnutls-dane-3.6.16-4.el8.x86_64


How reproducible:
Always after FIPS is enabled

Steps to Reproduce:
1. fips-mode-setup --enable
2. reboot

Actual results:
Error displayed during boot

Expected results:
No GnuTLS error message is displayed during boot

Additional info:
It seems to work fine after boot. Message only happens during boot. Example:
# gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done
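
A small triage helper for boot logs like the one above, added here as an example and not part of the report or of GnuTLS itself: it parses syslog-style journal lines (the `Mon DD HH:MM:SS host unit[pid]: message` layout assumed from the excerpt), records whether `fips=1` was on the kernel command line, attributes every "Error in GnuTLS initialization" message to the unit that emitted it (a `dracut-*` unit means the initramfs stage), and collects the kernel `alg: self-tests` results. The sample log is constructed to mirror the report, with the partition UUID replaced by a placeholder.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the journal excerpt in the report (not a verbatim copy).
SAMPLE_BOOT_LOG = """\
Jul 17 20:08:15 nlb01 systemd[1]: Starting dracut cmdline hook...
Jul 17 20:08:15 nlb01 dracut-cmdline[395]: Using kernel command line parameters: BOOT_IMAGE=(hd0,msdos1)/vmlinuz root=/dev/mapper/vg00-lvroot ro rhgb quiet fips=1 boot=UUID=EXAMPLE-UUID
Jul 17 20:08:16 nlb01 dracut-cmdline[474]: Error in GnuTLS initialization: Error while performing self checks.
Jul 17 20:08:16 nlb01 systemd[1]: Started dracut cmdline hook.
Jul 17 20:08:16 nlb01 dracut-pre-udev[478]: Loading and integrity checking all crypto modules
Jul 17 20:08:16 nlb01 kernel: alg: self-tests for sha256_mb (sha256) passed
Jul 17 20:08:17 nlb01 kernel: alg: self-tests for sha3-256-generic (sha3-256) passed
"""

# "Mon DD HH:MM:SS host unit[pid]: message"; the [pid] part is absent for kernel lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<unit>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
GNUTLS_ERR_RE = re.compile(r"Error in GnuTLS initialization: (?P<reason>.+)")
KERNEL_ALG_RE = re.compile(
    r"alg: self-tests for (?P<alg>\S+) \((?P<name>[^)]+)\) (?P<result>passed|failed)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Split one journal line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def triage_boot_log(text: str) -> Dict:
    """Collect FIPS request, GnuTLS init errors and kernel crypto self-test results."""
    report: Dict = {
        "fips_requested": False,
        "gnutls_errors": [],
        "kernel_selftests": {"passed": [], "failed": []},
    }
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "Using kernel command line parameters:" in msg:
            params = msg.split(":", 1)[1].split()
            report["fips_requested"] = "fips=1" in params
        m = GNUTLS_ERR_RE.search(msg)
        if m:
            report["gnutls_errors"].append({
                "unit": rec["unit"],
                "pid": rec["pid"],
                "reason": m.group("reason"),
                # dracut-* units run from the initramfs, before the real root is mounted
                "in_initramfs": rec["unit"].startswith("dracut-"),
            })
        m = KERNEL_ALG_RE.search(msg)
        if rec["unit"] == "kernel" and m:
            report["kernel_selftests"][m.group("result")].append(m.group("alg"))
    return report


def classify(report: Dict) -> str:
    """Short verdict: where the GnuTLS failure occurred and whether the kernel side is clean."""
    errors: List[Dict] = report["gnutls_errors"]
    if not errors:
        return "no-gnutls-error"
    if report["kernel_selftests"]["failed"]:
        return "gnutls-error-with-kernel-selftest-failure"
    if report["fips_requested"] and all(e["in_initramfs"] for e in errors):
        # The pattern in this report: error confined to the initramfs stage with fips=1.
        return "fips-initramfs-only"
    return "gnutls-error"


if __name__ == "__main__":
    summary = triage_boot_log(SAMPLE_BOOT_LOG)
    print(classify(summary))
    for err in summary["gnutls_errors"]:
        print(f"{err['unit']}[{err['pid']}]: {err['reason']}")
```

Feed it `journalctl -b -o short` output (or `/var/log/messages`) for the boot in question; a verdict of `fips-initramfs-only` with the kernel self-tests all passing matches the symptom described in this report, where the same GnuTLS library initializes cleanly once the system is up.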

Comment 1 Daiki Ueno 2022-07-19 12:20:39 UTC
Thank you for the report. Since this is during the early boot process, I suspect the error has something to do with DRBG.

