Description of problem:
Images built with image-builder on-prem using the ospp, cui & stig profiles won't boot. The issue is that these profiles enable FIPS mode and the images won't boot with /boot on a separate partition.

Version-Release number of selected component (if applicable):
0.1.63

How reproducible:

Steps to Reproduce:
1. Using osbuild-composer to build an image on-prem, create a blueprint with the following customizations:

    [customizations.openscap]
    profile_id = "ospp" # or cui
    datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

2. Attempt to boot the image

Actual results:
Image won't boot

Expected results:
Image boots

Additional info:
A workaround for this is to add /boot/<PARTITION> to the kernel arguments.

Upstream issue: https://github.com/ComplianceAsCode/content/issues/9559

We modified the CaC content in a way that it won't try to enable the FIPS mode in the ImageBuilder pipeline, as the result won't be FIPS-compliant due to lack of support for FIPS in IB workers.
https://github.com/ComplianceAsCode/content/pull/10245