1. Please describe the problem:
Cannot boot 6.16 with fips=1.
[ 2.486829] dracut-pre-udev[223]: fips-load-crypto: start
[ 2.487747] dracut-pre-udev[223]: Loading and integrity checking all crypto modules
[ 2.642389] dracut-pre-udev[223]: Self testing crypto algorithms
[ 2.644128] d[ 2.766184] dracut: FATAL: FIPS integrity test failed
racut-pre-udev[2[ 2.766842] dracut: Refusing to continue
96]: modprobe: FATAL: Module tcrypt not found in directory /lib/modules/6.16.0-0.rc0.250530gf66bc387efbe.7.fc43.x86_64
2. What is the Version-Release number of the kernel:
6.16.0-0.rc0.250530gf66bc387efbe.7.fc43
3. Did it work previously in Fedora? If so, what kernel version did the issue *first* appear? Old kernels are available for download at https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :
Yep, used to work with 6.15.0-0.rc7.58.fc43, stopped working with kernel-6.16.0-0.rc0.250527g914873bc7df9.3.fc43
4. Can you reproduce this issue? If so, please provide the steps to reproduce the issue below:
Boot with fips=1, boom.
5. Does this problem occur with the latest Rawhide kernel? To install the Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by ``sudo dnf update --enablerepo=rawhide kernel``:
Yes.
6. Are you running any modules that are not shipped directly with Fedora's kernel?:
No.
7. Please attach the kernel logs. You can get the complete kernel log for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the issue occurred on a previous boot, use the journalctl ``-b`` flag.
Look, it's just a module that stopped being built with 6.16, and I think I know why:
https://github.com/torvalds/linux/commit/3357b6c94569095f87a350bffa5a0a6e0c19c962 : crypto: tcrypt - rename CRYPTO_TEST to CRYPTO_BENCHMARK
https://src.fedoraproject.org/rpms/kernel/c/6682e4676156d6dad9ad33cd35ace288b5ab5eb0?branch=rawhide : +# CONFIG_CRYPTO_BENCHMARK is not set
Reproducible: Always
[root@fedora-rawhide ~]# uname -a
Linux fedora-rawhide 6.16.0-0.rc0.250530gf66bc387efbe.7.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Fri May 30 14:07:58 UTC 2025 x86_64 GNU/Linux
[root@fedora-rawhide ~]# cat /proc/sys/crypto/fips_enabled
cat: /proc/sys/crypto/fips_enabled: No such file or directory
6.16 might be even more broken than I've originally anticipated
also 40b99697 (crypto: testmgr - replace CRYPTO_MANAGER_DISABLE_TESTS with CRYPTO_SELFTESTS).
this is handled in https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3886
i'll ask maintainers to give some priority for merging this.
Just in case comment #1 does not state this (I'm not sure I understood it correctly from the 'uname -a' output), the file is missing even on a machine which did not try to load/start under FIPS mode. We use 'sysctl crypto.fips_enabled' in our tests to see what the current FIPS settings are in the environment, which fails with 'No such file or directory'.
Kernel-core version: kernel-core-6.16.0-0.rc0.250602gcd2e103d57e5.10.fc43.x86_64
*** Bug 2369823 has been marked as a duplicate of this bug. ***
thank you for the update/input, Zdenek, Alexander.
i'm quite sure this is due to 40b99697 which says:
diff --git a/crypto/Kconfig b/crypto/Kconfig @@ -25,7 +25,7 @@ menu "Crypto core or helper" config CRYPTO_FIPS bool "FIPS 200 compliance" - depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS + depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS
so the "/proc/sys/crypto/fips_enabled: No such file or directory" issue is fixed by the same MR3886.
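Review bot: In the "depends on" line of config CRYPTO_FIPS, the condition changes polarity, from the absence of CRYPTO_MANAGER_DISABLE_TESTS to the presence of CRYPTO_SELFTESTS. A config carried over from an older kernel that set neither symbol satisfied the old condition but not the new one, so CRYPTO_FIPS drops out silently unless CRYPTO_SELFTESTS defaults to y, which this hunk does not show. Consider stating the new requirement in the CRYPTO_FIPS help text, or using "select CRYPTO_SELFTESTS" so that enabling FIPS pulls the self-tests in.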
the fix is in the kernel: https://gitlab.com/cki-project/kernel-ark/-/commit/21de02086d746ff8f1fb93d22572ea2a8aef9d81
tags containing:
kernel-6.16.0-0.rc0.8630c59e9936.16
kernel-6.16.0-0.rc0.bdc7f8c5adad.15
kernel-6.16.0-0.rc0.e271ed52b344.14
kernel-6.16.0-0.rc0.ec7714e49479.13
kernel-6.16.0-0.rc1.17
i'm not sure which of the above is a released Fedora kernel version
please, test and close if ok.
(Just acknowledging that I do see the request to re-test, but so far I could not figure out how to satisfy the dependencies for those recent kernel builds, so I guess I'm gonna wait for a more recent rawhide compose or something.)
kernel-6.16.0-0.rc2.24.fc43.x86_64, still failing to switch to FIPS mode:
[ 1.782931] dracut-pre-udev[249]: Self testing crypto algorithms
[ 1.786118] dracut-pre-udev[3[ 1.983141] dracut: FATAL: FIPS integrity test failed
23]: modprobe: F[ 1.984379] dracut: Refusing to continue
[ 1.984379] dracut: Refusing to continue
ATAL: Module tcrypt not found in directory /lib/modules/6.16.0-0.rc2.24.fc43.x86_64
And the option is off:
# grep -E 'CRYPTO_(TEST|BENCH)' /boot/config-6.16.0-0.rc2.24.fc43.x86_64
# CONFIG_CRYPTO_BENCHMARK is not set
i'm not very well into Fedora build and release process, so i'm not sure when and how ARK changes get into a released Fedora kernel. probably the CONFIG_CRYPTO_BENCHMARK change will get into the Fedora kernel with a0354e1907fa ("Fedora configs for 6.16"). i'm not sure which of the released Fedora kernel versions will have this commit, could you please monitor and then re-test?
Sure, I occasionally re-test that.
kernel-6.16.0-0.rc4.38.fc43: still broken, but now I'm getting something new:
Starting dracut-pre-udev.service - dracut pre-udev hook...
[ 0.842020] dracut-pre-udev[249]: fips-load-crypto: start
[ 0.842527] dracut-pre-udev[249]: Loading and integrity checking all crypto modules
[ 0.936881] dracut-pre-udev[249]: Self testing crypto algorithms
[ 0.985586] dracut-pre-udev[322]: modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable
[ 1.056321] dracut: FATAL: FIPS integrity test failed
[ 1.056803] dracut: Refusing to continue
--- 8< ---
[ 1.147074] reboot: Power down
kernel-6.16.0-0.rc3.38.fc43: still broken, but now I'm getting something new:
Starting dracut-pre-udev.service - dracut pre-udev hook...
[ 0.842020] dracut-pre-udev[249]: fips-load-crypto: start
[ 0.842527] dracut-pre-udev[249]: Loading and integrity checking all crypto modules
[ 0.936881] dracut-pre-udev[249]: Self testing crypto algorithms
[ 0.985586] dracut-pre-udev[322]: modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable
[ 1.056321] dracut: FATAL: FIPS integrity test failed
[ 1.056803] dracut: Refusing to continue
--- 8< ---
[ 1.147074] reboot: Power down
Sorry for the accidental duplication above; rc3 and rc4 do error out the same though.
Thanks, Alexander, for your report, most appreciated your help and attention. I'm looking into this issue.
rc5's the charm!
kernel-6.16.0-0.rc5.250712g379f604cc3dc.50.fc43:
[ 1.173901] dracut-pre-udev[354]: fips-load-crypto: start
[ 1.174391] dracut-pre-udev[354]: Loading and integrity checking all crypto modules
[ 1.246583] alg: self-tests for sha1-ssse3 (sha1) passed
[ 1.246621] alg: self-tests for sha1-avx (sha1) passed
...
# rpm -ql kernel-modules-core | grep tcrypt
/lib/modules/6.15.5-200.fc42.x86_64/kernel/crypto/tcrypt.ko.xz
/lib/modules/6.16.0-0.rc5.250712g379f604cc3dc.50.fc43.x86_64/kernel/crypto/tcrypt.ko.xz
# cat /proc/sys/crypto/fips_enabled
1
Seems fixed to me now, thank you!
Thanks, Alexander, for testing, I was just going to ask you for the same.
kernel-core-6.16.0-0.rc6.52.fc43 seems to have all the needed configs in a correct state:
$ cat ./lib/modules/6.16.0-0.rc6.52.fc43.x86_64/config | grep -e CRYPTO_BENCHMARK -e CRYPTO_SELFTESTS
CONFIG_CRYPTO_SELFTESTS=y
# CONFIG_CRYPTO_SELFTESTS_FULL is not set
CONFIG_CRYPTO_BENCHMARK=m
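The three config causes identified in this thread (CRYPTO_SELFTESTS, CRYPTO_FIPS, CRYPTO_BENCHMARK) can be checked against a kernel config file before rebooting with fips=1. The script below is an added example, not part of the bug report or of dracut; the function names and the sample configs are constructed, and the symbol names assume a 6.16 or later kernel.

```shell
#!/bin/sh
# Added example: preflight check of a kernel config for the FIPS boot
# prerequisites discussed in this bug. Symbol names assume kernel >= 6.16.

# Print the value (y, m or n) of CONFIG_<symbol> in a kernel config file.
# An absent line and "# CONFIG_X is not set" both count as n.
cfg_value() {
    v=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# Report every prerequisite the config fails to meet, one per line.
# Returns 0 when the config can support fips=1, 1 otherwise.
fips_preflight() {
    cfg=$1
    rc=0
    if [ "$(cfg_value "$cfg" CRYPTO_SELFTESTS)" != y ]; then
        echo "CRYPTO_SELFTESTS is off: CRYPTO_FIPS depends on it since 6.16"
        rc=1
    fi
    if [ "$(cfg_value "$cfg" CRYPTO_FIPS)" != y ]; then
        echo "CRYPTO_FIPS is off: /proc/sys/crypto/fips_enabled will not exist"
        rc=1
    fi
    if [ "$(cfg_value "$cfg" CRYPTO_BENCHMARK)" = n ]; then
        echo "CRYPTO_BENCHMARK is off: tcrypt is not built, dracut fips hook fails"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not taken from a real kernel package).
sample_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_CRYPTO_FIPS=y' 'CONFIG_CRYPTO_SELFTESTS=y' \
    '# CONFIG_CRYPTO_SELFTESTS_FULL is not set' 'CONFIG_CRYPTO_BENCHMARK=m' \
    > "$sample_dir/config-good"
printf '%s\n' '# CONFIG_CRYPTO_BENCHMARK is not set' \
    > "$sample_dir/config-broken"

for f in "$sample_dir/config-good" "$sample_dir/config-broken"; do
    if out=$(fips_preflight "$f"); then
        echo "$(basename "$f"): ok"
    else
        echo "$(basename "$f"): not FIPS-bootable"
        echo "$out" | sed 's/^/  /'
    fi
done
rm -rf "$sample_dir"
```

On an installed system the function can be pointed at /boot/config-$(uname -r) or at the config file inside an unpacked kernel-core package.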
I would like just to quote a couple of points Justin (the Fedora maintainer) underlined to me re: FIPS mode in Fedora:
...I strip all of the FIPS related [ RHEL-only ] patches out of stable Fedora, so while you should be able to enable FIPS mode, it matches what upstream does, not what RHEL does.
...As I noted earlier though, FIPS testing on Rawhide is not exactly like testing in RHEL. ELN is the rawhide kernel built for RHEL and is what should be tested as RHEL upstream. When patches come in which change code, they often include changes enclosed inside of #ifdef CONFIG_RHEL_DIFFERENCES which is disabled on Fedora configs. This means that the code is there, but the code path is ignored for Fedora rawhide, and only used in Fedora ELN. In stable Fedora releases, these patches are dropped altogether, because we do not build a RHEL variant of stable Fedora releases.
...I certainly have no problem with people using FIPS mode in Fedora and am happy to keep configs enabled to allow it. I just am not willing to carry patches that upstream will not take for FIPS mode, and I know RHEL has a few. That means that Fedora's FIPS mode may not behave 100% like RHEL FIPS mode does. I figured that might be an important detail for people testing if they were expecting RHEL like FIPS behavior.
JFYI.
With that said above, closing.