Bug 737081 - mkinitrd's FIPS support for dmraid is missing
Summary: mkinitrd's FIPS support for dmraid is missing
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mkinitrd
Version: 5.7
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Brian Lane
QA Contact: Release Test Team
Depends On:
TreeView+ depends on / blocked
Reported: 2011-09-09 14:28 UTC by Leon Fauster
Modified: 2013-01-08 07:06 UTC (History)
6 users (show)

Fixed In Version: mkinitrd-
Doc Type: Release Note
Doc Text:
FIPS Mode Support for dmraid Red Hat Enterprise Linux 5.9 adds support for using FIPS mode with dmraid root devices. A dmraid device is now activated before the FIPS checksum is checked.
Clone Of:
Last Closed: 2013-01-08 07:06:07 UTC
Target Upstream Version:

Attachments (Terms of Use)
init-script with FIPS (3.98 KB, text/plain)
2011-09-09 14:28 UTC, Leon Fauster
no flags Details
init-script without FIPS (2.39 KB, text/plain)
2011-09-09 14:29 UTC, Leon Fauster
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0027 0 normal SHIPPED_LIVE mkinitrd bug fix and enhancement update 2013-01-07 15:28:51 UTC

Description Leon Fauster 2011-09-09 14:28:56 UTC
Created attachment 522346 [details]
init-script with FIPS


$ df -h
/dev/md0          251M   34M  215M  14% /boot
/dev/md2          140G   6,7G  132G    5% /

$ rpm -q kernel-xen mkinitrd

$ mkinitrd --with-fips -f /boot/initrd-2.6.18-274.3.1.el5xen.with-fips.img 2.6.18-274.3.1.el5xen

$ cat /boot/grub/grub.conf |tail -18 |head -7

title CentOS (2.6.18-274.3.1.el5xen) with FIPS
        root (hd0,0)
        kernel /xen.gz-2.6.18-274.3.1.el5 console=vga
        module /vmlinuz-2.6.18-274.3.1.el5xen ro root=/dev/md2 elevator=deadline xencons=tty fips=1
        module /initrd-2.6.18-274.3.1.el5xen.with-fips.img

$ cat /proc/sys/crypto/fips_enabled

Description of problem:

mkinitrd generates a initrd.img file that has a unsuitable "init"-script-sequence, 
if the boot partition is on one dmraid e.g. /dev/md0 

In FIPS Mode the init script of the initrd tries to check the /boot/.vmlinuz-$(uname -r).hmac file
while doing this it tries to mount the boot partition. At that stage the system is unable to mount 
a md device e.g. /dev/md0 because corresponding kernel modules are not already loaded.

How reproducible:

Steps to Reproduce:

0. Setup a dmraid based boot partition
1. Boot the system
2. Recreate the initrd:
3. $ mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
4. Add “fips=1” to grub kernel boot line
5. Reboot

Actual results:
Boot process will be interrupted and the system reboots.

Expected results:
System boots with fips mode enabled

Additional info:
as attachments:


packaging the initrd manually with a changed init-script 
sequence helps me to boot the system in fips mode. 
The changes:
all md-, raid-, scsi-, blockdev-related modules
are loaded before the hmac checks starts

Comment 1 Leon Fauster 2011-09-09 14:29:40 UTC
Created attachment 522347 [details]
init-script without FIPS

Comment 2 RHEL Program Management 2012-04-02 09:00:56 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 7 Ľuboš Kardoš 2012-09-26 11:15:34 UTC
Verified on RHEL5.9 mkinitrd-

Comment 9 errata-xmlrpc 2013-01-08 07:06:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.