Created attachment 522346: init-script with FIPS

---------------------------------------------
Context:
---------------------------------------------
$ df -h
/dev/md0    251M   34M  215M  14% /boot
/dev/md2    140G  6,7G  132G   5% /

$ rpm -q kernel-xen mkinitrd
kernel-xen-2.6.18-274.3.1.el5
mkinitrd-5.1.19.6-71.el5

$ mkinitrd --with-fips -f /boot/initrd-2.6.18-274.3.1.el5xen.with-fips.img 2.6.18-274.3.1.el5xen

$ cat /boot/grub/grub.conf |tail -18 |head -7
title CentOS (2.6.18-274.3.1.el5xen) with FIPS
        root (hd0,0)
        kernel /xen.gz-2.6.18-274.3.1.el5 console=vga
        module /vmlinuz-2.6.18-274.3.1.el5xen ro root=/dev/md2 elevator=deadline xencons=tty fips=1
        module /initrd-2.6.18-274.3.1.el5xen.with-fips.img

$ cat /proc/sys/crypto/fips_enabled
0

---------------------------------------------
Description of problem:
---------------------------------------------
mkinitrd generates an initrd.img file that has an unsuitable "init" script sequence if the boot partition is on a dmraid device, e.g. /dev/md0.

In FIPS mode the init script of the initrd tries to check the /boot/.vmlinuz-$(uname -r).hmac file. While doing this it tries to mount the boot partition. At that stage the system is unable to mount an md device such as /dev/md0, because the corresponding kernel modules are not yet loaded.

---------------------------------------------
How reproducible:
---------------------------------------------
Steps to Reproduce:
0. Set up a dmraid-based boot partition
1. Boot the system
2. Recreate the initrd:
3. $ mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
4. Add "fips=1" to the grub kernel boot line
5. Reboot

---------------------------------------------
Actual results:
---------------------------------------------
The boot process is interrupted and the system reboots.

---------------------------------------------
Expected results:
---------------------------------------------
The system boots with FIPS mode enabled.

---------------------------------------------
Additional info:
---------------------------------------------
As attachments:
init-initrd-2.6.18-274.3.1.el5xen.img.txt
init-NOFIPS-initrd-2.6.18-274.3.1.el5xen.img.txt

Packaging the initrd manually with a changed init-script sequence lets me boot the system in FIPS mode. The changes: all md-, raid-, scsi- and blockdev-related modules are loaded before the hmac check starts.
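The ordering defect described in the report above can be checked for in an existing initrd before rebooting with fips=1. The following shell script is an added example by the editor, not code from the report, from mkinitrd or from Red Hat: it pulls the init script out of a RHEL5-style initrd (gzip-compressed cpio) and reports whether the sha512hmac kernel check appears before the insmod lines that load the md/raid/dm/scsi modules /boot depends on. It assumes modules are loaded as "insmod /lib/<name>.ko" and the FIPS check invokes "sha512hmac"; the storage-module name list and the sample init scripts it writes are constructed for the demo and may need adjusting for a real image.

```sh
#!/bin/sh
# Added example (editor's code, not from the bug report or from mkinitrd):
# detect the FIPS/md ordering defect in an initrd's init script, i.e. the
# sha512hmac kernel check appearing before the insmod lines that load the
# md/raid/dm/scsi modules needed to mount /boot.
#
# Assumptions (not confirmed by the report): modules are loaded with
# "insmod /lib/<name>.ko", the FIPS check invokes "sha512hmac", and the
# storage-module name list below is the editor's. The sample init scripts
# written by make_sample_inits are constructed for this demo.

# Pull the init script out of a RHEL5-style initrd (gzip-compressed cpio).
# Usage: extract_init /boot/initrd-$(uname -r).img /tmp/initrd-work
extract_init() {
    img="$1"; dest="$2"
    mkdir -p "$dest"
    (cd "$dest" && zcat "$img" | cpio -i --quiet init) && echo "$dest/init"
}

# Line number of the first sha512hmac invocation; empty if there is none.
hmac_check_line() {
    grep -n 'sha512hmac' "$1" | head -n 1 | cut -d: -f1
}

# Line number of the last insmod of a storage-path module; empty if none.
last_storage_insmod_line() {
    grep -n -E 'insmod .*/(md-mod|raid[0-9]+|linear|dm-[a-z_-]+|sd_mod|scsi_[a-z_]+|libata|ahci|ata_[a-z_]+|mptspi|mptsas|megaraid[a-z_]*|cciss|xenblk|xen_blkfront)\.ko' "$1" \
        | tail -n 1 | cut -d: -f1
}

# Returns 0 when the order is safe (no FIPS check, or every storage module is
# loaded before it), 1 when the defective order is present, 2 when no storage
# insmod matched at all (the patterns may not fit this init script).
check_init_order() {
    init="$1"
    hmac=$(hmac_check_line "$init"); hmac=${hmac:-0}
    mods=$(last_storage_insmod_line "$init"); mods=${mods:-0}
    if [ "$hmac" -eq 0 ]; then
        echo "OK: no sha512hmac check in $init (initrd built without --with-fips)"
        return 0
    fi
    if [ "$mods" -eq 0 ]; then
        echo "UNKNOWN: sha512hmac at line $hmac but no storage insmod matched in $init"
        return 2
    fi
    if [ "$mods" -gt "$hmac" ]; then
        echo "DEFECT: sha512hmac at line $hmac runs before the last storage insmod at line $mods"
        return 1
    fi
    echo "OK: storage modules loaded by line $mods, sha512hmac at line $hmac"
    return 0
}

# End-to-end on a real image:
#   scan_initrd /boot/initrd-2.6.18-274.3.1.el5xen.with-fips.img
scan_initrd() {
    check_init_order "$(extract_init "$1" "$(mktemp -d)")"
}

# Constructed sample init scripts (nash syntax, modelled on the defect
# description): the defective order, the corrected order, and a non-FIPS one.
make_sample_inits() {
    dir=$(mktemp -d)
    printf '%s\n' '#!/bin/nash' 'mount -t proc /proc /proc' \
        'echo Mounting /boot for FIPS integrity check' \
        'mount -n -t ext3 /dev/md0 /boot' \
        'sha512hmac -c /boot/.vmlinuz-2.6.18-274.3.1.el5xen.hmac' \
        'umount /boot' \
        'echo "Loading raid1.ko module"' 'insmod /lib/raid1.ko' \
        'echo "Loading dm-mod.ko module"' 'insmod /lib/dm-mod.ko' \
        'raidautorun /dev/md0' > "$dir/init.bad"
    printf '%s\n' '#!/bin/nash' 'mount -t proc /proc /proc' \
        'echo "Loading raid1.ko module"' 'insmod /lib/raid1.ko' \
        'echo "Loading dm-mod.ko module"' 'insmod /lib/dm-mod.ko' \
        'raidautorun /dev/md0' \
        'echo Mounting /boot for FIPS integrity check' \
        'mount -n -t ext3 /dev/md0 /boot' \
        'sha512hmac -c /boot/.vmlinuz-2.6.18-274.3.1.el5xen.hmac' \
        'umount /boot' > "$dir/init.good"
    printf '%s\n' '#!/bin/nash' 'mount -t proc /proc /proc' \
        'echo "Loading raid1.ko module"' 'insmod /lib/raid1.ko' \
        'raidautorun /dev/md0' > "$dir/init.nofips"
    echo "$dir"
}

# Stand-alone demo over the constructed samples (no real initrd needed).
samples=$(make_sample_inits)
check_init_order "$samples/init.bad" || true    # defective order, reports DEFECT
check_init_order "$samples/init.good"
check_init_order "$samples/init.nofips"
rm -rf "$samples"
```

On a real system run scan_initrd against the --with-fips image before adding fips=1 to the grub line; a DEFECT result means the init script will attempt the /boot mount before the md modules exist, which is the boot loop the report describes.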
Created attachment 522347: init-script without FIPS
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Verified on RHEL5.9 mkinitrd-5.1.19.6-78.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0027.html