Bug 831598 - FATAL: Module aes-xts not found (FIPS integrity check failed)
Summary: FATAL: Module aes-xts not found (FIPS integrity check failed)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dracut
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: beta
: 7.0
Assignee: dracut-maint
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks: 717789
Reported: 2012-06-13 12:01 UTC by Ondrej Moriš
Modified: 2014-06-13 11:57 UTC (History)

Fixed In Version: dracut-018-65.git20120612.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:57:55 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
/run/initramfs/init.log (101.99 KB, text/plain)
2012-06-13 12:02 UTC, Ondrej Moriš
dracut -f --debug (5.05 MB, text/plain)
2012-06-13 12:03 UTC, Ondrej Moriš
Fix xts module name (971 bytes, patch)
2012-06-27 14:33 UTC, Milan Broz
Fix module names (1.30 KB, patch)
2012-06-29 11:49 UTC, Milan Broz

Description Ondrej Moriš 2012-06-13 12:01:32 UTC
Description of problem:

The FIPS integrity check provided by dracut fails in RHEL7. This causes dracut to die during boot and the kernel to panic. When every 'die' in dracut-fips is replaced by 'warn', the system boots into FIPS mode and you can see its init log file:

...
//sbin/fips.sh@53(do_fips): info 'Checking integrity of kernel'
//lib/dracut-lib.sh@316(info): check_quiet
//lib/dracut-lib.sh@301(check_quiet): '[' -z yes ']'
//lib/dracut-lib.sh@317(info): echo '<30>dracut: Checking integrity of kernel'
//lib/dracut-lib.sh@318(info): '[' yes '!=' yes ']'
//sbin/fips.sh@54(do_fips): newroot=/sysroot
///sbin/fips.sh@55(do_fips): uname -r
//sbin/fips.sh@55(do_fips): KERNEL=3.3.0-0.13.el7.x86_64
//sbin/fips.sh@57(do_fips): '[' -e /sysroot/boot/.vmlinuz-3.3.0-0.13.el7.x86_64.hmac ']'
//sbin/fips.sh@57(do_fips): unset newroot
//sbin/fips.sh@59(do_fips): ls -la /boot
total 24246
dr-xr-xr-x  5 root root     1024 Jun 12  2012 .
drwxr-xr-x 13 root root        0 Jun 12 13:37 ..
-rw-r--r--  1 root root      166 May 31 14:06 .vmlinuz-3.3.0-0.13.el7.x86_64.hmac
-rw-------  1 root root  2743548 May 31 14:06 System.map-3.3.0-0.13.el7.x86_64
-rw-r--r--  1 root root   113682 May 31 14:06 config-3.3.0-0.13.el7.x86_64
drwxr-xr-x  2 root root     1024 Jun  6 11:34 grub
drwxr-xr-x  6 root root     1024 Jun  6 11:41 grub2
-rw-r--r--  1 root root 16969413 Jun 12  2012 initramfs-3.3.0-0.13.el7.x86_64.img
drwx------  2 root root    12288 Jun  6 11:31 lost+found
-rwxr-xr-x  1 root root  4973104 May 31 14:06 vmlinuz-3.3.0-0.13.el7.x86_64
//sbin/fips.sh@60(do_fips): '[' -e /boot/.vmlinuz-3.3.0-0.13.el7.x86_64.hmac ']'
//sbin/fips.sh@65(do_fips): sha512hmac -c /boot/.vmlinuz-3.3.0-0.13.el7.x86_64.hmac
/boot/vmlinuz-3.3.0-0.13.el7.x86_64: OK
///sbin/fips.sh@67(do_fips): cat /etc/fipsmodules
//sbin/fips.sh@67(do_fips): FIPSMODULES='aead
aes_generic
aes-xts
aes-x86_64
ansi_cprng
cbc
ccm
chainiv
ctr
des
deflate
ecb
eseqiv
hmac
seqiv
sha256
sha512
cryptomgr
crypto_null
tcrypt
dm-mod
dm-crypt'
//sbin/fips.sh@69(do_fips): info 'Loading and integrity checking all crypto modules'
//lib/dracut-lib.sh@316(info): check_quiet
//lib/dracut-lib.sh@301(check_quiet): '[' -z yes ']'
//lib/dracut-lib.sh@317(info): echo '<30>dracut: Loading and integrity checking all crypto modules'
//lib/dracut-lib.sh@318(info): '[' yes '!=' yes ']'
//sbin/fips.sh@70(do_fips): for module in '$FIPSMODULES'
//sbin/fips.sh@71(do_fips): '[' aead '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aead
//sbin/fips.sh@70(do_fips): for module in '$FIPSMODULES'
//sbin/fips.sh@71(do_fips): '[' aes_generic '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aes_generic
//sbin/fips.sh@70(do_fips): for module in '$FIPSMODULES'
//sbin/fips.sh@71(do_fips): '[' aes-xts '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aes-xts
FATAL: Module aes-xts not found.
//sbin/fips.sh@72(do_fips): return 1
///lib/dracut/hooks/pre-trigger/01fips-boot.sh@10(source): warn 'FIPS integrity test failed'
//lib/dracut-lib.sh@310(warn): check_quiet
//lib/dracut-lib.sh@301(check_quiet): '[' -z yes ']'
//lib/dracut-lib.sh@311(warn): echo '<28>dracut Warning: FIPS integrity test failed'
//lib/dracut-lib.sh@312(warn): echo 'dracut Warning: FIPS integrity test failed'
dracut Warning: FIPS integrity test failed
...

Obviously, the problem is caused by:

FATAL: Module aes-xts not found.

Version-Release number of selected component (if applicable):

dracut-fips-018-53.git20120605.el7.noarch
dracut-018-53.git20120605.el7.noarch
kernel-3.3.0-0.13.el7.x86_64

How reproducible:

100%

Steps to Reproduce:

1. uninstall or disable prelink
2. install dracut-fips
3. perl -pi -e 's#die #warn #g' /usr/lib/dracut/modules.d/01fips/*
4. dracut -f 
5. reboot and enter grub menu
6. add kernel parameters: rd.debug fips=1 boot=/dev/sda1 
   (or whatever your boot partition is) 
7. boot and see /run/initramfs/init.log
  
Actual results:

...
FATAL: Module aes-xts not found.
...
dracut Warning: FIPS integrity test failed
...

Expected results:

...
dracut: FIPS integrity test passed
...

Additional info:

See attachments.

Comment 1 Ondrej Moriš 2012-06-13 12:02:06 UTC
Created attachment 591456 [details]
/run/initramfs/init.log

Comment 2 Ondrej Moriš 2012-06-13 12:03:57 UTC
Created attachment 591457 [details]
dracut -f --debug

Comment 4 Ondrej Moriš 2012-06-13 14:39:05 UTC
Hm, I still see it:

dracut-018-65.git20120612.el7.noarch

...
//sbin/fips.sh@71(do_fips): '[' aes-xts '!=' tcrypt ']'
//sbin/fips.sh@72(do_fips): modprobe aes-xts
FATAL: Module aes-xts not found.
//sbin/fips.sh@72(do_fips): return 1
///lib/dracut/hooks/pre-trigger/01fips-boot.sh@10(source): warn 'FIPS integrity test failed'
//lib/dracut-lib.sh@310(warn): check_quiet
...

Comment 5 Harald Hoyer 2012-06-18 11:42:22 UTC
(In reply to comment #4)
> Hm, I still see it:
> 
> dracut-018-65.git20120612.el7.noarch
> 
> ...
> //sbin/fips.sh@71(do_fips): '[' aes-xts '!=' tcrypt ']'
> //sbin/fips.sh@72(do_fips): modprobe aes-xts
> FATAL: Module aes-xts not found.
> //sbin/fips.sh@72(do_fips): return 1
> ///lib/dracut/hooks/pre-trigger/01fips-boot.sh@10(source): warn 'FIPS
> integrity test failed'
> //lib/dracut-lib.sh@310(warn): check_quiet
> ...

Are you sure that you regenerated the initramfs after updating?

Comment 6 Milan Broz 2012-06-27 14:33:34 UTC
Created attachment 594801 [details]
Fix xts module name

Harald, I think this is just a bug in dracut; there was never an aes-xts module.

It should be xts (like in RHEL6).

See attached patch - I think it should be fixed upstream.

Comment 7 Milan Broz 2012-06-29 11:49:02 UTC
Created attachment 595281 [details]
Fix module names

In F18/rawhide the sha256 module is also compiled in, so modprobe fails - use aes256_generic, which always works.
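
The two failure modes reported in this bug (a name in /etc/fipsmodules that matches no module, and a module that is built into the kernel) can be checked before reboot against a kernel's modules.dep and modules.builtin. This is an added example, not dracut's code and not something posted in this bug; the function names and the sample tree in demo() are made up for illustration, and aliases in modules.alias are not consulted.

```shell
#!/bin/sh
# classify_fips_modules LISTFILE MODDIR
# LISTFILE: one module name per line (the /etc/fipsmodules format shown in the log).
# MODDIR:   a kernel module directory holding modules.dep and modules.builtin,
#           e.g. /lib/modules/$(uname -r).
# Prints "<name> loadable|builtin|missing" per entry; returns 1 if any is missing.
# Limitation: only module file names are compared; modules.alias is ignored.

# Reduce "kernel/crypto/xts.ko.xz: deps..." to "xts"; '-' and '_' are equivalent.
_modnames() {
    [ -r "$1" ] || return 0
    sed -e 's/:.*$//' -e 's|.*/||' -e 's/\.ko.*$//' "$1" | tr '-' '_'
}

classify_fips_modules() {
    list=$1 moddir=$2 rc=0
    dep=$(_modnames "$moddir/modules.dep")
    built=$(_modnames "$moddir/modules.builtin")
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        norm=$(printf '%s' "$name" | tr '-' '_')
        if printf '%s\n' "$dep" | grep -qxF -- "$norm"; then
            echo "$name loadable"
        elif printf '%s\n' "$built" | grep -qxF -- "$norm"; then
            echo "$name builtin"      # a modprobe of this name has no .ko to load
        else
            echo "$name missing"; rc=1
        fi
    done < "$list"
    return $rc
}

# Constructed sample tree (not real system data): xts and dm-mod are modules,
# sha256_generic is built in, aes-xts does not exist.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'kernel/crypto/xts.ko: kernel/crypto/gf128mul.ko' \
        'kernel/crypto/gf128mul.ko:' 'kernel/drivers/md/dm-mod.ko.xz:' > "$d/modules.dep"
    printf '%s\n' 'kernel/crypto/sha256_generic.ko' > "$d/modules.builtin"
    printf '%s\n' xts aes-xts sha256_generic dm-mod > "$d/fipsmodules"
    classify_fips_modules "$d/fipsmodules" "$d" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}
```

Entries reported as "builtin" need different handling from "missing" ones in a FIPS module list: the algorithm is present in the kernel, but there is no module file for modprobe to load.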

Comment 8 Milan Broz 2012-06-29 11:50:47 UTC
Can the attached patch be committed upstream and for rawhide/F17 dracut please?

Comment 9 Paul Wouters 2012-07-17 22:19:54 UTC
dracut-020-96.git20120717.fc17 but there haven't been any builds of dracut in a while, so it is still on dracut 0.18 in Fedora....

Is there any reason why this isn't being built in rawhide/f17?

Comment 10 Harald Hoyer 2012-07-18 10:27:15 UTC
(In reply to comment #9)
> dracut-020-96.git20120717.fc17 but there haven't been any builds of dracut
> in a while, so it is still on dracut 0.18 in Fedora....
> 
> Is there any reason why this isn't being built in rawhide/f17?


huh? dracut-020-96.git20120717.fc17? Where is this? Built 
dracut-020-96.git20120717.fc18 to rawhide http://koji.fedoraproject.org/koji/buildinfo?buildID=330901 but not F17!

Comment 11 Harald Hoyer 2012-07-18 10:41:33 UTC
will backport some fixes to F17 today.

Comment 14 Harald Hoyer 2013-02-26 09:24:40 UTC
fixed with dracut-024-25.git20130205.el7

Comment 15 Jan Stodola 2013-07-09 12:43:02 UTC
Retested with dracut-029-1.el7, system booted successfully in fips mode, no errors reported.

Moving to VERIFIED.

Comment 16 Ludek Smid 2014-06-13 11:57:55 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

