Bug 857310 - RHEL5.9 kernel fails to boot in fips mode
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kvm
5.9
Unspecified Unspecified
high Severity medium
: rc
: ---
Assigned To: Virtualization Maintenance
Virtualization Bugs
: TestBlocker
Depends On:
Blocks: 805676
Reported: 2012-09-14 01:21 EDT by Shaolong Hu
Modified: 2012-09-16 23:25 EDT
Doc Type: Bug Fix
Last Closed: 2012-09-16 23:25:01 EDT
Type: Bug

Attachments:
dmidecode output (17.38 KB, application/octet-stream), 2012-09-14 01:21 EDT, Shaolong Hu
sosreport (1.00 MB, application/x-bzip2), 2012-09-14 01:41 EDT, Shaolong Hu

Description Shaolong Hu 2012-09-14 01:21:47 EDT
Created attachment 612722 [details]
dmidecode output

Description of problem:
------------------------
After enabling FIPS on a RHEL5.9 host, the kernel fails to boot.


Version-Release number of selected component (if applicable):
---------------------------------------------------------------
2.6.18-339.el5


How reproducible:
------------------
100%


Steps to Reproduce:
----------------------
1. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
2. Add "fips=1" to the grub kernel boot line
3. reboot host


Actual results:
----------------
Warning: pci_mmcfg_init marking 256MB space uncacheable.
Red Hat nash version 5.1.19.6 starting
SELF TEST FAILED (/usr/lib64/hmaKernel panic - not syncing: Attempted to kill init!
ccalc/sha512hmac .hmac)


Additional info:
-------------------
This happens on some hosts. I tried two hosts and both hit the problem; my colleague's host works fine anyway, so I think this is a hardware-related problem. My host's dmidecode output is in the attachment.

By the way, I am verifying:
Bug 805676 - FIPS 140-2 kernel and KVM

So this is a blocker.
Comment 1 Shaolong Hu 2012-09-14 01:41:38 EDT
Created attachment 612726 [details]
sosreport
Comment 2 Paul Moore 2012-09-14 08:29:33 EDT
Did you follow all of the steps described in the article below?

 * https://access.redhat.com/knowledge/articles/38655

Common problems you may want to verify on your test system:

1. FIPS mode requires a separate /boot partition.
2. Prelinking must be disabled.
Comment 3 Eduard Benes 2012-09-14 09:51:20 EDT
Hello Hu, one observation in addition to the suggestions from Paul in the previous comment. By inspecting your sosreport, I see you still have prelinking enabled in /etc/sysconfig/prelink. Even if you undo prelink, you should disable it entirely so a cron job doesn't run it again and break your system.
Comment 4 Shaolong Hu 2012-09-16 23:25:01 EDT
OK, thanks for the specification. This is NOTABUG, closing it.
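
The two prerequisites raised in Comments 2 and 3 (a separate /boot partition and disabled prelinking) can be checked before rebooting with fips=1. The script below is an added example, not part of the original bug report or of Red Hat's tooling; the function names are hypothetical, the `PRELINKING=` variable is assumed to follow the usual /etc/sysconfig/prelink format, and the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-reboot checks for the two
# FIPS prerequisites named in Comments 2 and 3. File arguments default to
# the live system so that constructed files can be passed in instead.

# 0 if /boot is its own mount point in a /proc/mounts-style file.
boot_is_separate() {
    awk '$2 == "/boot" { found = 1 } END { exit !found }' "${1:-/proc/mounts}"
}

# 0 only if the config explicitly sets PRELINKING=no (strict by choice).
# Assumption: a missing config file means prelink is not installed.
prelink_disabled() {
    conf="${1:-/etc/sysconfig/prelink}"
    [ -r "$conf" ] || return 0
    # The last assignment wins, as it would when the file is sourced.
    val=$(sed -n 's/^[[:space:]]*PRELINKING=//p' "$conf" | tail -n 1 | tr -d "\"' \t")
    [ "$val" = "no" ]
}

# Prints one line per failed prerequisite; exit status is the failure count.
fips_preflight() {
    fails=0
    boot_is_separate "$1" || { echo "FAIL: /boot is not a separate partition"; fails=$((fails + 1)); }
    prelink_disabled "$2" || { echo "FAIL: PRELINKING is not set to no"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files: prelinking enabled and no separate /boot.
fips_preflight_demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' '/dev/sda2 / ext3 rw 0 0' 'proc /proc proc rw 0 0' > "$d/mounts"
    printf '%s\n' '# constructed sample' 'PRELINKING=yes' > "$d/prelink"
    fips_preflight "$d/mounts" "$d/prelink"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Calling `fips_preflight` with no arguments checks the running host; `fips_preflight_demo` runs the same checks against the constructed files and reports both failures.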