Bug 857310 - RHEL5.9 kernel fails to boot in fips mode
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kvm
Priority: high, Severity: medium
Assigned To: Virtualization Maintenance
Virtualization Bugs
Keywords: TestBlocker
Blocks: 805676
Reported: 2012-09-14 01:21 EDT by Shaolong Hu
Modified: 2012-09-16 23:25 EDT
Doc Type: Bug Fix
Last Closed: 2012-09-16 23:25:01 EDT
Type: Bug

Attachments:
dmidecode output (17.38 KB, application/octet-stream), 2012-09-14 01:21 EDT, Shaolong Hu
sosreport (1.00 MB, application/x-bzip2), 2012-09-14 01:41 EDT, Shaolong Hu

Description Shaolong Hu 2012-09-14 01:21:47 EDT
Created attachment 612722
dmidecode output

Description of problem:
After enabling FIPS on a RHEL5.9 host, the kernel fails to boot.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
2. Add "fips=1" to the grub kernel boot line
3. Reboot the host

Actual results:
Warning: pci_mmcfg_init marking 256MB space uncacheable.
Red Hat nash version starting
SELF TEST FAILED (/usr/lib64/hmaKernel panic - not syncing: Attempted to kill init!
ccalc/sha512hmac .hmac)

Additional info:
This happens on some hosts. I tried two hosts and both hit the problem, while my colleague's host works fine, so I think this is a hardware-related problem. My host's dmidecode output is in the attachment.

By the way, I am verifying:
Bug 805676 - FIPS 140-2 kernel and KVM

So this is a blocker.
Comment 1 Shaolong Hu 2012-09-14 01:41:38 EDT
Created attachment 612726
Comment 2 Paul Moore 2012-09-14 08:29:33 EDT
Did you follow all of the steps described in the article below?

 * https://access.redhat.com/knowledge/articles/38655

Common problems you may want to verify on your test system:

1. FIPS mode requires a separate /boot partition.
2. Prelinking must be disabled.
Comment 3 Eduard Benes 2012-09-14 09:51:20 EDT
Hello Hu, one observation in addition to the suggestions from Paul in the previous comment. By inspecting your sosreport, I see you still have prelinking enabled in /etc/sysconfig/prelink. Even if you undo prelink, you should disable it entirely so a cron job doesn't run it again and break your system.
Comment 4 Shaolong Hu 2012-09-16 23:25:01 EDT
OK, thanks for specification, this is NOTABUG, close it.
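
The two conditions raised in comments 2 and 3 (prelinking disabled, separate /boot) can be checked with a script before rebooting with fips=1. This is an added example, not part of the bug thread or any Red Hat tooling; the function names are hypothetical, and it assumes /etc/sysconfig/prelink carries a PRELINKING=yes|no assignment and that mounts are supplied in /proc/mounts format.

```shell
#!/bin/sh
# Added example: checks for the two pitfalls named in the thread.
# Paths are arguments so the checks also work on files copied out of a sosreport.

# Succeeds only if the last PRELINKING= assignment in FILE is "no".
prelink_disabled() {
    # Assumption: a missing file means the prelink package is not installed.
    [ -f "$1" ] || return 0
    val=$(sed -n 's/^[[:space:]]*PRELINKING=//p' "$1" | tail -n 1 | tr -d "\"'[:space:]")
    [ "$val" = "no" ]
}

# Succeeds if a /proc/mounts-format FILE lists /boot as its own mount point.
boot_is_separate() {
    awk '$2 == "/boot" { found = 1 } END { exit !found }' "$1"
}

# Prints each failed check and returns the number of failures.
fips_preflight() {
    failures=0
    if ! prelink_disabled "$1"; then
        echo "FAIL: prelinking not disabled in $1 (expected PRELINKING=no)"
        failures=$((failures + 1))
    fi
    if ! boot_is_separate "$2"; then
        echo "FAIL: /boot is not a separate mount in $2"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: prelinking disabled, /boot separate"
    return "$failures"
}

# Constructed sample inputs (not the reporter's files): both checks fail.
demo=$(mktemp -d)
printf 'PRELINKING=yes\nPRELINK_OPTS=-mR\n' > "$demo/prelink"
printf '/dev/sda1 / ext3 rw 0 0\n' > "$demo/mounts"
fips_preflight "$demo/prelink" "$demo/mounts" || echo "failed checks: $?"
rm -rf "$demo"
```

On a live host the same function can be pointed at the real files: `fips_preflight /etc/sysconfig/prelink /proc/mounts`.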
