Bug 956521 - hmac check fail in initramfs
Summary: hmac check fail in initramfs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dracut
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: dracut-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-04-25 07:05 UTC by Dave Young
Modified: 2013-05-22 03:12 UTC (History)

Fixed In Version: dracut-027-39.git20130425.fc19
Clone Of:
Environment:
Last Closed: 2013-05-22 03:12:17 UTC
Type: Bug
Embargoed:



Description Dave Young 2013-04-25 07:05:23 UTC
Description of problem:

Dracut refuses to continue:
Warning: dracut: FATAL: FIPS integrity test failed
Warning: dracut: Refusing to continue

Test with:
[root@localhost ~]# uname -a
Linux localhost 3.9.0-0.rc7.git3.1.fc19.x86_64 #1 SMP Thu Apr 18 20:29:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# rpm -qa|grep dracut
dracut-network-027-36.git20130418.fc19.x86_64
dracut-fips-027-36.git20130418.fc19.x86_64
dracut-027-36.git20130418.fc19.x86_64


In the dracut shell, manually running the command below fails (boot partition mounted OK):
sha512hmac -c /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac
fails with:
Error ensuring FIPS mode.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Harald Hoyer 2013-04-25 07:34:22 UTC
(In reply to comment #0)
> Description of problem:
> 
> Dracut refuse to continue:
> Warning: dracut: FATAL: FIPS integrity test failed
> Warning: dracut: Refusing to continue
> 
> Test with:
> [root@localhost ~]# uname -a
> Linux localhost 3.9.0-0.rc7.git3.1.fc19.x86_64 #1 SMP Thu Apr 18 20:29:47
> UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> [root@localhost ~]# rpm -qa|grep dracut
> dracut-network-027-36.git20130418.fc19.x86_64
> dracut-fips-027-36.git20130418.fc19.x86_64
> dracut-027-36.git20130418.fc19.x86_64
> 
> 
> In dracut shell, manually run below command fails(boot part mounted ok):
> sha512hmac -c /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac
> fails with:
> Error ensuring FIPS mode.
> 


So, manually running
# sha512hmac -c /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac

fails, too?

Comment 2 Dave Young 2013-04-25 07:36:24 UTC
Sure, it fails when run manually.
BTW, kernel boot with "fips=1 boot=/dev/vda1 1"

Comment 3 Harald Hoyer 2013-04-25 09:13:44 UTC
So, if /boot/.vmlinuz-3.9.0-0.rc7.git3.1.fc19.x86_64.hmac is corrupt/wrong, dracut does the right thing.

Does it fail, if you boot without fips, in the real root also?

Comment 4 Dave Young 2013-04-25 09:27:57 UTC
It works well in the non-FIPS-mode real root.

Comment 5 Fedora Update System 2013-04-25 18:46:26 UTC
dracut-027-39.git20130425.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/dracut-027-39.git20130425.fc19

Comment 6 Dave Young 2013-04-26 02:35:50 UTC
Hi, Harald

Thanks for the quick fix for this. I believe you have passed the test on physical machines.

But there's still issues in kvm guest, see below:

dracut-pre-trigger[130]: modprobe: ERROR: could not insert 'camellia_aesni_avx_x86_64': No such device
dracut-pre-trigger[130]: modprobe: ERROR: could not insert 'crc32c_intel': No such device

The above two modules return -ENODEV in module_init; I'm not sure why fips.sh fails on a modprobe failure in the code below:

    for module in $FIPSMODULES; do
        if [ "$module" != "tcrypt" ]; then
            modprobe ${module} || return 1
        fi
    done

How about only returning 1 when modprobe tcrypt fails, and just going ahead for the other modules?

I guess there's probably a similar problem on arches other than x86.

Thanks
Dave
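The module loop with the behaviour proposed in the comment above, as an added example that is neither part of this thread nor dracut's own fips.sh: only a failed tcrypt load (the kernel's crypto self-test module) is fatal, while algorithm modules that cannot be inserted on this CPU are logged and skipped. MODPROBE, fake_modprobe and fake_modprobe_no_tcrypt are constructed stand-ins so the loop can be exercised without root.

```shell
#!/bin/sh
# Added example, not dracut's own fips.sh: the module loop from comment 6 with
# the behaviour proposed there. Only a failure to load tcrypt (the kernel's
# crypto self-test module) is fatal; algorithm modules that cannot be inserted
# because the CPU lacks the instruction set (modprobe reports "No such device",
# i.e. -ENODEV from module_init) are logged and skipped.
# MODPROBE is an assumed hook so the loop can be exercised without root.

: "${MODPROBE:=modprobe}"

# Modules skipped by the last run, space separated, for the caller's log.
FIPS_SKIPPED=""

fips_load_modules() {
    # $1: space-separated module list, as $FIPSMODULES in fips.sh
    FIPS_SKIPPED=""
    for _module in $1; do
        [ "$_module" = "tcrypt" ] && continue
        if ! $MODPROBE "$_module" 2>/dev/null; then
            echo "fips: optional module $_module did not load, continuing" >&2
            FIPS_SKIPPED="${FIPS_SKIPPED:+$FIPS_SKIPPED }$_module"
        fi
    done
    # tcrypt is loaded last; its failure is the one that aborts the boot
    if ! $MODPROBE tcrypt 2>/dev/null; then
        echo "fips: FATAL: tcrypt did not load, self-tests did not run" >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for modprobe that behaves like the KVM guest in
# comment 6: the AES-NI and CRC32C-intel modules return -ENODEV.
fake_modprobe() {
    case $1 in
        camellia_aesni_avx_x86_64|crc32c_intel)
            echo "modprobe: ERROR: could not insert '$1': No such device" >&2
            return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed stand-in where tcrypt itself is missing, so the loop must
# refuse to continue.
fake_modprobe_no_tcrypt() {
    [ "$1" = "tcrypt" ] && return 1
    fake_modprobe "$1"
}
```

Run with MODPROBE=fake_modprobe to reproduce the KVM-guest case from the comment; leave MODPROBE unset to use the real modprobe.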

Comment 7 Fedora Update System 2013-04-26 14:28:28 UTC
Package dracut-027-39.git20130425.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dracut-027-39.git20130425.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6673/dracut-027-39.git20130425.fc19
then log in and leave karma (feedback).

Comment 8 Baoquan He 2013-04-27 08:08:12 UTC
Hi Harald,

I tested on a local PC; it failed too. It seems to be the same cause as in Dave's case.

Baoquan
Thanks

Comment 9 Harald Hoyer 2013-04-29 05:55:26 UTC
(In reply to comment #6)
> Hi, Harald
> 
> Thanks for the quick fix for this. I believe you have passed the test on
> physical machines.
> 
> But there's still issues in kvm guest, see below:
> 
> dracut-pre-trigger[130]: modprobe: ERROR: could not insert
> 'camellia_aesni_avx_x86_64': No such device
> dracut-pre-trigger[130]: modprobe: ERROR: could not insert 'crc32c_intel':
> No such device
> 
> Above two modules return -ENODEV in module_init, I'm not sure why fips.sh
> fail for modprobe failure in below code:
> 
>     for module in $FIPSMODULES; do
>         if [ "$module" != "tcrypt" ]; then
>             modprobe ${module} || return 1
>         fi
>     done
> 
> How about only return 1 when modprobe tctypt failing? for other modules just
> go ahead?

Yeah, will do that.

Comment 10 Fedora Update System 2013-04-30 17:27:17 UTC
dracut-027-45.git20130430.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/dracut-027-45.git20130430.fc19

Comment 11 Fedora Update System 2013-05-22 03:12:17 UTC
dracut-027-39.git20130425.fc19 has been pushed to the Fedora 19 obsolete repository. If problems still persist, please make note of it in this bug report.

