Closed richm closed 1 year ago
Patch and project coverage have no change.
Comparison is base (bdb5b3d) 13.90% compared to head (8d5eea3) 13.90%.
@vojtechtrefny I could not get rhel7 to work in FIPS mode - I got this error from blivet:
Failed to commit changes to disk: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
not sure if it is due to using aes-xts-plain64, but that works fine with FIPS in rhel 8 and 9 and fedora, and works fine without FIPS on all platforms.
[citest]
This is actually not related to LUKS. Full traceback looks like this:
  File "/usr/lib/python2.7/site-packages/blivet3/formats/fs.py", line 488, in system_mountpoint
    getattr(self, "subvolspec", None))[-1]
  File "/usr/lib/python2.7/site-packages/blivet3/mounts.py", line 109, in get_mountpoints
    self._cache_check()
  File "/usr/lib/python2.7/site-packages/blivet3/mounts.py", line 171, in _cache_check
    md5hash = util.md5_file("/proc/mounts")
  File "/usr/lib/python2.7/site-packages/blivet3/util.py", line 567, in md5_file
    md5 = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
MD5 is not available in FIPS mode and we used to use hashlib.md5 in blivet, we fixed this a few years ago (see https://github.com/storaged-project/blivet/pull/825), but the fix is available only in blivet 3.1.7 and newer and we have only 3.1.3 in RHEL 7.
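An added example, not part of the thread and not blivet's code: a change-detection hash like the `md5_file("/proc/mounts")` call in the traceback, written so that a digest the crypto backend refuses (MD5 under FIPS raises `ValueError`) falls through to the next permitted algorithm. The function names and the sample mount line are assumptions made for the illustration, and this is not a reproduction of the change in blivet#825.

```python
import hashlib
import os
import tempfile

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # Linux kernel FIPS indicator


def fips_enabled(flag_path=FIPS_FLAG):
    """Return True when the kernel reports FIPS mode; False if the flag is absent."""
    try:
        with open(flag_path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def new_digest(preferred=("sha256",)):
    """Return (name, hash object) for the first algorithm the backend allows."""
    for name in preferred:
        try:
            return name, hashlib.new(name)
        except ValueError:
            # Unknown names and FIPS-disabled digests (the md5 case in the
            # traceback) both surface as ValueError, so try the next one.
            continue
    raise RuntimeError("no permitted digest among %r" % (preferred,))


def file_digest(path, preferred=("sha256",), chunk=65536):
    """Hash a file for change detection, e.g. a cached view of /proc/mounts."""
    name, h = new_digest(preferred)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return name, h.hexdigest()


def demo():
    # Constructed sample standing in for /proc/mounts content.
    sample = b"/dev/mapper/luks-test /opt/test1 xfs rw 0 0\n"
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, sample)
        os.close(fd)
        # "no-such-digest" is a constructed name that forces the fallback path.
        return file_digest(path, preferred=("no-such-digest", "sha256"))
    finally:
        os.remove(path)
```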
ok - then is this proposed fix ok?
Can test with FIPS by setting the environment variable SYSTEM_ROLES_TEST_FIPS=true before running the LUKS tests. Can set the LUKS cipher with SYSTEM_ROLES_LUKS_CIPHER - the default is aes-xts-plain64
Signed-off-by: Rich Megginson <rmeggins@redhat.com>