gurevichmark
commented
2 years ago @kjhee43 After adding fips to $dracutmodulelist in genimage and running genimage/packimage, does anything else need to be added to the image? I ran the genimage on RH8.4 x86 node where fips is not enabled.
I then tried chdef <node> addkcmdline=fips=1 and then rinstall the node with that image .
The console showed:
Starting dracut pre-udev hook...
[ 2.791191] dracut-pre-udev[249]: modprobe: ERROR: could not insert 'sha1_mb': No such device
[ 2.865332] dracut-pre-udev[249]: modprobe: ERROR: could not insert 'sha256_mb': No such device
[ 2.920812] alg: self-tests for sha512-generic (sha512) passed
[ 2.956034] alg: self-tests for sha384-generic (sha384) passed
[ 3.046229] dracut-pre-udev[249]: modprobe: ERROR: could not insert 'sha512_mb': No such device
[ 3.083392] alg: self-tests for sha3-224-generic (sha3-224) passed
[ 3.119172] alg: self-tests for sha3-256-generic (sha3-256) passed
[ 3.154726] alg: self-tests for sha3-384-generic (sha3-384) passed
[ 3.189836] alg: self-tests for sha3-512-generic (sha3-512) passed
[ 3.375248] dracut-pre-udev[249]: modprobe: ERROR: could not insert 'crc32c_intel': No such device
[ 3.447180] dracut-pre-udev[249]: modprobe: ERROR: could not insert 'crct10dif_pclmul': No such device
[ 3.522201] dracut-pre-udev[249]: modprobe: ERROR: could not insert 'ghash_clmulni_intel': No such device
[ 3.595673] alg: self-tests for des3_ede-generic (des3_ede) passed
[ 3.632991] alg: self-tests for des3_ede-asm (des3_ede) passed
[ 3.668177] alg: self-tests for ecb-des3_ede-asm (ecb(des3_ede)) passed
[ 3.703283] alg: self-tests for cbc-des3_ede-asm (cbc(des3_ede)) passed
[ 3.738525] alg: self-tests for ctr-des3_ede-asm (ctr(des3_ede)) passed
[ 3.824586] dracut-pre-udev[249]: modprobe: ERROR: could not insert 'padlock_aes': No such device
[ 4.027888] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[ 4.137212] alg: self-tests for sha1 (sha1) passedAnd then:
[ 30.323823] dracut: FATAL: FIPS integrity test failed
[ 30.323776] dracut-pre-pivot[753]: [ 30.325471] dracut: Refusing to continue
Warning: /boot//.vmlinuz-4.18.0-305.el8.x86_64.hmac does not exist
:
:
:
[ 30.973663] reboot: System halted
kjhee43
lmkrousenick
Currently, the list of modules/drivers to add to the initrd is hard coded in the genimage script. Currently,
/opt/xcat/share/xcat/netboot/rh/genimagereads
1148 my $dracutmodulelist = "xcat nfs base network kernel-modules syslog";I need to enable fips on my diskless rhel8 nodes. In rhel7, dracut-fips could be used, but dracut-fips no longer exists in rhel8. Therefore one of 2 methods needs to be used to enable fips for diskless in rhel8
Add a custom dracut.conf to the image. This, however, requires the image to be generated, then packed(assuming your custim dracut.conf is in your synclist), then the initrd generated again to ensure the custom dracut config is used during initrd generation
Modify genimage script directly and add fips on the hard coded line
1148 my $dracutmodulelist = "fips xcat nfs base network kernel-modules syslog";A built in way to modify this default list would simplify this process and allow for simpler updates in the future.