View Issue Details

ID: 0014855
Project: CentOS-7
Category: openscap
View Status: public
Last Update: 2018-09-20 19:00
Reporter: jthilo
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 7
Product Version: 7.5.1804
Target Version:
Fixed in Version:
Summary: 0014855: UEFI installation with Security Profile fails to boot
Description: When I deploy a CentOS 7.5 host (physical or virtual, from media or PXE) in UEFI mode with a Security Profile, installation completes but the host fails to boot successfully. Console output includes:

-------------------------------------------------------------------------------
dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue
Warning: /boot/.vmlinuz-3.10.0-862.el7.x86_64.hmac does not exist
-------------------------------------------------------------------------------

Steps To Reproduce: Boot the host in UEFI mode and select a security profile in the installer. Or, if using a kickstart configuration file, enable it there, e.g.:

%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_nist-800-171-cui
%end

After installation completes, the host will not reboot successfully.
Additional Information: I can remediate the problem thus:
* reboot
* use 'e' at the EFI GRUB menu to remove the "fips=1" parameter from the "linuxefi" line
* press Ctrl-x to boot
* log in as (or sudo to) root
* run "grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg"
* (optional) observe that /etc/grub2-efi.cfg is a valid symlink (to ../boot/efi/EFI/centos/grub.cfg)
* reboot

While performing these steps, I observe that /etc/grub2.cfg is a symbolic link to ../boot/grub2/grub.cfg (which does not exist in a UEFI installation) and /etc/grub2-efi.cfg does not exist. After I run grub2-mkconfig, /etc/grub2-efi.cfg is a symbolic link to ../boot/efi/EFI/centos/grub.cfg.

The configurations where I don't experience the problem include:

1. BIOS-based installation
2. Installing CentOS 7.4
3. UEFI-based installation with no security profile selected

I also observe that this broke some time during 7.4: if I kickstart with only 7.4 media the installation is successful, but if I enable the updates repository I experience the problem described above.

It seems that the OpenSCAP script(s) to modify the kernel parameters were modified during 7.4 and do not point to the correct partition. The "boot=" argument selects the EFI (/boot/efi) partition, whereas grub2-mkconfig correctly selects the /boot partition.
Tags: No tags attached.

Activities

Falk0n

2018-07-03 22:08

reporter ~0032170

I saw this same issue with a new installation using /boot on a separate partition and FIPS mode enabled. Selected the DoD STIG security profile. In addition, I had issues with LUKS not decrypting the LVM PV on boot.

Steps I used to remedy the LUKS and FIPS problems:
1. Boot system from CentOS media and enter rescue mode
2. Mount detected CentOS system image
3. chroot to mounted system image
4. Back up /etc/default/grub
5. Back up /boot/efi/EFI/centos/grub.cfg
6. Edit /etc/default/grub and add "rd.driver.post=drbg boot=/dev/sdaX" to the kernel command line where /dev/sdaX is the device name of the partition where /boot is mounted
7. Install dracut-fips-aesni package
8. Execute "dracut --force"
9. Execute grub2-mkconfig /boot/efi/EFI/centos/grub.cfg

My partition scheme is as follows:
/dev/sda1 => /boot/efi
/dev/sda2 => /boot
/dev/sda3 => LUKS encrypted LVM PV
   => /
   => swap
   => /home
   => /var
   => /var/log
   => /var/log/audit
   => /tmp

Hope this helps!
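Both the original description (boot= selecting the EFI System Partition instead of /boot) and Falk0n's step 6 (adding boot=/dev/sdaX for the partition mounted at /boot) come down to one consistency check: when fips=1 is on the kernel command line, boot= must name the device that is actually mounted at /boot, because that is where dracut-fips looks for /boot/.vmlinuz-VERSION.hmac. The following script is an added example, not code from the bug report, OpenSCAP or CentOS. The function names are my own, and the mount table and command lines are constructed samples modelled on the partition layout above; on a real host you would feed it "$(cat /proc/cmdline)" and "$(cat /proc/mounts)". The HMAC path format is taken from the warning quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or CentOS): verify that a kernel
# command line carrying fips=1 also carries a boot= argument that names the
# device mounted at /boot, and derive the HMAC file dracut-fips will check.
# All inputs below are constructed samples.

# Print the value of the first KEY= word on a kernel command line; fail if absent.
cmdline_value() {
    key=$1
    shift
    for word in $1; do
        case "$word" in
            "$key"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Print the source device of a mount point from a /proc/mounts-style table.
mount_source() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $1; exit }'
}

# The file dracut-fips verifies for a kernel image: /boot/.<image>.hmac
# (path format as in the "does not exist" warning quoted in the report).
hmac_path() {
    printf '/boot/.%s.hmac\n' "${1##*/}"
}

# Return 0 when fips=1 is absent or boot= names the /boot device;
# print a diagnosis and return 1 otherwise.
check_fips_boot() {
    cmdline=$1
    mounts=$2
    case " $cmdline " in
        *" fips=1 "*) ;;
        *) echo "fips=1 not set; nothing to verify"; return 0 ;;
    esac
    boot_arg=$(cmdline_value boot "$cmdline") || {
        echo "FAIL: fips=1 set but no boot= argument"
        return 1
    }
    boot_dev=$(mount_source "$mounts" /boot)
    efi_dev=$(mount_source "$mounts" /boot/efi)
    if [ "$boot_arg" = "$boot_dev" ]; then
        echo "OK: boot=$boot_arg is the /boot device"
        return 0
    fi
    if [ "$boot_arg" = "$efi_dev" ]; then
        echo "FAIL: boot=$boot_arg is the EFI System Partition, not /boot ($boot_dev)"
    else
        echo "FAIL: boot=$boot_arg is not the device mounted at /boot ($boot_dev)"
    fi
    return 1
}

# Constructed mount table for the layout described above: ESP on sda1, /boot on sda2.
MOUNTS='/dev/mapper/centos-root / xfs rw 0 0
/dev/sda2 /boot xfs rw 0 0
/dev/sda1 /boot/efi vfat rw 0 0'

KERNEL=/vmlinuz-3.10.0-862.el7.x86_64
# Constructed: boot= pointing at the ESP, as the report describes ...
BAD_CMDLINE="BOOT_IMAGE=$KERNEL root=/dev/mapper/centos-root ro fips=1 boot=/dev/sda1"
# ... and the corrected line, boot= pointing at the /boot partition.
GOOD_CMDLINE="BOOT_IMAGE=$KERNEL root=/dev/mapper/centos-root ro fips=1 boot=/dev/sda2"

for cl in "$BAD_CMDLINE" "$GOOD_CMDLINE"; do
    check_fips_boot "$cl" "$MOUNTS" || :
done
echo "dracut-fips will look for: $(hmac_path "$(cmdline_value BOOT_IMAGE "$GOOD_CMDLINE")")"
```

Running the script prints a FAIL line for the constructed command line that points boot= at /dev/sda1 (the ESP) and an OK line for the one that points at /dev/sda2. When regenerating the configuration after editing /etc/default/grub, note that grub2-mkconfig writes to standard output unless given -o, as in the reporter's own step "grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg".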
tgfruth1

2018-08-22 15:37

reporter ~0032569

Still broken after applying latest updates:

dracut-fips-033-535.el7_5.1.x86_64
dracut-033-535.el7_5.1.x86_64
dracut-fips-aesni-033-535.el7_5.1.x86_64
dracut-network-033-535.el7_5.1.x86_64
dracut-config-rescue-033-535.el7_5.1.x86_64

I'm wondering if the only way to get it to work is with MBR on legacy BIOS instead of GPT on UEFI. I'm using VMware 6.x, but I don't think the platform should matter. Maybe the new packages will work if installing from scratch. What frustrates me the most is that dracut says the hmac file doesn't exist, but if I edit GRUB on boot, removing fips=1, the system boots and I can run a directory listing and clearly see the file that dracut says doesn't exist.
brentil

2018-09-20 19:00

reporter ~0032766

I can confirm this is still happening with the latest CentOS 7 1804 ISO from the website (downloaded 2018.09.19). I can do normal installations but as soon as I apply the "DISA STIG for CentOS Linux 7" Security Policy this happens. Dell OptiPlex 3040 with UEFI with Secure Boot on or off. Make the machine Legacy BIOS and disable UEFI completely and it works.

dracut-pre-trigger[263]: modprobe: FATAL: Module sha1 not found.
dracut-pre-trigger[263]: Warning: /boot/.vmlinuz-3.10.0-862.el7.x86_64.hmac does not exist
dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue

As mentioned, hitting e on boot and removing fips=1 lets the machine boot, but an out-of-box configuration should work out of the box.

Issue History

Date Modified     Username  Field       Change
2018-05-23 13:35  jthilo    New Issue
2018-07-03 22:08  Falk0n    Note Added  0032170
2018-08-22 15:37  tgfruth1  Note Added  0032569
2018-09-20 19:00  brentil   Note Added  0032766