Server will not boot when fips=1 is in the kernel parameters and /boot is a separate partition.
This document (7016546) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
Federal Information Processing Standards (FIPS)
Situation
Errors observed:
"dracut: FATAL: FIPS integrity test failed"
"dracut: Refusing to continue"
The command mount | grep boot shows:
/dev/sda1 on /boot ...
/dev/sda2 on /boot/efi ...
Resolution
2 - Look for the fips=1 parameter and, right after it, add the parameter boot=/dev/<boot-partition> (e.g. /dev/sda1).
3 - Press F10 to boot.
To avoid this situation on subsequent boots, edit the /etc/default/grub file and add boot=/dev/<boot-partition> to the GRUB_CMDLINE_LINUX_DEFAULT variable. It will look like this:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/sda2 quiet splash=silent showopts fips=1 boot=/dev/sda1"
After that, run this command to regenerate the GRUB configuration: grub2-mkconfig -o /boot/grub2/grub.cfg
WARNING:
If mount | grep boot shows something like the following, it does NOT list a /boot partition by itself:
/dev/sda1 on /boot/efi ...
/dev/sda3 on /boot/grub2/i386-pc ...
/dev/sda3 on /boot/grub2/x86_64-efi ...
In that case, boot= will cause a server boot failure with the same FIPS errors. Only use the boot= option if you have a /boot partition that is separate from the /boot/efi partition.
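The check described in the Resolution and WARNING above can be scripted. The following is an added example, not code from SUSE or from this document; the function names and the sample mount tables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not SUSE's code: decide whether boot= belongs on a fips=1
# kernel command line, using the same test as `mount | grep boot`.

# Read `mount`-style lines ("DEV on MOUNTPOINT ...") from stdin and print the
# device mounted exactly on /boot. Returns 1 when /boot is not a mount point
# of its own (only /boot/efi or /boot/grub2/... are listed).
boot_device() {
    awk '$2 == "on" && $3 == "/boot" { print $1; found = 1; exit }
         END { exit !found }'
}

# $1 = kernel command line, stdin = mount table.
# Prints "add boot=DEV", "remove boot=" or "ok". Only the presence of a
# boot= parameter is checked, not its value.
check_fips_boot() {
    case " $1 " in
        *" fips=1 "*) ;;
        *) echo "ok"; return 0 ;;          # FIPS mode not requested
    esac
    has_boot=no
    case " $1 " in *" boot="*) has_boot=yes ;; esac
    if dev=$(boot_device); then            # separate /boot partition
        if [ "$has_boot" = yes ]; then echo "ok"; else echo "add boot=$dev"; fi
    else                                   # no separate /boot partition
        if [ "$has_boot" = yes ]; then echo "remove boot="; else echo "ok"; fi
    fi
}

# Constructed sample mount tables for the two layouts shown in this document.
SEPARATE_BOOT='/dev/sda1 on /boot type ext4 (rw,relatime)
/dev/sda2 on /boot/efi type vfat (rw,relatime)'
EFI_ONLY='/dev/sda1 on /boot/efi type vfat (rw,relatime)
/dev/sda3 on /boot/grub2/i386-pc type btrfs (rw,relatime)
/dev/sda3 on /boot/grub2/x86_64-efi type btrfs (rw,relatime)'

printf '%s\n' "$SEPARATE_BOOT" | check_fips_boot "quiet splash=silent fips=1"
printf '%s\n' "$EFI_ONLY" | check_fips_boot "quiet fips=1 boot=/dev/sda1"

# On a live system: mount | check_fips_boot "$(cat /proc/cmdline)"
```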
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7016546
- Creation Date: 29-May-2015
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com