Kernel panic after making Red Hat Enterprise Linux 6 FIPS 140-2 compliant.

Environment

• Red Hat Enterprise Linux 6
• kernel-2.6.32-358.0.1.el6.x86_64
• FIPS 140-2 compliant

Issue

• Kernel panic with following error messages on console.

dracut: Mounted root filesystem /dev/vda3
dracut: Checking integrity of kernel
dracut Warning: /boot/.vmlinuz-2.6.32-358.0.1.el6.x86_64.hmac does not exist
dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue
dracut Warning: Signal caught!

dracut Warning: dracut: FATAL: FIPS integrity test failed
dracut Warning: dracut: Refusing to continue
Kernle panic - not syncing: Attempted to kill init !
pid: 1, comm: init Not tainted 2.6.32-358.0.1.el6.x86_64 #1
Call Trace:
[<ffffffff8150d0a8>] ? panic+0xa7/0x16f
[<ffffffff81073ae2>] ? do_exit+0x862/0x870
[<ffffffff81182965>] ? fput+0x25/0x30
[<ffffffff81073b48>] ? do_group_exit+0x58/0xd0
[<ffffffff81073bd7>] ? sys_exit_group+0x17/0x20
[<ffffffff8100b072>] ? system_call_fastpath+0x16/0x1b

Resolution

• Add kernel parameter "boot= partition of /boot" at the end of kernel line in /boot/grub/grub.conf file.
  Eg:

# vim /boot/grub/grub.conf 
         kernel /vmlinuz-2.6.32-358.0.1.el6.x86_64 ro root=UUID=0bca468a-ec14-4a4d-85c4-41b4683f3c15 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto fips=1 boot=/dev/vda1 <<<-----

Root Cause

• Kernel parameter "boot= partition of /boot " is not set at the end of kernel line in /boot/grub/grub.conf file.

# grep "fips" /boot/grub/grub.conf 
	kernel /vmlinuz-2.6.32-358.0.1.el6.x86_64 ro root=UUID=0bca468a-ec14-4a4d-85c4-41b4683f3c15 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto fips=1   

• On a FIPS 140-2 compliant Red Hat Enterprise Linux 6 system, if /boot or /boot/efi resides on a separate partition then the kernel parameter "boot= partition of /boot " must be added at the end of kernel line in /boot/grub/grub.conf file.

Diagnostic Steps

• Check whether /boot or /boot/efi resides on a separate partition.
  Eg:

# grep boot /proc/mounts 
/dev/vda1 on /boot type ext4 (rw)

• Check and verify "fips" and "boot" kernel parameters in /boot/grub/grub.conf file.
  Eg:

# grep "fips" /boot/grub/grub.conf 
	kernel /vmlinuz-2.6.32-358.0.1.el6.x86_64 ro root=UUID=0bca468a-ec14-4a4d-85c4-41b4683f3c15 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto fips=1   

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.