RHEL8.1 + FIPS: Clevis fails to automatically unlock devices at boot with the message "JWE is missing the required 'clevis.pin' header property!"

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 8.1
    • Clevis
    • LUKS1
    • FIPS

Issue

  • After upgrading a Clevis-enabled system from RHEL8.0 to RHEL8.1, or installing a new RHEL8.1 system with Clevis and FIPS mode enabled, the LUKS devices are not unlocked automatically at boot and the following message is printed on the console

    JWE is missing the required 'clevis.pin' header property!
    

Resolution

  • RHEL8.1.z: Upgrade luksmeta to 9-3.el8_1.1 (released with RHBA-2020:1357) or later, which contains the fix for this issue.
  • RHEL8.2: Upgrade luksmeta to 9-4.el8 (released with RHBA-2020:1695) or later, which contains the fix for this issue. The fix is part of RHEL8.2 GA and later; the issue was investigated in BZ 1770395.

Workaround

  1. Edit line 61 of /usr/libexec/clevis-luks-askpass as shown below, piping the output of luksmeta load through tail -n 1 so that only the last line (the stored JWE) reaches clevis decrypt. This is a package-owned file, so a later package update overwrites the edit; the workaround is only needed until the fixed luksmeta is installed.

    • Original line

      if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
      
    • Modified line

      if pt="`luksmeta load -d $d -s $slot -u $UUID | tail -n 1 | clevis decrypt`"; then
      
  2. Create the dracut drop-in configuration file /etc/dracut.conf.d/99-kcs4570501.conf as shown below, so that dracut copies the tail binary into the initramfs, where the modified script runs

    # echo 'install_items+=" tail"' > /etc/dracut.conf.d/99-kcs4570501.conf
    
  3. Rebuild the initramfs

    # dracut -f --regenerate-all
    

Root Cause

  • A bug in the libcryptsetup library makes it print the message Running in FIPS mode. to standard output whenever the system runs in FIPS mode. luksmeta load therefore emits this line in front of the JWE it is asked to print, and clevis decrypt, which reads its standard input as a compact JWE, cannot parse the banner and fails with the missing 'clevis.pin' header error. Any tool that parses the standard output of luksmeta is affected in the same way.

Diagnostic Steps

  • Verify that the system is running in FIPS mode (expected return code value is 0)

    # fips-mode-setup --is-enabled; echo $?
    0
    
  • Verify that the libcryptsetup library prints the Running in FIPS mode. message on standard output (grep only sees standard output, so a match confirms the message is not going to standard error, where it would be harmless)

    # luksmeta show -d /dev/rhel/00 | grep FIPS
    Running in FIPS mode.
    

    In the example above, the LUKS1 device is the LVM logical volume 00 in the volume group rhel.
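The following script is an added example and is not part of the original article or of the Clevis project; it scripts the three-step Workaround above and generalises the Diagnostic Steps. Every function takes the file or directory it touches as an argument, so the procedure can be rehearsed on a copy of /usr/libexec/clevis-luks-askpass before it is run as root against the real paths. The .orig backup name, the apply_workaround wrapper and the fips_banner_on_stdout helper are this example's own conventions and assumptions, not something the article prescribes.

```bash
#!/bin/bash
# Added example (not from the KCS article): scripted form of the workaround,
# plus the diagnostic check for the FIPS banner on standard output.
# Rehearse on a copy first; the default paths are the real ones from the article.

ASKPASS_DEFAULT=/usr/libexec/clevis-luks-askpass
DRACUT_DIR_DEFAULT=/etc/dracut.conf.d

# Return 0 while the unlock line still pipes luksmeta load straight into clevis decrypt.
needs_patch() {
    grep -qF 'luksmeta load -d $d -s $slot -u $UUID | clevis decrypt' "$1"
}

# Step 1: insert "| tail -n 1" between luksmeta load and clevis decrypt.
# Idempotent: a second run finds nothing to change and leaves the file alone.
patch_askpass() {
    local f=$1
    needs_patch "$f" || return 0
    cp -p "$f" "$f.orig"          # backup name is this example's choice (assumption)
    sed -i 's/\(luksmeta load -d \$d -s \$slot -u \$UUID\) | clevis decrypt/\1 | tail -n 1 | clevis decrypt/' "$f"
    # Fail loudly if the expected modified line is not present afterwards.
    grep -qF 'luksmeta load -d $d -s $slot -u $UUID | tail -n 1 | clevis decrypt' "$f"
}

# Step 2: drop-in that makes dracut ship the tail binary into the initramfs,
# where the patched askpass script runs; the file name is the one the article uses.
write_dracut_dropin() {
    local dir=$1
    mkdir -p "$dir"
    printf 'install_items+=" tail"\n' > "$dir/99-kcs4570501.conf"
}

# Steps 1-3 against the real paths (or the ones given); run as root.
apply_workaround() {
    patch_askpass "${1:-$ASKPASS_DEFAULT}"
    write_dracut_dropin "${2:-$DRACUT_DIR_DEFAULT}"
    dracut -f --regenerate-all
}

# Why tail -n 1 is enough: in FIPS mode luksmeta load emits the banner first and
# the stored token last, and a Clevis token is a single-line compact JWE, so the
# last line is exactly what clevis decrypt must receive.
extract_jwe() {
    printf '%s\n' "$1" | tail -n 1
}

# Diagnostic from the article, generalised: run the given command and report
# whether the FIPS banner appears on *standard output*. stderr is discarded, so a
# banner on stderr (which would not break the pipeline) gives a non-zero result.
#   fips_banner_on_stdout luksmeta show -d /dev/rhel/00
fips_banner_on_stdout() {
    "$@" 2>/dev/null | grep -qxF 'Running in FIPS mode.'
}
```

To rehearse, copy the real script somewhere writable, run `patch_askpass` on the copy and inspect the result before calling `apply_workaround` as root; `apply_workaround` ends with the same `dracut -f --regenerate-all` as step 3.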


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.