Server will not boot when fips=1 is in the kernel parameter and /boot is a separate partition.

  • 7016546
  • 29-May-2015
  • 25-Mar-2016

Environment

SUSE Linux Enterprise Server 12 (SLES 12)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
Federal Information Processing Standards (FIPS)

Situation

After installing the FIPS pattern and adding fips=1 to the kernel command line, the server will no longer boot. This only happens when /boot is a separate partition.

Errors observed:
"dracut: FATAL: FIPS integrity test failed"
"dracut: Refusing to continue"

The command mount | grep boot shows:
/dev/sda1 on /boot ...
/dev/sda2 on /boot/efi ...

Resolution

1 - Boot your server again; when the boot screen shows up, press 'e' to edit the boot options.

2 - Look for the fips=1 parameter and, right after it, add the parameter boot=/dev/<boot-partition> (e.g. /dev/sda1).

3 - Press F10 to boot.

To avoid this situation on future boots, edit the /etc/default/grub file and add boot=/dev/<boot-partition> to the GRUB_CMDLINE_LINUX_DEFAULT variable. It will look like this:

GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/sda2 quiet splash=silent showopts fips=1 boot=/dev/sda1"

After that, run grub2-mkconfig -o /boot/grub2/grub.cfg to regenerate the GRUB configuration so the change takes effect.

WARNING:

If mount | grep boot shows something like:

/dev/sda1 on /boot/efi ...
/dev/sda3 on /boot/grub2/i386-pc ...
/dev/sda3 on /boot/grub2/x86_64-efi ...

That output does NOT show a partition mounted at /boot itself; with such a layout, boot= causes a boot failure with the same FIPS errors. Only use the boot= option when /boot is a separate partition, distinct from the /boot/efi partition.
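The resolution and the warning above reduce to one decision: append boot=<device> next to fips=1 only when mount shows a filesystem mounted at /boot itself. The following POSIX shell script is an added example written for this article, not a SUSE tool or part of the TID. The function names (boot_device_from_mounts, add_boot_param, planned_cmdline) and the sample mount output are constructed for illustration; on a live system you would pass "$(mount)" and the current GRUB_CMDLINE_LINUX_DEFAULT value, and the script only computes the new value, it does not edit /etc/default/grub or run grub2-mkconfig.

```shell
#!/bin/sh
# Added example (not from the SUSE TID): decide whether a separate /boot partition
# exists and, only then, add boot=<device> right after fips=1 in the GRUB command line.

# Print the device mounted exactly at /boot, or nothing when /boot is not its own mount.
# $1: text in the format of `mount` output (use "$(mount)" on a live system).
boot_device_from_mounts() {
    printf '%s\n' "$1" | awk '$3 == "/boot" { print $1; exit }'
}

# Print the GRUB_CMDLINE_LINUX_DEFAULT value with boot=<dev> inserted after fips=1.
# $1: current value (the text inside the quotes); $2: device mounted at /boot.
# A value that already carries boot= is returned unchanged; so is one without fips=1,
# since boot= is only needed for the dracut FIPS integrity check.
add_boot_param() {
    value=$1
    dev=$2
    case " $value " in
        *" boot="*) printf '%s\n' "$value"; return 0 ;;
    esac
    printf '%s\n' "$value" | sed "s|fips=1|fips=1 boot=$dev|"
}

# Full decision. Exit 0 and print the new value when a separate /boot exists;
# exit 1 and print the value unchanged when it does not (the TID's WARNING case).
# $1: mount output; $2: current GRUB_CMDLINE_LINUX_DEFAULT value.
planned_cmdline() {
    mounts=$1
    value=$2
    dev=$(boot_device_from_mounts "$mounts")
    if [ -z "$dev" ]; then
        printf '%s\n' "$value"
        return 1
    fi
    add_boot_param "$value" "$dev"
}

# Constructed sample mount output for the two layouts the TID describes.
SEPARATE_BOOT='/dev/sda1 on /boot type ext4 (rw,relatime)
/dev/sda2 on /boot/efi type vfat (rw,relatime)'
NO_SEPARATE_BOOT='/dev/sda1 on /boot/efi type vfat (rw,relatime)
/dev/sda3 on /boot/grub2/i386-pc type btrfs (rw,relatime,subvol=/@/boot/grub2/i386-pc)
/dev/sda3 on /boot/grub2/x86_64-efi type btrfs (rw,relatime,subvol=/@/boot/grub2/x86_64-efi)'
CURRENT_VALUE='resume=/dev/sda2 quiet splash=silent showopts fips=1'

# Demo: run the decision for both constructed layouts.
if new=$(planned_cmdline "$SEPARATE_BOOT" "$CURRENT_VALUE"); then
    echo "separate /boot: GRUB_CMDLINE_LINUX_DEFAULT=\"$new\""
fi
if new=$(planned_cmdline "$NO_SEPARATE_BOOT" "$CURRENT_VALUE"); then
    echo "unexpected: boot= added without a separate /boot"
else
    echo "no separate /boot: leave boot= out, value stays \"$new\""
fi
```

Run it as-is to see both outcomes; on a real SLES 12 host replace the constructed samples with "$(mount)" and the value from /etc/default/grub, then regenerate grub.cfg with grub2-mkconfig exactly as the resolution says.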
