0000155: Cannot boot after finished minimal installations with NIST 800-171 policy - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0000155	AlmaLinux-8	-OTHER	public	2021-11-19 06:54	2021-11-22 08:56

Reporter	nikk2000	Assigned To
Priority	normal	Severity	block	Reproducibility	always
Status	new	Resolution	open
Platform	x86_64	OS	AlmaLinux	OS Version	8.5

Summary	0000155: Cannot boot after finished minimal installations with NIST 800-171 policy
Description	After finished installations, boot failed because modprobe is blocked.
Steps To Reproduce	1) Minimal installations 2) Use LVM partitions 3) Use NIST 800-171 security policy
Tags	boot
Attached Files	Screenshot_20211119_141112.png (32,186 bytes) Screenshot_20211119_141112.png (32,186 bytes)

abrt_hash
URL

nikk2000 2021-11-19 10:21 reporter ~0000406	I have tried disable fapolicyd and SELinux (by mounting and editing config files), but still cannot boot.

nikk2000 2021-11-20 09:20 reporter ~0000407	I guess boot got lockup because I don't have TPM module. I have tested on machines with TPM module and found no issues.

nikk2000 2021-11-20 20:32 reporter ~0000408	I've just found the problem, I need to remove `fips=1` from kernel option. Also I already have HMAC file in /boot/. Perhaps, AMD Ryzen 2700 doesn't support FIPS? Because Intel Core i7-10750H boot just fine with `fips=1`. Probably related to: * https://almalinux.discourse.group/t/kernel-4-18-0-240-22-1-with-fips-1-will-not-boot/88

alukoshko 2021-11-22 08:38 administrator ~0000409	Hello. Thanks for report and investigation. No, it's not related to issues with 4.18.0-240.22.1, that was broken kernel version and since then all kernel versions are checked to not repeat that problem. Usually we ask to check on CentOS or RHEL to find out if this AlmaLinux specific or upstream problem. If it's upstream one then the best option would be check on CentOS Stream to find out if the problem is fixed already. If not, then you can open a bug to CentOS Stream bugzilla: https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%208&version=CentOS%20Stream Of course it's up to you. But it would be great if you could check it because working with CentOS Stream bugs helps the whole EL community.

nikk2000 2021-11-22 08:56 reporter ~0000410	You're welcome. Thank you for reply. Noted, I'll try and check on CentOS Stream.

Date Modified	Username	Field	Change
2021-11-19 06:54	nikk2000	New Issue
2021-11-19 06:54	nikk2000	Tag Attached: boot
2021-11-19 06:54	nikk2000	File Added: Screenshot_20211119_141112.png
2021-11-19 10:21	nikk2000	Note Added: 0000406
2021-11-20 09:20	nikk2000	Note Added: 0000407
2021-11-20 20:32	nikk2000	Note Added: 0000408
2021-11-22 08:38	alukoshko	Note Added: 0000409
2021-11-22 08:56	nikk2000	Note Added: 0000410