Server will not boot when fips=1 is in the kernel parameter and /boot is a separate partition.

This document (7016546) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 (SLES 12)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
Federal Information Processing Standards (FIPS)

Situation

After install FIPS pattern and add fips=1 in the kernel line, your server will not boot again. It will only happen if you are using a separate /boot partition

Errors observed:
"dracut: FATAL: FIPS integrity test failed"
"dracut: Refusing to continue"

The command mount | grep boot shows:
/dev/sda1 on /boot ...
/dev/sda2 on /boot/efi ...

Resolution

1 - Boot your server again; when boot screen shows up, press 'e' to edit boot options.

2 - Look for the fips=1 parameter and right after that add this parameter boot=/dev/<boot-partition> (i.e: /dev/sda1)

3 - Press F10 to boot.

 In order to avoid this situation. Please edit the /etc/default/grub file, and add boot=/dev/<boot-partition> to the GRUB_CMDLINE_LINUX_DEFAULT variable. It will look like that:

GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/sda2 quiet splash=silent showopts fips=1 boot=/dev/sda1"

 After that you need to execute this command grub2-mkconfig -o /boot/grub2/grub.cfg

WARNING:

If mount | grep boot shows something like:

/dev/sda1 on /boot/efi ...
/dev/sda3 on /boot/grub2/i386-pc ...
/dev/sda3 on /boot/grub2/x86_64-efi ...

It does NOT list a /boot partition by itself, then boot= will cause a server boot failure with the same FIPS errors. Only use the boot= option if you have a separate /boot partition from the /boot/efi partition.

Cause


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7016546
  • Creation Date: 29-May-2015
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center