Server will not boot when fips=1 is in the kernel parameter and /boot is a separate partition.
This document (7016546) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
Federal Information Processing Standards (FIPS)
"dracut: FATAL: FIPS integrity test failed"
"dracut: Refusing to continue"
The command mount | grep boot shows:
/dev/sda1 on /boot ...
/dev/sda2 on /boot/efi ...
2 - Look for the fips=1 parameter and right after that add this parameter boot=/dev/<boot-partition> (i.e: /dev/sda1)
3 - Press F10 to boot.
In order to avoid this situation. Please edit the /etc/default/grub file, and add boot=/dev/<boot-partition> to the GRUB_CMDLINE_LINUX_DEFAULT variable. It will look like that:
GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/sda2 quiet splash=silent showopts fips=1 boot=/dev/sda1"
After that you need to execute this command grub2-mkconfig -o /boot/grub2/grub.cfg
If mount | grep boot shows something like:
/dev/sda1 on /boot/efi ...
/dev/sda3 on /boot/grub2/i386-pc ...
/dev/sda3 on /boot/grub2/x86_64-efi ...
It does NOT list a /boot partition by itself, then boot= will cause a server boot failure with the same FIPS errors. Only use the boot= option if you have a separate /boot partition from the /boot/efi partition.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7016546
- Creation Date: 29-May-2015
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: firstname.lastname@example.org