oravirt/ansible-oracle

cvuqdisk doesn't install on FIPS-enabled system

ThiloSolbrig opened this issue · 5 comments

cvuqdisk.rpm is missing a few digests and thus doesn't install on FIPS-enabled systems. Use rpm as a workaround.

```
# rpm --checksig --verbose /u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm
/u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm:
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    MD5 digest: NOTFOUND
# fips-mode-setup --check
FIPS mode is enabled.
# yum -y install /u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm
Last metadata expiration check: 0:36:11 ago on Tue 16 Apr 2024 07:17:46 PM CEST.
Dependencies resolved.
=============================================================================================================================================================
 Package                              Architecture                       Version                              Repository                                Size
=============================================================================================================================================================
Installing:
 cvuqdisk                             x86_64                             1.0.10-1                             @commandline                              11 k

Transaction Summary
=============================================================================================================================================================
Install  1 Package

Total size: 11 k
Installed size: 22 k
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Error: Transaction test error:
  package cvuqdisk-1.0.10-1.x86_64 does not verify: no digest
```

Going to provide a fix shortly.
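
An added example, not part of the issue thread or the ansible-oracle project: a preflight check that reads `rpm --checksig --verbose` output like that quoted in the report and fails when no SHA-2 digest verified. The function names, the rule that at least one SHA-256 or stronger digest must be `OK`, and the second sample are assumptions of this example.

```shell
# Added example. Assumption: a package passes the transaction test on a FIPS
# system only if rpm reports at least one SHA-256 (or stronger) digest as OK.

# Reduce `rpm --checksig --verbose` output (stdin) to "name|status" per digest.
digest_report() {
    awk -F': *' '/ digest:/ {
        name = $1; sub(/^[ \t]+/, "", name)
        status = $2; sub(/[ \t\r]+$/, "", status)
        print name "|" status
    }'
}

# Exit 0 if a SHA-2 digest verified; list every digest that did not verify.
fips_digest_ok() {
    digest_report | awk -F'|' '
        $1 ~ /SHA(256|384|512)/ && $2 == "OK" { strong = 1 }
        $2 != "OK" { printf "unverified: %s (%s)\n", $1, $2 }
        END { exit (strong ? 0 : 1) }'
}

# Output quoted in the issue for cvuqdisk-1.0.10-1.rpm.
sample_from_issue() { cat <<'EOF'
/u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm:
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    MD5 digest: NOTFOUND
EOF
}

# Constructed sample: a package that carries SHA-256 digests.
sample_constructed_ok() { cat <<'EOF'
/tmp/example-1.0-1.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: NOTFOUND
EOF
}

# Usage: sh check_digests.sh /path/to/package.rpm
if [ "$#" -gt 0 ] && [ -f "$1" ]; then
    rpm --checksig --verbose "$1" | fips_digest_ok || exit 1
fi
```

Run against the package file before the `yum install` step; a non-zero exit means the package should take the `rpm` workaround path mentioned in the report.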

Hi Thilo,
I tried to reproduce the issue but can't find the correct FIPS setup.

```
yum-config-manager --enable ol7_security_validation
yum install -y dracut-fips dracut-fips-aesni

dracut -f
```

Add fips=1 to grub /etc/default/grub

```
grub2-mkconfig -o /boot/grub2/grub.cfg
```

Reboot system.

```
cat /proc/sys/crypto/fips_enabled
1
ansible all -m setup  | grep ansible_fips
        "ansible_fips": true,
```

I can install the RPM with yum without any problem.
Do you know what I skipped in my test setup?

Hi Thorsten,
what does `fips-mode-setup --check` return for your test setup? If it's not `FIPS mode is enabled.`, there likely isn't a fully FIPS-enabled system. In my opinion, FIPS mode should better be enabled by `fips-mode-setup --enable`. Also, I'm not sure if the rpm fails on OEL7, too. I had this issue with OEL8 and OEL9.

This issue is stale because it has been open for 30 days with no activity. Auto close in 30 days.