On 08/29/2013 10:35 AM, Benjamin Kingston wrote:
> I'm playing around with fips at the moment and currently have kernel
> fips off; to my knowledge the fips dracut module does nothing unless
> kernel fips is on. Essentially I'm trying to get dracut to ignore the
> boot partition device since all needed information to boot and unlock
> (/etc/crypttab and the keyfile) is embedded in the initramfs. It
> appears that upon dracut generating the initramfs image, it assumes
> that the volume that boot is on is required to boot the system.
>
> I know the system unlocks the drive because if I allow systemd to
> time out while waiting for the volume UUID to appear, I can see the
> LUKS volume in /dev/mapper in the dracut shell. Essentially the only
> thing preventing the system from booting is the fact that there is a
> systemd target that is requiring the boot partition to be made active
> (not mounted, as far as I can tell by interrupting dracut pre-pivot
> after unlocking the flash volume the 2nd time).
>
> I also had it working smoothly in fedora 17 at one point, where it
> would unlock the luks disk according to the embedded crypttab with the
> embedded keyfile and boot the system without having to unlock the
> flash drive just so systemd can see it. I'm not sure what could have
> changed since fedora 18 since my experience is in systems
> administration rather than software development, so I really
> appreciate you sharing some of your time.
>

Attached patch for /usr/bin/dracut should help to boot without the /boot device. The fips module on the other hand _requires_ having /boot and checking vmlinuz.
diff --git a/dracut.sh b/dracut.sh index 7481ac0..8ee40a3 100755 --- a/dracut.sh +++ b/dracut.sh @@ -838,7 +838,7 @@ if [[ $hostonly ]]; then "/usr/sbin" \ "/usr/lib" \ "/usr/lib64" \ - "/boot"; + ; do mountpoint "$mp" >/dev/null 2>&1 || continue push host_devs $(readlink -f "/dev/block/$(find_block_device "$mp")")
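Review bot: the hunk drops "/boot" from the hostonly mount-point list unconditionally, while the reply above states that the fips module requires having /boot to check vmlinuz; after this change a hostonly image built for a fips-enabled system no longer records the /boot block device in host_devs, so it may no longer wait for that device at boot. Consider keeping "/boot" in the list when the fips module is included, or at least stating the behaviour change in the commit message. Minor style point: replacing `"/boot";` with a bare `;` after `"/usr/lib64" \` leaves a dangling line continuation; ending the previous entry as `"/usr/lib64";` reads more cleanly.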