Re: Ignore or blacklist a disk from being brought up on boot

Ok thank you, I'll check this when I get home. I've also got the
vmlinuz and .vmlinuz.hmac embedded in the initramfs, so hopefully that
will avoid the need when rdfips checks, but shouldn't
rd.fips.skipkernel prevent that even if the vmlinuz isn't embedded in
the initramfs?

On Thu, Aug 29, 2013 at 2:02 AM, Harald Hoyer <harald@xxxxxxxxxx> wrote:
> On 08/29/2013 10:35 AM, Benjamin Kingston wrote:
>> I'm playing around with fips at the moment and currently have kernel
>> fips off, to my knowledge the fips dracut module does nothing unless
>> kernel fips is on. Essentially I'm trying to get dracut to ignore the
>> boot partition device since all needed information to boot and unlock
>> (/etc/crypttab and the keyfile) are embedded in the initramfs. It
>> appears that upon dracut generating the initramfs image, it assumes
>> that the volume that boot is on is required to boot the system.
>>
>> I know the system unlocks the drive because if I allow systemd to
>> timeout while waiting for the volume UUID to appear, I can see the
>> LUKS volume in /dev/mapper in the dracut shell. Essentially the only
>> thing preventing the system from booting is the fact that there is a
>> systemd target that is requiring the boot partition to be made active
>> (not mounted, as far as I can tell by interrupting dracut pre-pivot
>> after unlocking the flash volume the 2nd time).
>>
>> I also had it working smoothly in Fedora 17 at one point, where it
>> would unlock the LUKS disk according to the embedded crypttab with the
>> embedded keyfile and boot the system without having to unlock the
>> flash drive just so systemd can see it. I'm not sure what could have
>> changed since Fedora 18 since my experience is in systems
>> administration rather than software development, so I really
>> appreciate you sharing some of your time.
>>
>
>
> Attached patch for /usr/bin/dracut should help to boot without the /boot device.
>
> The fips module on the other hand _requires_ having /boot and checking vmlinuz.