SUSE / openSUSE: This forum is for the discussion of SUSE Linux.
sysctl.conf is not a shell script. It contains assignments as documented on the man page.
fips_enabled seems to be a read-only parameter. To set it, you need to boot the system with kernel parameter fips=1. However, this is not sufficient; see instructions at https://www.suse.com/support/kb/doc/?id=7023789 (this is for SLES, not OpenSUSE).
Last edited by berndbausch; 07-30-2019 at 01:27 AM.
Quote:
Originally Posted by berndbausch
fips_enabled seems to be a read-only parameter. To set it, you need to boot the system with kernel parameter fips=1. However, this is not sufficient; see instructions at https://www.suse.com/support/kb/doc/?id=7023789 (this is for SLES, not OpenSUSE).
Thanks, I've already read about SUSE Enterprise Server, and am now asking for a way to activate it on Leap as it is (even if partially) based on SLES.
I've downloaded all "fips related" modules from the standard repos and Packman, including dracut-fips ...
Last edited by eric.vanh; 07-30-2019 at 08:25 AM.
Reason: typo
MK (/proc/sys/) Crypto should be somewhere in there, as it has to be "mounted" (created, actually) at kernel boot,
and therefore fips_enabled is created at boot too,
and set to 1 thanks to the boot parameter fips=1 (which is useless as long as I don't have /crypto/fips_enabled).
I've set the boot parameter to fips=1 in YaST and rebooted.
I've seen two failures in the boot sequence code.
I'll give it some time and then will probably have to reboot -e to remove the fips=1 in the code.
Quote:
Edit /etc/default/grub and add fips=1 to the end of the line. If this system has a separate boot partition, it is REQUIRED to add boot=/dev/sda1 (use the correct path to your boot partition) or fips will fail and the system may not boot. In the following example, there is not a separate boot partition:
Here is my nano /etc/default/grub:
Indeed I didn't read carefully enough, thanks for pointing that out.
Code:
# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.
# Uncomment to set your own custom distributor. If you leave it unset or empty, the default
# policy is to determine the value from /etc/os-release
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent fips=1 resume=/dev/disk/by-uuid/e0221bcd-7f4a-4cbc-a14e-8719$
GRUB_CMDLINE_LINUX=""
# Uncomment to automatically save last booted menu entry in GRUB2 environment
# variable `saved_entry'
# GRUB_SAVEDEFAULT="true"
#Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
# GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
#Uncomment to disable graphical terminal (grub-pc only)
GRUB_TERMINAL="gfxterm"
# The resolution used on graphical terminal
#note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE="auto"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
# GRUB_DISABLE_LINUX_UUID=true
#Uncomment to disable generation of recovery mode menu entries
# GRUB_DISABLE_RECOVERY="true"
#Uncomment to get a beep at grub start
# GRUB_INIT_TUNE="480 440 1"
GRUB_BACKGROUND=
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="n"
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16"
# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.
# Uncomment to set your own custom distributor. If you leave it unset or empty, the default
# policy is to determine the value from /etc/os-release
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent resume=/dev/disk/by-uuid/e0221bcd-7f4a-4cbc-a14e-8719$ quiet mitigations=auto boot=/dev/sda1 fips=1"
GRUB_CMDLINE_LINUX=""
# Uncomment to automatically save last booted menu entry in GRUB2 environment
# variable `saved_entry'
# GRUB_SAVEDEFAULT="true"
#Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
# GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
#Uncomment to disable graphical terminal (grub-pc only)
GRUB_TERMINAL="gfxterm"
# The resolution used on graphical terminal
#note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE="auto"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
# GRUB_DISABLE_LINUX_UUID=true
#Uncomment to disable generation of recovery mode menu entries
# GRUB_DISABLE_RECOVERY="true"
#Uncomment to get a beep at grub start
# GRUB_INIT_TUNE="480 440 1"
GRUB_BACKGROUND=
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="n"
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16"
Last edited by eric.vanh; 07-30-2019 at 02:50 PM.
Reason: found my error
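The edit described in the KB excerpt, as an added shell example (this is not code from the thread, from SUSE, or from the KB article): it rewrites GRUB_CMDLINE_LINUX_DEFAULT in a /etc/default/grub-style file idempotently, so running it twice never yields "fips=1 fips=1" or two boot= devices, and an existing fips=0 is replaced by fips=1 instead of being left next to it. It assumes the file has exactly one GRUB_CMDLINE_LINUX_DEFAULT="..." line, as in the file posted above, and that grub2-mkconfig -o /boot/grub2/grub.cfg is run afterwards, as the file's own comment says. The demo file at the end is constructed, not a real system's grub defaults.

```shell
#!/bin/sh
# Added example (not from the thread, SUSE, or the KB article): make the
# /etc/default/grub change from the KB excerpt idempotently.
# Assumption: the file has exactly one GRUB_CMDLINE_LINUX_DEFAULT="..." line.

# grub_default_cmdline FILE -> prints the text between the quotes
grub_default_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# cmdline_set CURRENT PARAM -> prints CURRENT with PARAM appended, or with the
# token that shares PARAM's key (the part before '=') replaced by PARAM.
# So "fips=0 quiet" + "fips=1" becomes "fips=1 quiet", not "fips=0 quiet fips=1".
cmdline_set() {
    current=$1; param=$2; key=${param%%=*}; out=""; found=0
    for tok in $current; do
        if [ "${tok%%=*}" = "$key" ]; then
            tok=$param; found=1
        fi
        out="${out:+$out }$tok"
    done
    [ "$found" = 1 ] || out="${out:+$out }$param"
    printf '%s\n' "$out"
}

# grub_enable_fips FILE BOOTDEV -> rewrites FILE in place. BOOTDEV is the
# separate /boot partition (e.g. /dev/sda1) or empty when /boot lives on /.
grub_enable_fips() {
    file=$1; bootdev=$2
    cmdline=$(grub_default_cmdline "$file")
    if [ -n "$bootdev" ]; then
        cmdline=$(cmdline_set "$cmdline" "boot=$bootdev")
    fi
    cmdline=$(cmdline_set "$cmdline" "fips=1")
    # escape the characters that are special in a sed replacement: / & \
    esc=$(printf '%s' "$cmdline" | sed 's/[\/&\\]/\\&/g')
    sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=".*"$/GRUB_CMDLINE_LINUX_DEFAULT="'"$esc"'"/' "$file"
}

# Demo on a constructed copy, never on the real /etc/default/grub:
demo=$(mktemp)
printf '%s\n' 'GRUB_TIMEOUT=8' \
    'GRUB_CMDLINE_LINUX_DEFAULT="splash=silent quiet mitigations=auto fips=0"' \
    'GRUB_CMDLINE_LINUX=""' > "$demo"
grub_enable_fips "$demo" /dev/sda1
grub_enable_fips "$demo" /dev/sda1     # second run changes nothing
grep '^GRUB_CMDLINE_LINUX_DEFAULT' "$demo"
rm -f "$demo"
# On a real system the file's own comment then applies:
#   grub2-mkconfig -o /boot/grub2/grub.cfg
```

Pass an empty BOOTDEV when /boot is not a separate partition; the KB text quoted above is explicit that with a separate /boot the boot= parameter is required, because the FIPS integrity check has to find the kernel's .hmac file before the root filesystem is mounted.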
Quote:
Originally Posted by eric.vanh
Failed to apply kernel ... something (goes too fast to read it all)
If this is a kernel message, you should see it in the message buffer (the dmesg command). You may also want to remove the splash and quiet options from the Linux command line so that you get more information (however in your case it may be counterproductive, since you seem to get too much information already).
Before we continue, allow me to ask: Is this a correct summary of your problem?
You include fips=1 and boot=/dev/sda1 in the Linux command line, but:
After booting, fips_enabled is 0
At boot time, you seem to get an error message that you think is related to FIPS, but you can't read it fully
Last edited by berndbausch; 07-30-2019 at 06:04 PM.
Quote:
Originally Posted by berndbausch
If this is a kernel message, you should see it in the message buffer (the dmesg command). You may also want to remove the splash and quiet options from the Linux command line so that you get more information (however in your case it may be counterproductive, since you seem to get too much information already).
I will, at least to make sure the (red) message is indeed related to crypto (fips=1).
Quote:
Originally Posted by berndbausch
Before we continue, allow me to ask: Is this a correct summary of your problem?
You include fips=1 and boot=/dev/sda1 in the Linux command line, but:
Yes.
Quote:
Originally Posted by berndbausch
After booting, fips_enabled is 0
No, I don't have /proc/sys/fips_enabled created, as the system doesn't boot (I have to -e at boot and set fips=0 in order to be able to boot).
Quote:
Originally Posted by berndbausch
At boot time, you seem to get an error message that you think is related to FIPS, but you can't read it fully
Yes, and since the system boots when I set fips=0, I take it the boot failure is due to fips=1.
I removed the splash and quiet options.
I still can't read (too fast) the "red" error message.
The bash screen then stops and I can read the bottom:
Code:
Starting dracut pre-pivot and cleanup hook...
888 dracut: FATAL: FIPS integrity test failed
888 dracut: Refusing to continue
888 dracut:-pre-pivot(435): Warning: /boot/.vmlinuz-4.12(...)-default.hmac does not exist
888 systemd-shutdown:
....
888 stoping disk
888 reboot: System halted
Once I -e the grub code to change fips=1 to fips=0,
then I can boot,
and dmesg shows me some errors (about one of my partitions in FAT) but no "red" error message, and nothing about crypto or fips.
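What dracut-fips is actually checking, as an added shell example (not code from the thread, from SUSE, or from dracut): the FATAL line in the console output above is dracut refusing to pivot to the root filesystem because /boot/.vmlinuz-<version>.hmac is missing. That sidecar holds the HMAC of the kernel image, is produced when the kernel package is built and installed next to the image, and is verified by the fips module before pivot; neither fips=1 nor dracut-fips creates it, and with a separate /boot the boot= parameter is what lets dracut mount the partition to read it. The pre-flight below reproduces those checks from a booted system, so the failure can be diagnosed without trying to read a red message that scrolls past. Assumed names: the kernel image is BOOTDIR/vmlinuz-KVER and the sidecar BOOTDIR/.vmlinuz-KVER.hmac (the names in the dracut warning above); the HMAC comparison uses sha512hmac -c with a path relative to BOOTDIR and is only run when that tool is installed. The demo /boot directory and the kernel version 4.12.0-example are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, SUSE, or dracut): pre-flight checks for
# booting with fips=1, mirroring what dracut's fips module needs before it
# will continue. Assumed layout: BOOTDIR/vmlinuz-KVER + BOOTDIR/.vmlinuz-KVER.hmac.

# has_param CMDLINE NAME -> success if NAME or NAME=value is a whole token
has_param() {
    for tok in $1; do
        case $tok in "$2"|"$2"=*) return 0 ;; esac
    done
    return 1
}

# param_value CMDLINE NAME -> prints the value of NAME=value (nothing if absent)
param_value() {
    for tok in $1; do
        case $tok in "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    return 1
}

# fips_preflight CMDLINE BOOTDIR KVER SEPARATE_BOOT
#   SEPARATE_BOOT is 1 when /boot is its own partition (boot=<dev> then required).
#   Prints one line per problem; the return status is the number of problems.
fips_preflight() {
    cmdline=$1; bootdir=$2; kver=$3; separate_boot=$4; n=0
    if [ "$(param_value "$cmdline" fips)" != 1 ]; then
        echo "MISSING: fips=1 is not on the kernel command line"; n=$((n+1))
    fi
    if [ "$separate_boot" = 1 ] && ! has_param "$cmdline" boot; then
        echo "MISSING: /boot is a separate partition but there is no boot=<device>"; n=$((n+1))
    fi
    if [ ! -f "$bootdir/vmlinuz-$kver" ]; then
        echo "MISSING: $bootdir/vmlinuz-$kver"; n=$((n+1))
    fi
    if [ ! -f "$bootdir/.vmlinuz-$kver.hmac" ]; then
        echo "MISSING: $bootdir/.vmlinuz-$kver.hmac (dracut-fips refuses to continue without it)"; n=$((n+1))
    fi
    return $n
}

# fips_verify_kernel BOOTDIR KVER -> the HMAC comparison dracut performs.
#   Assumption: sha512hmac -c with the sidecar path relative to BOOTDIR.
#   Returns 2 (skipped) when the tool is not installed.
fips_verify_kernel() {
    command -v sha512hmac >/dev/null 2>&1 || return 2
    ( cd "$1" && sha512hmac -c ".vmlinuz-$2.hmac" )
}

# fips_enabled_now -> the live kernel state, or "absent" when the sysctl is
# not there at all (fips=1 was never honoured).
fips_enabled_now() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo absent
    fi
}

# Demo on a constructed /boot with a kernel but no .hmac sidecar, run against
# the two command lines from the thread.
demo_dir=$(mktemp -d)
: > "$demo_dir/vmlinuz-4.12.0-example"
for cl in "splash=silent fips=1 quiet" "splash=silent quiet boot=/dev/sda1 fips=1"; do
    echo "== $cl"
    if fips_preflight "$cl" "$demo_dir" 4.12.0-example 1; then
        echo "OK: dracut-fips should get past its integrity check"
    else
        echo "$? problem(s) found"
    fi
done
echo "live fips_enabled: $(fips_enabled_now)"
rm -rf "$demo_dir"
```

On a real system call fips_preflight "$(cat /proc/cmdline)" /boot "$(uname -r)" 1 (or 0 when /boot is not separate), then fips_verify_kernel /boot "$(uname -r)" to check that the sidecar that exists also matches the installed image; a kernel without a sidecar will fail the first check exactly as the dracut output above shows, whatever the GRUB line says.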