FIPS 140-2 Kernel fails to boot

Issue:
Fresh install of SLES 15 on x86_64 hardware using ‘SLE-15-SP1-Installer-DVD-x86_64-QU2-DVD2.iso’ install media from a few days ago. Registered during install and packages were also updated during install. FIPS 140-2 pattern was selected at install under Software Details. Grub Bootloader adjusted to reflect fips=1 for kernel. Everything updates and installs fine. Upon reboot, system halts. Why? Several dracut modprobe errors state that modules are missing for aes_s390 des_s390 and ghash_s390 (all state modules not found in directory /lib/modules/4.12.14-197.34-default/). A fourth dracut modprobe error states that sha1-mb module can’t load. Fatal fips integrity error is next, then system is halted. (Please Note, there is no separate boot partition, we’ve run into that issue as well in the past but this is a different issue).

Question:
Why would x86_64 kernel fips-1 mode require s390 encryption modules?

Did you read the FIPS 140-2 Security Policies for SLES15?

https://forums.suse.com/showthread.php?12171-Loading-graphical-environment-is-slow-when-FIPS-is-enabled&p=52864#post52864

https://forums.suse.com/showthread.php?13161-systemd-gets-stuck-with-FIPS-enabled&p=56436#post56436

Hi AndreasMeyer,

Thanks for the response. I’m aware SLES 15 is not yet validated for FIPS 140-2 and I’m not sure how your SLED 12 thread applies here. FIPS mode has been possible for SLES 15 without validation since GA. We know validation is in process and that’s acceptable for some compliance scenarios (although SUSE better hurry, at their current pace they may not make the 140-2 deadline and they’ll have to go through the new FIPS 140-3). So what’s changed? From the SLES 15 GA Release Notes;

[QUOTE]7.5 Security

7.5.1 libica Supports FIPS 140-2 Mode

The FIPS PUB 140-2 Security Requirements for Cryptographic Modules specify that cryptographic modules in FIPS mode must only use NIST-approved algorithms and perform integrity checks and a self-test upon activation.

In SLES 15, libica is enabled for FIPS 140-2 certification and supports a FIPS mode. To enable this mode, add the boot parameter fips=1 which will set the flag /proc/sys/crypto/fips_enabled to 1
[/QUOTE]

For an exercise, I decided to try the same procedure on a new SLES 12 SP5 system. Interestingly, the exact same errors appear!

Same kernel is in use between SLES 15 SP1 and SLES 12 SP5 - 4.12.14-122.17-default

FIPS mode seems to be broken everywhere…

?

Just to clean this up, the issue was a bug (multiple actually). A patch applied this morning to dracut under SLES 15 SP1 (also available for SLES 12 SP4/5) fixes it all;

Reference https://www.suse.com/support/update/announcement/2020/suse-ru-20200662-1/

[QUOTE]SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

dracut-044.2-18.51.1
dracut-debuginfo-044.2-18.51.1
dracut-debugsource-044.2-18.51.1
dracut-fips-044.2-18.51.1
dracut-ima-044.2-18.51.1

[/QUOTE]