When would dracut not include /usr/lib/dracut/.hmac files?

Just a prelim question here, still putting together the test case. This applies primarily to building initrd or initramfs images that will load with fips and selinux enabled.

I was under the impression that, after the merger of dracut-fips into dracut, the .hmac checksums would always get included in any initrd or initramfs build. Anyone know of any cases where dracut would include, say, /usr/lib/dracut/lib[ssl,crypto]* but not include /usr/lib/dracut/*.hmac* ?

By way of example, the following three pxe image trees have the same customizations, no grub, and fips enabled. In a local chroot (bindmounted /sys and /proc, temporary random/urandom node) they dracut a new initramfs with the same command line and the latest kernel. The two EL7 images install dracut and dracut-fips. The EL8 image only installs dracut, dracut-fips no longer being a standalone package. The EL7 dracuts include both the sha512hmac helper utility and the hmac checksums for libcrypto and libssl, which in turn must pass fipscheck when dracut cranks up in preinit during pxeboot. The EL8 image doesn’t get any HMAC support.

[root@admin ~]# lsinitrd /var/image/phoenix/20220211-compute-gtx1080.x86_64.el8/rootfs/boot/initramfs-4.18.0-348.20.1.el8_5.x86_64.img |grep -E 'libcrypto|libssl|hmac'
-rwxr-xr-x 1 root root 3079016 Nov 9 09:43 usr/lib64/libcrypto.so.1.1.1k
lrwxrwxrwx 1 root root 19 Nov 9 09:43 usr/lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1k
-rwxr-xr-x 1 root root 615144 Nov 9 09:43 usr/lib64/libssl.so.1.1.1k
lrwxrwxrwx 1 root root 16 Nov 9 09:43 usr/lib64/libssl.so.1.1 -> libssl.so.1.1.1k

[root@admin ~]# lsinitrd /var/image/phoenix/20220311-login.x86_64.el7/rootfs/boot/initramfs-3.10.0-1160.59.1.el7.x86_64.img |grep -E 'libcrypto|libssl|hmac'
-rwxr-xr-x 1 root root 24184 Jun 9 2014 usr/bin/sha512hmac
-rw-r--r-- 1 root root 65 Aug 2 2017 usr/lib64/fipscheck/fipscheck.hmac
-rw-r--r-- 1 root root 65 Aug 2 2017 usr/lib64/fipscheck/libfipscheck.so.1.2.1.hmac
lrwxrwxrwx 1 root root 26 Mar 19 22:09 usr/lib64/fipscheck/libfipscheck.so.1.hmac -> libfipscheck.so.1.2.1.hmac
drwxr-xr-x 2 root root 0 Mar 19 22:09 usr/lib64/hmaccalc
-rw-r--r-- 1 root root 128 Jun 9 2014 usr/lib64/hmaccalc/sha512hmac.hmac
-rwxr-xr-x 1 root root 2520744 Jan 18 08:56 usr/lib64/libcrypto.so.1.0.2k
-rw-r--r-- 1 root root 65 Jan 18 08:56 usr/lib64/.libcrypto.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 25 Mar 19 22:09 usr/lib64/.libcrypto.so.10.hmac -> .libcrypto.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 19 Mar 19 22:09 usr/lib64/libcrypto.so.10 -> libcrypto.so.1.0.2k
-rw-r--r-- 1 root root 65 Aug 2 2017 usr/lib64/.libgcrypt.so.11.hmac
-rwxr-xr-x 1 root root 412984 Dec 3 12:57 usr/lib64/libssl3.so
-rwxr-xr-x 1 root root 470328 Jan 18 08:56 usr/lib64/libssl.so.1.0.2k
-rw-r--r-- 1 root root 65 Jan 18 08:56 usr/lib64/.libssl.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 22 Mar 19 22:09 usr/lib64/.libssl.so.10.hmac -> .libssl.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 16 Mar 19 22:09 usr/lib64/libssl.so.10 -> libssl.so.1.0.2k

[root@admin ~]# lsinitrd /var/image/phoenix/20210226-compute-gtx1080.x86_64.el7/rootfs/boot/initramfs-3.10.0-1160.59.1.el7.x86_64.img |grep -E 'libcrypto|libssl|hmac'
-rwxr-xr-x 1 root root 24184 Jun 9 2014 usr/bin/sha512hmac
-rw-r--r-- 1 root root 65 Aug 2 2017 usr/lib64/fipscheck/fipscheck.hmac
-rw-r--r-- 1 root root 65 Aug 2 2017 usr/lib64/fipscheck/libfipscheck.so.1.2.1.hmac
lrwxrwxrwx 1 root root 26 Mar 18 21:14 usr/lib64/fipscheck/libfipscheck.so.1.hmac -> libfipscheck.so.1.2.1.hmac
drwxr-xr-x 2 root root 0 Mar 18 21:14 usr/lib64/hmaccalc
-rw-r--r-- 1 root root 128 Jun 9 2014 usr/lib64/hmaccalc/sha512hmac.hmac
-rwxr-xr-x 1 root root 2520744 Jan 18 08:56 usr/lib64/libcrypto.so.1.0.2k
-rw-r--r-- 1 root root 65 Jan 18 08:56 usr/lib64/.libcrypto.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 25 Mar 18 21:14 usr/lib64/.libcrypto.so.10.hmac -> .libcrypto.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 19 Mar 18 21:14 usr/lib64/libcrypto.so.10 -> libcrypto.so.1.0.2k
-rw-r--r-- 1 root root 65 Aug 2 2017 usr/lib64/.libgcrypt.so.11.hmac
-rwxr-xr-x 1 root root 412984 Dec 3 12:57 usr/lib64/libssl3.so
-rwxr-xr-x 1 root root 470328 Jan 18 08:56 usr/lib64/libssl.so.1.0.2k
-rw-r--r-- 1 root root 65 Jan 18 08:56 usr/lib64/.libssl.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 22 Mar 18 21:14 usr/lib64/.libssl.so.10.hmac -> .libssl.so.1.0.2k.hmac
lrwxrwxrwx 1 root root 16 Mar 18 21:14 usr/lib64/libssl.so.10 -> libssl.so.1.0.2k

Looks like fips-mode-setup doesn’t support passing anything through to initramfs construction and doesn’t honor or preserve any preexisting custom dracut event hooks. So running it wipes out your required event hooks and running dracut directly wipes out your fips support. (Note: this is a system image, not a system booting a system image. The nodes being booted aren’t available because they’re in production on the previous generation of the system image.)

:angry: Because dracut, now with embedded non-optional fips support, running on a system with fips enabled, in a chroot environment inside an image with fips enabled, has to be told to INCLUDE THE DRACUT FIPS MODULE ANYWAY. Much like having problems supporting module inclusion unless explicitly told to INCLUDE ITS OWN BASE.

# dracut ... add_dracutmodules+='nfs network base fips' ...