Issue

Description of problem: Images built with composer/image builder fail to boot with an error: Warning: /boot//.vmlinuz-<kernel version>.x86_64.hmac does not exist FATAL: FIPS integrity test failed Refusing to continue Version-Release number of selected component (if applicable): osbuild-composer-core-62-3.el8_7.x86_64 osbuild-composer-dnf-json-62-3.el8_7.x86_64 osbuild-composer-worker-62-3.el8_7.x86_64 cockpit-composer-41-1.el8.noarch osbuild-composer-62-3.el8_7.x86_64 genisoimage-1.1.11-39.el8.x86_64 How reproducible: Every time an image is built with xccdf_org.ssgproject.content_profile_stig profile Steps to Reproduce: 1. Create a blueprint with the following: [customizations.openscap] datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml" profile_id = "xccdf_org.ssgproject.content_profile_stig" 2. Build the image (tested with both qcow2 and vmdk) 3. Boot the image Actual results: System fails to boot with an error that the .hmac for the kernel does not exist Expected results: The system should boot Additional info: I've tested with and without a scap user and got the same results: [[customizations.user]] name = "scap-security-guide" description = "Admin account" password = "hash" home = "/home/scap-security-guide" group = ["wheel"] I booted the system from an ISO and confirmed that the .hmac file does exist, as does the scap user. However the scap user is not part of the wheel group, not sure why or if that's relevant to the issue. System boots fine if FIPS is disabled. Manually enabling FIPS after installation with "fips-mode-setup --enable" works fine. Since the error message says the system is looking for an hmac at /boot//.vmlinuz, I'm wondering if this is an issue with the path it's using?

Release Notes

No. of Comments

Resolution

Unresolved