missing /usr/lib64/.libgcrypt.so.20.hmac


Jay Nitikman

Oct 4, 2017, 2:38:12 PM
to kiwi-...@googlegroups.com
I am using kiwi v7.03.108-60.1 to build a SLES 12 SP2 image that boots with fips=1. When it boots, the initrd fails:

libgcrypt selftest: binary (0): No such file or directory (/usr/lib64/.libgcrypt.so.20.hmac)

/usr/lib64/.libgcrypt.so.20.hmac is provided by package libgcrypt20-hmac.

My config.xml contains the following:

                <package name="libgcrypt20" bootinclude="true"/>
                <package name="libgcrypt20-hmac" bootinclude="true"/>

I have examined the kiwi create-log and I see:

Installing: libgcrypt20-hmac-1.6.1-16.45.1.x86_64 ..............[done]

But I do not see where it deletes the package libgcrypt20-hmac or the file /usr/lib64/.libgcrypt.so.20.hmac.
I can confirm that /sysroot/usr/lib64/.libgcrypt.so.20.hmac does exist.

I have attached the kiwi create-log.

-----------------
Jay Nitikman | Principal Engineer
Virtual Instruments, Inc.
jay.ni...@virtualinstruments.com


pa-pxe-jay-sles-12.99.0.0-101.create.log

Jay Nitikman

Oct 4, 2017, 10:05:20 PM
to <kiwi-images@googlegroups.com>
I found Erik Henrikson’s thread in the email archives regarding booting with fips=1.  His issue was caused by a hidden file (/boot/.vmlinuz-3.12.44-52.18-default.hmac).  Could this be a similar issue?

-----------------
Jay Nitikman | Principal Engineer
Virtual Instruments, Inc.
jay.ni...@virtualinstruments.com




Jay Nitikman

Oct 5, 2017, 4:03:42 PM
to kiwi-...@googlegroups.com
I got past this by following Erik’s example and using dracut-fips.

In addition, I have to add boot=/dev/sda1 to kernelcmdline to successfully boot.

______________________
Jay Nitikman | Principal Engineer | Virtual Instruments

Marcus Schäfer

Oct 10, 2017, 5:19:44 AM
to kiwi-...@googlegroups.com
Hi,

> boots with fips=1. When it boots, the initrd fails:
> libgcrypt selftest: binary (0): No such file or directory
> (/usr/lib64/.libgcrypt.so.20.hmac)

I think the kiwi strip code has deleted the lib when it could not
find a linked reference. You could add the following to your
system image XML description:

<strip type="libs">
<file name=".libgcrypt"/>
</strip>

It should protect this lib from being deleted. However, I did
not test it with hidden files.

Regards,
Marcus
--
Public Key available via: https://keybase.io/marcus_schaefer/key.asc
keybase search marcus_schaefer
-------------------------------------------------------
Marcus Schäfer (Res. & Dev.) SUSE Linux GmbH
Tel: 0911-740 53 0 Maxfeldstrasse 5
FAX: 0911-740 53 479 D-90409 Nürnberg
HRB: 21284 (AG Nürnberg) Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton
http://www.suse.de
-------------------------------------------------------
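
A check for the failure discussed in this thread, as an added example that is not part of any message above and is not kiwi code: it compares an unpacked initrd tree against the system image root and reports every hidden .hmac file whose protected file made it into the initrd while the .hmac itself did not. It assumes the naming seen in the thread (DIR/.NAME.hmac beside DIR/NAME); the function names, the demo tree and libfoo.so.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example: find FIPS .hmac files that were dropped from an initrd.
# Assumption (from the thread's file names): DIR/.NAME.hmac protects DIR/NAME.

# missing_hmacs INITRD_ROOT SYSTEM_ROOT
#   INITRD_ROOT: directory holding the unpacked initrd
#   SYSTEM_ROOT: system image root used as the reference (e.g. /sysroot)
missing_hmacs() {
    initrd_root=$1
    system_root=$2
    ( cd "$system_root" && find . -name '.*.hmac' \( -type f -o -type l \) ) |
    while IFS= read -r hmac; do
        dir=${hmac%/*}            # ./usr/lib64
        base=${hmac##*/}          # .libgcrypt.so.20.hmac
        target=${base#.}          # strip the leading dot
        target=${target%.hmac}    # libgcrypt.so.20
        # Report only when the protected file is in the initrd but its .hmac is not.
        if [ -e "$initrd_root/$dir/$target" ] && [ ! -e "$initrd_root/$hmac" ]; then
            printf '%s\n' "${hmac#.}"
        fi
    done | LC_ALL=C sort
}

# Constructed sample trees: libgcrypt lost its .hmac, libfoo kept it,
# and the kernel .hmac has no companion in the initrd at all.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sys/usr/lib64" "$t/sys/boot" "$t/initrd/usr/lib64"
    for f in libgcrypt.so.20 .libgcrypt.so.20.hmac libfoo.so.1 .libfoo.so.1.hmac; do
        : > "$t/sys/usr/lib64/$f"
    done
    : > "$t/sys/boot/.vmlinuz-demo.hmac"
    : > "$t/initrd/usr/lib64/libgcrypt.so.20"
    : > "$t/initrd/usr/lib64/libfoo.so.1"
    : > "$t/initrd/usr/lib64/.libfoo.so.1.hmac"
    missing_hmacs "$t/initrd" "$t/sys"
    rm -rf "$t"
}

demo
```

An empty result means every file with an .hmac in the reference root still has it in the initrd, which is what the libgcrypt self-test needs under fips=1.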