[BUG] Specifying a boot= token when enabling FIPS-mode may break hosts where / and /boot are not separate #319

@ferricoxide

Describe the bug

If the hardened AMI does not have separate / and /boot filesystems, the fips_enable action's default of adding a /boot partition may result in FIPS-related reboot-failures

Severity

  • Completely Broken (No work-around evident)
  • Severely Broken (Work-around possible but difficult)
  • Moderately Broken (Trivial work-around)
  • Nuisance (Functions but untrapped errors can slip through)

To Reproduce
Steps to reproduce the behavior:

  1. Select a non-FIPS-enabled EL7 AMI with /boot on /
  2. Launch the AMI as an EC2
  3. Apply formula such that fips_enable is run and enables FIPS-mode
  4. Reboot instance (on success)
  5. Wait for reboot to hang
  6. Use aws ec2 get-console-output … to get console-logged boot-log output

Expected behavior

System reboots and executing cat /proc/sys/crypto/fips_enabled results in 1

Deviance Description

EC2 wholly fails to reboot

Log Snippet

[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1160.24.1.el7.x86_64 root=UUID=6f15c206-f516-4ee8-a4b7-89ad880647db ro console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=/dev/nvme0n1p1
[    0.000000] e820: BIOS-provided physical RAM map:
<…elided…>
[    0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-3.10.0-1160.24.1.el7.x86_64 root=UUID=6f15c206-f516-4ee8-a4b7-89ad880647db ro console=tty0 crashkernel=auto console=ttyS0,115200 fips=1 boot=/dev/nvme0n1p1
[    0.000000] fips mode: enabled
<…ELIDED…>          Starting dracut initqueue hook...
[    5.646204] nvme nvme0: pci function 0000:00:04.0
[    5.651788] 6alg: self-tests for crct10dif-pclmul (crct10dif) passed
[    5.661645] ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 11
[    5.669773] ena: Elastic Network Adapter (ENA) v2.0.3K
[    5.676900] ena 0000:00:05.0: Elastic Network Adapter (ENA) v2.0.3K
[    5.684249] ena: ena device version: 0.10
[    5.689229] ena: ena controller version: 0.0.1 implementation version 1
[    5.736269] ena 0000:00:05.0: LLQ is not supported Fallback to host mode policy.
[    5.745788] ena 0000:00:05.0: creating 2 io queues. queue size: 1024. LLQ is DISABLED
[    5.757551] ena 0000:00:05.0: Elastic Network Adapter (ENA) found at mem febf4000, mac addr 12:0e:b1:a6:43:31 Queues 2, 
Placement policy: Regular
[    5.875498]  nvme0n1: p1
[  OK  ] Found device Amazon Elastic Block Store 1.
[  OK  ] Started dracut initqueue hook.
         Starting dracut pre-mount hook...
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Reached target Remote File Systems.
         Starting File System Check on /dev/...6-f516-4ee8-a4b7-89ad880647db...
[  OK  ] Started File System Check on /dev/d...206-f516-4ee8-a4b7-89ad880647db.
[    5.996420] SGI XFS with ACLs, security attributes, no debug enabled
[    6.005297] XFS (nvme0n1p1): Mounting V5 Filesystem
[    6.031293] XFS (nvme0n1p1): Ending clean mount
[    6.042423] dracut: FATAL: FIPS integrity test failed
[    6.048004] dracut: Refusing to continue
[    3.790229] dracut-pre-mount[692]: Warning: /boot/.vmlinuz-3.10.0-1160.24.1.el7.x86_64.hmac does not exist
[    6.086735] systemd-shutdown[1]: Syncing filesystems and block devices.

Additional context

Fix Suggestions

Update _modules/ash_linux.py's _modify_grub_file function to perform a grub_args.append operation IFF /boot and / are on different partitions.
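The check the fix suggestion calls for, written out as an added example (this is not code from the project's _modules/ash_linux.py, and the function and parameter names are assumptions). It decides whether a boot= token is safe to add by comparing the device numbers stat(2) reports for /boot and /, the same comparison df uses, and builds the kernel argument list idempotently so repeated runs do not pile up duplicate fips= or boot= tokens. A stat_fn parameter is accepted purely so the logic can be exercised offline against constructed device numbers; on a real host the default os.stat is used.

```python
"""Emit boot=<device> on the FIPS kernel command line only when /boot is its own filesystem.

Added example, not code from the project the issue is filed against. Function
names, the stat_fn injection point and the constructed scenarios are assumptions.
"""
import os
from collections import namedtuple

# Minimal stand-in for os.stat_result so the check can run against constructed data.
FakeStat = namedtuple("FakeStat", ["st_dev"])


def boot_on_separate_fs(boot_path="/boot", root_path="/", stat_fn=os.stat):
    """True when boot_path and root_path are backed by different block devices.

    st_dev encodes the major/minor number of the filesystem's device; equal
    values mean /boot is just a directory on the root filesystem, which is the
    layout that produced the 'FIPS integrity test failed' boot hang.
    """
    return stat_fn(boot_path).st_dev != stat_fn(root_path).st_dev


def fips_kernel_args(current_args, boot_device=None, boot_separate=False):
    """Return a new token list with fips=1 set and boot= set only when safe.

    current_args:  existing kernel argument tokens (e.g. split from GRUB_CMDLINE_LINUX).
    boot_device:   device node or UUID=... spec of the /boot filesystem.
    boot_separate: result of boot_on_separate_fs(); when False no boot= token is
                   emitted, so dracut is not told to mount the root partition on /boot.
    """
    if boot_separate and not boot_device:
        raise ValueError("boot_device is required when /boot is a separate filesystem")
    # Drop stale fips=/boot= tokens first so re-running the formula stays idempotent.
    args = [a for a in current_args if not a.startswith(("fips=", "boot="))]
    args.append("fips=1")
    if boot_separate:
        args.append("boot=%s" % boot_device)
    return args


def plan_fips_args(current_args, boot_device, stat_fn=os.stat):
    """Run the filesystem check, then build the argument list accordingly."""
    separate = boot_on_separate_fs(stat_fn=stat_fn)
    return fips_kernel_args(current_args, boot_device if separate else None, separate)


if __name__ == "__main__":
    # Constructed scenario 1: /boot lives on / (the failing layout from the issue).
    def same_dev(path):
        return FakeStat(st_dev=0x10301)

    print(" ".join(plan_fips_args(["ro", "console=ttyS0,115200"], "/dev/nvme0n1p1", same_dev)))

    # Constructed scenario 2: /boot is a separate partition, so boot= is emitted.
    def split_dev(path):
        return FakeStat(st_dev=0x10301 if path == "/boot" else 0x10302)

    print(" ".join(plan_fips_args(["ro", "crashkernel=auto"], "/dev/nvme0n1p1", split_dev)))
```

In the first scenario the output contains fips=1 but no boot= token, which is the behaviour the fix suggestion asks for; in the second it contains both. Because the argument builder strips any existing fips= and boot= tokens before appending, it can also be used to repair a grub configuration that already carries a wrong boot= value.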
