
Use the /boot UUID, not /boot/efi, when both are separate #358

@padili-metrostar

Description


Have you checked ReadtheDocs?: Yes

Describe the Issue
When I try to create an EC2 instance using an AMI created after running Ansible Lockdown on either RHEL 8 or OL 8, it fails to start with dracut: FATAL: FIPS integrity test failed and dracut-pre-trigger[466]: Warning: /boot//.vmlinuz-4.18.0-553.74.1.el8_10.x86_64.hmac does not exist in the system log.

Expected Behavior
A successful start, with all integrity checks of the EC2 instance passing, from a newly created AMI after Ansible Lockdown remediation.

Actual Behavior

dracut: FATAL: FIPS integrity test failed
dracut-pre-trigger[466]: Warning: /boot//.vmlinuz-4.18.0-553.74.1.el8_10.x86_64.hmac does not exist

Control(s) Affected
RHEL-08-010020

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.11.12
  • Host Python Version: 3.6.8
  • Ansible Server Python Version: 3.6.8
  • Additional Details:

Additional Notes
This task is likely where things get mixed up, because the boot UUID of /boot gets changed to that of /boot/efi. On systems with FIPS enabled and a separate /boot, the boot= kernel argument should point to the /boot partition, not the EFI system partition mounted at /boot/efi. With FIPS, dracut performs integrity checks at early boot and may need to mount /boot to verify kernel HMACs, so if boot= points to the wrong device (/boot/efi instead of /boot), then I may hit FIPS integrity failures. This has been my workaround for the time being, after running Ansible Lockdown, so that FIPS remains enabled:

# UUID of the filesystem mounted at /boot (not the ESP mounted at /boot/efi)
BOOT_UUID=$(findmnt --noheadings --output UUID /boot)
# Replace boot= on the command line of every installed kernel
sudo grubby --update-kernel=ALL --remove-args="boot" --args="boot=UUID=$BOOT_UUID"
# Keep /etc/default/grub consistent so later grub2-mkconfig runs preserve the fix:
# the first expression rewrites an existing boot= inside GRUB_CMDLINE_LINUX,
# 't' skips the rest if that matched, and the second expression appends boot=
# when GRUB_CMDLINE_LINUX had none (a .bak copy of the file is kept)
sudo sed -E -i.bak \
  -e 's@(^[[:space:]]*GRUB_CMDLINE_LINUX="[^"]*)[[:space:]]*boot=[^" ]*([^"]*")@\1 boot=UUID='"$BOOT_UUID"'\2@' \
  -e 't' \
  -e 's@(^[[:space:]]*GRUB_CMDLINE_LINUX="[^"]*)"$@\1 boot=UUID='"$BOOT_UUID"'"@' \
  /etc/default/grub
# Regenerate grub.cfg at the path used by this firmware type (UEFI vs BIOS)
if [ -d /sys/firmware/efi ]; then
  sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
else
  sudo grub2-mkconfig -o /boot/grub2/grub.cfg
fi

Possible Solution
I believe the boot UUID of /boot should be used, not that of /boot/efi, when both are separate.
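An added verification script (example code, not the reporter's workaround and not part of ansible-lockdown) that checks the condition described in this issue before a reboot: it parses the boot= argument off a kernel command line, classifies it against the UUIDs of /boot and /boot/efi, and reports whether the .vmlinuz-<version>.hmac file dracut looks for is present in /boot. The function names, the status strings and the sample command lines in the comments are this example's own assumptions; the parsing functions run offline, and the live check against the host only runs when the script is invoked with --live.

```shell
#!/bin/sh
# Added example: check whether boot= names the filesystem mounted at /boot
# (where dracut's FIPS check looks for .vmlinuz-<ver>.hmac) or the ESP at
# /boot/efi. Function names and status strings are assumptions of this example.

# Print the value of boot= from a kernel command line string; prints nothing
# if the argument is absent. Example input (constructed):
#   "BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0 root=UUID=1111 fips=1 boot=UUID=2222"
cmdline_boot_arg() {
  for word in $1; do
    case "$word" in
      boot=*) printf '%s\n' "${word#boot=}"; return 0 ;;
    esac
  done
  return 0
}

# Classify a boot= value ($1) against the UUID of /boot ($2) and the UUID of
# /boot/efi ($3, may be empty). Prints one of:
#   ok, points-to-efi, mismatch, missing, unsupported
boot_arg_status() {
  case "$1" in
    '')     echo missing; return 0 ;;
    UUID=*) want="${1#UUID=}" ;;
    *)      echo unsupported; return 0 ;;   # LABEL=/device paths not handled here
  esac
  if [ "$want" = "$2" ]; then
    echo ok
  elif [ -n "$3" ] && [ "$want" = "$3" ]; then
    echo points-to-efi                      # the failure mode from this issue
  else
    echo mismatch
  fi
}

# Path at which dracut expects the kernel HMAC for kernel version $1
# (the log line in this issue shows the same path with a doubled slash).
hmac_path() {
  printf '/boot/.vmlinuz-%s.hmac\n' "$1"
}

# Live check against this host; runs only with: sh check-boot-arg.sh --live
check_live() {
  kver=$(uname -r)
  boot_uuid=$(findmnt --noheadings --output UUID /boot) || {
    echo "/boot is not a separate filesystem; boot= is not required"; return 0; }
  efi_uuid=$(findmnt --noheadings --output UUID /boot/efi 2>/dev/null) || efi_uuid=''
  boot_arg=$(cmdline_boot_arg "$(cat /proc/cmdline)")
  echo "boot=$boot_arg -> $(boot_arg_status "$boot_arg" "$boot_uuid" "$efi_uuid")"
  hmac=$(hmac_path "$kver")
  if [ -f "$hmac" ]; then echo "HMAC present: $hmac"; else echo "HMAC missing: $hmac"; fi
}

if [ "${1:-}" = "--live" ]; then
  check_live
fi
```

A result of points-to-efi is the mis-remediated state from this issue; ok together with HMAC present is what the reporter's workaround is meant to produce. Running the check on the image before snapshotting it into an AMI is cheaper than finding the dracut FATAL in the console log of an instance that will not boot.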

Labels

question (Further information is requested)
