Skip to content

[rhcos-4.14] tests: add fips.hmac to verify VM will fail to reboot with FIPS and wrong hmac#4474

Merged
HuijingHei merged 1 commit intocoreos:rhcos-4.14from
openshift-cherrypick-robot:cherry-pick-4437-to-rhcos-4.14
Mar 11, 2026
Merged

[rhcos-4.14] tests: add fips.hmac to verify VM will fail to reboot with FIPS and wrong hmac#4474
HuijingHei merged 1 commit intocoreos:rhcos-4.14from
openshift-cherrypick-robot:cherry-pick-4437-to-rhcos-4.14

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented Mar 6, 2026

This is an automated cherry-pick of #4437

/assign HuijingHei

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Mar 6, 2026
Merged
@openshift-ci
Copy link

openshift-ci bot commented Mar 6, 2026

Hi @openshift-cherrypick-robot. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@HuijingHei
Copy link
Member

HuijingHei commented Mar 6, 2026

/ok-to-test

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds a new test, fips.hmac, to verify that a VM with FIPS enabled will fail to reboot if the kernel's HMAC file is corrupted. The changes include adding a new test flag NoDracutFatalCheck to bypass generic dracut failure checks, and the implementation of the test itself. The overall approach is sound. I have one suggestion in the new test file to improve maintainability by replacing a magic number with a named constant.

mantle/kola/tests/fips/hmac.go
// Wait for the boot to fail. Since the HMAC is corrupted, the machine
// will fail FIPS integrity check and never come back online.
// Using a 90 second timeout to allow enough time for boot attempt to fail.
time.Sleep(90 * time.Second)
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The 90-second sleep duration is a magic number. It's better to define it as a named constant to improve readability and make it easier to adjust if needed. This is particularly important for timeouts in tests, as they can be a source of flakiness if not chosen carefully.

Consider defining it as a constant, for example at the top of the function:

func runFipsHMACTest(c cluster.TestCluster) {
    const bootFailTimeout = 90 * time.Second
    // ...
    time.Sleep(bootFailTimeout)
    // ...
}

@HuijingHei
Copy link
Member

HuijingHei commented Mar 6, 2026

/approve

@HuijingHei HuijingHei merged commit 78bb6c1 into coreos:rhcos-4.14 Mar 11, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HuijingHei HuijingHei HuijingHei approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@HuijingHei HuijingHei

Labels

ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@openshift-cherrypick-robot @HuijingHei