Thread (7 messages), 3 authors, 2016-02-23

Kernel Panic in FIPS mode

From: Tapas Sarangi <hidden>
Date: 2016-02-23 23:02:56

Thanks. I am taking the kernel from kernel.org not the one provided by
Red Hat or any other OS. AFAIU, certification or module signatures are
done during kernel compilation (by turning on MODULE_SIG*).

On Tue, Feb 23, 2016 at 2:02 PM, Leo Silva (a.k.a kirotawa)
[off-list ref] wrote:
If it's a kernel provided by a company, such as RHEL or SUSE, I'd recommend
asking them for support/bugzilla.

Regarding FIPS/fipsmode, it's a kind of certification that is done by these
companies with a focus on specific hardware and kernels; if just a bit is
different in a crypto algorithm it'll probably fail, since the test
certification, fips, was not done using this 'new algorithm' as a base.

[]'s

On Tue, Feb 23, 2016 at 4:41 PM, Tapas Sarangi [off-list ref]
wrote:
I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is
enabled by checking the following configs:

CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_TEST=y

Following RH docs, initramfs was regenerated using dracut-fips (el6).
I also generated hmac signed vmlinuz during the compilation.

During boot, kernel panics with the following trace:
kernel line has the arguments, 'fips=1 boot=/dev/sda1'.


"end Kernel Panic - not syncing: Module crc32c_intel signature
verification failed in FIPS mode"

Some additional info:
It seems under fips mode, initrd runs, './sbin/fips.sh' which then
runs 'modprobe tcrypt'.

I tried running modprobe tcrypt without the fips mode on the same
kernel, but it fails with this message.

FATAL: Error inserting tcrypt
(/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown
symbol in module, or unknown parameter (see dmesg)

Looking at dmesg:

[   31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation
[   31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation
[   31.407674] alg: No test for crc32 (crc32-pclmul)
[   31.408410] alg: No test for crc32 (crc32-table)
[   31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
[   31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[   31.440281] tcrypt: one or more tests failed!

Now, one of these messages,

[   31.409086] alg: hash: Failed to load transform for hmac(crc32): -2

comes most likely from:

linux-3.18.27/crypto/tcrypt.c (L1498)

        case 110:
                ret += tcrypt_test("hmac(crc32)");
                break;

and also from

linux-3.18.27/crypto/testmgr.c

                .alg = "hmac(crc32)",
                .test = alg_test_hash,
                .suite = {
                        .hash = {
                                .vecs = bfin_crc_tv_template,
                                .count = BFIN_CRC_TEST_VECTORS
                        }
                }

Any suggestion on how to solve this problem would be appreciated.
Please let me know if I can provide more info. I am ready to help on
that.


--

----------------------------------------------
Leônidas S. Barbosa (Kirotawa)
blog: corecode.wordpress.com
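
A check that can be run over the modules under /lib/modules and inside an unpacked initramfs, added here as an example and not part of the original thread: it reports whether a .ko or .ko.gz file still ends with the appended-signature trailer that MODULE_SIG verification looks for. The function names and the sample bytes are constructed for illustration; the marker string and the 12-byte trailer layout are those of the kernel's module signing format.

```python
import gzip
import struct
import sys

MAGIC = b"~Module signature appended~\n"   # MODULE_SIG_STRING in the kernel
TRAILER = struct.Struct(">BBBBB3xI")        # struct module_signature, 12 bytes


def read_module(path):
    """Return raw module bytes, decompressing .ko.gz files transparently."""
    with open(path, "rb") as fh:
        data = fh.read()
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def signature_info(blob):
    """Parse the appended-signature trailer; None means no usable signature."""
    if not blob.endswith(MAGIC):
        return None                          # unsigned, or trailer stripped
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        return None
    _algo, hash_id, _id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    # Layout before the trailer: ELF body | signer name | key id | signature
    elf_len = end - TRAILER.size - sig_len - signer_len - key_id_len
    if elf_len < 0:
        return None                          # lengths exceed the file: corrupt
    return {"hash_id": hash_id, "sig_len": sig_len,
            "signer_len": signer_len, "key_id_len": key_id_len,
            "elf_len": elf_len}


def constructed_signed_blob():
    """Constructed sample: 64-byte fake ELF body plus a dummy signature."""
    body = b"\x7fELF" + bytes(60)
    signer, key_id, sig = b"constructed signer", bytes(20), bytes(256)
    info = TRAILER.pack(1, 4, 1, len(signer), len(key_id), len(sig))
    return body + signer + key_id + sig + info + MAGIC


if __name__ == "__main__":
    for path in sys.argv[1:]:
        info = signature_info(read_module(path))
        print(path, "UNSIGNED" if info is None else info)
```

This only shows whether a signature is present and well-formed in length; it does not verify it against the key built into the running kernel.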