Kernel Panic in FIPS mode
Leo Silva (a.k.a kirotawa)
kirotawa at gmail.com
Tue Feb 23 15:02:37 EST 2016
If it's a kernel provided by a company, such as RHEL or SUSE, I'd recommend
asking them for support/bugzilla.
Regarding FIPS/fipsmode, it's a kind of certification that is done by these
companies with a focus on specific hardware and kernels; if just a bit is
different in a crypto algorithm it'll probably fail, since the certification
test, FIPS, was not done using this 'new algorithm' as a base.
[]'s
On Tue, Feb 23, 2016 at 4:41 PM, Tapas Sarangi <tapas.sarangi at gmail.com>
wrote:
> I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is
> enabled by checking the following configs:
>
> CONFIG_CRYPTO_FIPS=y
> CONFIG_CRYPTO_TEST=y
>
> Following RH docs, initramfs was regenerated using dracut-fips (el6).
> I also generated hmac signed vmlinuz during the compilation.
>
> During boot, kernel panics with the following trace:
> kernel line has the arguments, 'fips=1 boot=/dev/sda1'.
>
>
> "end Kernel Panic - not syncing: Module crc32c_intel signature
> verification failed in FIPS mode"
>
> Some additional info:
> It seems under fips mode, initrd runs, './sbin/fips.sh' which then
> runs 'modprobe tcrypt'.
>
> I tried running modprobe tcrypt without the fips mode on the same
> kernel, but it fails with this message.
>
> FATAL: Error inserting tcrypt
> (/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown
> symbol in module, or unknown parameter (see dmesg)
>
> Looking at dmesg:
>
> [ 31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation
> [ 31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation
> [ 31.407674] alg: No test for crc32 (crc32-pclmul)
> [ 31.408410] alg: No test for crc32 (crc32-table)
> [ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
> [ 31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
> [ 31.440281] tcrypt: one or more tests failed!
>
> Now, one of these messages,
>
> [ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
>
> comes, most likely from:
>
> linux-3.18.27/crypto/tcrypt.c (L1498)
>
>     case 110:
>         ret += tcrypt_test("hmac(crc32)");
>         break;
>
> and also from
>
> linux-3.18.27/crypto/testmgr.c
>
>     .alg = "hmac(crc32)",
>     .test = alg_test_hash,
>     .suite = {
>         .hash = {
>             .vecs = bfin_crc_tv_template,
>             .count = BFIN_CRC_TEST_VECTORS
>         }
>     }
>
> Any suggestion on how to solve this problem would be appreciated.
> Please let me know if I can provide more info. I am ready to help on
> that.
>
--
----------------------------------------------
Leônidas S. Barbosa (Kirotawa)
blog: corecode.wordpress.com
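
Added example, not part of the original thread or of any kernel or distribution tooling: a POSIX shell function that triages the log messages quoted above, separating the "No test for" notices from the transform-load failure (errno -2 is ENOENT), the tcrypt failure and the FIPS-mode module-signature panic. The function name, the output labels and the embedded sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): triage kernel crypto self-test messages.
# SAMPLE_LOG is constructed from the messages quoted in the thread above;
# the panic text is joined onto one line as it would appear on the console.
SAMPLE_LOG='[ 31.407674] alg: No test for crc32 (crc32-pclmul)
[ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
[ 31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[ 31.440281] tcrypt: one or more tests failed!
Kernel Panic - not syncing: Module crc32c_intel signature verification failed in FIPS mode'

# Reads kernel log text on stdin and prints one finding per line.
# Returns 1 if anything other than a "No test for" notice was seen, else 0.
# The function name and the output labels are hypothetical.
triage_crypto_log() {
    awk '
    /alg: No test for / {                 # notice: no self-test for this driver
        print "NOTEST " $(NF-1) " " $NF
        next
    }
    /Failed to load transform for / {     # the transform could not be allocated
        alg = $(NF-1)
        sub(/:$/, "", alg)
        err = $NF
        if (err == "-2") err = "ENOENT"   # errno 2: no such algorithm available
        print "LOADFAIL " alg " " err
        bad = 1
        next
    }
    /tcrypt: one or more tests failed/ {
        print "TCRYPT_FAILED"
        bad = 1
        next
    }
    /signature verification failed in FIPS mode/ {
        for (i = 1; i < NF; i++)
            if ($i == "Module") print "MODSIG_PANIC " $(i + 1)
        bad = 1
        next
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Demo on the embedded sample; on a live system use: dmesg | triage_crypto_log
printf '%s\n' "$SAMPLE_LOG" | triage_crypto_log || echo "review the findings above"
```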