Kernel Panic in FIPS mode

Tapas Sarangi tapas.sarangi at gmail.com
Tue Feb 23 18:02:56 EST 2016


Thanks. I am taking the kernel from kernel.org not the one provided by
Red Hat or any other OS. AFAIU, certification or module signatures are
done during kernel compilation (by turning on MODULE_SIG*).

On Tue, Feb 23, 2016 at 2:02 PM, Leo Silva (a.k.a kirotawa)
<kirotawa at gmail.com> wrote:
> If it's a kernel provided by a company, such as RHEL or SUSE, I'd recommend
> asking them for support/bugzilla.
>
> Regarding FIPS/fipsmode, it's a kind of certification that is done by these
> companies with a focus on specific hardware and kernels; if just a bit is
> different in a crypto algorithm it'll probably fail, since the test
> certification, FIPS, was not done using this 'new algorithm' as a base.
>
> []'s
>
> On Tue, Feb 23, 2016 at 4:41 PM, Tapas Sarangi <tapas.sarangi at gmail.com>
> wrote:
>>
>> I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is
>> enabled by checking the following configs:
>>
>> CONFIG_CRYPTO_FIPS=y
>> CONFIG_CRYPTO_TEST=y
>>
>> Following RH docs, initramfs was regenerated using dracut-fips (el6).
>> I also generated hmac signed vmlinuz during the compilation.
>>
>> During boot, kernel panics with the following trace:
>> kernel line has the arguments, 'fips=1 boot=/dev/sda1'.
>>
>>
>> "end Kernel Panic - not syncing: Module crc32c_intel signature
>> verification failed in FIPS mode"
>>
>> Some additional  info:
>> It seems under fips mode, initrd runs, './sbin/fips.sh' which then
>> runs 'modprobe tcrypt'.
>>
>> I tried running modprobe tcrypt without the fips mode on the same
>> kernel, but it fails with this message.
>>
>> FATAL: Error inserting tcrypt
>> (/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown
>> symbol in module, or unknown parameter (see dmesg)
>>
>> Looking at dmesg:
>>
>> [   31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation
>> [   31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation
>> [   31.407674] alg: No test for crc32 (crc32-pclmul)
>> [   31.408410] alg: No test for crc32 (crc32-table)
>> [   31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
>> [   31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
>> [   31.440281] tcrypt: one or more tests failed!
>>
>>
>> Now, one of these messages,
>>
>> [   31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
>>
>> comes, most likely from:
>>
>> linux-3.18.27/crypto/tcrypt.c (L1498)
>>
>>         case 110:
>>                 ret += tcrypt_test("hmac(crc32)");
>>                 break;
>>
>> and also from
>>
>> linux-3.18.27/crypto/testmgr.c
>>
>>                 .alg = "hmac(crc32)",
>>                 .test = alg_test_hash,
>>                 .suite = {
>>                         .hash = {
>>                                 .vecs = bfin_crc_tv_template,
>>                                 .count = BFIN_CRC_TEST_VECTORS
>>                         }
>>                 }
>>
>>
>> Any suggestion on how to solve this problem would be appreciated.
>> Please let me know if I can provide more info. I am ready to help on
>> that.
>>
>
>
>
>
> --
>
> ----------------------------------------------
> Leônidas S. Barbosa (Kirotawa)
> blog: corecode.wordpress.com
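
An added example, not part of the thread or of any project's code: a Python check for whether a module file (such as the crc32c_intel module named in the panic) still carries the appended signature trailer that the kernel looks for when MODULE_SIG is enabled. It assumes the trailer layout of 3.x kernels (signer name, key id, signature, a 12-byte info struct, then a magic string) and only inspects structure; it does not verify the signature cryptographically. The sample module in the `__main__` section is constructed.

```python
import gzip
import struct

MAGIC = b"~Module signature appended~\n"  # last bytes of a signed module
SIG_INFO = struct.Struct(">BBBBB3xI")     # 12-byte info struct; sig_len is big-endian


def read_module(path):
    """Return module bytes, gunzipping .ko.gz (the kernel checks the uncompressed image)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def parse_signature(blob):
    """Return the appended-signature fields as a dict, or None if the module is unsigned."""
    if not blob.endswith(MAGIC):
        return None
    info_end = len(blob) - len(MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        raise ValueError("file too short to hold the signature info struct")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        blob[info_start:info_end])
    payload_len = info_start - (signer_len + key_id_len + sig_len)
    if payload_len < 0:
        raise ValueError("signature lengths exceed the file size")
    signer = blob[payload_len:payload_len + signer_len]
    return {
        "algo": algo, "hash": hash_id, "id_type": id_type,  # raw kernel enum values
        "signer": signer.decode("utf-8", "replace"),
        "key_id_len": key_id_len, "sig_len": sig_len,
        "payload_len": payload_len,  # size of the ELF image that was signed
    }


if __name__ == "__main__":
    # Constructed sample: fake ELF payload, signer, key id and signature bytes.
    signer, key_id, sig = b"Constructed build key", bytes(20), b"\xaa" * 258
    signed = (b"\x7fELF" + bytes(60) + signer + key_id + sig
              + SIG_INFO.pack(1, 4, 1, len(signer), len(key_id), len(sig)) + MAGIC)
    print("signed  :", parse_signature(signed))
    print("stripped:", parse_signature(signed[:64]))  # trailer removed -> None
```

Calling `parse_signature(read_module(path))` on an installed `.ko` or `.ko.gz` returns `None` when the trailer is absent from the file that modprobe would load.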


