<div dir="ltr">If it's a kernel provide by a company, such as RHEL or SUSE, I'd recommend to ask for them support/bugzilla.<div><br></div><div>Regarding FIPS/fipsmode, it's a kind of certification that is done by these company with focus on specific hardware and Kernels, if just a bit is different on a crypto algorithm it'll probably fail, since test certification, fips, was not done using this 'new algorithm' as base.<br><br>[]'s</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 23, 2016 at 4:41 PM, Tapas Sarangi <span dir="ltr"><<a href="mailto:tapas.sarangi@gmail.com" target="_blank">tapas.sarangi@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is<br>
enabled by checking the following configs:<br>
<br>
CONFIG_CRYPTO_FIPS=y<br>
CONFIG_CRYPTO_TEST=y<br>
<br>
Following RH docs, initramfs was regenerated using dracut-fips (el6).<br>
I also generated hmac signed vmlinuz during the compilation.<br>
<br>
During boot, kernel panics with the following trace:<br>
kernel line has the arguments, 'fips=1 boot=/dev/sda1'.<br>
<br>
<br>
"end Kernel Panic - not syncing: Module crc32c_intel signature<br>
verification failed in FIPS mode"<br>
<br>
Some additional info:<br>
It seems under fips mode, initrd runs, './sbin/fips.sh' which then<br>
runs 'modprobe tcrypt'.<br>
<br>
I tried running modprobe tcrypt without the fips mode on the same<br>
kernel, but it fails with this message.<br>
<br>
FATAL: Error inserting tcrypt<br>
(/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown<br>
symbol in module, or unknown parameter (see dmesg)<br>
<br>
Looking at dmesg:<br>
<br>
[ 31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation<br>
<br>
[ 31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation<br>
<br>
[ 31.407674] alg: No test for crc32 (crc32-pclmul)<br>
<br>
[ 31.408410] alg: No test for crc32 (crc32-table)<br>
<br>
[ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2<br>
<br>
[ 31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)<br>
<br>
[ 31.440281] tcrypt: one or more tests failed!<br>
<br>
<br>
Now, one of these messages,<br>
<br>
[ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2<br>
<br>
comes, most likely from :<br>
<br>
<br>
linux-3.18.27/crypto/tcrypt.c (L1498)<br>
<br>
case 110:<br>
<br>
ret += tcrypt_test("hmac(crc32)");<br>
<br>
break;<br>
<br>
<br>
and also from<br>
<br>
linux-3.18.27/crypto/testmgr.c<br>
<br>
.alg = "hmac(crc32)",<br>
<br>
.test = alg_test_hash,<br>
<br>
.suite = {<br>
<br>
.hash = {<br>
<br>
.vecs = bfin_crc_tv_template,<br>
<br>
.count = BFIN_CRC_TEST_VECTORS<br>
<br>
}<br>
<br>
}<br>
<br>
<br>
Any suggestion on how to solve this problem would be appreciated.<br>
Please let me know if I can provide more info. I am ready to help on<br>
that.<br>
<br>
_______________________________________________<br>
Kernelnewbies mailing list<br>
<a href="mailto:Kernelnewbies@kernelnewbies.org">Kernelnewbies@kernelnewbies.org</a><br>
<a href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies" rel="noreferrer" target="_blank">http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><br>----------------------------------------------<br>Leônidas S. Barbosa (Kirotawa)<br>blog: <a href="http://corecode.wordpress.com" target="_blank">corecode.wordpress.com</a></div>
</div>