Re: RSA key size not allowed in FIPS

[Tapas Sarangi <TSarangi@trustwave.com>]

Hi Stephan,

If I understand this correctly, this (CONFIG_MODULE_SIG_HASH=“sha256")
tells about the key size used.
I am using “sha256”. Initially, I was using “sha512” which I thought could
be causing problem, but I am getting same error when change it to
“sha256”.

[root@localhost ~]# grep MODULE_SIG /boot/config-4.7.0-1.tos2_5

CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA384 is not set
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks


-Tapas


On 8/9/16, 9:29 AM, "Stephan Mueller" <smueller@chronox.de> wrote:

>Am Dienstag, 9. August 2016, 14:10:33 CEST schrieb Tapas Sarangi:
>
>Hi Tapas,
>
>> Hello,
>>
>> I am using vanilla kernel-4.7 source. It crashes with the following when
>> booted with ³fips=1 boot=/dev/sda1² option at the kernel command line
>> argument.
>
>The kernel only allows 2k and 3k RSA keys in FIPS mode. Please check your
>RSA
>key used for signatures.
>
>                /* In FIPS mode only allow key size 2K & 3K */
>                if (n_sz != 256 && n_sz != 384) {
>                        pr_err("RSA: key size not allowed in FIPS
>mode\n");
>                        return -EINVAL;
>                }
>
>Ciao
>Stephan


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.