Re: RSA key size not allowed in FIPS

[Tapas Sarangi <TSarangi@trustwave.com>]

Looking at the kernel compilation log, it seems to be generating a 4k
(4096 bits) private key, although I am specifying
CONFIG_MODULE_SIG_HASH=“sha256”. How can I generate RSA key that is within
2k-3k bits ?

Here is a snippet from the compilation log:

### Now generating an X.509 key pair to be used for signing modules.
###
### If this takes a long time, you might wish to run rngd in the
### background to keep the supply of entropy topped up.  It
### needs to be run as root, and uses a hardware random
### number generator if one is available.
###
Generating a 4096 bit RSA private key

Thanks a lot.
-Tapas





On 8/9/16, 9:39 AM, "Tapas Sarangi" <TSarangi@trustwave.com> wrote:

>Hi Stephan,
>
>If I understand this correctly, this (CONFIG_MODULE_SIG_HASH=“sha256")
>tells about the key size used.
>I am using “sha256”. Initially, I was using “sha512” which I thought could
>be causing problem, but I am getting same error when change it to
>“sha256”.
>
>[root@localhost ~]# grep MODULE_SIG /boot/config-4.7.0-1.tos2_5
>
>CONFIG_MODULE_SIG=y
># CONFIG_MODULE_SIG_FORCE is not set
>CONFIG_MODULE_SIG_ALL=y
># CONFIG_MODULE_SIG_SHA1 is not set
># CONFIG_MODULE_SIG_SHA224 is not set
>CONFIG_MODULE_SIG_SHA256=y
># CONFIG_MODULE_SIG_SHA384 is not set
># CONFIG_MODULE_SIG_SHA512 is not set
>CONFIG_MODULE_SIG_HASH="sha256"
>CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>
>Thanks
>
>
>-Tapas
>
>
>On 8/9/16, 9:29 AM, "Stephan Mueller" <smueller@chronox.de> wrote:
>
>>Am Dienstag, 9. August 2016, 14:10:33 CEST schrieb Tapas Sarangi:
>>
>>Hi Tapas,
>>
>>> Hello,
>>>
>>> I am using vanilla kernel-4.7 source. It crashes with the following
>>>when
>>> booted with ³fips=1 boot=/dev/sda1² option at the kernel command line
>>> argument.
>>
>>The kernel only allows 2k and 3k RSA keys in FIPS mode. Please check your
>>RSA
>>key used for signatures.
>>
>>                /* In FIPS mode only allow key size 2K & 3K */
>>                if (n_sz != 256 && n_sz != 384) {
>>                        pr_err("RSA: key size not allowed in FIPS
>>mode\n");
>>                        return -EINVAL;
>>                }
>>
>>Ciao
>>Stephan
>


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.