* Kernel Panic in FIPS mode
@ 2016-02-23 19:41 Tapas Sarangi
2016-02-23 20:02 ` Greg KH
2016-02-23 20:02 ` Leo Silva (a.k.a kirotawa)
0 siblings, 2 replies; 7+ messages in thread
From: Tapas Sarangi @ 2016-02-23 19:41 UTC (permalink / raw)
To: kernelnewbies
I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is
enabled by checking the following configs:
CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_TEST=y
Following RH docs, initramfs was regenerated using dracut-fips (el6).
I also generated hmac signed vmlinuz during the compilation.
During boot, kernel panics with the following trace:
kernel line has the arguments, 'fips=1 boot=/dev/sda1'.
"end Kernel Panic - not syncing: Module crc32c_intel signature
verification failed in FIPS mode"
Some additional info:
It seems under fips mode, initrd runs, './sbin/fips.sh' which then
runs 'modprobe tcrypt'.
I tried running modprobe tcrypt without the fips mode on the same
kernel, but it fails with this message.
FATAL: Error inserting tcrypt
(/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown
symbol in module, or unknown parameter (see dmesg)
Looking at dmesg:
[ 31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation
[ 31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation
[ 31.407674] alg: No test for crc32 (crc32-pclmul)
[ 31.408410] alg: No test for crc32 (crc32-table)
[ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
[ 31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[ 31.440281] tcrypt: one or more tests failed!
Now, one of these messages,
[ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
comes, most likely from :
linux-3.18.27/crypto/tcrypt.c (L1498)
case 110:
ret += tcrypt_test("hmac(crc32)");
break;
and also from
linux-3.18.27/crypto/testmgr.c
.alg = "hmac(crc32)",
.test = alg_test_hash,
.suite = {
.hash = {
.vecs = bfin_crc_tv_template,
.count = BFIN_CRC_TEST_VECTORS
}
}
Any suggestion on how to solve this problem would be appreciated.
Please let me know if I can provide more info. I am ready to help on
that.
^ permalink raw reply [flat|nested] 7+ messages in thread* Kernel Panic in FIPS mode 2016-02-23 19:41 Kernel Panic in FIPS mode Tapas Sarangi @ 2016-02-23 20:02 ` Greg KH 2016-02-23 20:41 ` Tapas Sarangi 2016-02-23 20:02 ` Leo Silva (a.k.a kirotawa) 1 sibling, 1 reply; 7+ messages in thread From: Greg KH @ 2016-02-23 20:02 UTC (permalink / raw) To: kernelnewbies On Tue, Feb 23, 2016 at 01:41:50PM -0600, Tapas Sarangi wrote: > I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is > enabled by checking the following configs: > > CONFIG_CRYPTO_FIPS=y > CONFIG_CRYPTO_TEST=y <snip> If you are using a RHEL system, you need to contact Red Hat for support as that is what you are paying for. Their kernel is a very "odd" one. Also note that 3.18 is very old and obsolete as well, please use a "modern" kernel release, the community can't support old kernels like that. best of luck, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Kernel Panic in FIPS mode 2016-02-23 20:02 ` Greg KH @ 2016-02-23 20:41 ` Tapas Sarangi 2016-02-23 21:14 ` Greg KH 0 siblings, 1 reply; 7+ messages in thread From: Tapas Sarangi @ 2016-02-23 20:41 UTC (permalink / raw) To: kernelnewbies Thanks for the reply. I am using and compiling kernel from kernel.org. I believe 3.18.27 with patches is as new as in January of this year. Sent from my iPhone > On Feb 23, 2016, at 2:02 PM, Greg KH <greg@kroah.com> wrote: > >> On Tue, Feb 23, 2016 at 01:41:50PM -0600, Tapas Sarangi wrote: >> I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is >> enabled by checking the following configs: >> >> CONFIG_CRYPTO_FIPS=y >> CONFIG_CRYPTO_TEST=y > > <snip> > > If you are using a RHEL system, you need to contact Red Hat for support > as that is what you are paying for. Their kernel is a very "odd" one. > > Also note that 3.18 is very old and obsolete as well, please use a > "modern" kernel release, the community can't support old kernels like > that. > > best of luck, > > greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Kernel Panic in FIPS mode 2016-02-23 20:41 ` Tapas Sarangi @ 2016-02-23 21:14 ` Greg KH 2016-02-23 23:01 ` Tapas Sarangi 0 siblings, 1 reply; 7+ messages in thread From: Greg KH @ 2016-02-23 21:14 UTC (permalink / raw) To: kernelnewbies On Tue, Feb 23, 2016 at 02:41:37PM -0600, Tapas Sarangi wrote: > Thanks for the reply. > I am using and compiling kernel from kernel.org. I believe 3.18.27 > with patches is as new as in January of this year. The 3.18 kernel was released in December of 2014, the .y patches on the end of that release are for people who for some reason or another are stuck with that kernel release, and are part of the longterm releases. The overall kernel is over a year old, please upgrade. greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Kernel Panic in FIPS mode 2016-02-23 21:14 ` Greg KH @ 2016-02-23 23:01 ` Tapas Sarangi 0 siblings, 0 replies; 7+ messages in thread From: Tapas Sarangi @ 2016-02-23 23:01 UTC (permalink / raw) To: kernelnewbies Thanks. I understand your point, but I am one of those people who simply can't do an upgrade to the LTS kernel. Again, I think this doesn't necessarily answer my question about FIPS and kernel panic. An additional note, older kernels (2.6.x) and its RH derivatives, works fine when started under FIPS mode. I am sure I am missing some basics when turning the OS to run under FIPS mode, which is why this email to the experts :-) On Tue, Feb 23, 2016 at 3:14 PM, Greg KH <greg@kroah.com> wrote: > On Tue, Feb 23, 2016 at 02:41:37PM -0600, Tapas Sarangi wrote: >> Thanks for the reply. >> I am using and compiling kernel from kernel.org. I believe 3.18.27 >> with patches is as new as in January of this year. > > The 3.18 kernel was released in December of 2014, the .y patches on the > end of that release are for people who for some reason or another are > stuck with that kernel release, and are part of the longterm releases. > > The overall kernel is over a year old, please upgrade. > > greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Kernel Panic in FIPS mode 2016-02-23 19:41 Kernel Panic in FIPS mode Tapas Sarangi 2016-02-23 20:02 ` Greg KH @ 2016-02-23 20:02 ` Leo Silva (a.k.a kirotawa) 2016-02-23 23:02 ` Tapas Sarangi 1 sibling, 1 reply; 7+ messages in thread From: Leo Silva (a.k.a kirotawa) @ 2016-02-23 20:02 UTC (permalink / raw) To: kernelnewbies If it's a kernel provide by a company, such as RHEL or SUSE, I'd recommend to ask for them support/bugzilla. Regarding FIPS/fipsmode, it's a kind of certification that is done by these company with focus on specific hardware and Kernels, if just a bit is different on a crypto algorithm it'll probably fail, since test certification, fips, was not done using this 'new algorithm' as base. []'s On Tue, Feb 23, 2016 at 4:41 PM, Tapas Sarangi <tapas.sarangi@gmail.com> wrote: > I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is > enabled by checking the following configs: > > CONFIG_CRYPTO_FIPS=y > CONFIG_CRYPTO_TEST=y > > Following RH docs, initramfs was regenerated using dracut-fips (el6). > I also generated hmac signed vmlinuz during the compilation. > > During boot, kernel panics with the following trace: > kernel line has the arguments, 'fips=1 boot=/dev/sda1'. > > > "end Kernel Panic - not syncing: Module crc32c_intel signature > verification failed in FIPS mode" > > Some additional info: > It seems under fips mode, initrd runs, './sbin/fips.sh' which then > runs 'modprobe tcrypt'. > > I tried running modprobe tcrypt without the fips mode on the same > kernel, but it fails with this message. > > FATAL: Error inserting tcrypt > (/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown > symbol in module, or unknown parameter (see dmesg) > > Looking at dmesg: > > [ 31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation > > [ 31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation > > [ 31.407674] alg: No test for crc32 (crc32-pclmul) > > [ 31.408410] alg: No test for crc32 (crc32-table) > > [ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2 > > [ 31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng) > > [ 31.440281] tcrypt: one or more tests failed! > > > Now, one of these messages, > > [ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2 > > comes, most likely from : > > > linux-3.18.27/crypto/tcrypt.c (L1498) > > case 110: > > ret += tcrypt_test("hmac(crc32)"); > > break; > > > and also from > > linux-3.18.27/crypto/testmgr.c > > .alg = "hmac(crc32)", > > .test = alg_test_hash, > > .suite = { > > .hash = { > > .vecs = bfin_crc_tv_template, > > .count = BFIN_CRC_TEST_VECTORS > > } > > } > > > Any suggestion on how to solve this problem would be appreciated. > Please let me know if I can provide more info. I am ready to help on > that. > > _______________________________________________ > Kernelnewbies mailing list > Kernelnewbies at kernelnewbies.org > http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies > -- ---------------------------------------------- Le?nidas S. Barbosa (Kirotawa) blog: corecode.wordpress.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20160223/400c1952/attachment.html ^ permalink raw reply [flat|nested] 7+ messages in thread
* Kernel Panic in FIPS mode 2016-02-23 20:02 ` Leo Silva (a.k.a kirotawa) @ 2016-02-23 23:02 ` Tapas Sarangi 0 siblings, 0 replies; 7+ messages in thread From: Tapas Sarangi @ 2016-02-23 23:02 UTC (permalink / raw) To: kernelnewbies Thanks. I am taking the kernel from kernel.org not the one provided by Red Hat or any other OS. AFAIU, certification or module signatures are done during kernel compilation (by turning on MODULE_SIG*). On Tue, Feb 23, 2016 at 2:02 PM, Leo Silva (a.k.a kirotawa) <kirotawa@gmail.com> wrote: > If it's a kernel provide by a company, such as RHEL or SUSE, I'd recommend > to ask for them support/bugzilla. > > Regarding FIPS/fipsmode, it's a kind of certification that is done by these > company with focus on specific hardware and Kernels, if just a bit is > different on a crypto algorithm it'll probably fail, since test > certification, fips, was not done using this 'new algorithm' as base. > > []'s > > On Tue, Feb 23, 2016 at 4:41 PM, Tapas Sarangi <tapas.sarangi@gmail.com> > wrote: >> >> I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is >> enabled by checking the following configs: >> >> CONFIG_CRYPTO_FIPS=y >> CONFIG_CRYPTO_TEST=y >> >> Following RH docs, initramfs was regenerated using dracut-fips (el6). >> I also generated hmac signed vmlinuz during the compilation. >> >> During boot, kernel panics with the following trace: >> kernel line has the arguments, 'fips=1 boot=/dev/sda1'. >> >> >> "end Kernel Panic - not syncing: Module crc32c_intel signature >> verification failed in FIPS mode" >> >> Some additional info: >> It seems under fips mode, initrd runs, './sbin/fips.sh' which then >> runs 'modprobe tcrypt'. >> >> I tried running modprobe tcrypt without the fips mode on the same >> kernel, but it fails with this message. >> >> FATAL: Error inserting tcrypt >> (/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown >> symbol in module, or unknown parameter (see dmesg) >> >> Looking at dmesg: >> >> [ 31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation >> >> [ 31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation >> >> [ 31.407674] alg: No test for crc32 (crc32-pclmul) >> >> [ 31.408410] alg: No test for crc32 (crc32-table) >> >> [ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2 >> >> [ 31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng) >> >> [ 31.440281] tcrypt: one or more tests failed! >> >> >> Now, one of these messages, >> >> [ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2 >> >> comes, most likely from : >> >> >> linux-3.18.27/crypto/tcrypt.c (L1498) >> >> case 110: >> >> ret += tcrypt_test("hmac(crc32)"); >> >> break; >> >> >> and also from >> >> linux-3.18.27/crypto/testmgr.c >> >> .alg = "hmac(crc32)", >> >> .test = alg_test_hash, >> >> .suite = { >> >> .hash = { >> >> .vecs = bfin_crc_tv_template, >> >> .count = BFIN_CRC_TEST_VECTORS >> >> } >> >> } >> >> >> Any suggestion on how to solve this problem would be appreciated. >> Please let me know if I can provide more info. I am ready to help on >> that. >> >> _______________________________________________ >> Kernelnewbies mailing list >> Kernelnewbies at kernelnewbies.org >> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies > > > > > -- > > ---------------------------------------------- > Le?nidas S. Barbosa (Kirotawa) > blog: corecode.wordpress.com ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-02-23 23:02 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-02-23 19:41 Kernel Panic in FIPS mode Tapas Sarangi 2016-02-23 20:02 ` Greg KH 2016-02-23 20:41 ` Tapas Sarangi 2016-02-23 21:14 ` Greg KH 2016-02-23 23:01 ` Tapas Sarangi 2016-02-23 20:02 ` Leo Silva (a.k.a kirotawa) 2016-02-23 23:02 ` Tapas Sarangi
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).