[bug] pkcs1(rsa-generic,sha256) sign test and RSA selftest failures, possibly related to sig_alg backend changes

[bug] pkcs1(rsa-generic,sha256) sign test and RSA selftest failures, possibly related to sig_alg backend changes

[Jan Stancek]

Hi,

We are seeing 2 errors with recent Fedora & ELN kernels that may be
related to same issue:
[1] alg: sig: test 1 failed for pkcs1(rsa-generic,sha256): err -38
[2] Kernel panic - not syncing: Certs RSA selftest:
pkcs7_validate_trust() = -126

Last known good kernel was commit 158f238aa69d, commit fcc79e1714e8 is
exhibiting the problem. Builds (and configs) can be found on Fedora
koji: https://koji.fedoraproject.org/koji/packageinfo?packageID=8

I did try to run this alg test manually from a dummy module, and while
it worked on older kernels as:
  int ret = alg_test("pkcs1pad(rsa-generic,sha256)",
"pkcs1pad(rsa,sha256)", CRYPTO_ALG_INSTANCE|CRYPTO_ALG_TYPE_SIG,
CRYPTO_ALG_TESTED);

this now doesn't work (HEAD at commit 0393dda270e3):
  int ret = alg_test("pkcs1(rsa-generic,sha256)", "pkcs1(rsa,sha256)",
CRYPTO_ALG_INSTANCE|CRYPTO_ALG_TYPE_SIG, CRYPTO_ALG_TESTED);

I'll continue with bisect, unless someone can spot the problem sooner.

Thanks,
Jan

[1][2]
[    2.039909] registered taskstats version 1
[    2.041881] Loading compiled-in X.509 certificates
[    2.044931] Loaded X.509 cert 'Red Hat Enterprise Linux kernel
signing key: d02591e7d874078d39c0a63aa29d0f3481a45682'
[    2.048828] alg: sig: sign test failed: err -38
[    2.050391] alg: sig: test 1 failed for pkcs1(rsa-generic,sha256): err -38
[    2.052618] alg: self-tests for pkcs1(rsa,sha256) using
pkcs1(rsa-generic,sha256) failed (rc=-38)
[    2.052624] ------------[ cut here ]------------
[    2.057056] alg: self-tests for pkcs1(rsa,sha256) using
pkcs1(rsa-generic,sha256) failed (rc=-38)
[    2.057083] WARNING: CPU: 0 PID: 113 at crypto/testmgr.c:6048
alg_test.cold+0xb7/0xe0
[    2.062500] Modules linked in:
[    2.063598] CPU: 0 UID: 0 PID: 113 Comm: cryptomgr_test Not tainted
6.12.0-8.test.eln.x86_64 #1
[    2.066405] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
[    2.068579] RIP: 0010:alg_test.cold+0xb7/0xe0
[    2.070047] Code: c7 c7 c0 54 89 95 e8 52 b4 fe ff 41 83 fe fe 0f
84 3d 53 81 ff 44 89 f1 48 89 ea 4c 89 e6 48 c7 c7 f8 54 89 95 e8 93
42 2e ff <0f> 0b e9 21 53 81 ff 48 c7 c1 a6 6c 93 95 4c 89 e2 48 89 ee
48 c7
[    2.075865] RSP: 0000:ffffab19004cfdf8 EFLAGS: 00010286
[    2.077577] RAX: 0000000000000000 RBX: 00000000000000b5 RCX: 00000000ffff7fff
[    2.079864] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
[    2.082156] RBP: ffff902b417e9800 R08: 0000000000000000 R09: ffffffff963e2aa8
[    2.084431] R10: ffffffff96322a68 R11: 0000000000000003 R12: ffff902b417e9880
[    2.086694] R13: 00000000000000af R14: 00000000ffffffda R15: 00000000ffffffff
[    2.088983] FS:  0000000000000000(0000) GS:ffff902e6a800000(0000)
knlGS:0000000000000000
[    2.091601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.093460] CR2: ffff902d0f401000 CR3: 00000002cde22001 CR4: 0000000000370ef0
[    2.095734] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.098017] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    2.100280] Call Trace:
[    2.101197]  <TASK>
[    2.102026]  ? show_trace_log_lvl+0x1b0/0x2f0
[    2.103487]  ? show_trace_log_lvl+0x1b0/0x2f0
[    2.104966]  ? cryptomgr_test+0x24/0x40
[    2.106282]  ? alg_test.cold+0xb7/0xe0
[    2.107564]  ? __warn.cold+0x93/0xf4
[    2.108809]  ? alg_test.cold+0xb7/0xe0
[    2.110091]  ? report_bug+0xff/0x140
[    2.111330]  ? handle_bug+0x53/0x90
[    2.112539]  ? exc_invalid_op+0x17/0x70
[    2.113844]  ? asm_exc_invalid_op+0x1a/0x20
[    2.115253]  ? alg_test.cold+0xb7/0xe0
[    2.116534]  ? alg_test.cold+0xb7/0xe0
[    2.117824]  ? __call_rcu_common.constprop.0+0xa9/0x2f0
[    2.119528]  ? __schedule+0x265/0x570
[    2.120811]  ? __pfx_cryptomgr_test+0x10/0x10
[    2.122270]  cryptomgr_test+0x24/0x40
[    2.123532]  kthread+0xd2/0x100
[    2.124643]  ? __pfx_kthread+0x10/0x10
[    2.125947]  ret_from_fork+0x34/0x50
[    2.127174]  ? __pfx_kthread+0x10/0x10
[    2.128464]  ret_from_fork_asm+0x1a/0x30
[    2.129813]  </TASK>
[    2.130633] ---[ end trace 0000000000000000 ]---
[    2.132283] Problem loading in-kernel X.509 certificate (-80)
[    2.134310] Problem loading in-kernel X.509 certificate (-80)
[    2.136231] Loaded X.509 cert 'Nvidia GPU OOT signing 001:
55e1cef88193e60419f0b0ec379c49f77545acf0'
[    2.177928] Loaded X.509 cert 'Fedora IMA CA:
a8a00c31663f853f9c6ff2564872e378af026b28'
[    2.183693] usb 2-1: new high-speed USB device number 2 using ehci-pci
[    2.185954] Demotion targets for Node 0: null
[    2.187689] page_owner is disabled
[    2.189469] Key type .fscrypt registered
[    2.190849] Key type fscrypt-provisioning registered
[    2.192642] Key type big_key registered
[    2.194112] Key type trusted registered
[    2.217055] Key type encrypted registered
[    2.218516] Loading compiled-in module X.509 certificates
[    2.220817] Loaded X.509 cert 'Red Hat Enterprise Linux kernel
signing key: d02591e7d874078d39c0a63aa29d0f3481a45682'
[    2.224230] ima: Allocated hash algorithm: sha256
[    2.284425] ima: No architecture policies found
[    2.286106] evm: Initialising EVM extended attributes:
[    2.287807] evm: security.selinux
[    2.288981] evm: security.SMACK64 (disabled)
[    2.290418] evm: security.SMACK64EXEC (disabled)
[    2.291980] evm: security.SMACK64TRANSMUTE (disabled)
[    2.293646] evm: security.SMACK64MMAP (disabled)
[    2.295185] evm: security.apparmor (disabled)
[    2.296657] evm: security.ima
[    2.297732] evm: security.capability
[    2.298971] evm: HMAC attrs: 0x1
[    2.303465] Running certificate verification RSA selftest
[    2.312640] Problem loading in-kernel X.509 certificate (-80)
[    2.318523] usb 2-1: New USB device found, idVendor=0627,
idProduct=0001, bcdDevice= 0.00
[    2.321349] usb 2-1: New USB device strings: Mfr=1, Product=3,
SerialNumber=10
[    2.323821] usb 2-1: Product: QEMU USB Tablet
[    2.325327] usb 2-1: Manufacturer: QEMU
[    2.326665] usb 2-1: SerialNumber: 28754-0000:00:05.7-1
[    2.330363] Kernel panic - not syncing: Certs RSA selftest:
pkcs7_validate_trust() = -126
[    2.333231] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Tainted: G
W         -------  ---  6.12.0-8.test.eln.x86_64 #1
[    2.336670] Tainted: [W]=WARN
[    2.337729] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
[    2.339918] Call Trace:
[    2.340826]  <TASK>
[    2.341632]  dump_stack_lvl+0x4e/0x70
[    2.343196]  panic+0x113/0x2dd
[    2.344290]  fips_signature_selftest+0x12a/0x148
[    2.345917]  ? __pfx_fips_signature_selftest_init+0x10/0x10
[    2.347744]  fips_signature_selftest_rsa+0x3a/0x40
[    2.349321]  fips_signature_selftest_init+0xe/0x20
[    2.351058]  do_one_initcall+0x5b/0x300
[    2.352439]  do_initcalls+0xdf/0x100
[    2.353691]  ? __pfx_kernel_init+0x10/0x10
[    2.355075]  kernel_init_freeable+0x147/0x1a0
[    2.356540]  kernel_init+0x1a/0x140
[    2.357753]  ret_from_fork+0x34/0x50
[    2.359058]  ? __pfx_kernel_init+0x10/0x10
[    2.360435]  ret_from_fork_asm+0x1a/0x30
[    2.361762]  </TASK>
[    2.362730] Kernel Offset: 0x13000000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    2.366169] ---[ end Kernel panic - not syncing: Certs RSA
selftest: pkcs7_validate_trust() = -126 ]---

Re: [bug] pkcs1(rsa-generic,sha256) sign test and RSA selftest failures, possibly related to sig_alg backend changes

[Jan Stancek]

On Mon, Nov 25, 2024 at 3:52 PM Jan Stancek <jstancek@redhat.com> wrote:
>
> Hi,
>
> We are seeing 2 errors with recent Fedora & ELN kernels that may be
> related to same issue:
> [1] alg: sig: test 1 failed for pkcs1(rsa-generic,sha256): err -38
> [2] Kernel panic - not syncing: Certs RSA selftest:
> pkcs7_validate_trust() = -126
>
> Last known good kernel was commit 158f238aa69d, commit fcc79e1714e8 is
> exhibiting the problem. Builds (and configs) can be found on Fedora
> koji: https://koji.fedoraproject.org/koji/packageinfo?packageID=8
>
> I did try to run this alg test manually from a dummy module, and while
> it worked on older kernels as:
>   int ret = alg_test("pkcs1pad(rsa-generic,sha256)",
> "pkcs1pad(rsa,sha256)", CRYPTO_ALG_INSTANCE|CRYPTO_ALG_TYPE_SIG,
> CRYPTO_ALG_TESTED);
>
> this now doesn't work (HEAD at commit 0393dda270e3):
>   int ret = alg_test("pkcs1(rsa-generic,sha256)", "pkcs1(rsa,sha256)",
> CRYPTO_ALG_INSTANCE|CRYPTO_ALG_TYPE_SIG, CRYPTO_ALG_TESTED);
>
> I'll continue with bisect, unless someone can spot the problem sooner.

Please disregard as this appears to be specific issue to Fedora.
Apologies for noise.

>
> Thanks,
> Jan
>
> [1][2]
> [    2.039909] registered taskstats version 1
> [    2.041881] Loading compiled-in X.509 certificates
> [    2.044931] Loaded X.509 cert 'Red Hat Enterprise Linux kernel
> signing key: d02591e7d874078d39c0a63aa29d0f3481a45682'
> [    2.048828] alg: sig: sign test failed: err -38
> [    2.050391] alg: sig: test 1 failed for pkcs1(rsa-generic,sha256): err -38
> [    2.052618] alg: self-tests for pkcs1(rsa,sha256) using
> pkcs1(rsa-generic,sha256) failed (rc=-38)
> [    2.052624] ------------[ cut here ]------------
> [    2.057056] alg: self-tests for pkcs1(rsa,sha256) using
> pkcs1(rsa-generic,sha256) failed (rc=-38)
> [    2.057083] WARNING: CPU: 0 PID: 113 at crypto/testmgr.c:6048
> alg_test.cold+0xb7/0xe0
> [    2.062500] Modules linked in:
> [    2.063598] CPU: 0 UID: 0 PID: 113 Comm: cryptomgr_test Not tainted
> 6.12.0-8.test.eln.x86_64 #1
> [    2.066405] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
> [    2.068579] RIP: 0010:alg_test.cold+0xb7/0xe0
> [    2.070047] Code: c7 c7 c0 54 89 95 e8 52 b4 fe ff 41 83 fe fe 0f
> 84 3d 53 81 ff 44 89 f1 48 89 ea 4c 89 e6 48 c7 c7 f8 54 89 95 e8 93
> 42 2e ff <0f> 0b e9 21 53 81 ff 48 c7 c1 a6 6c 93 95 4c 89 e2 48 89 ee
> 48 c7
> [    2.075865] RSP: 0000:ffffab19004cfdf8 EFLAGS: 00010286
> [    2.077577] RAX: 0000000000000000 RBX: 00000000000000b5 RCX: 00000000ffff7fff
> [    2.079864] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
> [    2.082156] RBP: ffff902b417e9800 R08: 0000000000000000 R09: ffffffff963e2aa8
> [    2.084431] R10: ffffffff96322a68 R11: 0000000000000003 R12: ffff902b417e9880
> [    2.086694] R13: 00000000000000af R14: 00000000ffffffda R15: 00000000ffffffff
> [    2.088983] FS:  0000000000000000(0000) GS:ffff902e6a800000(0000)
> knlGS:0000000000000000
> [    2.091601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [    2.093460] CR2: ffff902d0f401000 CR3: 00000002cde22001 CR4: 0000000000370ef0
> [    2.095734] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [    2.098017] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [    2.100280] Call Trace:
> [    2.101197]  <TASK>
> [    2.102026]  ? show_trace_log_lvl+0x1b0/0x2f0
> [    2.103487]  ? show_trace_log_lvl+0x1b0/0x2f0
> [    2.104966]  ? cryptomgr_test+0x24/0x40
> [    2.106282]  ? alg_test.cold+0xb7/0xe0
> [    2.107564]  ? __warn.cold+0x93/0xf4
> [    2.108809]  ? alg_test.cold+0xb7/0xe0
> [    2.110091]  ? report_bug+0xff/0x140
> [    2.111330]  ? handle_bug+0x53/0x90
> [    2.112539]  ? exc_invalid_op+0x17/0x70
> [    2.113844]  ? asm_exc_invalid_op+0x1a/0x20
> [    2.115253]  ? alg_test.cold+0xb7/0xe0
> [    2.116534]  ? alg_test.cold+0xb7/0xe0
> [    2.117824]  ? __call_rcu_common.constprop.0+0xa9/0x2f0
> [    2.119528]  ? __schedule+0x265/0x570
> [    2.120811]  ? __pfx_cryptomgr_test+0x10/0x10
> [    2.122270]  cryptomgr_test+0x24/0x40
> [    2.123532]  kthread+0xd2/0x100
> [    2.124643]  ? __pfx_kthread+0x10/0x10
> [    2.125947]  ret_from_fork+0x34/0x50
> [    2.127174]  ? __pfx_kthread+0x10/0x10
> [    2.128464]  ret_from_fork_asm+0x1a/0x30
> [    2.129813]  </TASK>
> [    2.130633] ---[ end trace 0000000000000000 ]---
> [    2.132283] Problem loading in-kernel X.509 certificate (-80)
> [    2.134310] Problem loading in-kernel X.509 certificate (-80)
> [    2.136231] Loaded X.509 cert 'Nvidia GPU OOT signing 001:
> 55e1cef88193e60419f0b0ec379c49f77545acf0'
> [    2.177928] Loaded X.509 cert 'Fedora IMA CA:
> a8a00c31663f853f9c6ff2564872e378af026b28'
> [    2.183693] usb 2-1: new high-speed USB device number 2 using ehci-pci
> [    2.185954] Demotion targets for Node 0: null
> [    2.187689] page_owner is disabled
> [    2.189469] Key type .fscrypt registered
> [    2.190849] Key type fscrypt-provisioning registered
> [    2.192642] Key type big_key registered
> [    2.194112] Key type trusted registered
> [    2.217055] Key type encrypted registered
> [    2.218516] Loading compiled-in module X.509 certificates
> [    2.220817] Loaded X.509 cert 'Red Hat Enterprise Linux kernel
> signing key: d02591e7d874078d39c0a63aa29d0f3481a45682'
> [    2.224230] ima: Allocated hash algorithm: sha256
> [    2.284425] ima: No architecture policies found
> [    2.286106] evm: Initialising EVM extended attributes:
> [    2.287807] evm: security.selinux
> [    2.288981] evm: security.SMACK64 (disabled)
> [    2.290418] evm: security.SMACK64EXEC (disabled)
> [    2.291980] evm: security.SMACK64TRANSMUTE (disabled)
> [    2.293646] evm: security.SMACK64MMAP (disabled)
> [    2.295185] evm: security.apparmor (disabled)
> [    2.296657] evm: security.ima
> [    2.297732] evm: security.capability
> [    2.298971] evm: HMAC attrs: 0x1
> [    2.303465] Running certificate verification RSA selftest
> [    2.312640] Problem loading in-kernel X.509 certificate (-80)
> [    2.318523] usb 2-1: New USB device found, idVendor=0627,
> idProduct=0001, bcdDevice= 0.00
> [    2.321349] usb 2-1: New USB device strings: Mfr=1, Product=3,
> SerialNumber=10
> [    2.323821] usb 2-1: Product: QEMU USB Tablet
> [    2.325327] usb 2-1: Manufacturer: QEMU
> [    2.326665] usb 2-1: SerialNumber: 28754-0000:00:05.7-1
> [    2.330363] Kernel panic - not syncing: Certs RSA selftest:
> pkcs7_validate_trust() = -126
> [    2.333231] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Tainted: G
> W         -------  ---  6.12.0-8.test.eln.x86_64 #1
> [    2.336670] Tainted: [W]=WARN
> [    2.337729] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
> [    2.339918] Call Trace:
> [    2.340826]  <TASK>
> [    2.341632]  dump_stack_lvl+0x4e/0x70
> [    2.343196]  panic+0x113/0x2dd
> [    2.344290]  fips_signature_selftest+0x12a/0x148
> [    2.345917]  ? __pfx_fips_signature_selftest_init+0x10/0x10
> [    2.347744]  fips_signature_selftest_rsa+0x3a/0x40
> [    2.349321]  fips_signature_selftest_init+0xe/0x20
> [    2.351058]  do_one_initcall+0x5b/0x300
> [    2.352439]  do_initcalls+0xdf/0x100
> [    2.353691]  ? __pfx_kernel_init+0x10/0x10
> [    2.355075]  kernel_init_freeable+0x147/0x1a0
> [    2.356540]  kernel_init+0x1a/0x140
> [    2.357753]  ret_from_fork+0x34/0x50
> [    2.359058]  ? __pfx_kernel_init+0x10/0x10
> [    2.360435]  ret_from_fork_asm+0x1a/0x30
> [    2.361762]  </TASK>
> [    2.362730] Kernel Offset: 0x13000000 from 0xffffffff81000000
> (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [    2.366169] ---[ end Kernel panic - not syncing: Certs RSA
> selftest: pkcs7_validate_trust() = -126 ]---

Re: [bug] pkcs1(rsa-generic,sha256) sign test and RSA selftest failures, possibly related to sig_alg backend changes

[Alexander Egorenkov]

Hi Jan,

i hit this problem on Fedora 42 x86 and s390x now but with "keyctl
pkey_sign". My Fedora kernel releases: 6.15.9-201.fc42.x86_64 and 6.15.9-201.fc42.s390x.
Do you know what is the problem and how to fix it ?

It seems to work with the latest vanilla Linux kernel on s390x (and i
assume on x86 would too, but not tested), so i assume Fedora's kernel is
somehow different here.

Kernel's PKCS1 sig algorithm seems to call sig_default_sign() instead of
rsassa_pkcs1_sign() and the former returns -ENOSYS which is propagated
to user space, in my case keyctl.

Regards
Alex

Re: [bug] pkcs1(rsa-generic,sha256) sign test and RSA selftest failures, possibly related to sig_alg backend changes

[Alexander Egorenkov]

Okay, i identified the code which is at fault, and it is indeed
Fedora's kernel fault. And it explains why PKCS1's sign callback returns -ENOSYS.

https://src.fedoraproject.org/rpms/kernel/blob/f42/f/patch-6.15-redhat.patch#_510

But why was this change made ?
All signing callbacks seem to be overrided with sig_prepare_alg() for some reason.
We would like to use PKCS1 signing algorithm provided by kernel. 

Regards
Alex

Re: [bug] pkcs1(rsa-generic,sha256) sign test and RSA selftest failures, possibly related to sig_alg backend changes

[Justin Forbes]

On Wed, Aug 13, 2025 at 6:37 AM Alexander Egorenkov
<egorenar@linux.ibm.com> wrote:
>
>
> Okay, i identified the code which is at fault, and it is indeed
> Fedora's kernel fault. And it explains why PKCS1's sign callback returns -ENOSYS.
>
> https://src.fedoraproject.org/rpms/kernel/blob/f42/f/patch-6.15-redhat.patch#_510
>
> But why was this change made ?
> All signing callbacks seem to be overrided with sig_prepare_alg() for some reason.
> We would like to use PKCS1 signing algorithm provided by kernel.

Thanks for the catch, and sorry for the noise there. We do carry that
patch in rawhide, along with several other that change Crypto for RHEL
FIPS which upstream isn't interested in.  I typically drop those (and
many other RHEL specific patches) when I rebase stable Fedora.  But
those are poorly labelled and I suppose I missed it with the 6.15
rebase.  In normal rawhide, that is part of a larger patch series and
makes more sense.
Anyway, the patch should be dropped from the next stable Fedora releases.

Justin

> Regards
> Alex
>