kernel panic in FIPS mode (3.18.27)
From: Tapas Sarangi
Date: Tue Feb 23 2016 - 11:20:45 EST
I am recompiling 3.18.27 on a platform derived from el6. FIPS mode is
enabled by checking the following configs:
CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_TEST=y
Following RH docs, initramfs was regenerated using dracut-fips (el6).
I also generated hmac signed vmlinuz during the compilation.
During boot, kernel panics with the following trace:
kernel line has the arguments, 'fips=1 boot=/dev/sda1'.
"end Kernel Panic - not syncing: Module crc32c_intel signature
verification failed in FIPS mode"
Some additional info:
It seems that under fips mode, the initrd runs './sbin/fips.sh', which
then runs 'modprobe tcrypt'.
I tried running modprobe tcrypt without the fips mode on the same
kernel, but it fails with this message.
FATAL: Error inserting tcrypt
(/lib/modules/3.18.27-1.timbuktu/kernel/crypto/tcrypt.ko.gz): Unknown
symbol in module, or unknown parameter (see dmesg)
Looking at dmesg:
[ 31.248054] sha256_ssse3: Using AVX optimized SHA-256 implementation
[ 31.308174] sha512_ssse3: Using AVX optimized SHA-512 implementation
[ 31.407674] alg: No test for crc32 (crc32-pclmul)
[ 31.408410] alg: No test for crc32 (crc32-table)
[ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
[ 31.413155] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
[ 31.440281] tcrypt: one or more tests failed!
Now, one of these messages,
[ 31.409086] alg: hash: Failed to load transform for hmac(crc32): -2
comes most likely from:
linux-3.18.27/crypto/tcrypt.c (L1498)
    case 110:
        ret += tcrypt_test("hmac(crc32)");
        break;
and also from
linux-3.18.27/crypto/testmgr.c
    .alg = "hmac(crc32)",
    .test = alg_test_hash,
    .suite = {
        .hash = {
            .vecs = bfin_crc_tv_template,
            .count = BFIN_CRC_TEST_VECTORS
        }
    }
Any suggestion on how to solve this problem would be appreciated.
Please let me know if I can provide more info. I am ready to help on
that.
TIA
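
Added example, not part of the original post: the panic quoted above is raised by the kernel's check for a signature appended to the module file, and the code below inspects that trailer offline, including for gzip-compressed modules such as the tcrypt.ko.gz path in the message. The marker string and the 12-byte trailer layout are taken from the kernel's module signing format and do not appear on the page; the function names and the sample bytes are constructed for illustration, and nothing is verified against a key.

```python
import gzip
import struct

# Marker the kernel looks for at the very end of a signed module file.
MARKER = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, big-endian 32-bit signature length (12 bytes in total).
TRAILER = struct.Struct(">BBBBB3xI")


def load_module_bytes(path):
    """Read a module file, decompressing it if it is gzip (e.g. *.ko.gz)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def inspect_signature(data):
    """Return status 'unsigned', 'malformed' or 'signed' plus trailer lengths.
    Structural check only: nothing is verified against a key."""
    if not data.endswith(MARKER):
        return {"status": "unsigned"}
    body = data[:-len(MARKER)]
    if len(body) <= TRAILER.size:
        return {"status": "malformed"}
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    remaining = len(body) - TRAILER.size
    # Declared lengths must leave room for the module image itself.
    if sig_len >= remaining or signer_len + key_id_len >= remaining - sig_len:
        return {"status": "malformed"}
    return {"status": "signed", "sig_len": sig_len, "signer_len": signer_len,
            "key_id_len": key_id_len,
            "module_len": remaining - sig_len - signer_len - key_id_len}


def build_sample(payload, signer=b"constructed signer", key_id=b"\x01\x02\x03\x04",
                 sig=b"\xaa" * 64):
    """Constructed test input: payload, signer, key id, signature, trailer."""
    trailer = TRAILER.pack(0, 0, 0, len(signer), len(key_id), len(sig))
    return payload + signer + key_id + sig + trailer + MARKER


if __name__ == "__main__":
    image = b"\x7fELF" + bytes(100)  # constructed stand-in for a .ko image
    print(inspect_signature(image))
    print(inspect_signature(build_sample(image)))
```

To check a real file, pass the result of load_module_bytes() for a module under /lib/modules/<version>/ to inspect_signature().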