RE: v5.12.0-rc5: the kernel panics if FIPS mode is on
From: Dexuan Cui
Date: Tue Mar 30 2021 - 02:57:54 EST
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
> Sent: Monday, March 29, 2021 6:26 PM
> ...
> It looks like your userspace is using tcrypt.ko to request that the kernel test
> "ofb(aes)", but your kernel doesn't have CONFIG_CRYPTO_OFB enabled so the
> test fails as expected.
Hi Eric,
Thanks for the explanation! Yes, that's it!
Sorry for the false alarm! Actually the kernel is faultless here.
> Are you sure that anything changed on the kernel side
> besides the kconfig you are using? It looks like this was always the behavior
> when tcrypt.ko is used to test a non-existing algorithm.
After I rebuilt the kernel with the 3 options:
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_DEV_PADLOCK_AES=y
CONFIG_CRYPTO_ANSI_CPRNG=y
and generated the .hmac file:
sha512hmac /boot/vmlinuz-5.12.0-rc5+ > /boot/.vmlinuz-5.12.0-rc5+.hmac
now the kernel boots up successfully with fips=1. :-)
> Is your userspace code intentionally trying to test "ofb(aes)", or is it
> accidental?
>
> - Eric
I'm not sure. This is a CentOS 8.3 VM, and I use the default configuration.
I have been trying to build & run a v5.12.0-rc5+ kernel with fips=1, and
now this is working for me, thanks to your explanation. Thanks again!
Thanks,
-- Dexuan