From: Vladis Dronov <vdronov@xxxxxxxxxx>

[redhat] Enable CONFIG_CRYPTO_CFB=y so cfb(aes) is available in FIPS mode

Currently the CFB algo is built as a module in Fedora and is not built in ARK. This results in a panic while booting in a FIPS mode:

[ 3.347092] alg: skcipher: failed to allocate transform for cfb(aes): -2
[ 3.347918] Kernel panic - not syncing: alg: self-tests for cfb(aes) (cfb(aes)) failed in fips mode!

Fix this by embedding the CFB code into a kernel, the same way as CTS and CBC algos already do. The reason why the CFB code is embedded and is not built as a module is that dracut must add the module to an initramfs image. This is not always the case.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1915290
Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx>

diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_CFB b/redhat/configs/ark/generic/CONFIG_CRYPTO_CFB --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_CFB +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CRYPTO_CFB is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_CFB b/redhat/configs/common/generic/CONFIG_CRYPTO_CFB --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_CFB @@ -0,0 +1 @@ +CONFIG_CRYPTO_CFB=y diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_CFB b/redhat/configs/fedora/generic/CONFIG_CRYPTO_CFB --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_CFB +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_CFB=m
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1040
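
Review bot: In the redhat/configs/common/generic/CONFIG_CRYPTO_CFB hunk, the reason the value has to be =y rather than =m is only implied by the commit message ("dracut must add the module to an initramfs image. This is not always the case."). Please say it directly there: with =m, a FIPS-mode boot panics whenever the initramfs lacks the module, because the cfb(aes) self-test cannot allocate the transform (the -2 in the quoted log). Stating that plainly makes it less likely that someone later switches this option back to a module.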
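
Review bot: The redhat/configs/fedora/generic/CONFIG_CRYPTO_CFB hunk drops CONFIG_CRYPTO_CFB=m, so Fedora moves from a module to built-in through the new common file, but the subject line only talks about enabling the option. Suggest adding a sentence to the commit message that Fedora changes from =m to =y, so reviewers of that variant can see the effect on the Fedora kernel image.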