On Thu, Feb 28, 2013 at 9:02 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> On Thu, 28 Feb 2013 12:38:46 +0530
> Suresh Jayaraman <sjayaraman@xxxxxxxxxx> wrote:
>
>> Hi all,
>>
>> I was told that (haven't checked myself, yet) that booting in FIPS
>> (Federal Information Processing Standard) mode by adding "fips=1" to
>> grub.conf breaks CIFS mounts by returning -ENOENT.
>>
>> I thought I'd ask if this is a known problem before I spend more time on
>> this.
>>
>>
>> Thanks
>>
>
> Yep, known problem. We try to load several crypto routines during the
> mount process, and that fails in FIPS mode since they aren't allowed.
> The fix is to only load those routines once we know that we actually
> need them and only fail in those cases. There are no patches for that
> yet, AFAIK.
>
> Note that enabling FIPS mode will almost certainly break both NTLMv1
> and NTLMv2 auth, since those require md4 and md5. It might be nice to
> update the manpage with what sec= options actually work after enabling
> FIPS mode once the main problem is fixed.

Any good reference to this? Would be good to track this via a bug report.

Although presumably we would be fine with SMB2/SMB3 and krb5, it wasn't
immediately obvious to me why MD5 would not be allowed since I see it
in various lists of FIPS algorithm certifications but not for RHEL 6.2
which listed the following:

-FIPS-approved algorithms: AES (Certs. #1968, #1969, #1970, #1971 and
#1972); Triple-DES (Certs. #1278 and #1279); SHS (Certs. #1725 and
#1726); HMAC (Certs. #1187, #1188, #1199 and #1200); RNG (Certs.
#1033, #1034, #1035, #1036 and #1037); DSA (Certs #628, #629, #634 and
#635)

--
Thanks,

Steve
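The failure and the fix discussed in this thread, as a user-space model added here (not part of the thread and not the cifs module's code): eager allocation makes every mount fail under FIPS, while allocating per `sec=` flavour fails only the mounts that need md4/md5. `fips_enabled`, `alloc_hash`, `mount_eager`, `mount_lazy` and the requirements table are hypothetical names for illustration; the NTLM requirements follow the thread, and krb5 needing neither digest is an assumption.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Model only: stands in for the kernel's FIPS switch (fips=1 at boot). */
static bool fips_enabled;

/* Hypothetical allocator: refuses md4/md5 in FIPS mode, as the thread describes. */
static int alloc_hash(const char *alg)
{
    if (fips_enabled && (!strcmp(alg, "md4") || !strcmp(alg, "md5")))
        return -ENOENT;
    return 0;
}

/* Digests each sec= flavour needs. NTLM rows follow the thread; the empty
 * krb5 row is an assumption for this model. */
struct sec_req { const char *sec; const char *algs[3]; };
static const struct sec_req reqs[] = {
    { "ntlm",   { "md4", "md5", NULL } },
    { "ntlmv2", { "md4", "md5", NULL } },
    { "krb5",   { NULL } },
};

/* Eager: allocate everything at mount time, so one refusal fails every mount. */
int mount_eager(const char *sec)
{
    static const char *const all[] = { "md4", "md5" };
    (void)sec; /* the chosen flavour is never consulted: that is the bug */
    for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++) {
        int rc = alloc_hash(all[i]);
        if (rc)
            return rc;
    }
    return 0;
}

/* Lazy: allocate only what the requested sec= flavour uses, fail only then. */
int mount_lazy(const char *sec)
{
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        if (strcmp(reqs[i].sec, sec))
            continue;
        for (const char *const *a = reqs[i].algs; *a; a++) {
            int rc = alloc_hash(*a);
            if (rc)
                return rc;
        }
        return 0;
    }
    return -EINVAL; /* unknown sec= value */
}
```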