On Thu, 28 Feb 2013 09:10:28 -0600
Steve French <smfrench@xxxxxxxxx> wrote:

> On Thu, Feb 28, 2013 at 9:02 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> > On Thu, 28 Feb 2013 12:38:46 +0530
> > Suresh Jayaraman <sjayaraman@xxxxxxxxxx> wrote:
> >
> >> Hi all,
> >>
> >> I was told (haven't checked myself, yet) that booting in FIPS
> >> (Federal Information Processing Standard) mode by adding "fips=1" to
> >> grub.conf breaks CIFS mounts by returning -ENOENT.
> >>
> >> I thought I'd ask if this is a known problem before I spend more time on
> >> this.
> >>
> >> Thanks
> >>
> >
> > Yep, known problem. We try to load several crypto routines during the
> > mount process, and that fails in FIPS mode since they aren't allowed.
> > The fix is to only load those routines once we know that we actually
> > need them and only fail in those cases. There are no patches for that
> > yet, AFAIK.
> >
> > Note that enabling FIPS mode will almost certainly break both NTLMv1
> > and NTLMv2 auth, since those require md4 and md5. It might be nice to
> > update the manpage with what sec= options actually work after enabling
> > FIPS mode once the main problem is fixed.
>
> Any good reference to this? Would be good to track this via a bug report.
> Although presumably we would be fine with SMB2/SMB3 and krb5,
> it wasn't immediately obvious to me why MD5 would not be allowed since
> I see it in various lists of FIPS algorithm certifications but not for
> RHEL 6.2 which listed the following:
>
> -FIPS-approved algorithms: AES (Certs. #1968, #1969, #1970, #1971 and
> #1972); Triple-DES (Certs. #1278 and #1279); SHS (Certs. #1725 and
> #1726); HMAC (Certs. #1187, #1188, #1199 and #1200); RNG (Certs.
> #1033, #1034, #1035, #1036 and #1037); DSA (Certs. #628, #629, #634 and
> #635)
>

I'm pretty sure md5 is proscribed by FIPS, though all the info I have on
this is second hand.

The fact that md5 was blacklisted was one of the reasons I avoided using
it for the nfsd reboot recovery work that was recently merged.

-- 
Jeff Layton <jlayton@xxxxxxxxxx>