RE: v5.12.0-rc5: the kernel panics if FIPS mode is on

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Eric Biggers <ebiggers@xxxxxxxxxx>
> Sent: Monday, March 29, 2021 6:26 PM
> ...
> It looks like your userspace is using tcrypt.ko to request that the kernel test
> "ofb(aes)", but your kernel doesn't have CONFIG_CRYPTO_OFB enabled so the
> test fails as expected.  

Hi Eric,
Thanks for the explanation! Yes, that's it! 

Sorry for the false alarm! Actually the kernel is faultless here.

> Are you sure that anything changed on the kernel side
> besides the kconfig you are using? It looks like this was always the behavior
> when tcrypt.ko is used to test a non-existing algorithm.

After I rebuilt the kernel with the 3 options:
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_DEV_PADLOCK_AES=y
CONFIG_CRYPTO_ANSI_CPRNG=y

and generated the .hmac file:
sha512hmac /boot/vmlinuz-5.12.0-rc5+  > /boot/.vmlinuz-5.12.0-rc5+.hmac
 
now the kernel boots up successfully with fips=1. :-)

> Is your userspace code intentionally trying to test "ofb(aes)", or is it
> accidental?
> 
> - Eric

I'm not sure. This is a CentOS 8.3 VM, and I use the default configuration.
I have been trying to build & run a v5.12.0-rc5+ kernel with fips=1, and
now this is working for me, thanks to your explanation. Thanks again!

Thanks,
-- Dexuan




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux