Re: Intermittent EHEALTH Failure in FIPS Mode - jitterentropy jent_entropy_init() in Kernel 6.6.14

Resending in plain text

Hello,

We are currently migrating to kernel 6.6.14 and encountering intermittent EHEALTH errors that cause a kernel panic in initrd (FIPS mode). The error occurs in the following section of the code:

crypto/jitterentropy.c
        /* Validate health test result */
        if (jent_health_failure(&ec))
                return JENT_EHEALTH;

This is called from jent_mod_init():

        ret = jent_entropy_init(desc);
        shash_desc_zero(desc);
        crypto_free_shash(tfm);
        if (ret) {
                /* Handle permanent health test error */
                if (fips_enabled)
                        panic("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret);

We are experiencing up to a 90% failure rate.

In my troubleshooting efforts, I followed the call to jent_condition_data() and attempted to increase the SHA3_HASH_LOOP to give the CPU more work, hoping to collect more entropy:

356
-#define SHA3_HASH_LOOP (1<<3)
+#define SHA3_HASH_LOOP (1<<4)
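
Review bot: the new value (1<<4) on the added SHA3_HASH_LOOP line carries no comment or rationale, and the figures reported with it (40-50% with the change, anywhere from 0% to 90% over 10 reboots without it) do not separate its effect from run-to-run variance. Before keeping it, compare both values over a much larger number of boots and add a comment above the define stating why the loop count was raised.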

This adjustment reduced the failure rate to 40-50%, but the issue persists. It is intermittent. It is also intermittent without the change. Sometimes I get a 90% failure rate on 10 reboots, sometimes 0%.

Given the difficulty in reproducing the kernel panic consistently, is there a more effective workaround or solution for this problem?

Your assistance is greatly appreciated.

Best regards,
Jeff Barnes




