On Wednesday, 7 August 2024, 14:50:32 CEST, Jeff Barnes wrote:

Hi Jeff,

> Hello,
>
> We are currently migrating to kernel 6.6.14 and encountering intermittent
> EHEALTH errors that cause a kernel panic in initrd (FIPS mode). The error
> occurs in the following section of the code:
>
> crypto/jitterentropy.c
> 722         /* Validate health test result */
> 723         if (jent_health_failure(&ec))
> 724                 return JENT_EHEALTH;
>
> This is called from jent_mod_init():
>
> 337         ret = jent_entropy_init(desc);
> 338         shash_desc_zero(desc);
> 339         crypto_free_shash(tfm);
> 340         if (ret) {
> 341                 /* Handle permanent health test error */
> 342                 if (fips_enabled)
> 343                         panic("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret);
>
> We are experiencing up to a 90% failure rate.
>
> In my troubleshooting efforts, I followed the call to jent_condition_data()
> and attempted to increase the SHA3_HASH_LOOP to give the CPU more work,
> hoping to collect more entropy:

The proper way to handle it is the following: set
CONFIG_CRYPTO_JITTERENTROPY_OSR to a higher value than it is - like 3 (the
default is 1). The higher you set it the slower the collection will get as
more samples are collected.

>
> 356
> -#define SHA3_HASH_LOOP (1<<3)
> +#define SHA3_HASH_LOOP (1<<4)
>
> This adjustment reduced the failure rate to 40-50%, but the issue persists.
> It is intermittent. It is also intermittent without the change. Sometimes I
> get a 90% failure rate on 10 reboots, sometimes 0%.
>
> Given the difficulty in reproducing the kernel panic consistently, is there
> a more effective workaround or solution for this problem?
>
> Your assistance is greatly appreciated.
>
> Best regards,
> Jeff Barnes

Ciao
Stephan
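
Review bot: the quoted SHA3_HASH_LOOP hunk, (1<<3) to (1<<4), edits a hard-coded constant in the source with no comment explaining the new value, and by the reporter's own figures it only lowers the failure rate to 40-50% while the FIPS-mode panic remains. I would drop the hunk and use the CONFIG_CRYPTO_JITTERENTROPY_OSR setting named in the reply, so the tuning is a configuration value rather than a local source patch that has to be carried across kernel updates.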