By setting the configuration option +CONFIG_CRYPTO_JITTERENTROPY_OSR=3, I ran the following ad hoc test.

50 consecutive boots with fips=1 on the command line with the same image. No jitterentropy health check failure. Booted successfully.

Thanks for the help. I plan to try a value of 2 to see if that will fix it too.

Jeff

________________________________________
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, August 8, 2024 2:20 AM
To: Stephan Mueller
Cc: linux-crypto@xxxxxxxxxxxxxxx; Jeff Barnes; Vladis Dronov; marcelo.cerri@xxxxxxxxxxxxx; Tyler Hicks; Shyam Saini
Subject: [EXTERNAL] Re: Intermittent EHEALTH Failure in FIPS Mode - jitterentropy jent_entropy_init() in Kernel 6.6.14

On Thu, Aug 08, 2024 at 08:13:56AM +0200, Stephan Mueller wrote:
>
> However, the heart of the problem is the following: This failure mode is
> probabilistic in nature. A number of folks trying to push rules that the
> failure does not need to be handled with a panic.
>
> A changed OSR only changes the probability, but that probability is always
> strictly higher than zero.

That's fine. There are many places in the kernel that will fail with a
probability that is non-zero. It is considered to be acceptable as long
as the value is negligible (e.g., equal or less than the probability of
cosmic rays hitting DRAM).

But if it happens reproducibly it clearly is not acceptable.

Cheers,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt