| Summary: | Support for FIPS dropped from the Kernel in Fedora-15 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Elio Maldonado Batiz <emaldona> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | aquini, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, rrelyea, sgrubb, tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | kernel-2.6.38.8-35.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-12 05:25:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
ugh, this has been accidentally disabled because we don't enable an option that it's dependant on. (CRYPTO_MANAGER_DISABLE_TESTS) kernel-2.6.38.8-35.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/kernel-2.6.38.8-35.fc15 Package kernel-2.6.38.8-35.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing kernel-2.6.38.8-35.fc15' as soon as you are able to, then reboot. Please go to the following url: https://admin.fedoraproject.org/updates/kernel-2.6.38.8-35.fc15 then log in and leave karma (feedback). kernel-2.6.38.8-35.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: FIPS support has been dropped from the kernel configuration. It had been present since Fedora 13. Version-Release number of selected component (if applicable): Fedora 15 How reproducible: Always Steps to Reproduce: 1. As root execute: ipsec setup start Actual results: ipsec_setup: Stopping Openswan IPsec... ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.38.8-32.fc15.i686... ipsec_setup: no default routes detected ipsec_setup: /usr/libexec/ipsec/addconn Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode Expected results: Pluto should have been able to find /proc/sys/crypto/fips_enabled, and seen a 1 if the kernel was configured with FIPS support, or 0 if configured without it, as was the case with Fedora 14. Passing fips=1 (or fips=0) is a documented parameter to the kernel that a user in single user mode could pass it early in the boot process. Additional info: This is troubling to because several of our security packages, such as openssl, openswan, and nss-sofokn, depend on code such as f = fopen("/proc/sys/crypto/fips_enabled", "r"); to determine whether the kernel has been compiled with FIPS enabled or not and act accordingly.