Bug 839239

Summary: kernel fails to boot in fips mode when AES-NI hardware instructions are available
Product: [Fedora] Fedora
Reporter: Milan Broz <mbroz>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: gansalmon, herbert.xu, itamar, jforbes, jonathan, kernel-maint, madhu.chinakonda, maurizio.antillon, mbroz, mitr, pvrabec, pwouters
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 830898
Last Closed: 2012-07-19 09:13:22 UTC
Type: Bug

Description Milan Broz 2012-07-11 10:36:15 UTC
Please can we add these two patches below to the F17 kernel, so that at least
basic FIPS mode testing is possible?

+++ This bug was initially created as a clone of Bug #830898 +++

Created attachment 590970 [details]
kernel patch for aesni fips test

Description of problem:
There are no crypto tests for fips mode in crypto/testmgr.c for the aesni drivers, so they are 'failing' fips testing.

...


--- Additional comment from mbroz on 2012-07-11 03:35:53 EDT ---

Patch in crypto dev tree upstream
http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=6c79294f44fd7d1122cbaabff3b9815b074c0dd0

For debug kernel we need also this one
http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=bf084d8f6eb4ded3f90a6ab79bb682db00ebfbd4

Comment 1 Josh Boyer 2012-07-11 12:40:43 UTC
(In reply to comment #0)
> Please can we add these two patches below to the F17 kernel, so that at least
> basic FIPS mode testing is possible?

Probably.  If we add them, it would be across all branches though.

> --- Additional comment from mbroz on 2012-07-11 03:35:53 EDT ---
> 
> Patch in crypto dev tree upstream
> http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=6c79294f44fd7d1122cbaabff3b9815b074c0dd0

> For debug kernel we need also this one
> http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=bf084d8f6eb4ded3f90a6ab79bb682db00ebfbd4

I'm guessing these are both queued for 3.6?  They seem like they could be sent to Linus for 3.5 still.  Do you know if that is the plan?

Comment 2 Justin M. Forbes 2012-07-11 16:32:02 UTC
This is applied for F16, F17, and Rawhide and should make the next builds of each.

Comment 3 Fedora Update System 2012-07-17 12:42:45 UTC
kernel-3.4.5-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/kernel-3.4.5-2.fc17

Comment 4 Fedora Update System 2012-07-17 12:46:34 UTC
kernel-3.4.5-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kernel-3.4.5-1.fc16

Comment 5 Paul Wouters 2012-07-17 16:08:54 UTC
the f16 is giving me:


[paul@bofh ~]$ sudo rpm -hiv kernel-3.4.5-1.fc16.x86_64.rpm
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [100%]
grubby fatal error: unable to find a suitable template
grubby fatal error: unable to find a suitable template
grubby: doing this would leave no kernel entries. Not writing out new config.

However, I did get a new entry in /boot/grub/menu.lst

title Fedora (3.4.5-1.fc16.x86_64)
        root (hd0,0)
        kernel /vmlinuz-3.4.5-1.fc16.x86_64 ro root=UUID=697aee55-b0bc-4824-be3a-14e9ebea85b2 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us rhgb quiet
        initrd /initramfs-3.4.5-1.fc16.x86_64.img

I think these are grub vs grub2 messages and harmless. I will have to reboot the machine I'm typing on to verify fips mode works.

On f17 thinkpad with AESNI, 2.4.5-2 works in fips mode! f17 VM also works fine.

Comment 6 Paul Wouters 2012-07-17 18:55:34 UTC
Confirmed f16 works with fips mode. left karma
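
Added example (not part of the original bug report, its comments, or the kernel patches): one way to check on a booted system whether FIPS mode is on and what self-test state the AES-NI drivers report, using /proc/sys/crypto/fips_enabled and the driver/selftest fields of /proc/crypto. The embedded /proc/crypto excerpt is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The /proc/crypto excerpt below is constructed sample data.

# Constructed excerpt in /proc/crypto format (three algorithm entries).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
selftest     : passed
type         : ablkcipher

name         : __cbc-aes-aesni
driver       : __driver-cbc-aes-aesni
module       : aesni_intel
selftest     : unknown
type         : blkcipher

name         : sha1
driver       : sha1-generic
module       : kernel
selftest     : passed
type         : shash
EOF
}

# Read /proc/crypto-format text on stdin; print "driver selftest" for each
# entry whose driver name matches the regex in $1 (default: aesni|clmulni).
driver_selftests() {
    awk -v pat="${1:-aesni|clmulni}" '
        $1 == "driver"   { drv = $3 }
        $1 == "selftest" && drv ~ pat { print drv, $3 }
    '
}

# Count matching drivers whose self-test state is not "passed".
not_passed_count() {
    driver_selftests "$1" | awk '$2 != "passed" { n++ } END { print n + 0 }'
}

# Report FIPS state from the sysctl file ($1 overrides the path for testing).
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then echo unavailable; return; fi
    if [ "$(cat "$f")" = "1" ]; then echo enabled; else echo disabled; fi
}

echo "sample: $(sample_proc_crypto | not_passed_count) AES-NI driver(s) not passed"
if [ -r /proc/crypto ]; then
    echo "fips: $(fips_state)"
    driver_selftests < /proc/crypto
fi
```

On a live system, feed /proc/crypto to not_passed_count; a non-zero result means at least one matching driver is registered without a passed self-test.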

Comment 7 Fedora Update System 2012-07-19 08:57:23 UTC
Package kernel-3.4.5-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-3.4.5-1.fc16'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10764/kernel-3.4.5-1.fc16
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-07-19 09:13:22 UTC
kernel-3.4.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-07-24 11:13:07 UTC
kernel-3.4.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kernel-3.4.6-1.fc16

Comment 10 Fedora Update System 2012-07-27 09:53:01 UTC
kernel-3.4.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.