830898 – kernel fails to boot in fips mode when AES-NI hardware instructions are available

Bug 830898 - kernel fails to boot in fips mode when AES-NI hardware instructions are available

Summary: kernel fails to boot in fips mode when AES-NI hardware instructions are avail...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Milan Broz
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	717789 808744
TreeView+	depends on / blocked

Reported:	2012-06-11 15:22 UTC by Paul Wouters
Modified:	2013-03-01 04:11 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kernel-3.6.0-0.27.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	839239 (view as bug list)
Environment:
Last Closed:	2012-10-03 15:54:05 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
kernel patch for aesni fips test (939 bytes, patch) 2012-06-11 15:22 UTC, Paul Wouters	no flags	Details \| Diff
testmgr.c patch to allow more modules in fips mode (1.94 KB, patch) 2012-06-13 15:53 UTC, Paul Wouters	no flags	Details \| Diff
Proposed patch (2.75 KB, patch) 2012-06-29 12:31 UTC, Milan Broz	no flags	Details \| Diff
Show Obsolete (2) View All

Description Paul Wouters 2012-06-11 15:22:15 UTC

Created attachment 590970 [details]
kernel patch for aesni fips test

Description of problem:
There are no crypto tests for fips mode in crypto/testmgr.c for the aesni drivers, so they are 'failing' fips testing.

Version-Release number of selected component (if applicable):
linus kernel git still does not have these.

Attached is a patch that resolves this, though it does call the tests which might not actually be needed.

Comment 1 Paul Wouters 2012-06-13 15:53:05 UTC

Created attachment 591553 [details]
testmgr.c patch to allow more modules in fips mode

This is an updated version of the patch to make it work for me. I can now boot the kernel in fips mode (with one dracut patch to remove aes-xts from the fipsmodule list) - including using aesni and full disk encryption.

Comment 2 Miloslav Trmač 2012-06-19 15:34:09 UTC

Please build this fix also as an F17 update, to make it easy to test application behavior in FIPS mode in a current-ish but reasonably stable environment.

Comment 3 Milan Broz 2012-06-27 14:29:42 UTC

I do not understand why should "modprobe tcrypt" in dracut fips seflcheck test all these algorithms

This is done in dracut:

    info "Self testing crypto algorithms"
    modprobe tcrypt || return 1
    rmmod tcrypt
    info "All initrd crypto checks done"

Herbert, is there a reason why it checks e.g. LRW mode?

IMHO the proper fix is that tcrypt does not test these in FIPS mode, not mark them "fips allowed"...

Comment 4 Milan Broz 2012-06-29 12:31:25 UTC

Created attachment 595295 [details]
Proposed patch

Proposed patch which doesn't add new modes and allows for me boot in fips mode (both rawhide/F17).

Comment 5 Milan Broz 2012-07-11 07:35:53 UTC

Patch in crypto dev tree upstream
http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=6c79294f44fd7d1122cbaabff3b9815b074c0dd0

For debug kernel we need also this one
http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=bf084d8f6eb4ded3f90a6ab79bb682db00ebfbd4

Comment 7 Milan Broz 2012-10-03 15:54:05 UTC

Fixed in kernel-3.6.0-0.27.el7 with rebase to 3.6, no more separate patches needed.

Note You need to log in before you can comment on or make changes to this bug.