Bug 839239 - kernel fails to boot in fips mode when AES-NI hardware instructions are available
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: 17
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-07-11 06:36 EDT by Milan Broz
Modified: 2013-02-28 23:11 EST
Doc Type: Bug Fix
Clone Of: 830898
Last Closed: 2012-07-19 05:13:22 EDT
Type: Bug
Description Milan Broz 2012-07-11 06:36:15 EDT
Please can we add these two patches below to the F17 kernel, so that at least
basic FIPS mode testing is possible?

+++ This bug was initially created as a clone of Bug #830898 +++

Created attachment 590970 [details]
kernel patch for aesni fips test

Description of problem:
There are no crypto tests for fips mode in crypto/testmgr.c for the aesni drivers, so they are 'failing' fips testing.

...


--- Additional comment from mbroz@redhat.com on 2012-07-11 03:35:53 EDT ---

Patch in crypto dev tree upstream
http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=6c79294f44fd7d1122cbaabff3b9815b074c0dd0

For the debug kernel we also need this one
http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=bf084d8f6eb4ded3f90a6ab79bb682db00ebfbd4
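
To check on a running system for the condition described above, the following added example (not part of the bug report or of the kernel patches) parses /proc/crypto and lists AES-NI drivers whose `selftest` field is not `passed`. The sample text and its driver names are constructed, and the function names are hypothetical.

```python
from pathlib import Path
# Constructed sample in /proc/crypto layout, not taken from the reporter's machine.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
selftest     : passed

name         : __cbc-aes-aesni
driver       : __driver-cbc-aes-aesni
module       : aesni_intel
selftest     : unknown

name         : sha256
driver       : sha256-generic
module       : kernel
selftest     : passed
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per algorithm record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def untested_drivers(records, needle="aesni"):
    """Drivers matching `needle` whose selftest field is not 'passed'."""
    return [r.get("driver", "?") for r in records
            if (needle in r.get("driver", "") or needle in r.get("module", ""))
            and r.get("selftest") != "passed"]

def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the kernel reports FIPS mode (the file contains 1)."""
    p = Path(path)
    return p.exists() and p.read_text().strip() == "1"

if __name__ == "__main__":
    src = Path("/proc/crypto")
    text = src.read_text() if src.exists() else SAMPLE
    print("fips_enabled:", fips_enabled())
    for drv in untested_drivers(parse_proc_crypto(text)):
        print("self-test not passed:", drv)
```
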
Comment 1 Josh Boyer 2012-07-11 08:40:43 EDT
(In reply to comment #0)
> Please can we add these two patches below to the F17 kernel, so that at least
> basic FIPS mode testing is possible?

Probably.  If we add them, it would be across all branches though.

> --- Additional comment from mbroz@redhat.com on 2012-07-11 03:35:53 EDT ---
> 
> Patch in crypto dev tree upstream
> http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=6c79294f44fd7d1122cbaabff3b9815b074c0dd0


> For the debug kernel we also need this one
> http://git.kernel.org/?p=linux/kernel/git/herbert/cryptodev-2.6.git;a=commitdiff;h=bf084d8f6eb4ded3f90a6ab79bb682db00ebfbd4

I'm guessing these are both queued for 3.6?  They seem like they could still be sent to Linus for 3.5.  Do you know if that is the plan?
Comment 2 Justin M. Forbes 2012-07-11 12:32:02 EDT
This is applied for F16, F17, and Rawhide and should make the next builds of each.
Comment 3 Fedora Update System 2012-07-17 08:42:45 EDT
kernel-3.4.5-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/kernel-3.4.5-2.fc17
Comment 4 Fedora Update System 2012-07-17 08:46:34 EDT
kernel-3.4.5-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kernel-3.4.5-1.fc16
Comment 5 Paul Wouters 2012-07-17 12:08:54 EDT
the f16 is giving me:


[paul@bofh ~]$ sudo rpm -hiv kernel-3.4.5-1.fc16.x86_64.rpm
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [100%]
grubby fatal error: unable to find a suitable template
grubby fatal error: unable to find a suitable template
grubby: doing this would leave no kernel entries. Not writing out new config.

However, I did get a new entry in /boot/grub/menu.lst

title Fedora (3.4.5-1.fc16.x86_64)
        root (hd0,0)
        kernel /vmlinuz-3.4.5-1.fc16.x86_64 ro root=UUID=697aee55-b0bc-4824-be3a-14e9ebea85b2 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us rhgb quiet
        initrd /initramfs-3.4.5-1.fc16.x86_64.img

I think these are grub vs grub2 messages and harmless. I will have to reboot the machine I'm typing on to verify fips mode works.

On f17 thinkpad with AESNI, 2.4.5-2 works in fips mode! f17 VM also works fine.
Comment 6 Paul Wouters 2012-07-17 14:55:34 EDT
Confirmed f16 works with fips mode. left karma
Comment 7 Fedora Update System 2012-07-19 04:57:23 EDT
Package kernel-3.4.5-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-3.4.5-1.fc16'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10764/kernel-3.4.5-1.fc16
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2012-07-19 05:13:22 EDT
kernel-3.4.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-07-24 07:13:07 EDT
kernel-3.4.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kernel-3.4.6-1.fc16
Comment 10 Fedora Update System 2012-07-27 05:53:01 EDT
kernel-3.4.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
