| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <MW2PR2101MB08925B7CAAE1019D7809D460BF7D9@MW2PR2101MB0892.namprd21.prod.outlook.com>
Date: Tue, 30 Mar 2021 06:56:50 +0000
From: Dexuan Cui <decui@...rosoft.com>
To: Eric Biggers <ebiggers@...nel.org>
CC: "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: v5.12.0-rc5: the kernel panics if FIPS mode is on
> From: Eric Biggers <ebiggers@...nel.org>
> Sent: Monday, March 29, 2021 6:26 PM
> ...
> It looks like your userspace is using tcrypt.ko to request that the kernel test
> "ofb(aes)", but your kernel doesn't have CONFIG_CRYPTO_OFB enabled so the
> test fails as expected.
Hi Eric,
Thanks for the explanation! Yes, that's it!
Sorry for the false alarm! Actually the kernel is faultless here.
> Are you sure that anything changed on the kernel side
> besides the kconfig you are using? It looks like this was always the behavior
> when tcrypt.ko is used to test a non-existing algorithm.
After I rebuilt the kernel with the 3 options:
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_DEV_PADLOCK_AES=y
CONFIG_CRYPTO_ANSI_CPRNG=y
and generated the .hmac file:
sha512hmac /boot/vmlinuz-5.12.0-rc5+ > /boot/.vmlinuz-5.12.0-rc5+.hmac
now the kernel boots up successfully with fips=1. :-)
> Is your userspace code intentionally trying to test "ofb(aes)", or is it
> accidental?
>
> - Eric
I'm not sure. This is a CentOS 8.3 VM, and I use the default configuration.
I have been trying to build & run a v5.12.0-rc5+ kernel with fips=1, and
now this is working for me, thanks to your explanation. Thanks again!
Thanks,
-- Dexuan
Powered by blists - more mailing lists