Can't get Kernel 4.9 to work with FIPS

danethepain83
Posts: 8
Joined: 2019/11/11 17:23:08

Can't get Kernel 4.9 to work with FIPS

Post by danethepain83 » 2019/11/11 17:37:24

*It looks like I posted this in the wrong area. I should have posted in the CentOS 7 forum. Sorry!*

I am required to use CentOS 7 for my work and also need it to work alongside FIPS and be running Kernel 4.9 or higher to allow Google BBR functionality. The problem is I cannot get it to boot once I have enabled FIPS. Has anyone had any experience with getting 4.9 kernel to work with FIPS? I have tried with both a VM and an actual machine. Thanks for any help!
Attachment: FIPSError.png (27 KiB)
Last edited by danethepain83 on 2019/11/11 19:05:05, edited 1 time in total.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/11 19:04:45

https://bugzilla.redhat.com/show_bug.cgi?id=1115112

If not that then google the error "sha3-224 alg self test failed"
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

danethepain83
Posts: 8
Joined: 2019/11/11 17:23:08

Re: Can't get Kernel 4.9 to work with FIPS

Post by danethepain83 » 2019/11/11 19:06:54

TrevorH wrote:
2019/11/11 19:04:45
https://bugzilla.redhat.com/show_bug.cgi?id=1115112

If not that then google the error "sha3-224 alg self test failed"
Thanks for replying. I've unfortunately tried both that first link you posted and all of the results from that google search.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/11 19:29:53

So you have the dracut-fips package installed and you have edited /lib/dracut/modules.d/01fips/module-setup.sh and added the modules to that that it suggests and then you've rebuilt your initramfs afterwards?

Might also be useful to tell us the other things you've already tried and haven't helped because those will be the next suggestions...

danethepain83
Posts: 8
Joined: 2019/11/11 17:23:08

Re: Can't get Kernel 4.9 to work with FIPS

Post by danethepain83 » 2019/11/11 20:39:08

Yes, I do have dracut-fips package installed and I have modified that file to include those two things. I'll attach an image so you can see. I have scoured all through the internet, but I mostly couldn't find any helpful things to try other than what you've posted. That's why I'm posting here. I did also explicitly set the boot in the grub file to a UUID.
Attachments
fips_error_2.png (19.51 KiB): A bit of a different error now, but still failing
Dracut_Module-setup_sh.png (129.57 KiB): This is the setup file where I added those two things

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/12 00:24:37

That "too many open files" message looks familiar. You don't have some modprobe.d config file that tries to load something and loops trying? The sort of thing I've seen in the past is install mymodule /sbin/modprobe mymodule which sends it into a loop loading itself until it uses up all available filehandles and kills itself.

Actually, it's worse than that. You can't even modprobe tcrypt at all even when not trying to use fips. On either CentOS 7 (alg: hash: Failed to load transform for hmac(crc32): -2) or on CentOS 8 (alg: hash: Failed to load transform for sm3: -2 & alg: skcipher: Failed to load transform for ecb(sm4): -2).

danethepain83
Posts: 8
Joined: 2019/11/11 17:23:08

Re: Can't get Kernel 4.9 to work with FIPS

Post by danethepain83 » 2019/11/12 12:56:08

This is a fresh CentOS 7.7 install with kernel 4.9. I haven't modified any files outside of adding FIPS requirements. I'm wondering if it's just not possible to have a kernel version of 4.9 or greater with FIPS. Sigh. Thanks for looking into this. I am not sure what else to try.

I ran across this post yesterday:
viewtopic.php?f=47&t=71757&p=304899#p301806
Any chance that Dracut FIPS has been deprecated and we should use something else? Sorry, I'm pretty new to Linux overall. I appreciate your help.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/12 13:50:00

My tests were run with the distro kernel and you cannot load the tcrypt module even on that. Try it yourself on your 4.9 kernel and see if it works for you in non-fips mode. If you can't load tcrypt then the fips self tests will fail.

danethepain83
Posts: 8
Joined: 2019/11/11 17:23:08

Re: Can't get Kernel 4.9 to work with FIPS

Post by danethepain83 » 2019/11/12 16:24:54

Can you explain how I can do that? If you just mean turning off fips (fips = 0), I am able to do that and boot up 4.9 just fine. I am not familiar with loading a tcrypt module. Thanks so much!

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/12 16:40:15

So I booted without fips=1 (I presume fips=0 is default) and just ran modprobe tcrypt and got errors on the ssh session about it failing and then there was more info in /var/log/messages that gave more clues about why.
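The triage TrevorH describes in his last two replies (load tcrypt in non-FIPS mode, then read the kernel log for the real reason) as an added helper script; this is not from the thread or from dracut-fips. The log lines it is fed below are constructed from the messages quoted in the thread, and the fips_triage function is only meant for a real CentOS 7 host.

```shell
#!/bin/sh
# Added example, not code from the thread: pull the failing algorithm names
# out of kernel log text so a FIPS boot failure can be matched to the
# module list in /lib/dracut/modules.d/01fips/module-setup.sh.

# Read kernel log text on stdin, print one "kind name" line per failure.
# Handles both message shapes quoted in the thread:
#   "alg: hash: Failed to load transform for hmac(crc32): -2"
#   "sha3-224-generic: sha3-224 alg self test failed in fips mode!"
crypto_failures() {
    sed -n \
        -e 's/^/ /' \
        -e 's/.*alg: [a-z_]*: Failed to load transform for \(.*\): -[0-9]*$/missing-transform \1/p' \
        -e 's/.*[ :]\([^ ]*\) alg self test failed.*/self-test-failed \1/p' \
    | LC_ALL=C sort -u
}

# Live triage on a CentOS 7 box (run as root); needs a real kernel and modprobe.
fips_triage() {
    echo "fips_enabled: $(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo unknown)"
    echo "dracut-fips:  $(rpm -q dracut-fips 2>/dev/null || echo 'not installed')"
    # tcrypt runs the crypto self tests at load time and deliberately returns
    # -EAGAIN so it never stays loaded, so modprobe reporting an error is
    # expected; the useful detail is what it left in the kernel log.
    modprobe tcrypt 2>/dev/null || true
    dmesg | crypto_failures
}

# Constructed sample log (the four messages mentioned in the thread).
SAMPLE_LOG='kernel: alg: hash: Failed to load transform for hmac(crc32): -2
kernel: alg: hash: Failed to load transform for sm3: -2
kernel: alg: skcipher: Failed to load transform for ecb(sm4): -2
kernel: sha3-224-generic: sha3-224 alg self test failed in fips mode!'

printf '%s\n' "$SAMPLE_LOG" | crypto_failures
```

Each reported name is a candidate to compare against the hostonly module list the dracut fips module pulls into the initramfs; on a live host run `fips_triage` after booting with fips=0.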
