Can't get Kernel 4.9 to work with FIPS
*It looks like I posted this in the wrong area. I should have posted in the CentOS 7 forum. Sorry!*
I am required to use CentOS 7 for my work and also need it to work alongside FIPS and be running Kernel 4.9 or higher to allow Google BBR functionality. The problem is I cannot get it to boot once I have enabled FIPS. Has anyone had any experience with getting 4.9 kernel to work with FIPS? I have tried with both a VM and an actual machine. Thanks for any help!
Attachment: FIPSError.png
Last edited by danethepain83 on 2019/11/11 19:05:05, edited 1 time in total.
Re: Can't get Kernel 4.9 to work with FIPS
https://bugzilla.redhat.com/show_bug.cgi?id=1115112
If not that then google the error "sha3-224 alg self test failed"
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Can't get Kernel 4.9 to work with FIPS
TrevorH wrote: ↑2019/11/11 19:04:45
https://bugzilla.redhat.com/show_bug.cgi?id=1115112
If not that then google the error "sha3-224 alg self test failed"

Thanks for replying. I've unfortunately tried both that first link you posted and all of the results from that google search.
Re: Can't get Kernel 4.9 to work with FIPS
So you have the dracut-fips package installed and you have edited /lib/dracut/modules.d/01fips/module-setup.sh and added to that the modules that it suggests, and then you've rebuilt your initramfs afterwards?
Might also be useful to tell us the other things you've already tried and haven't helped because those will be the next suggestions...
Re: Can't get Kernel 4.9 to work with FIPS
Yes, I do have dracut-fips package installed and I have modified that file to include those two things. I'll attach an image so you can see. I have scoured all through the internet, but I mostly couldn't find any helpful things to try other than what you've posted. That's why I'm posting here. I did also explicitly set the boot in the grub file to a UUID.
Attachments:
- fips_error_2.png: A bit of a different error now, but still failing
- Dracut_Module-setup_sh.png: This is the setup file where I added those two things
Re: Can't get Kernel 4.9 to work with FIPS
That "too many open files" message looks familiar. You don't have some modprobe.d config file that tries to load something and loops trying? The sort of thing I've seen in the past is install mymodule /sbin/modprobe mymodule, which sends it into a loop loading itself until it uses up all available filehandles and kills itself.
Actually, it's worse than that. You can't even modprobe tcrypt at all even when not trying to use fips. On either CentOS 7 (alg: hash: Failed to load transform for hmac(crc32): -2) or on CentOS 8 (alg: hash: Failed to load transform for sm3: -2 & alg: skcipher: Failed to load transform for ecb(sm4): -2).
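A way to check for the self-loading rule described in the post above, as an added example that is not part of the original thread. It flags modprobe.d "install" rules that call modprobe on the same module without modprobe's --ignore-install (-i) option; the function names and the sample directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: flag modprobe.d "install" rules that call
# modprobe on the same module without --ignore-install (-i) and so recurse.

# find_modprobe_loops DIR...  -> one "file:line:module" per looping rule
find_modprobe_loops() {
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            awk '
            $1 == "install" && NF >= 3 {
                mod = $2; gsub(/-/, "_", mod)      # modprobe treats - and _ alike
                cmd = $0
                sub(/^[ \t]*install[ \t]+[^ \t]+[ \t]+/, "", cmd)
                n = split(cmd, part, /;|&&|\|\|/)  # check each sub-command alone
                for (i = 1; i <= n; i++) {
                    m = split(part[i], w, /[ \t]+/)
                    is_modprobe = 0; ignores = 0; hits = 0
                    for (j = 1; j <= m; j++) {
                        if (w[j] == "") continue
                        if (!is_modprobe) {        # first word must be modprobe
                            if (w[j] !~ /(^|\/)modprobe$/) break
                            is_modprobe = 1; continue
                        }
                        if (w[j] == "--ignore-install" || w[j] ~ /^-[A-Za-z]*i[A-Za-z]*$/)
                            ignores = 1
                        name = w[j]; gsub(/-/, "_", name)
                        if (name == mod) hits = 1
                    }
                    if (is_modprobe && hits && !ignores)
                        printf "%s:%d:%s\n", FILENAME, FNR, $2
                }
            }' "$f"
        done
    done
}

# Constructed sample directory: one looping rule, one comment, one safe rule.
demo_modprobe_loops() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'install mymodule /sbin/modprobe mymodule' > "$tmp/bad.conf"
    printf '%s\n' '# install old /sbin/modprobe old' \
        'install fred /sbin/modprobe barney; /sbin/modprobe --ignore-install fred' \
        > "$tmp/ok.conf"
    find_modprobe_loops "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

demo_modprobe_loops
```

On a real system the function would be pointed at /etc/modprobe.d and any other modprobe.d directories in use.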
Re: Can't get Kernel 4.9 to work with FIPS
This is a fresh CentOS 7.7 install with kernel 4.9. I haven't modified any files outside of adding FIPS requirements. I'm wondering if it's just not possible to have a kernel version of 4.9 or greater with FIPS. Sigh. Thanks for looking into this. I am not sure what else to try.
I ran across this post yesterday:
viewtopic.php?f=47&t=71757&p=304899#p301806
Any chance that Dracut FIPS has been deprecated and we should use something else? Sorry, I'm pretty new to Linux overall. I appreciate your help.
Re: Can't get Kernel 4.9 to work with FIPS
My tests were run with the distro kernel and you cannot load the tcrypt module even on that. Try it yourself on your 4.9 kernel and see if it works for you in non-fips mode. If you can't load tcrypt then the fips self tests will fail.
Re: Can't get Kernel 4.9 to work with FIPS
Can you explain how I can do that? If you just mean turning off fips (fips = 0), I am able to do that and boot up 4.9 just fine. I am not familiar with loading a tcrypt module. Thanks so much!
Re: Can't get Kernel 4.9 to work with FIPS
So I booted without fips=1 (I presume fips=0 is default) and just ran modprobe tcrypt and got errors on the ssh session about it failing and then there was more info in /var/log/messages that gave more clues about why.
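For the modprobe tcrypt check described in the posts above, an added example (not part of the original thread) that lists which algorithms failed to load from kernel log lines in the format quoted earlier. The function names are hypothetical, and the sample lines are constructed around the message text from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list the algorithms whose transform failed
# to load, from kernel log lines in the format quoted in the posts above.

# failed_transforms < LOG  -> "type algorithm reason", one line per algorithm
failed_transforms() {
    sed -n 's/.*alg: \([a-z]*\): Failed to load transform for \(.*\): -\([0-9][0-9]*\)$/\1 \2 \3/p' |
    LC_ALL=C sort -u |
    while read -r kind alg code; do
        case "$code" in
            2) reason=ENOENT ;;   # errno 2: the kernel could not find that algorithm
            *) reason="errno-$code" ;;
        esac
        printf '%s %s %s\n' "$kind" "$alg" "$reason"
    done
}

# Constructed log lines: the message text is taken from the thread, the
# timestamp/host prefix and the unrelated sshd line are made up.
demo_failed_transforms() {
    failed_transforms <<'EOF'
Nov 12 10:00:01 host kernel: alg: hash: Failed to load transform for hmac(crc32): -2
Nov 12 10:00:01 host kernel: alg: hash: Failed to load transform for sm3: -2
Nov 12 10:00:01 host kernel: alg: skcipher: Failed to load transform for ecb(sm4): -2
Nov 12 10:00:02 host kernel: alg: hash: Failed to load transform for sm3: -2
Nov 12 10:00:03 host sshd[1234]: Accepted publickey for admin
EOF
}

demo_failed_transforms
```

On a real system the input would be /var/log/messages or the output of dmesg, captured right after running modprobe tcrypt without fips=1.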