Can't get Kernel 4.9 to work with FIPS

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/12 16:55:40

I also just installed the latest ELRepo kernel-ml package (5.3.10) on my test VM and wasn't able to modprobe tcrypt on that either. That attempt gave a different error:

Code:

[root@centos7 ~]# modprobe tcrypt
modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable

and nothing useful was in dmesg other than these, which just look like information, not errors:

[ 21.253004] AVX2 instructions are not detected.
[ 21.271739] AVX2 instructions are not detected.
[ 21.534049] AVX2 or AES-NI instructions are not detected.
[ 21.555468] AVX2 or AES-NI instructions are not detected.

So that one looks more hopeful but still doesn't work though doesn't give any clue as to why...

Ah, a bit more Googling led me to a place that said to use modprobe tcrypt sec=2 mode=402 as a bypass for the very error that you were getting before about hmac(crc32). I tried that here on the 5.3.10 kernel and it runs for a very long time before it returns with the same failure that it did for me before on 5.3.10, but dmesg now contains a lot more:

Code:

[root@centos7 ~]# grep -i tcrypt /var/log/messages
Nov 12 00:15:47 centos7 kernel: tcrypt: one or more tests failed!
Nov 12 16:50:19 centos7 kernel: tcrypt: test 0 ( 16 byte blocks, 16 bytes per update, 1 updates):
Nov 12 16:50:21 centos7 kernel: tcrypt: test 1 ( 64 byte blocks, 16 bytes per update, 4 updates): 1820360 opers/sec, 116503040 bytes/sec
Nov 12 16:50:23 centos7 kernel: tcrypt: test 2 ( 64 byte blocks, 64 bytes per update, 1 updates):
Nov 12 16:50:25 centos7 kernel: tcrypt: test 3 ( 256 byte blocks, 16 bytes per update, 16 updates): 604540 opers/sec, 154762240 bytes/sec
Nov 12 16:50:27 centos7 kernel: tcrypt: test 4 ( 256 byte blocks, 64 bytes per update, 4 updates): 1064915 opers/sec, 272618368 bytes/sec
Nov 12 16:50:29 centos7 kernel: tcrypt: test 5 ( 256 byte blocks, 256 bytes per update, 1 updates):
Nov 12 16:50:31 centos7 kernel: tcrypt: test 6 ( 1024 byte blocks, 16 bytes per update, 64 updates): 166633 opers/sec, 170632192 bytes/sec
Nov 12 16:50:33 centos7 kernel: tcrypt: test 7 ( 1024 byte blocks, 256 bytes per update, 4 updates): 463078 opers/sec, 474192384 bytes/sec
Nov 12 16:50:35 centos7 kernel: tcrypt: test 8 ( 1024 byte blocks, 1024 bytes per update, 1 updates):
Nov 12 16:50:37 centos7 kernel: tcrypt: test 9 ( 2048 byte blocks, 16 bytes per update, 128 updates): 83981 opers/sec, 171994112 bytes/sec
Nov 12 16:50:39 centos7 kernel: tcrypt: test 10 ( 2048 byte blocks, 256 bytes per update, 8 updates): 244948 opers/sec, 501654528 bytes/sec
Nov 12 16:50:41 centos7 kernel: tcrypt: test 11 ( 2048 byte blocks, 1024 bytes per update, 2 updates): 274518 opers/sec, 562213888 bytes/sec
Nov 12 16:50:43 centos7 kernel: tcrypt: test 12 ( 2048 byte blocks, 2048 bytes per update, 1 updates):
Nov 12 16:50:45 centos7 kernel: tcrypt: test 13 ( 4096 byte blocks, 16 bytes per update, 256 updates): 42092 opers/sec, 172408832 bytes/sec
Nov 12 16:50:47 centos7 kernel: tcrypt: test 14 ( 4096 byte blocks, 256 bytes per update, 16 updates): 124606 opers/sec, 510386176 bytes/sec
Nov 12 16:50:48 centos7 kernel: tcrypt: test 15 ( 4096 byte blocks, 1024 bytes per update, 4 updates):
Nov 12 16:50:51 centos7 kernel: tcrypt: test 16 ( 4096 byte blocks, 4096 bytes per update, 1 updates):
Nov 12 16:50:53 centos7 kernel: tcrypt: test 17 ( 8192 byte blocks, 16 bytes per update, 512 updates): 20751 opers/sec, 169996288 bytes/sec
Nov 12 16:50:55 centos7 kernel: tcrypt: test 18 ( 8192 byte blocks, 256 bytes per update, 32 updates): 63433 opers/sec, 519643136 bytes/sec
Nov 12 16:50:57 centos7 kernel: tcrypt: test 19 ( 8192 byte blocks, 1024 bytes per update, 8 updates): 72494 opers/sec, 593870848 bytes/sec
Nov 12 16:50:59 centos7 kernel: tcrypt: test 20 ( 8192 byte blocks, 4096 bytes per update, 2 updates): 75929 opers/sec, 622014464 bytes/sec
Nov 12 16:51:01 centos7 kernel: tcrypt: test 21 ( 8192 byte blocks, 8192 bytes per update, 1 updates):

Edit: oh, further down the same mailing list thread (https://linux-crypto.vger.kernel.narkiv ... tcrypt-bug) it says:

> ERROR: could not insert 'tcrypt': Resource temporarily unavailable
Tcrypt fails to load after running tests, that's expected.

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
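
Added example, not part of the original posts: a small POSIX shell helper that separates the expected "Resource temporarily unavailable" result from a real tcrypt self-test failure by reading the kernel log for one run only. The function names and verdict strings are hypothetical, the sample lines are a subset of the log quoted in the post above, and the FIPS-mode branch assumes the upstream tcrypt behaviour of returning -EAGAIN after a successful run unless FIPS mode is enabled.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Sample input: a subset of the log lines quoted in the post above.
sample_log() {
cat <<'EOF'
Nov 12 00:15:47 centos7 kernel: tcrypt: one or more tests failed!
Nov 12 16:50:19 centos7 kernel: tcrypt: test 0 ( 16 byte blocks, 16 bytes per update, 1 updates):
Nov 12 16:50:21 centos7 kernel: tcrypt: test 1 ( 64 byte blocks, 16 bytes per update, 4 updates): 1820360 opers/sec, 116503040 bytes/sec
Nov 12 16:50:25 centos7 kernel: tcrypt: test 3 ( 256 byte blocks, 16 bytes per update, 16 updates): 604540 opers/sec, 154762240 bytes/sec
EOF
}

# Summarise tcrypt lines logged on day $1 at or after time $2 (HH:MM:SS), so
# an older run's failure line is not attributed to the run being examined.
tcrypt_summary() {
    awk -v day="$1" -v since="$2" '
        ($1 " " $2) != day || $3 < since { next }   # outside the window
        !/kernel: tcrypt: /              { next }   # not a tcrypt message
        /one or more tests failed!/      { failed++; next }
        / tcrypt: test [0-9]+ /          { tests++; if (/opers\/sec/) rated++ }
        END { printf "failed=%d tests=%d rated=%d unrated=%d\n",
                     failed, tests, rated, tests - rated }'
}

# Verdict from: $1 modprobe's stderr, $2 the value read from
# /proc/sys/crypto/fips_enabled, $3 the summary line from tcrypt_summary.
# Assumption: upstream tcrypt returns -EAGAIN after a successful run unless
# FIPS mode is on, so that error alone does not mean a test failed.
tcrypt_verdict() {
    case "$3" in
        failed=0\ *) ;;                              # no failure line in window
        *) echo "self-test-failure"; return ;;
    esac
    case "$1" in
        *"Resource temporarily unavailable"*)
            if [ "$2" = 0 ]; then echo "expected-unload"
            else echo "unexpected-eagain"; fi ;;
        "") echo "loaded" ;;
        *)  echo "other-load-error" ;;
    esac
}

# Demo on the sample lines: only the 16:50 run is considered.
summary=$(sample_log | tcrypt_summary "Nov 12" "16:50:00")
echo "$summary"
tcrypt_verdict "modprobe: ERROR: could not insert 'tcrypt': Resource temporarily unavailable" 0 "$summary"
```

On a live system, feed `tcrypt_summary` from /var/log/messages with the time just before the modprobe call, and pass the contents of /proc/sys/crypto/fips_enabled as the second argument to `tcrypt_verdict`.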

danethepain83
Posts: 8
Joined: 2019/11/11 17:23:08

Re: Can't get Kernel 4.9 to work with FIPS

Post by danethepain83 » 2019/11/12 17:44:59

I see the same thing you are seeing. That seems concerning. So you seem like a pretty knowledgeable guy... Is there any possibility I'm going to get FIPS working on >= 4.9 kernel or do I just need to inform my org we'll need to wait and use CentOS 8?
Thanks!

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/12 21:02:37

I've never used fips at all and even if you do get it to work, it's not FIPS certified as that costs $$$ and thus only happens for RHEL. I suspect that any and all RH testing of FIPS would happen with the distro kernel so that may be a problem for you.

Re: Can't get Kernel 4.9 to work with FIPS

Post by danethepain83 » 2019/11/13 20:12:03

I installed RHEL 7 and put 4.9 on it for fun and it still doesn't work (even though I knew it wouldn't). I bet you're on to something with it only working on distro kernels. Thanks for all of your help.

Re: Can't get Kernel 4.9 to work with FIPS

Post by TrevorH » 2019/11/13 20:14:50

Even CentOS itself is not FIPS certified. You should be able to make it work but it won't be certified or tested or sufficient to be used in something that requires a FIPS certification.