The patch quoted below causes the kernel to panic when fips is enabled with:

       alg: ecdh: test failed on vector 2, err=-14
       Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!

This test fails because jitterentropy hasn’t been initialized yet. The 
assumption that the patch makes, that jitter is not used by the crypto 
self-tests, does not hold with fips enabled.

With the patch reverted, i.e. with jitter initialized with module_init, the 
kernel is able to boot. How can this best be handled to allow the kernel to 
boot with fips enabled without running into issues with certain clocksources?

From 9c5b34c2f7eb01976a5aa29ccdb786a634e3d1e0 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebigg...@google.com>
Date: Tue, 21 May 2019 11:46:22 -0700
Subject: [PATCH] crypto: jitterentropy - change back to module_init()
"jitterentropy_rng" doesn't have any other implementations, nor is it
tested by the crypto self-tests.  So it was unnecessary to change it to
subsys_initcall.  Also it depends on the main clocksource being
initialized, which may happen after subsys_initcall, causing this error:
    jitterentropy: Initialization failed with host not compliant with requirements: 2
Change it back to module_init().
Fixes: c4741b230597 ("crypto: run initcalls for generic implementations 
Reported-by: Geert Uytterhoeven <ge...@linux-m68k.org>
Signed-off-by: Eric Biggers <ebigg...@google.com>
Tested-by: Geert Uytterhoeven <geert+rene...@glider.be>
Signed-off-by: Herbert Xu <herb...@gondor.apana.org.au>
crypto/jitterentropy-kcapi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index 6ea1a270b8dc..787dccca3715 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -198,7 +198,7 @@ static void __exit jent_mod_exit(void)
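Review bot: the initcall change in this hunk (crypto/jitterentropy-kcapi.c, at jent_mod_exit()) rests on the commit message's premise that jitterentropy is not "tested by the crypto self-tests", which is narrower than what the ordering actually needs: the report at the top of this message shows the ecdh self-test failing with err=-14 and the kernel panicking in fips mode because jitterentropy has not been initialized when that test runs. The commit message should say that other algorithms' self-tests can depend on jitterentropy when fips is enabled, and the changed line should carry a comment recording both ordering constraints (after the main clocksource is initialized, before any fips self-test that uses it), so that a later change of initcall level does not fix one failure by reintroducing the other.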
