When the kernel enables fips mode, it starts the alg self-test, and there is a kernel panic at ecdh-generic:
...
[ 0.311313] alg: ecdh: test failed on vector 2, err=-14
[ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...
Continue without Jitter RNG for fips to workaround alg self-tests failure, after applying the fix: ... [ 0.306633] DRBG: Continuing without Jitter RNG [ 0.310550] alg: self-tests for ecdh-generic (ecdh) passed ... Refer: https://lore.kernel.org/patchwork/patch/568693/ Signed-off-by: Hongxu Jia <hongxu....@windriver.com> --- .../0001-fips-continuing-without-Jitter-RNG.patch | 34 ++++++++++++++++++++++ recipes-kernel/linux/files/crypto_fips.scc | 1 + 2 files changed, 35 insertions(+) create mode 100644 recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch diff --git a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch new file mode 100644 index 0000000..140d6a1 --- /dev/null +++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch @@ -0,0 +1,34 @@ +From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu....@windriver.com> +Date: Sun, 22 Sep 2019 10:57:02 +0800 +Subject: [PATCH] fips: continuing without Jitter RNG + +Continue without Jitter RNG for fips to workaround alg self-tests failure +... +[ 0.311313] alg: ecdh: test failed on vector 2, err=-14 +[ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode! +... + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia <hongxu....@windriver.com> +--- + crypto/drbg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/drbg.c b/crypto/drbg.c +index b6929eb..d677da5 100644 +--- a/crypto/drbg.c ++++ b/crypto/drbg.c +@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, + if (IS_ERR(drbg->jent)) { + ret = PTR_ERR(drbg->jent); + drbg->jent = NULL; +- if (fips_enabled || ret != -ENOENT) ++ if (ret != -ENOENT) + goto free_everything; + pr_info("DRBG: Continuing without Jitter RNG\n"); + } +-- +2.7.4 + 
diff --git a/recipes-kernel/linux/files/crypto_fips.scc b/recipes-kernel/linux/files/crypto_fips.scc index f64380a..85f8f44 100644 --- a/recipes-kernel/linux/files/crypto_fips.scc +++ b/recipes-kernel/linux/files/crypto_fips.scc @@ -1 +1,2 @@ kconf non-hardware crypto_fips.cfg +patch 0001-fips-continuing-without-Jitter-RNG.patch -- 2.7.4 -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
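Review bot: In the crypto/drbg.c hunk, dropping `fips_enabled` from `if (fips_enabled || ret != -ENOENT)` lets a FIPS-mode kernel instantiate the DRBG with no Jitter RNG whenever the allocation returns -ENOENT, which removes a check that existed specifically for FIPS mode. The description should say why that is acceptable for this layer, or the fix should instead make the Jitter RNG available (for example by enabling CONFIG_CRYPTO_JITTERENTROPY in crypto_fips.cfg, if it is not already set) so that `drbg->jent` allocates and the original check can stay. The description also does not connect the ecdh "err=-14" self-test failure to this DRBG path; one sentence explaining that link would make the workaround reviewable.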
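Review bot: The added `patch 0001-fips-continuing-without-Jitter-RNG.patch` line in crypto_fips.scc applies the change to every kernel built with this feature, while the embedded patch is generated against one specific crypto/drbg.c (index b6929eb, context at line 1577). Please state which kernel version(s) this was tested against, since a kernel with a different drbg.c may fail to apply it or apply it with fuzz.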