[yocto] [meta-openssl102-fips][PATCH 7/15] kernel: workaround alg self-tests failure in fips mode
Hongxu Jia
hongxu.jia at windriver.com
Sun Sep 22 07:57:00 PDT 2019
When the kernel enables fips mode, it starts the alg self-tests, and there is
a kernel panic at ecdh-generic
...
[ 0.311313] alg: ecdh: test failed on vector 2, err=-14
[ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...
Continue without Jitter RNG for fips to work around the alg self-tests failure;
after applying the fix:
...
[ 0.306633] DRBG: Continuing without Jitter RNG
[ 0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...
Refer: https://lore.kernel.org/patchwork/patch/568693/
Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
.../0001-fips-continuing-without-Jitter-RNG.patch | 34 ++++++++++++++++++++++
recipes-kernel/linux/files/crypto_fips.scc | 1 +
2 files changed, 35 insertions(+)
create mode 100644 recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
diff --git a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
new file mode 100644
index 0000000..140d6a1
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
@@ -0,0 +1,34 @@
+From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia at windriver.com>
+Date: Sun, 22 Sep 2019 10:57:02 +0800
+Subject: [PATCH] fips: continuing without Jitter RNG
+
+Continue without Jitter RNG for fips to workaround alg self-tests failure
+...
+[ 0.311313] alg: ecdh: test failed on vector 2, err=-14
+[ 0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+---
+ crypto/drbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/drbg.c b/crypto/drbg.c
+index b6929eb..d677da5 100644
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
+ if (IS_ERR(drbg->jent)) {
+ ret = PTR_ERR(drbg->jent);
+ drbg->jent = NULL;
+- if (fips_enabled || ret != -ENOENT)
++ if (ret != -ENOENT)
+ goto free_everything;
+ pr_info("DRBG: Continuing without Jitter RNG\n");
+ }
+--
+2.7.4
+
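Review bot: the changed condition `if (ret != -ENOENT)` in drbg_instantiate() removes the only branch that made a missing Jitter RNG fatal when fips_enabled is set, so a FIPS-mode kernel now instantiates the DRBG without that source and reports it only through the existing pr_info line. The embedded commit message shows the symptom (ecdh self-test failure, err=-14) but not why the Jitter RNG allocation returns -ENOENT in this configuration. If the cause is that the Jitter RNG is not built in, enabling it in crypto_fips.cfg (CONFIG_CRYPTO_JITTERENTROPY=y) would address the root cause and leave the fips_enabled check intact. If the relaxation stays, the patch header should state the reason and that the DRBG runs without the Jitter RNG in fips mode, and the message would be better raised from pr_info to pr_warn when fips_enabled is set.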
diff --git a/recipes-kernel/linux/files/crypto_fips.scc b/recipes-kernel/linux/files/crypto_fips.scc
index f64380a..85f8f44 100644
--- a/recipes-kernel/linux/files/crypto_fips.scc
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -1 +1,2 @@
kconf non-hardware crypto_fips.cfg
+patch 0001-fips-continuing-without-Jitter-RNG.patch
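Review bot: the added `patch 0001-fips-continuing-without-Jitter-RNG.patch` line applies to every kernel build that includes crypto_fips.scc, while the patch's single hunk depends on the context around line 1577 of crypto/drbg.c, and the commit message does not say which kernel version it was validated against. Suggest naming the tested kernel recipe and version in the commit message, so that a failed or fuzzy apply on a different kernel is easy to diagnose.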
--
2.7.4