[yocto] [meta-openssl102-fips][PATCH 7/16] kernel: workaround alg self-tests failure in fips mode

Hongxu Jia hongxu.jia at windriver.com
Wed Sep 25 00:24:04 PDT 2019


When the kernel enables fips mode, it starts the alg self-tests, and there is
a kernel panic at ecdh-generic
...
[    0.311313] alg: ecdh: test failed on vector 2, err=-14
[    0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
...

Continue without Jitter RNG for fips to work around the alg self-tests failure;
after applying the fix:
...
[    0.306633] DRBG: Continuing without Jitter RNG
[    0.310550] alg: self-tests for ecdh-generic (ecdh) passed
...

Refer: https://lore.kernel.org/patchwork/patch/568693/

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 .../0001-fips-continuing-without-Jitter-RNG.patch  | 34 ++++++++++++++++++++++
 recipes-kernel/linux/files/crypto_fips.scc         |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch

diff --git a/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
new file mode 100644
index 0000000..140d6a1
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-fips-continuing-without-Jitter-RNG.patch
@@ -0,0 +1,34 @@
+From fd82384acc0405ead38ea0d9712c9a1b57913c35 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia at windriver.com>
+Date: Sun, 22 Sep 2019 10:57:02 +0800
+Subject: [PATCH] fips: continuing without Jitter RNG
+
+Continue without Jitter RNG for fips to workaround alg self-tests failure
+...
+[    0.311313] alg: ecdh: test failed on vector 2, err=-14
+[    0.311898] Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+---
+ crypto/drbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/drbg.c b/crypto/drbg.c
+index b6929eb..d677da5 100644
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1577,7 +1577,7 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
+ 		if (IS_ERR(drbg->jent)) {
+ 			ret = PTR_ERR(drbg->jent);
+ 			drbg->jent = NULL;
+-			if (fips_enabled || ret != -ENOENT)
++			if (ret != -ENOENT)
+ 				goto free_everything;
+ 			pr_info("DRBG: Continuing without Jitter RNG\n");
+ 		}
+-- 
+2.7.4
+
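Review bot: Dropping `fips_enabled` from the check in drbg_instantiate() (leaving `if (ret != -ENOENT)`) means a FIPS-mode kernel now instantiates the DRBG with `drbg->jent = NULL` whenever the Jitter RNG allocation returns -ENOENT, and the only trace is a pr_info line. The commit message shows the ecdh self-test symptom but does not say why the Jitter RNG is missing in this configuration; if it is simply not built, enabling CONFIG_CRYPTO_JITTERENTROPY in crypto_fips.cfg would keep the original FIPS check without patching crypto/drbg.c. If the patch stays, please state the root cause in the commit message and consider using pr_warn when fips_enabled is set, so the missing entropy source stands out in the boot log.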
diff --git a/recipes-kernel/linux/files/crypto_fips.scc b/recipes-kernel/linux/files/crypto_fips.scc
index f64380a..85f8f44 100644
--- a/recipes-kernel/linux/files/crypto_fips.scc
+++ b/recipes-kernel/linux/files/crypto_fips.scc
@@ -1 +1,2 @@
 kconf non-hardware crypto_fips.cfg
+patch 0001-fips-continuing-without-Jitter-RNG.patch
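Review bot: The new `patch 0001-fips-continuing-without-Jitter-RNG.patch` line applies unconditionally to every kernel that includes crypto_fips.scc, while the embedded patch carries context for one specific crypto/drbg.c (`index b6929eb..d677da5`, hunk at line 1577). Please note in the commit message or the layer documentation which kernel versions this was tested against, since the patch will stop applying once that context changes.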
-- 
2.7.4


