On Mon, Apr 19, 2021 at 04:16:13AM +0000, Mothershead, Hailey wrote:
> Hello,
>  
> The patch quoted below causes the kernel to panic when fips is enabled with:
>
>        alg: ecdh: test failed on vector 2, err=-14
>        Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
>  
> This test fails because jitterentropy hasn’t been initialized yet. The 
> assumption that the patch makes, that jitter is not used by the crypto 
> self-tests, does not hold with fips enabled.
>  
> With the patch reverted, i.e. with jitter initialized with module_init, the 
> kernel is able to boot. How can this best be handled to allow the kernel to 
> boot with fips enabled without running into issues with certain clocksources?
>  
> Best, 
> Hailey

I'd recommend looking into why the self-tests would be calling into
jitterentropy in the first place.  That shouldn't be necessary; it doesn't make
sense for known-answer tests to be consuming random numbers.

- Eric
