Module integrity check in FIPS mode

Hi All,

Looks like when AlmaLinux is in FIPS mode, it mandates a FIPS integrity check for all modules. Please let me know whether it is possible to avoid this check using any flags.

Thanks,
Gayathri

If you mean the power-on self-tests shown in dmesg, like:

[    1.775560] alg: self-tests for sha256-generic (sha256) passed
[    1.776973] alg: sha1 (sha1-generic) is disabled due to FIPS
[    1.778271] alg: md5 (md5-generic) is disabled due to FIPS
[    1.779475] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed
[    1.780899] alg: digest_null (digest_null-generic) is disabled due to FIPS
[    1.782338] alg: compress_null (compress_null-generic) is disabled due to FIPS
[    1.783909] alg: self-tests for cipher_null-generic (cipher_null) passed
[    1.785317] alg: ecdsa-nist-p384 (ecdsa-nist-p384-generic) is disabled due to FIPS
[    1.787070] alg: ecdsa-nist-p256 (ecdsa-nist-p256-generic) is disabled due to FIPS
[    1.790282] alg: ecdsa-nist-p192 (ecdsa-nist-p192-generic) is disabled due to FIPS
[    1.792183] alg: dh (dh-generic) is disabled due to FIPS
[    4.005155] alg: self-tests for crc32c-intel (crc32c) passed
[    4.010173] alg: self-tests for crct10dif-pclmul (crct10dif) passed
[    4.017400] alg: ghash (ghash-clmulni) is disabled due to FIPS
[    4.025296] alg: des3_ede (des3_ede-asm) is disabled due to FIPS
[    4.029177] alg: ecb(des3_ede) (ecb-des3_ede-asm) is disabled due to FIPS

then that’s how it’s supposed to work. It does slow down boot a bit, but what’s the point of enabling FIPS mode otherwise?

Thanks for the reply.

One of our modules does not have integrated verification, and hence we are getting a kernel panic with the message below: “not syncing. Module xxx signature verification failed in FIPS mode”. That module does not include any non-FIPS-compliant algorithm, but there is no signature verification code added. So I wanted to know whether there is any way to skip verification only for a particular module.

Thanks,
Gayathri

Need much more info. Do you mean module as in openssl, kernel, gnutls, nss, libgcrypt? Or do you mean a kernel module like nvidia.ko?

It’s for a kernel module which will do the functionality of the kernel crypto APIs.
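
Added example, not part of the thread: a Python check for whether a kernel module file carries an appended signature at all, which is a first thing to confirm when a module fails signature verification at load time. It assumes the panic quoted above refers to the kernel's appended module signature, the upstream Linux on-disk layout (signature bytes, 12-byte struct module_signature, then the magic string) and an uncompressed .ko; the function names and sample bytes are constructed for illustration.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING in the kernel source
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature (12 bytes, big-endian sig_len)
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}  # enum pkey_id_type


def parse_module_signature(blob: bytes):
    """Return a dict describing the appended signature, or None if the file is unsigned.

    Only the presence and framing of the trailer are checked; whether the
    signing key is trusted is decided by the kernel at load time.
    """
    if not blob.endswith(MAGIC):
        return None
    trailer_end = len(blob) - len(MAGIC)
    trailer_start = trailer_end - TRAILER.size
    if trailer_start < 0:
        raise ValueError("file too short to hold struct module_signature")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        blob[trailer_start:trailer_end])
    if sig_len == 0 or sig_len > trailer_start:
        raise ValueError(f"implausible sig_len {sig_len}")
    return {
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "sig_len": sig_len,
        "payload_len": trailer_start - sig_len,  # bytes of the module itself
    }


def build_sample(signed: bool) -> bytes:
    """Constructed sample input: a fake ELF payload with an optional fake trailer."""
    payload = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return payload
    fake_sig = b"\xAA" * 32  # placeholder bytes, not a real PKCS#7 blob
    return payload + fake_sig + TRAILER.pack(0, 0, 2, 0, 0, len(fake_sig)) + MAGIC


if __name__ == "__main__":
    # Usage: script.py path/to/module.ko  (decompress .ko.xz / .ko.zst first)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    info = parse_module_signature(data)
    print("unsigned" if info is None else info)
```

A result of "unsigned" means the file has no signature trailer; a parsed trailer only shows that a signature is attached, not that it was made with a key the running kernel trusts.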