Module integrity check in FIPS mode

Hi All,

Looks like when AlmaLinux is in FIPS mode, it mandates all the modules FIPS integrity check. Please let me know is it possible to avoid this check using any flags.


if you mean the power-on self tests shown in dmesg like:

[    1.775560] alg: self-tests for sha256-generic (sha256) passed
[    1.776973] alg: sha1 (sha1-generic) is disabled due to FIPS
[    1.778271] alg: md5 (md5-generic) is disabled due to FIPS
[    1.779475] alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed
[    1.780899] alg: digest_null (digest_null-generic) is disabled due to FIPS
[    1.782338] alg: compress_null (compress_null-generic) is disabled due to FIPS
[    1.783909] alg: self-tests for cipher_null-generic (cipher_null) passed
[    1.785317] alg: ecdsa-nist-p384 (ecdsa-nist-p384-generic) is disabled due to FIPS
[    1.787070] alg: ecdsa-nist-p256 (ecdsa-nist-p256-generic) is disabled due to FIPS
[    1.790282] alg: ecdsa-nist-p192 (ecdsa-nist-p192-generic) is disabled due to FIPS
[    1.792183] alg: dh (dh-generic) is disabled due to FIPS
[    4.005155] alg: self-tests for crc32c-intel (crc32c) passed
[    4.010173] alg: self-tests for crct10dif-pclmul (crct10dif) passed
[    4.017400] alg: ghash (ghash-clmulni) is disabled due to FIPS
[    4.025296] alg: des3_ede (des3_ede-asm) is disabled due to FIPS
[    4.029177] alg: ecb(des3_ede) (ecb-des3_ede-asm) is disabled due to FIPS

then that’s how its supposed to work, it does slow down boot a bit, but what’s the point of enabling fips mode otherwise?

Thanks for the reply.

One of our module is not having integrated verification and hence getting kernel panic with below message -“not syncing. Module xxx signature verification failed in FIPS mode”. In that module not included any of the nonFIPS compliant algorithm. But there is no signature verification code added. So wanted to know is there any way to skip verification only for a particular module.


need much more info. do you mean module as in openssl, kernel, gnutls, nss, libgcrypt. or do you mean a kernel module like nvidia.ko ?

Its for kernel module which will do the functionality of kernel crypto apis.