FIPS 140-2 Kernel fails to boot

salisburyk (Established Member)
Issue:
Fresh install of SLES 15 on x86_64 hardware using 'SLE-15-SP1-Installer-DVD-x86_64-QU2-DVD2.iso' install media from a few days ago. Registered during install, and packages were also updated during install. The FIPS 140-2 pattern was selected at install under Software Details. The GRUB bootloader was adjusted to reflect fips=1 for the kernel. Everything updates and installs fine. Upon reboot, the system halts. Why? Several dracut modprobe errors state that modules are missing for aes_s390, des_s390 and ghash_s390 (all state the modules are not found in directory /lib/modules/4.12.14-197.34-default/). A fourth dracut modprobe error states that the sha1-mb module can't load. A fatal FIPS integrity error is next, then the system is halted. (Please note: there is no separate boot partition; we've run into that issue as well in the past, but this is a different issue.)

Question:
Why would an x86_64 kernel in fips=1 mode require s390 encryption modules?

Comments

  • salisburyk (Established Member)
    Hi AndreasMeyer,

    Thanks for the response. I'm aware SLES 15 is not yet validated for FIPS 140-2, and I'm not sure how your SLED 12 thread applies here. FIPS mode has been possible for SLES 15 without validation since GA. We know validation is in process, and that's acceptable for some compliance scenarios (although SUSE had better hurry; at their current pace they may not make the 140-2 deadline, and they'll have to go through the new FIPS 140-3). So what's changed? From the SLES 15 GA Release Notes:
    7.5 Security

    7.5.1 libica Supports FIPS 140-2 Mode

    The FIPS PUB 140-2 Security Requirements for Cryptographic Modules specify that cryptographic modules in FIPS mode must only use NIST-approved algorithms and perform integrity checks and a self-test upon activation.

    In SLES 15, libica is enabled for FIPS 140-2 certification and supports a FIPS mode. To enable this mode, add the boot parameter fips=1, which will set the flag /proc/sys/crypto/fips_enabled to 1.
  • salisburyk (Established Member)
    For an exercise, I decided to try the same procedure on a new SLES 12 SP5 system. Interestingly, the exact same errors appear!

    The same kernel is in use between SLES 15 SP1 and SLES 12 SP5: 4.12.14-122.17-default

    FIPS mode seems to be broken everywhere...

  • salisburyk (Established Member)
    Just to clean this up, the issue was a bug (multiple, actually). A patch applied this morning to dracut under SLES 15 SP1 (also available for SLES 12 SP4/5) fixes it all:

    Reference: https://www.suse.com/support/update/announcement/2020/suse-ru-20200662-1/

    SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

    dracut-044.2-18.51.1
    dracut-debuginfo-044.2-18.51.1
    dracut-debugsource-044.2-18.51.1
    dracut-fips-044.2-18.51.1
    dracut-ima-044.2-18.51.1
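A pre-flight check of the kind this thread suggests, added here as an example (it is not part of the original thread, nor SUSE's dracut-fips code): before rebooting with fips=1, look for the crypto modules the failing initrd tried to modprobe under the running kernel's module tree, so a missing module is reported from a live system instead of surfacing as the fatal FIPS integrity halt. The module list is the one named in the posts above; the function names and the `sed` dash/underscore normalisation are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check run before rebooting with fips=1.
# dracut-fips builds an initrd that modprobes a fixed list of crypto
# modules; if one is absent for the running kernel, the boot ends in the
# "fips integrity error" halt seen above. Checking the module tree first
# turns that into a message you can read from a running system.

# Module names taken from the thread. The *_s390 ones only exist on
# s390x, so on x86_64 they are expected to be missing (that was the bug).
FIPS_MODULES_FROM_THREAD="aes_s390 des_s390 ghash_s390 sha1-mb"

# module_present MODDIR NAME: succeed if NAME.ko* exists under MODDIR.
# modprobe treats '-' and '_' as equivalent, so both spellings are tried.
module_present() {
    moddir=$1; name=$2
    alt=$(printf '%s' "$name" | sed 'y/_-/-_/')
    find "$moddir" -type f \( -name "$name.ko*" -o -name "$alt.ko*" \) \
        2>/dev/null | grep -q .
}

# missing_modules MODDIR NAME...: print the names not found, space separated.
missing_modules() {
    moddir=$1; shift
    out=""
    for m in "$@"; do
        module_present "$moddir" "$m" || out="$out $m"
    done
    printf '%s' "${out# }"
}

# fips_state: report the kernel cmdline flag and the sysctl it should set.
fips_state() {
    cmd=0; sys=absent
    grep -qE '(^| )fips=1( |$)' /proc/cmdline 2>/dev/null && cmd=1
    [ -r /proc/sys/crypto/fips_enabled ] && sys=$(cat /proc/sys/crypto/fips_enabled)
    printf 'cmdline=%s sysctl=%s' "$cmd" "$sys"
}

# Stand-alone use: inspect the running kernel's module tree.
main() {
    kver=$(uname -r); moddir=/lib/modules/$kver
    echo "kernel=$kver arch=$(uname -m) $(fips_state)"
    miss=$(missing_modules "$moddir" $FIPS_MODULES_FROM_THREAD)
    if [ -n "$miss" ]; then
        echo "missing under $moddir: $miss (a fips=1 boot halts if dracut-fips needs them)"
    fi
}
main
```

On a patched system the s390 names should no longer be in the initrd's modprobe list at all, so a report that only lists them on x86_64 is informational rather than a problem.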