View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001044 | channel: kernel/el7 | kernel-lt | public | 2020-10-16 22:36 | 2021-08-19 19:10 |
Reporter | mkdir-zz | Assigned To | burakkucat | ||
Priority | normal | Severity | trivial | Reproducibility | always |
Status | closed | Resolution | won't fix | ||
Summary | 0001044: set CONFIG_CRYPTO_FIPS=y in el7/el8 for kernel-lt | ||||
Description | Currently it is not possible to configure a RHEL/CentOS 7 host to operate in FIPS mode without a kernel panic at boot. Setting CONFIG_CRYPTO_FIPS=y will resolve this. | ||||
Tags | No tags attached. | ||||
related to | 0001127 | resolved | burakkucat | channel: kernel/el8 | Kernel missing CONFIG_CRYPTO_FIPS=y |
|
I have some queries -- (1) In the summary, you state "set CONFIG_CRYPTO_FIPS=y in el7/el8 for kernel-lt". I presume that is a typo, as there is no kernel-lt for el8 and assume you intended kernel-ml. (2) Likewise the category, under which this has been created, is kernel-lt. Again, I assume kernel-ml. (3) In the description, you state "setting CONFIG_CRYPTO_FIPS=y will resolve this." Have you configured, built and tested a kernel with that option set? If yes, please share your configuration file. With the current kernel-ml configuration, CRYPTO_FIPS cannot be enabled without enabling MODULE_SIG. The MODULE_SIG option can be set but the end result will not be signed modules for the package set without significant changes to the kernel-ml specification file. Currently we are in the -rc phase of the latest (upstream, kernel.org) linux-5.10 source code development. If I were to create a kernel-ml-5.10.0-0.rcX.el{7|8} package set, would you be able to test it, please? |
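
The constraint raised in the note above (CRYPTO_FIPS cannot be enabled without MODULE_SIG) can be checked against any kernel configuration file. This is an added example, not part of the issue thread or ELRepo's tooling; the function names are hypothetical, and the dependencies other than MODULE_SIG are assumed from the upstream crypto/Kconfig of the 5.10 era.

```shell
#!/bin/sh
# Added example (not ELRepo code): explain why CONFIG_CRYPTO_FIPS is or is not
# selectable in a given kernel .config. The dependency list is an assumption
# taken from upstream crypto/Kconfig around 5.10; verify against your tree.

# cfg_on FILE SYMBOL: true if CONFIG_SYMBOL is set to y or m.
cfg_on() {
    grep -Eq "^CONFIG_$2=(y|m)\$" "$1"
}

# fips_config_status FILE: prints "enabled", "available" or "blocked: <reasons>".
fips_config_status() {
    cfg=$1
    if cfg_on "$cfg" CRYPTO_FIPS; then
        echo "enabled"
        return 0
    fi
    missing=""
    # A modular kernel needs MODULE_SIG (the constraint raised in the note).
    if cfg_on "$cfg" MODULES && ! cfg_on "$cfg" MODULE_SIG; then
        missing="$missing MODULE_SIG"
    fi
    # An RNG provider is required: the DRBG or the ANSI CPRNG.
    if ! cfg_on "$cfg" CRYPTO_DRBG && ! cfg_on "$cfg" CRYPTO_ANSI_CPRNG; then
        missing="$missing CRYPTO_DRBG|CRYPTO_ANSI_CPRNG"
    fi
    # The crypto self-tests must not be compiled out.
    if cfg_on "$cfg" CRYPTO_MANAGER_DISABLE_TESTS; then
        missing="$missing CRYPTO_MANAGER_DISABLE_TESTS=n"
    fi
    if [ -n "$missing" ]; then
        echo "blocked:$missing"
    else
        echo "available"
    fi
}

# Constructed sample: modular kernel, no module signing, FIPS option off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
CONFIG_CRYPTO_DRBG=y
# CONFIG_CRYPTO_FIPS is not set
EOF
fips_config_status "$sample"
rm -f "$sample"
```

On an installed kernel the same function can be pointed at `/boot/config-$(uname -r)`. A result of "enabled" only describes the build configuration and says nothing about certification of the resulting binary.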
|
There are kernel-ml-5.10.0-0.rc2.el{7|8}.elrepo package sets available for testing from the following locations -- https://elrepo.org/people/ajb/devel/kernel-ml/el7/x86_64/RPMS/ https://elrepo.org/people/ajb/devel/kernel-ml/el8/x86_64/RPMS/ Please test, when convenient. |
|
Now updated to the kernel-ml-5.10.0-0.rc3.el{7|8}.elrepo package sets -- https://elrepo.org/people/ajb/devel/kernel-ml/el7/x86_64/RPMS/ https://elrepo.org/people/ajb/devel/kernel-ml/el8/x86_64/RPMS/ |
|
Now updated to the kernel-ml-5.10.0-0.rc4.el{7|8}.elrepo package sets -- https://elrepo.org/people/ajb/devel/kernel-ml/el7/x86_64/RPMS/ https://elrepo.org/people/ajb/devel/kernel-ml/el8/x86_64/RPMS/ |
|
Now updated to the kernel-ml-5.10.0-0.rc5.el{7|8}.elrepo package sets -- https://elrepo.org/people/ajb/devel/kernel-ml/el7/x86_64/RPMS/ https://elrepo.org/people/ajb/devel/kernel-ml/el8/x86_64/RPMS/ Without: (a) answers to my questions (b) testing of the -rc candidates the configuration changes will _not_ appear in the next new releases of the kernel-ml package sets. |
|
Now updated to the kernel-ml-5.10.0-0.rc6.el{7|8}.elrepo package sets -- https://elrepo.org/people/ajb/devel/kernel-ml/el7/x86_64/RPMS/ https://elrepo.org/people/ajb/devel/kernel-ml/el8/x86_64/RPMS/ |
|
Now updated to the kernel-ml-5.10.0-0.rc7.el{7|8}.elrepo package sets -- https://elrepo.org/people/ajb/devel/kernel-ml/el7/x86_64/RPMS/ https://elrepo.org/people/ajb/devel/kernel-ml/el8/x86_64/RPMS/ |
|
This is a FIPS Kernel? I'll test it! |
|
Please see note 7274 above. Further, this request is now old, and as the OP never returned to test, the rc packages are long since gone. |
|
Here follow some comments on the concept of FIPS compliance, written by Eric Biggers, a kernel developer. URL -- https://lkml.org/lkml/2021/3/30/1307 [quote] I'm by no means an expert on this, but the main thing I have in mind is that (IIUC) the "fips" option is only useful if your whole kernel binary is certified as a "FIPS cryptographic module", *and* you actually need the FIPS compliance. And the upstream kernel doesn't have a FIPS certification out of the box; that's a task for specific Linux distributors like Red Hat, SUSE, Ubuntu, who get specific kernel binaries certified. So, compiling a kernel and using the "fips" option is useless by itself, as your kernel image won't actually have a FIPS certification in that case anyway. So, I would expect an explanation like that about under what circumstances the "fips" option is actually useful and intended for. The people who actually use this option should be able to explain it properly though; the above is just my understanding... - Eric [/quote] |
Date Modified | Username | Field | Change |
---|---|---|---|
2020-10-16 22:36 | mkdir-zz | New Issue | |
2020-10-16 22:36 | mkdir-zz | Status | new => assigned |
2020-10-16 22:36 | mkdir-zz | Assigned To | => burakkucat |
2020-10-31 13:46 | burakkucat | Note Added: 0007274 | |
2020-11-01 19:47 | burakkucat | Status | assigned => feedback |
2020-11-01 19:47 | burakkucat | Note Added: 0007275 | |
2020-11-09 13:53 | burakkucat | Note Added: 0007279 | |
2020-11-16 10:24 | burakkucat | Note Added: 0007287 | |
2020-11-23 17:22 | burakkucat | Note Added: 0007302 | |
2020-11-30 09:35 | burakkucat | Note Added: 0007311 | |
2020-12-12 12:00 | burakkucat | Note Added: 0007323 | |
2021-03-18 20:57 | derekm | Note Added: 0007511 | |
2021-03-19 04:31 | pperry | Note Added: 0007512 | |
2021-03-19 04:32 | pperry | Note Edited: 0007512 | |
2021-03-19 04:33 | pperry | Note Edited: 0007512 | |
2021-04-29 16:28 | burakkucat | Note Added: 0007569 | |
2021-04-29 16:29 | burakkucat | Status | feedback => closed |
2021-04-29 16:29 | burakkucat | Resolution | open => won't fix |
2021-08-19 19:10 | pperry | Relationship added | related to 0001127 |