Loading graphical environment is slow when FIPS is enabled

As a requirement for our machines that will be deployed in secure areas, all SLES 12 hosts must boot with FIPS enabled. We have successfully done so for BIOS- and UEFI-booted machines.

However, we’ve noticed a significant difference in load times of GDM (the graphical desktop environment) when FIPS is or is not enabled. We’ve tested this on a build server (Xeon 10-core/20-thread CPU with 32GB RAM and iSCSI boot on a RAID 6 NAS), toggling FIPS by removing the boot option at the Grub menu.

Without FIPS, a user who has logged in successfully will see their desktop after 4 seconds.

With FIPS, a user who has logged in successfully will see their desktop after 2 minutes.

This difference is not acceptable as it slows down workflow. Application load times are consistent with or without FIPS enabled.

I’ve been assigned to troubleshoot this. I cannot see anything immediately from the logs that would indicate fault (missing packages, kernel issues, driver problems, etc.). I will research how to increase verbosity for gnome/gdm logs and will compare differences.

Any suggestions on what could be slowing down due to FIPS?

Ok, further troubleshooting shows that gnome-keyring-d is getting stuck at 100% CPU and killing it immediately loads the desktop environment. Since we only have the SLES 12 SP3 discs and haven’t downloaded any updates, I’ll see if updating GNOME and all related packages leads to any resolution.

Doesn’t look like an update has been released. We’ve instead decided to disable gnome-keyring by following the instructions here. This appears to resolve the issue.
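A small POSIX shell diagnostic, added here and not part of the thread or of any SUSE tooling, that checks the two facts the poster correlated: whether the kernel booted in FIPS mode (read from /proc/sys/crypto/fips_enabled) and whether a gnome-keyring-daemon process is pegged at high CPU. The 90% threshold and the verdict tokens are assumptions of this example; the functions take their input on stdin or as arguments so they can also be run over `ps` snapshots saved from an affected host.

```shell
#!/bin/sh
# Example diagnostic (not from the thread): correlate FIPS mode with a
# gnome-keyring-daemon that spins at 100% CPU while GDM waits for it.

# fips_state: reads the content of /proc/sys/crypto/fips_enabled on stdin
# ("1" when the kernel booted with fips=1) and prints enabled/disabled.
fips_state() {
    if [ "$(tr -d '[:space:]')" = "1" ]; then echo enabled; else echo disabled; fi
}

# stuck_keyring THRESHOLD: reads `ps -eo pid,pcpu,comm` output on stdin and
# prints the PID of every keyring daemon at or above THRESHOLD percent CPU.
# The kernel truncates comm to 15 characters, so the process shows up as
# "gnome-keyring-d" (exactly as the poster saw it); match on that prefix.
stuck_keyring() {
    awk -v thr="$1" '$3 ~ /^gnome-keyring-d/ && ($2 + 0) >= thr { print $1 }'
}

# diagnose FIPS_VALUE PS_SNAPSHOT: prints one verdict line.
#   symptom-match <pids> : FIPS on and a keyring daemon is spinning
#   fips-only            : FIPS on, keyring daemon idle or absent
#   fips-off             : FIPS not active, the delay has another cause
diagnose() {
    state=$(printf '%s\n' "$1" | fips_state)
    pids=$(printf '%s\n' "$2" | stuck_keyring 90 \
           | awk '{ printf "%s%s", sep, $1; sep = " " }')
    if [ "$state" = "enabled" ] && [ -n "$pids" ]; then
        echo "symptom-match $pids"
    elif [ "$state" = "enabled" ]; then
        echo fips-only
    else
        echo fips-off
    fi
}

# Live run on a Linux host; skipped where the FIPS sysctl is not present.
if [ -r /proc/sys/crypto/fips_enabled ] && command -v ps >/dev/null 2>&1; then
    diagnose "$(cat /proc/sys/crypto/fips_enabled)" \
             "$(ps -eo pid,pcpu,comm 2>/dev/null)"
fi
```

On an affected host a `symptom-match` verdict points at the keyring daemon; a `fips-only` verdict means the login delay needs a different explanation, such as the module self-tests mentioned later in the thread.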

Thank you for sharing your solution!


Ken

SUSE Linux Enterprise Desktop 12 doesn’t support FIPS-mode. So probably SLES 12 Workstation Extension (and gnome-keyring) doesn’t support FIPS-mode properly.

https://www.suse.com/support/security/certifications/

https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list

Please read carefully the instructions in the chapter “Guidance” of each “FIPS 140-2 Security Policy” for SUSE Linux Enterprise Server 12. For example:

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2464.pdf

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2435.pdf

For each cryptographic module a separate “FIPS 140-2 Security Policy” is available: Kernel, OpenSSH, OpenSSHd, libgcrypt/GnuPG, Mozilla NSS/Firefox, openssl, strongswan (VPN) and so on.

The power-up tests and integrity tests of each cryptographic module slow down the boot and login process. See the chapter “Self Tests” of each “FIPS 140-2 Security Policy” for SUSE Linux Enterprise Server 12.

Please open a Service Request to receive a patch/solution/response from SUSE:
https://forums.suse.com/showthread.php?12156-how-to-report-an-issue

https://www.suse.com/documentation/sled-12/book_sle_admin/data/sec_admsupport_submit.html