systemd gets stuck with FIPS enabled

Hello everyone,

I am trying to enable FIPS on a SUSE Linux Enterprise Server 15 and systemd gets stuck really early on. If I wait a bit I can see 'random: systemd: uninitialized urandom read' in the logs, so I tried to generate some entropy before running systemd. To test this, I added 'rngd' to my initrd, changed init to a shell, started rngd manually and then started systemd; it worked.

This is easily reproducible in a virtual machine; I was also able to reproduce it on a Supermicro SYS-E300-8D. Just install the 'fips' pattern and add 'fips=1' to the kernel parameters.

If my Googling is correct, this is related to kernel changes for CVE-2018-1108; it was intentional.

So,

Are there any additional steps I should be taking to make it work on machines that don't use a hardware RNG? Or is there an easy way to generate entropy without intervening in the boot process? What do you think?

Thanks in advance,
Buğra

Did you read the FIPS documentation for SLES15 (post #5):
https://forums.suse.com/showthread.php?12171-Loading-graphical-environment-is-slow-when-FIPS-is-enabled&p=52864#post52864

Professional virtual machine solutions like VMware give the guest OS access to the hardware random number generator (HRNG/TRNG) of the host OS (or physical machine).

https://communities.vmware.com/thread/471512

https://kb.vmware.com/s/article/1003746

https://en.wikipedia.org/wiki/RdRand

https://en.wikipedia.org/wiki/Hardware_random_number_generator

If the guest OS has no access to the hardware random number generator, or the guest OS has no access to hardware acceleration for encryption or decryption (like AES-NI), you shouldn't activate FIPS mode for the guest OS.

https://en.wikipedia.org/wiki/AES_instruction_set

I can’t find any FIPS 140-2 certificate for SLE15:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

bugraturhan wrote:
> Is there any additional steps I should be taking to make it work on a machines that doesn't use hardware rng? Or is there an easy way to generate entropy without intervening boot process? What do you think?

See:

https://wiki.archlinux.org/index.php/Rng-tools

and “Virtual machines”:

https://wiki.archlinux.org/index.php/Haveged

bugraturhan wrote:
> I can see 'random: systemd: uninitialized urandom read' logs

ArchWiki is an excellent source for Linux related information:
https://wiki.archlinux.org/index.php/Random_number_generation
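As an added illustration of the advice above (this is not code from the thread or from SUSE), the following POSIX shell script audits the entropy sources a host or guest actually exposes before anyone adds fips=1: whether the CPU advertises rdrand and aes, whether the kernel has a hardware RNG driver bound (/sys/class/misc/hw_random/rng_current and /dev/hwrng), and how full the kernel pool currently is (kernel.random.entropy_avail). The 256-bit "comfortably seeded" threshold, the function names and the three advice tokens are assumptions made for this example; the decision rule itself follows the post: no hardware RNG and no rdrand means fix the RNG supply (virtio-rng, host passthrough, or rngd/haveged started from the initrd) before enabling FIPS mode, and no AES-NI means FIPS-mode crypto in that guest will be slow.

```shell
#!/bin/sh
# Added example, not from the thread: audit entropy sources before fips=1.
# Each check is a function over explicit inputs so it can be exercised against
# constructed data as well as against the live /proc and /sys files.

# cpu_has_flag FLAGS_LINE FLAG: true if a /proc/cpuinfo "flags" value lists FLAG.
cpu_has_flag() {
    flags=$1; flag=$2
    case " $flags " in
        *" $flag "*) return 0 ;;
        *) return 1 ;;
    esac
}

# entropy_state AVAIL: classify a kernel.random.entropy_avail reading.
# 256 bits as "ok" is an assumed threshold for this example, not a kernel value.
entropy_state() {
    avail=$1
    if [ "$avail" -ge 256 ]; then echo ok
    elif [ "$avail" -gt 0 ]; then echo low
    else echo empty
    fi
}

# fips_advice HWRNG RDRAND AESNI (each "yes" or "no"): apply the thread's rule.
#   no-rng   -> no hardware RNG and no rdrand: fix the RNG supply first
#   no-aesni -> crypto will not be hardware accelerated in FIPS mode
#   ok       -> nothing in the RNG/crypto supply argues against fips=1
fips_advice() {
    hwrng=$1; rdrand=$2; aesni=$3
    if [ "$hwrng" = no ] && [ "$rdrand" = no ]; then
        echo no-rng
    elif [ "$aesni" = no ]; then
        echo no-aesni
    else
        echo ok
    fi
}

# audit_host: run the probes against the machine this script runs on.
# Every read is guarded so the script also completes on a host without /proc.
audit_host() {
    flags=$(awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo 2>/dev/null || true)
    rdrand=no; cpu_has_flag "$flags" rdrand && rdrand=yes
    aesni=no;  cpu_has_flag "$flags" aes && aesni=yes
    hwrng=no
    if [ -c /dev/hwrng ] && [ -r /sys/class/misc/hw_random/rng_current ] &&
       [ "$(cat /sys/class/misc/hw_random/rng_current)" != none ]; then
        hwrng=yes
    fi
    avail=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0)
    printf 'rdrand=%s aes-ni=%s hw_random=%s entropy_avail=%s (%s)\n' \
        "$rdrand" "$aesni" "$hwrng" "$avail" "$(entropy_state "$avail")"
    case $(fips_advice "$hwrng" "$rdrand" "$aesni") in
        no-rng)   echo "advice: no RNG source; attach virtio-rng or pass the host RNG through, or start rngd/haveged from the initrd before fips=1" ;;
        no-aesni) echo "advice: no AES-NI; FIPS-mode crypto will be slow in this guest" ;;
        ok)       echo "advice: RNG and AES acceleration present; fips=1 is reasonable from this angle" ;;
    esac
}

audit_host
```

Run it inside the guest (or in the initrd shell the original poster dropped into) rather than on the hypervisor: the point is what the kernel that will boot with fips=1 can see, not what the host owns. A "no-rng" result on a VM is the case the thread is about, and the fix belongs on the virtualization side (virtio-rng or host RNG passthrough) or in the initrd (rngd, haveged), not in trusting /dev/urandom before it is seeded.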

Hi AndreasMeyer,

Thanks a ton for pointing me in the right direction. Also, it did not occur to me to check certification; thanks for that, too.