Hello everyone,
I am trying to enable FIPS on a SUSE Linux Enterprise Server 15 and systemd gets stuck really early on. If I wait a bit I can see ‘random: systemd: uninitialized urandom read’ logs, so I’ve tried to generate some entropy before running systemd. To test this, I added ‘rngd’ to my initrd, changed init to a shell, started rngd manually and then started systemd; it worked.
This is easily reproducible in a virtual machine; I was also able to reproduce it on a Supermicro SYS-E300-8D. Just install the ‘fips’ pattern and add ‘fips=1’ to the kernel parameters.
If my Googling is correct, this is related to kernel changes for CVE-2018-1108; it was intentional.
So,
Are there any additional steps I should be taking to make it work on machines that don’t have a hardware RNG? Or is there an easy way to generate entropy without intervening in the boot process? What do you think?
Thanks in advance,
Buğra
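A quick way to see whether a machine is in the situation described above (fips=1 requested, no CPU or hardware RNG the kernel can draw on, low entropy) is a small diagnostic script. This is an added example, not code from this thread or from SUSE; it assumes the standard Linux paths /proc/cmdline, /proc/cpuinfo, /proc/sys/kernel/random/entropy_avail and /sys/devices/virtual/misc/hw_random/rng_current, and every sample value in its comments is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the forum thread): report whether a FIPS boot has
# a usable entropy source before systemd needs urandom.
# Assumptions: Linux procfs/sysfs paths as used below. Sample values in the
# comments are constructed, not captured from a real host.

# fips_requested CMDLINE: succeed when the kernel command line carries fips=1.
fips_requested() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# cpu_has_rdrand FLAGS_LINE: succeed when the "flags" line from /proc/cpuinfo
# advertises RDRAND or RDSEED (the in-CPU hardware RNG).
cpu_has_rdrand() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])(rdrand|rdseed)([[:space:]]|$)'
}

# hwrng_source RNG_CURRENT: print the hw_random driver the kernel bound
# (e.g. "virtio_rng.0" in a VM whose hypervisor exposes a virtio RNG), or "none".
hwrng_source() {
    case "$1" in
        ""|none) echo none ;;
        *)       echo "$1" ;;
    esac
}

# entropy_status AVAIL [THRESHOLD]: print "ok" when the kernel's entropy_avail
# counter is at or above THRESHOLD (default 256; older kernels count up to
# 4096 bits, newer ones cap at 256), otherwise "low".
entropy_status() {
    avail=$1
    threshold=${2:-256}
    if [ "$avail" -ge "$threshold" ]; then
        echo ok
    else
        echo low
    fi
}

# report: live run on the current machine; every read tolerates a missing file.
report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1)
    avail=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0)
    rng=$(cat /sys/devices/virtual/misc/hw_random/rng_current 2>/dev/null)

    if fips_requested "$cmdline"; then
        echo "fips mode:     requested"
    else
        echo "fips mode:     not requested"
    fi
    if cpu_has_rdrand "$flags"; then
        echo "cpu rng:       rdrand/rdseed present"
    else
        echo "cpu rng:       absent"
    fi
    echo "hw_random:     $(hwrng_source "$rng")"
    echo "entropy_avail: $avail ($(entropy_status "$avail"))"

    # The combination the thread describes: FIPS on and no hardware source, so
    # early boot may block until something (rngd, haveged) feeds the pool.
    if fips_requested "$cmdline" && ! cpu_has_rdrand "$flags" \
       && [ "$(hwrng_source "$rng")" = none ]; then
        echo "WARNING: fips=1 without a hardware RNG; expect a slow or blocked boot unless an entropy daemon runs early"
        return 1
    fi
    return 0
}

# Run the live report only when asked, so the functions can be sourced or
# tested without touching the host: sh entropy-check.sh --report
if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with `--report` on the affected host (or from the initrd shell) to confirm which of the three sources is missing before deciding between passing a host RNG through to the guest and adding an entropy daemon to the initrd.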
Did you read the FIPS documentation for SLES15 (post #5):
https://forums.suse.com/showthread.php?12171-Loading-graphical-environment-is-slow-when-FIPS-is-enabled&p=52864#post52864
Professional virtual machine solutions like VMware give the guest OS access to the hardware random number generator (HRNG/TRNG) of the host OS (or physical machine).
https://communities.vmware.com/thread/471512
https://kb.vmware.com/s/article/1003746
https://en.wikipedia.org/wiki/RdRand
https://en.wikipedia.org/wiki/Hardware_random_number_generator
If the guest OS has no access to the hardware random number generator, or the guest OS has no access to hardware acceleration for encryption or decryption (like AES-NI), you shouldn’t activate FIPS mode for that guest OS.
https://en.wikipedia.org/wiki/AES_instruction_set
[QUOTE=bugraturhan;56427]Is there any additional steps I should be taking to make it work on a machines that doesn’t use hardware rng? Or is there an easy way to generate entropy without intervening boot process? What do you think?[/QUOTE]
See:
https://wiki.archlinux.org/index.php/Rng-tools
and “Virtual machines”:
https://wiki.archlinux.org/index.php/Haveged
[QUOTE=bugraturhan;56427]I can see ‘random: systemd: uninitialized urandom read’ logs[/QUOTE]
ArchWiki is an excellent source for Linux related information:
https://wiki.archlinux.org/index.php/Random_number_generation
Hi AndreasMeyer,
Thanks a ton for pointing me in the right direction. Also, it did not occur to me to check the certification; thanks for that, too.