lustre-2.12.6_4.llnl-2.t4.x86_64
4.18.0-240.22.1.1toss.t4.x86_64
fips=1

For my records, my internal ticket is TOSS5190

This looks related to LU-13355, but according to patch https://review.whamcloud.com/38205 "LU-13355 crypto: crypto engine wrappers in libcfs" the crc32 crypto wrapper should be fixed since 2.12.5.

Possibly something has changed in how FIPS is being checked in the 4.18 kernel?

Olaf, since it looks like you are building your own patched "1toss" client kernel, you could potentially disable this check until the problem is understood and fixed.

The fact that it does not crash with 2.14 is due to patch https://review.whamcloud.com/35342, only landed to master in early January 2020. This patch is a (very) big one, whose objective was to simplify the Lustre code by removing obsolete config checks. Among those was cfs_crypto_crc32_register() and all the Lustre specific crc32 implementation done in libcfs/libcfs/linux/linux-crypto-crc32.c.

No crc32, no crash

I can try to see why the digest test is failing (the fact that it fails is not due to FIPS, it always fails, but with FIPS enabled it triggers a panic). But maybe the most obvious move would be to remove the call to cfs_crypto_crc32_register(). Any suggestion adilger?

Hi Sebastian,

When you say "it [the digest test] always fails", do you mean it always fails under the RHEL 8.3 kernel, but succeeds under the RHEL 7 kernel?

thanks

Hi Olaf,

Sorry for the confusion, I meant:

• it fails on RHEL8.3, no matter FIPS is enabled or not, but only panics when FIPS is enabled;
• it does not fail on RHEL7.

The special crc32 handling is left overs from the RHEL6 days which is why it was removed in newer lustre versions. All the special crc32 handling Lustre did is now apart of the supported kernels.

Maybe the most straightforward way to get rid of this problem is to not call LIBCFS_HAVE_CRC32 config check in libcfs/autoconf/lustre-libcfs.m4, resulting in built-in crc32 not being used. I tested this quick solution, it works.

A cleaner approach is to backport patch https://review.whamcloud.com/35342 to b2_12, I just pushed a patch for this:
https://review.whamcloud.com/43623

Patch https://review.whamcloud.com/35342 has been abandoned as we cannot drop RHEL6 support in 2.12.

An even cleaner approach is to fix the root cause of the error:

alg: hash: digest failed on test 1 for crc32-table: ret=126

Errno 126 is:

#define ENOKEY          126     /* Required key not available */

And it appears that crc32 needs to set the CRYPTO_ALG_OPTIONAL_KEY flag to work properly. I will push a patch to fix this.

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/43653
Subject: LU-14673 sec: annotate algorithms taking optional key
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 2
Commit: cc066c79a26d927e11dcfdef96eb5ab77dc7025a

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/43656
Subject: LU-14673 sec: annotate algorithms taking optional key
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 9b32694f26424030024a16c91a7e4575d5b281c2

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/43656/
Subject: LU-14673 sec: annotate algorithms taking optional key
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: b161e7b777e63bb4328aeab9e50560f919fedc31

Landed for 2.15

Keeping the topllnl label until the patch lands to b2_12

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/43653/
Subject: LU-14673 sec: annotate algorithms taking optional key
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 0aefae53fb03eaca7229d9d4b3e48c4a8c33de1a