Bug 217293

Summary: Kernel panic, CONFIG_FIPS_SIGNATURE_SELFTEST, missing dependency
Product: Linux Reporter: sephora (o6irnndpcv7)
Component: KernelAssignee: Virtual assignee for kernel bugs (linux-kernel)
Status: NEW ---    
Severity: blocking Flags: mricon: bugbot+
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 6.1.19 Subsystem: KERNEL SELFTEST FRAMEWORK
Regression: No Bisected commit-id:
Attachments: Kernel config for 6.2.9

Description sephora 2023-04-03 12:00:42 UTC 
Hello and good day!

I think I found a missing dependency.
In case of setting CONFIG_FIPS_SIGNATURE_SELFTEST, CONFIG_CRYPTO_SHA256 also needs to be set. But not as module.
Failing to do so results in an early kernel panic during boot. 

Tested on linux-6.1.12-gentoo and linux-6.1.19-gentoo.


Thanks,
  sephora
Comment 1 Bugspray Bot 2023-04-03 16:34:27 UTC 
Randy Dunlap <rdunlap@infradead.org> writes:

Hi sephora,

On 4/3/23 07:29, Kernel.org Bugbot wrote:
> o6irnndpcv7 writes via Kernel.org Bugzilla:
> 
> Hello and good day!
> 
> I think I found a missing dependency.
> In case of setting CONFIG_FIPS_SIGNATURE_SELFTEST, CONFIG_CRYPTO_SHA256 also
> needs to be set. But not as module.
> Failing to do so results in an early kernel panic during boot. 

Please tell us what the kernel panic message is.

> 
> Tested on linux-6.1.12-gentoo and linux-6.1.19-gentoo.
> 

Have you tested this on a mainline kernel, without gentoo patches?

Does gentoo add any patches in this area?

Thanks.

> 
> Thanks,
>   sephora
> 
> View: https://bugzilla.kernel.org/show_bug.cgi?id=217293#c0
> You can reply to this message to join the discussion.

(via https://msgid.link/92be7194-b02b-5380-7d33-9bd44e6aaf88@infradead.org)
Comment 2 sephora 2023-04-03 20:00:17 UTC 
Hi Randy!

(In reply to Bugbot from comment #1)
> Randy Dunlap <rdunlap@infradead.org> writes:
>
> Please tell us what the kernel panic message is.
> 

There is no message. I'm sorry.
I just get a black screen.

I'm using EFI to boot my machine. And I can get some output if I enable 'earlycon=efifb' via CMDLINE. 

The output stops at:
Console: colour dummy device 80x25
printk: console [tty0] enabled
printk: bootconsole [efifb0] disabled

At this point the machine freezes. No error message.

And when I set:
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_ON_OOPS_VALUE=1
CONFIG_PANIC_TIMEOUT=-1

That gives me a reboot loop.

> 
> Have you tested this on a mainline kernel, without gentoo patches?
> 
> Does gentoo add any patches in this area?
>

Unfortunately I don't know if Gentoo is adding any patches that may affect this.

But I can confirm that the problem persists while using vanilla-sources for kernel 6.2.9.

Thanks,
   sephora

> 
> Thanks.
Comment 3 Bugspray Bot 2023-04-03 20:25:13 UTC 
Randy Dunlap <rdunlap@infradead.org> replies to comment #2:

On 4/3/23 13:04, Kernel.org Bugbot wrote:
> o6irnndpcv7 writes via Kernel.org Bugzilla:
> 
> Hi Randy!
> 
> (In reply to Bugbot from comment #1)
>> Randy Dunlap <rdunlap@infradead.org> writes:
>>
>> Please tell us what the kernel panic message is.
>>
> 
> There is no message. I'm sorry.
> I just get a black screen.
> 
> I'm using EFI to boot my machine. And I can get some output if I enable
> 'earlycon=efifb' via CMDLINE. 
> 
> The output stops at:
> Console: colour dummy device 80x25
> printk: console [tty0] enabled
> printk: bootconsole [efifb0] disabled
> 
> At this point the machine freezes. No error message.
> 
> And when I set:
> CONFIG_PANIC_ON_OOPS=y
> CONFIG_PANIC_ON_OOPS_VALUE=1
> CONFIG_PANIC_TIMEOUT=-1
> 
> That gives me a reboot loop.
> 
>>
>> Have you tested this on a mainline kernel, without gentoo patches?
>>
>> Does gentoo add any patches in this area?
>>
> 
> Unfortunately I don't know if Gentoo is adding any patches that may affect
> this.
> 
> But I can confirm that the problem persists while using vanilla-sources for
> kernel 6.2.9.

Please put your kernel .config file on the bugzilla entry.

What makes you think that this is related to FIPS_SIGNATURE_SELFTEST?

thanks.

(via https://msgid.link/1d7e238b-7e8f-9ce0-1ecb-68e2b80b6d92@infradead.org)
Comment 4 Bugspray Bot 2023-04-04 04:47:37 UTC 
Randy Dunlap <rdunlap@infradead.org> replies to comment #3:

Hi again,

On 4/3/23 13:19, Randy Dunlap wrote:
> 
> 
> On 4/3/23 13:04, Kernel.org Bugbot wrote:
>> o6irnndpcv7 writes via Kernel.org Bugzilla:
>>
>> Hi Randy!
>>
>> (In reply to Bugbot from comment #1)
>>> Randy Dunlap <rdunlap@infradead.org> writes:
>>>
>>> Please tell us what the kernel panic message is.
>>>
>>
>> There is no message. I'm sorry.
>> I just get a black screen.
>>
>> I'm using EFI to boot my machine. And I can get some output if I enable
>> 'earlycon=efifb' via CMDLINE. 
>>
>> The output stops at:
>> Console: colour dummy device 80x25
>> printk: console [tty0] enabled
>> printk: bootconsole [efifb0] disabled
>>
>> At this point the machine freezes. No error message.
>>

I can reproduce this or at least something very similar to it, but it
doesn't matter if FIPS_SIGNATURE_SELFTEST is set or not.


>> And when I set:
>> CONFIG_PANIC_ON_OOPS=y
>> CONFIG_PANIC_ON_OOPS_VALUE=1
>> CONFIG_PANIC_TIMEOUT=-1
>>
>> That gives me a reboot loop.
>>
>>>
>>> Have you tested this on a mainline kernel, without gentoo patches?
>>>
>>> Does gentoo add any patches in this area?
>>>
>>
>> Unfortunately I don't know if Gentoo is adding any patches that may affect
>> this.
>>
>> But I can confirm that the problem persists while using vanilla-sources for
>> kernel 6.2.9.
> 
> Please put your kernel .config file on the bugzilla entry.

I'll test with your .config file...

> What makes you think that this is related to FIPS_SIGNATURE_SELFTEST?

and still that question...

(via https://msgid.link/1c880cd5-b3f1-46b9-fc66-f7743e068c7a@infradead.org)
Comment 5 sephora 2023-04-04 06:04:10 UTC 
Created attachment 304083 [details]
Kernel config for 6.2.9

This is a kernel config for 6.2.9, with:

# CONFIG_FIPS_SIGNATURE_SELFTEST is not set
# CONFIG_CRYPTO_SHA256 is not set
Comment 6 sephora 2023-04-04 06:13:33 UTC 
Hi Randy!

I submitted an example config. 
That config works fine for me, until I set: 

CONFIG_FIPS_SIGNATURE_SELFTEST=y

And it starts working well again if I set:

CONFIG_FIPS_SIGNATURE_SELFTEST=y
CONFIG_CRYPTO_SHA256=y

That's why I think it is related to FIPS_SIGNATURE_SELFTEST.


Thanks,
  sephora
Comment 7 Bugspray Bot 2023-04-05 03:19:41 UTC 
Randy Dunlap <rdunlap@infradead.org> replies to comment #6:

[adding linux-crypto and dhowells]


On 4/3/23 23:17, Kernel.org Bugbot wrote:
> o6irnndpcv7 writes via Kernel.org Bugzilla:
> 
> Hi Randy!
> 
> I submitted an example config. 
> That config works fine for me, until I set: 
> 
> CONFIG_FIPS_SIGNATURE_SELFTEST=y
> 
> And it starts working well again if I set:
> 
> CONFIG_FIPS_SIGNATURE_SELFTEST=y
> CONFIG_CRYPTO_SHA256=y
> 
> That's why I think it is related to FIPS_SIGNATURE_SELFTEST.
> 
> 
> Thanks,
>   sephora
> 
> View: https://bugzilla.kernel.org/show_bug.cgi?id=217293#c6
> You can reply to this message to join the discussion.

I'm not making any progress on this bug, so asking others for help.


Is there anything in the FIPS_SIGNATURE_SELFTEST code (selftest.c)
or code that it calls that requires CRYPTO_SHA256?

(via https://msgid.link/15521c65-1501-9394-8845-4d4ef983e6b6@infradead.org)