FIPS mode
When FIPS mode is enabled on a host, certain algorithms used by the TPM 2 emulation must either be disabled, or OpenSSL FIPS mode must be disabled, so that the TPM 2 can work. The following are notes on observed behavior on different Linux installations, where enabling FIPS mode seems to have a different impact on which algorithms OpenSSL allows to be used.
To prevent swtpm v0.8 from disabling OpenSSL FIPS mode, the following patch was applied:
index e67adcb..d3c4bf4 100644
--- a/src/swtpm/fips.c
+++ b/src/swtpm/fips.c
@@ -67,6 +67,7 @@ bool fips_mode_enabled(void)
#else
int mode = FIPS_mode();
#endif
+ mode = 0;
return mode != 0;
}
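Review bot: the added `mode = 0;` unconditionally overwrites the value just read, so `fips_mode_enabled()` always returns false regardless of the `FIPS_mode()` call above it (and of whatever the other `#if` branch computes), which is the intended effect for this experiment but leaves that call as dead code and a function whose name no longer describes what it returns; as a temporary debugging override this is fine, but it should carry a comment saying so and must not be committed as-is, with a runtime switch (for example a command-line option) being the cleaner way to make swtpm leave OpenSSL FIPS mode alone. Note also that the hunk header `@@ -67,6 +67,7 @@` announces six original lines but only five are shown, so one context line before `#else` was lost when the patch was pasted.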
Then the following commands were run as a non-root user:
# mkdir -p /tmp/myvtpm
# swtpm_setup --tpmstate /tmp/myvtpm/ --overwrite --tpm2
# swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init
# export TPM_COMMAND_PORT=2321 TPM_PLATFORM_PORT=2322 TPM_SERVER_NAME=localhost TPM_INTERFACE_TYPE=socsim TPM_SERVER_TYPE=raw
# tssstartup -st
To detect all failing algorithms, the TPM 2 code had to be modified to continue the self-test after a failure was detected.
The following error occurred due to scheme 0x10 (TPM_ALG_NULL):
libtpms/tpm2: Entering failure mode; code: 6, location: TestRsaEncryptDecrypt line 417
libtpms/tpm2: TPM2_Process: Entered failure mode through command:
80 01 00 00 00 0b 00 00 01 43 01
The following error occurred due to modes 0x41-0x44 for symmetric crypto algorithms 0x03 and 0x26 (TDES, CAMELLIA):
libtpms/tpm2: Entering failure mode; code: 6, location: TestSymmetricAlgorithm line 236
libtpms/tpm2: TPM2_Process: Entered failure mode through command:
80 01 00 00 00 0b 00 00 01 43 01
The following error occurred due to scheme 0x15 (RSAES):
libtpms/tpm2: Entering failure mode; code: 6, location: TestRsaEncryptDecrypt line 470
libtpms/tpm2: TPM2_Process: Entered failure mode through command:
80 01 00 00 00 0b 00 00 01 43 01
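As an added triage helper (not code from swtpm or libtpms), the following Python parses the failure-mode messages quoted above: it pairs each "Entering failure mode" line with the command hexdump that follows it, decodes that command header (tag 0x8001, size 11, command code 0x143 = TPM2_SelfTest with fullTest set), and carries a lookup table for the TPM_ALG_ID values the notes cite (0x10, 0x15, 0x03, 0x26 and the modes 0x41-0x44). The constant names are taken from the TCG TPM 2.0 Library specification and Algorithm Registry; the sample log is the first failure quoted above.

```python
"""Triage helper for the libtpms failure-mode messages quoted above: parse
the 'Entering failure mode' lines, decode the TPM 2.0 command that was in
flight, and name the TPM_ALG_ID values the notes cite."""
import re
import struct

# Constants from the TCG TPM 2.0 Library spec (Part 2) and Algorithm Registry.
TPM_ST = {0x8001: "TPM_ST_NO_SESSIONS", 0x8002: "TPM_ST_SESSIONS"}
TPM_CC = {0x143: "TPM_CC_SelfTest", 0x144: "TPM_CC_Startup"}
TPM_ALG = {0x03: "TPM_ALG_TDES", 0x06: "TPM_ALG_AES", 0x10: "TPM_ALG_NULL",
           0x15: "TPM_ALG_RSAES", 0x26: "TPM_ALG_CAMELLIA", 0x40: "TPM_ALG_CTR",
           0x41: "TPM_ALG_OFB", 0x42: "TPM_ALG_CBC", 0x43: "TPM_ALG_CFB",
           0x44: "TPM_ALG_ECB"}
FAILURE_RE = re.compile(r"Entering failure mode; code: (\d+), location: (\w+) line (\d+)")
HEX_LINE_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")


def decode_command(hexdump: str) -> dict:
    """Split a TPM 2.0 command into its big-endian header (2-byte tag,
    4-byte commandSize, 4-byte commandCode) and the parameter area."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 10:
        raise ValueError("TPM command header is 10 bytes")
    tag, size, cc = struct.unpack(">HII", raw[:10])
    if size != len(raw):
        raise ValueError(f"commandSize {size} does not match {len(raw)} bytes")
    info = {"tag": TPM_ST.get(tag, f"0x{tag:04x}"), "size": size,
            "command": TPM_CC.get(cc, f"0x{cc:08x}"), "params": raw[10:].hex()}
    if cc == 0x143:  # TPM2_SelfTest has one parameter, TPMI_YES_NO fullTest
        info["fullTest"] = raw[10] == 0x01
    return info


def parse_failure_log(text: str) -> list:
    """Pair each 'Entering failure mode' line with the command hexdump that
    libtpms prints two lines later."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            events.append({"code": int(m.group(1)), "location": m.group(2),
                           "line": int(m.group(3)), "command": None})
        elif HEX_LINE_RE.match(line.strip()) and events and events[-1]["command"] is None:
            events[-1]["command"] = decode_command(line.strip())
    return events


# Sample input: the first failure quoted in the notes above.
SAMPLE_LOG = """libtpms/tpm2: Entering failure mode; code: 6, location: TestRsaEncryptDecrypt line 417
libtpms/tpm2: TPM2_Process: Entered failure mode through command:
80 01 00 00 00 0b 00 00 01 43 01"""
```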
No errors were detected, neither when swtpm was run as a non-root user nor as root.
# fips-mode-setup --check
FIPS mode is enabled.
Initramfs fips module is enabled.
The current crypto policy (FIPS) is based on the FIPS policy.
Could not enable FIPS mode.
# fips-mode-setup --check
Installation of FIPS modules is not completed.
cat: /proc/sys/crypto/fips_enabled: No such file or directory
FIPS mode is .