REJECTED/Cmnt: [SRU][Focal][PATCH 0/1] DRBG initialization failed on some AMD EPYC series CPU and lead to kernel panic

Stefan Bader stefan.bader at canonical.com
Tue Jul 9 06:22:52 UTC 2024 

On 08.07.24 09:26, Gerald Yang wrote:
> Hi Stefan,
> 
> Sorry for the late reply and confusion.
> I used the wrong word, it was a clean cherry-pick from the upstream 
> commit, not a backport.
> Should I submit a v2 for this?

Hi Gerald,

you will have to. This thread is no longer being looked at. And to be 
clear what got submitted failed to apply to focal with "git am". Don't 
use "git cherry pick" from upstream into our trees to decide whether to 
call it backport or cherry pick. Git can do context adjustments and not 
declare it.
Better use "git format-patch" and test apply with "git am". Yes this can 
fail more often but that gives at least also some opportunity to be sure 
something really fits in the older series.

-Stefan

> 
> Thanks,
> Gerald
> 
> On Fri, Jun 21, 2024 at 10:01 PM Stefan Bader 
> <stefan.bader at canonical.com <mailto:stefan.bader at canonical.com>> wrote:
> 
>     On 18.06.24 14:49, Gerald Yang wrote:
>      > BugLink: https://bugs.launchpad.net/bugs/2069715
>     <https://bugs.launchpad.net/bugs/2069715>
>      >
>      > [Impact]
>      >
>      > Install Focal with FIPS enabled on AMD EPYC 7262 8-Core
>     Processor, kernel panic happens during boot:
>      > [ 3.430477] ima: Allocated hash algorithm: sha1
>      > [ 3.433358] ima: No architecture policies found
>      > [ 3.435785] evm: Initialising EVM extended attributes:
>      > [ 3.438271] evm: security.selinux
>      > [ 3.440265] evm: security.SMACK64
>      > [ 3.442532] evm: security.SMACK64EXEC
>      > [ 3.444753] evm: security.SMACK64TRANSMUTE
>      > [ 3.446900] evm: security.SMACK64MMAP
>      > [ 3.448912] evm: security.apparmor
>      > [ 3.452277] evm: security.ima
>      > [ 3.455549] evm: security.capability
>      > [ 3.457537] evm: HMAC attrs: 0x1
>      > [ 3.461049] PM: Magic number: 12:438:677
>      > [ 3.463502] rtc_cmos 00:03: setting system clock to
>     2024-06-18T09:40:59 UTC (1718703659)
>      > [ 3.467750] Kernel panic - not syncing: random: Failed to reset
>     DRBG (drbg_nopr_ctr_aes256): -2
>      > [ 3.471060] CPU: 2 PID: 1 Comm: swapper/0 Not tainted
>     5.4.0-1100-fips #110-Ubuntu
>      > [ 3.474288] Hardware name: QEMU Standard PC (Q35 + ICH9,
>     2009)/LXD, BIOS 0.0.0 02/06/2015
>      > [ 3.478191] Call Trace:
>      > [ 3.480175] dump_stack+0x6d/0x8b
>      > [ 3.482652] panic+0x114/0x2f6
>      > [ 3.490069] fips_drbg_init+0xa7/0xbd
>      > [ 3.492169] ? chr_dev_init+0x148/0x148
>      > [ 3.494330] do_one_initcall+0x4a/0x200
>      > [ 3.496396] kernel_init_freeable+0x1e6/0x289
>      > [ 3.498967] ? rest_init+0xb0/0xb0
>      > [ 3.500965] kernel_init+0xe/0x110
>      > [ 3.502983] ret_from_fork+0x35/0x40
>      > [ 3.505305] Kernel Offset: 0x35c00000 from 0xffffffff81000000
>     (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
>      > [ 3.509544] ACPI MEMORY or I/O RESET_REG.
>      >
>      > It fails to initialize DRBG, this issue doesn't happen on Intel
>     CPU, only on some AMD EPYC series CPU.
>      > Also Jammy with FIPS enabled doesn't have this issue.
>      >
>      > [Fix]
>      >
>      > It's been fixed by this upstream commit:
>      > commit 552d03a223eda3df84526ab2c1f4d82e15eaee7a
>      > Author: Stephan M<C3><BC>ller <smueller at chronox.de
>     <mailto:smueller at chronox.de>>
>      > Date: Sun Nov 21 15:14:20 2021 +0100
>      >
>      >      crypto: jitter - consider 32 LSB for APT
>      >
>      >      The APT compares the current time stamp with a pre-set
>     value. The
>      >      current code only considered the 4 LSB only. Yet, after
>     reviews by
>      >      mathematicians of the user space Jitter RNG version >=
>     3.1.0, it was
>      >      concluded that the APT can be calculated on the 32 LSB of
>     the time
>      >      delta. Thi change is applied to the kernel.
>      >
>      >      This fixes a bug where an AMD EPYC fails this test as its
>     RDTSC value
>      >      contains zeros in the LSB. The most appropriate fix would
>     have been to
>      >      apply a GCD calculation and divide the time stamp by the
>     GCD. Yet, this
>      >      is a significant code change that will be considered for a
>     future
>      >      update. Note, tests showed that constantly the GCD always
>     was 32 on
>      >      these systems, i.e. the 5 LSB were always zero (thus failing
>     the APT
>      >      since it only considered the 4 LSB for its calculation).
>      >
>      >      Signed-off-by: Stephan Mueller <smueller at chronox.de
>     <mailto:smueller at chronox.de>>
>      >      Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au
>     <mailto:herbert at gondor.apana.org.au>>
>      >
>      > [Testcase]
>      >
>      > On AMD EPYC 7262 8-Core Processor, create a VM and enable FIPS
>     can also reproduce the issue.
>      > I backported the upstream commit to Focal FIPS kernel
>     (5.4.0-1100.110-fips) for testing, the DRBG init failed message is gone:
> 
>     You mention here that you *backported* the upstream change to focal but
>     the submitted patch is a cherry pick (it also looks like this is the
>     case). It does not apply to focal at all.
>     Please submit a v2 with the actual backport. Thanks.
> 
>     -Stefan
> 
>      > [ 3.267954] rtc_cmos 00:03: setting system clock to
>     2024-06-18T06:58:53 UTC (1718693933)
>      > [ 3.275683] random: random: DRBG (drbg_nopr_ctr_aes256) initialized!
>      > [ 3.279309] md: Waiting for all devices to be available before
>     autodetect
>      >
>      > [Where problems could occur]
>      >
>      > This commit considers AMD EPYC CPU's RDTSC contains zero in LSB,
>     this won't affect other cases.
>      >
>      > [Other Info]
>      >
>      > Users also reported the issue here:
>      > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045322
>     <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045322>
>      >
>     https://askubuntu.com/questions/1509977/fips-kernel-panics-with-failed-to-reset-drbg-during-boot <https://askubuntu.com/questions/1509977/fips-kernel-panics-with-failed-to-reset-drbg-during-boot>
>      >
>      > Stephan Müller (1):
>      >    crypto: jitter - consider 32 LSB for APT
>      >
>      >   crypto/jitterentropy.c | 3 +--
>      >   1 file changed, 1 insertion(+), 2 deletions(-)
>      >
> 
>     -- 
>     - Stefan
> 

-- 
- Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240709/fb20e5fd/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240709/fb20e5fd/attachment-0001.sig>

More information about the kernel-team mailing list