Kernel panic "not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!" when installing or upgrading to vCenter Server 8.0U2
Article ID: 320000
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
RNG: Failed to allocated Jitter entropy RNG
alg: ecdh: Party A: compute shared secret test failed. err -14
alg: ecdh: test failed on vector 1, err=-14
Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
CPU: 2 PID: 123 Comm: cryptomgr_test Not tainted 5.10.175-6.ph4 #1-photon
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
dump_stack+0x70/0x8f
panic+0x104/0x2da
alg_test+0x580/0x5a0
cryptomgr_test+0x27/0x60
kthread+0x12f/0x150
? pkcs1pad_verify+0x1e0/0x1e0
? __kthread_bind_mask+0x70/0x70
ret_from_fork+0x22/0x30
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
- The installation of a new vCenter Server 8.0U2 may show Waiting for RPM installation to start. This may take several minutes and fail at ~80% during the stage 1 Deploy vCenter Server process.
- During an upgrade/update or installation of vCenter Server 8.0U2 you encounter a kernel panic within the Photon GuestOS which appears similar to the following:
RNG: Failed to allocated Jitter entropy RNG
alg: ecdh: Party A: compute shared secret test failed. err -14
alg: ecdh: test failed on vector 1, err=-14
Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
CPU: 2 PID: 123 Comm: cryptomgr_test Not tainted 5.10.175-6.ph4 #1-photon
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
dump_stack+0x70/0x8f
panic+0x104/0x2da
alg_test+0x580/0x5a0
cryptomgr_test+0x27/0x60
kthread+0x12f/0x150
? pkcs1pad_verify+0x1e0/0x1e0
? __kthread_bind_mask+0x70/0x70
ret_from_fork+0x22/0x30
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware vCenter Server 8.0.2
Cause
FIPs health tests failing for successive CPU Timestamp Counter (TSC) readings on some hardware models.
Resolution
The fix is available in vSphere 8.0U2b / PO3
Workaround:
Workaround:
- For fresh installations attempt to install the vCenter Server 8.0U2 on hardware with alternative physical CPU if available.
- Similarly for updates/upgrades migrate the vCenter Server Virtual Machine to an ESXi host with different physical CPU if available prior to the update/upgrade attempt.
- It is not recommended to disable FIPS as a workaround.
Additional Information
The following CPU have been confirmed as being impacted by this issue to date:
AMD EPYC 7343
AMD EPYC 7262
AMD EPYC 7F72
AMD EPYC 74F3
Impact/Risks:
AMD EPYC 7343
AMD EPYC 7262
AMD EPYC 7F72
AMD EPYC 74F3
Impact/Risks:
- Unable to upgrade to or install vCenter Server 8.0U2
- VMware has determined that the FIPS self-test failures are a defect in the self-test and not in random number generation itself. There is no security risk from this failure.
- Disabling FIPS (and the failing self-test) is an untested configuration which VMware does not support.
Feedback
Yes
No
Powered by
