Understanding FIPS Error States and System Panic
A switch operating Junos OS in FIPS mode has certain operational restrictions such as the ability to load only integrity-checked software files and use only FIPS-approved cryptographic algorithms. To ensure correct operation, the switch performs a series of FIPS self-tests.
The switch performs additional tests as needed—for example, to ensure that randomly generated numbers are truly random and to verify manually entered keys (passwords).
If it fails a test, the switch enters a FIPS error state known as system panic.
FIPS errors that occur early in the boot cycle can prevent the system from successfully starting up. For this reason, keep alternate boot media up to date.
For details, see:
FIPS System Panic
If a switch fails a FIPS self-test, the switch enters a FIPS error state known as system panic. The panic condition halts all cryptographic processing and stops all data output from the switch. To clear the FIPS error, the switch reboots, runs the FIPS self-tests, and if it passes all the tests, returns to normal operation.
If the switch fails a self-test during a reboot from panic mode, the system stops booting and attempts to reboot. If the reboot is unsuccessful, the switch attempts again to reboot, this time from available boot media.
During a system panic, only status messages are displayed on the console. For example, a FIPS error is logged as follows:
panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA
The reboot after panic displays the following error message on the console:
savecore: reboot after panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA
The following error states create a system panic:
These errors have only an extremely small chance of occurring.
The switch failed a known answer test (KAT).
The random number is not random.
Signature generation failed.
Signature verification failed.
Certificate verification failed.
Encryption or decryption failed.
An environment error occurred.
An error occurred in a pair-wise conditional test.
Error Recovery from Alternate Boot Media
An EX Series switch running Junos OS in FIPS mode performs KATs self-tests at startup. If the switch fails a KAT, the boot process stops and the switch attempts to reboot. If the reboot is unsuccessful, the switch attempts again to reboot, this time from available boot media.
If the alternate media are not functional, the switch might not be able to start up at all. In that case, the Crypto Officer must remove the tamper-evident seal from the USB port and insert the removable boot media so that the system can boot normally and install Junos OS.
However, if the seal is broken, the switch is no longer a FIPS cryptographic module. You as Crypto Officer must reinstall and reconfigure Junos OS and enable FIPS mode.
For this reason, be sure to keep the alternate media on the switch in a functional state by running the request system snapshot command after a successful upgrade.