Understanding FIPS Error States and System Panic
A router running Junos OS in FIPS mode has certain operational restrictions such as the ability to load only integrity-checked software files and use only FIPS-approved cryptographic algorithms. To ensure correct operation, the router performs a series of FIPS self-tests.
The router performs additional tests as needed—for example, to ensure that randomly generated numbers are truly random and to verify manually entered keys (passwords).
If it fails a test, the router enters a FIPS error state known as system panic.
When a low-level cryptographic function cannot complete for lack of memory or another resource, a memory allocation error occurs. This error does not result in system panic.
FIPS errors that occur early in the boot cycle can prevent the system from successfully starting up. For this reason, keep alternate boot media up to date.
FIPS System Panic
If a router fails a FIPS self-test, the router enters a FIPS error state known as system panic. The panic condition halts all cryptographic processing and stops all data output from the router. To clear the FIPS error, the router reboots, runs the FIPS self-tests, and if it passes all the tests, returns to normal operation.
If the router fails a self-test during a reboot from panic mode, the system stops booting and attempts to reboot. If the reboot is unsuccessful, the router attempts again to reboot, this time from available boot media.
During a system panic, only status messages are displayed on the console. For example, a FIPS error is logged as shown in the following example:
panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA
The reboot after panic displays the following error message on the console:
savecore: reboot after panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA
The following error states create a system panic:
These errors have only an extremely small chance of occurring.
The router failed a known answer test (KAT).
The random number is not random.
Signature generation failed.
Signature verification failed.
Certificate verification failed.
Encryption or decryption failed.
An environment error occurred.
An error occurred in a pair-wise conditional test.
Memory Allocation Error
A FIPS memory allocation error occurs when a low-level cryptographic function cannot finish processing for lack of memory or of another resource. This error causes the affected process to be terminated, but does not result in system panic.
FIPS memory failures are logged as follows:
Apr 15 23:08:15 shmoo /kernel: pid 6374 (fips-error), uid 0, FIPS error 9: RSA verify memory allocation failed
Terminating the process clears the error so that the process can be run again.
Error Recovery from Alternate Boot Media
A Juniper Networks router running Junos OS in FIPS mode performs KAT self-tests at startup. If the router fails a KAT, the boot process stops and the router attempts to reboot. If the reboot is unsuccessful, the router attempts again to reboot, this time from available boot media.
For this reason, be sure to keep the alternate media on the router in a functional state by running the request system snapshot recovery command after enabling FIPS mode.