Performing Self-Test
The cryptographic module enforces security rules to ensure that the Juniper Networks Junos OS Evolved in FIPS mode meets the security requirements of FIPS 140-3 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs a series of known answer test (KAT) self-tests.
The KAT self-tests are performed automatically at startup.
If the KATs are completed successfully, the dmesg log is updated to display the tests that are executed. You can view the logs by executing journalctl | grep self-test on the device shell.
[vrf:none] root@host:~# journalctl | grep self-test
May 21 10:27:34 host kernel: alg: self-tests for rsa-generic (rsa) passed
May 21 10:27:34 host kernel: alg: self-tests for cipher_null-generic (cipher_null) passed
May 21 10:27:34 host kernel: alg: self-tests for ecb-cipher_null (ecb(cipher_null)) passed
May 21 10:27:34 host kernel: alg: self-tests for sha1-generic (sha1) passed
May 21 10:27:34 host kernel: alg: self-tests for sha256-generic (sha256) passed
May 21 10:27:34 host kernel: alg: self-tests for sha224-generic (sha224) passed
May 21 10:27:34 host kernel: alg: self-tests for sha512-generic (sha512) passed
May 21 10:27:34 host kernel: alg: self-tests for aes-generic (aes) passed
May 21 10:27:34 host kernel: alg: self-tests for crc32c-generic (crc32c) passed
May 21 10:27:34 host kernel: alg: self-tests for crct10dif-generic (crct10dif) passed
May 21 10:27:34 host kernel: alg: self-tests for ctr(aes-generic) (ctr(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_ctr_aes128 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_ctr_aes192 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_ctr_aes256 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_sha1 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_sha512 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_sha256 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_hmac_sha1 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_hmac_sha512 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for hmac(sha256-generic) (hmac(sha256)) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_pr_hmac_sha256 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_ctr_aes128 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_ctr_aes192 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_ctr_aes256 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_sha1 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_sha512 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_sha256 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_hmac_sha1 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_hmac_sha512 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed
May 21 10:27:34 host kernel: alg: self-tests for aes-asm (aes) passed
May 21 10:27:34 host kernel: alg: self-tests for crc32c-intel (crc32c) passed
May 21 10:27:34 host kernel: alg: self-tests for sha1-ssse3 (sha1) passed
May 21 10:27:34 host kernel: alg: self-tests for sha1-avx (sha1) passed
May 21 10:27:34 host kernel: alg: self-tests for sha1-avx2 (sha1) passed
May 21 10:27:34 host kernel: alg: self-tests for sha256-ssse3 (sha256) passed
May 21 10:27:34 host kernel: alg: self-tests for sha224-ssse3 (sha224) passed
May 21 10:27:34 host kernel: alg: self-tests for sha256-avx (sha256) passed
May 21 10:27:34 host kernel: alg: self-tests for sha224-avx (sha224) passed
May 21 10:27:34 host kernel: alg: self-tests for sha256-avx2 (sha256) passed
May 21 10:27:34 host kernel: alg: self-tests for sha224-avx2 (sha224) passed
May 21 10:27:34 host kernel: alg: self-tests for sha512-ssse3 (sha512) passed
May 21 10:27:34 host kernel: alg: self-tests for sha384-ssse3 (sha384) passed
May 21 10:27:34 host kernel: alg: self-tests for sha512-avx (sha512) passed
May 21 10:27:34 host kernel: alg: self-tests for sha384-avx (sha384) passed
May 21 10:27:34 host kernel: alg: self-tests for sha512-avx2 (sha512) passed
May 21 10:27:34 host kernel: alg: self-tests for sha384-avx2 (sha384) passed
May 21 10:27:34 host kernel: alg: self-tests for crct10dif-pclmul (crct10dif) passed
May 21 10:27:34 host kernel: alg: self-tests for jitterentropy_rng (jitterentropy_rng) passed
May 21 10:27:34 host kernel: lrng_selftest: LRNG self-tests passed
May 21 10:27:34 host kernel: alg: self-tests for aes-aesni (aes) passed
May 21 10:27:34 host kernel: alg: self-tests for ecb-aes-aesni (ecb(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for cbc-aes-aesni (cbc(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for ctr-aes-aesni (ctr(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for xts-aes-aesni (xts(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for rfc4106-gcm-aesni (rfc4106(gcm(aes))) passed
May 21 10:27:34 host kernel: alg: self-tests for generic-gcm-aesni (gcm(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for pkcs1pad(rsa-generic,sha256) (pkcs1pad(rsa,sha256)) passed
May 21 10:27:34 host kernel: alg: self-tests for hmac(sha1-avx2) (hmac(sha1)) passed
May 21 10:27:34 host kernel: alg: self-tests for cbc(aes-aesni) (cbc(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for cmac(aes-aesni) (cmac(aes)) passed
[vrf:none] root@host:~#
A self-test failure results in a FIPS error state, and the device automatically reboots after encountering the error state.
Integrity Validation
To validate integrity, set the FIPS level, reboot the device, and verify the integrity logs.
If there is an integrity failure, the module stops and generates a FIPS error state.
You can check the logs for a successful integrity check. For example:
[vrf:none] root@re0:~# journalctl | grep "FIPS integrity"
Sep 23 22:10:18 re0 unknown: FIPS integrity check passed for bzImage-re-64b.bin
Sep 23 22:10:18 re0 unknown: FIPS integrity check passed for initrd_Yocto_2.2_x86_64.fs
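
The log review described in both sections above can be scripted so that it confirms a passed record exists for every item you require, instead of searching for failures (a test that never ran leaves no failure line). This is an added example, not Juniper code: missing_checks and sample_log are hypothetical names, the sample log is constructed from the two formats shown on this page, and the list of required items is the operator's choice.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Juniper tooling.

# Constructed sample input in the two log formats shown on this page.
# The initrd integrity record is deliberately left out.
sample_log() {
cat <<'EOF'
May 21 10:27:34 host kernel: alg: self-tests for sha256-generic (sha256) passed
May 21 10:27:34 host kernel: alg: self-tests for aes-aesni (aes) passed
May 21 10:27:34 host kernel: alg: self-tests for generic-gcm-aesni (gcm(aes)) passed
May 21 10:27:34 host kernel: alg: self-tests for drbg_nopr_hmac_sha256 (stdrng) passed
May 21 10:27:34 host kernel: lrng_selftest: LRNG self-tests passed
Sep 23 22:10:18 re0 unknown: FIPS integrity check passed for bzImage-re-64b.bin
EOF
}

# missing_checks: reads journal text on stdin. Each argument is a required
# item: a kernel driver name (self-test) or an image file name (integrity).
# Prints one "MISSING <item>" line per item that has no "passed" record
# and returns non-zero if any item is missing.
missing_checks() {
    awk -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        # Format: "alg: self-tests for <driver> (<alg>) passed"
        /alg: self-tests for .* passed$/ {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { seen[$(i + 1)] = 1; break }
        }
        # Format: "FIPS integrity check passed for <file>"
        /FIPS integrity check passed for / { seen[$NF] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { print "MISSING " req[i]; bad = 1 }
            exit bad
        }'
}

# Demo on the constructed sample: reports the absent initrd record.
sample_log | missing_checks aes-aesni generic-gcm-aesni \
    bzImage-re-64b.bin initrd_Yocto_2.2_x86_64.fs || true
```

On a device, pipe journalctl into missing_checks in place of sample_log and act on a non-zero exit status.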