SUMMARY SystemTap with FIPS

Hi,

Earlier today, I was hitting a problem with SystemTap on a RHEL 8.3 server with FIPS mode enabled:

# stap -v -e 'probe kernel.function("vfs_read") {printf("read performed\n"); exit()}'
Pass 1: parsed user script and 479 library scripts using 239264virt/82780res/13708shr/68584data kb, in 170usr/60sys/521real ms.
Pass 2: analyzed script: 2 probes, 1 function, 0 embeds, 0 globals using 295484virt/139616res/14508shr/124804data kb, in 1190usr/350sys/3145real ms.
Pass 3: translated to C into "/tmp/stape2efXw/stap_48416b96270ab836169c5b0167cdbce3_1362_src.c" using 295484virt/139936res/14828shr/124804data kb, in 20usr/70sys/96real ms.

Pass 4: compiled C into "stap_48416b96270ab836169c5b0167cdbce3_1362.ko" in 13250usr/3290sys/10921real ms.
Pass 5: starting run.
ERROR: Couldn't insert module in FIPS mode '/tmp/stape2efXw/stap_48416b96270ab836169c5b0167cdbce3_1362.ko': Operation not permitted
WARNING: /usr/bin/staprun exited with status: 1
Pass 5: run completed in 10usr/10sys/19real ms.
Pass 5: run failed.  [man error::pass5]

It was reporting a problem in Pass 5: "ERROR: Couldn't insert module in FIPS mode ...".

After some debugging and searching, a simple solution was found - force staprun to attempt module loads by setting the STAP_FIPS_OVERRIDE environment variable:

# export STAP_FIPS_OVERRIDE=1 && stap -v -k -e 'probe kernel.function("vfs_read") {printf("read performed\n"); exit()}'
Pass 1: parsed user script and 479 library scripts using 239268virt/82932res/13856shr/68588data kb, in 150usr/40sys/194real ms.
Pass 2: analyzed script: 2 probes, 1 function, 0 embeds, 0 globals using 295488virt/139960res/14852shr/124808data kb, in 1150usr/110sys/1261real ms.
Pass 3: translated to C into "/tmp/stapidlrrY/stap_49293_src.c" using 295488virt/140088res/14980shr/124808data kb, in 30usr/70sys/101real ms.
Pass 4: compiled C into "stap_49293.ko" in 2760usr/1040sys/3255real ms.
Pass 5: starting run.
read performed
Pass 5: run completed in 20usr/40sys/377real ms.
Keeping temporary directory "/tmp/stapidlrrY

Maybe this helps somebody...

Regards,

Dusan Baljevic (amateur radio VK2COT)
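
An added example, not part of the original post and not SystemTap project code: a POSIX shell wrapper that reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled and applies STAP_FIPS_OVERRIDE to a single stap invocation, so the override is not left exported in the session. The function names and the FIPS_FLAG_FILE variable are hypothetical.

```shell
#!/bin/sh
# Added example: scope STAP_FIPS_OVERRIDE to one stap run.
# Function names and FIPS_FLAG_FILE are hypothetical (not SystemTap's).

# Print "on", "off" or "unknown" for the FIPS flag file given as $1
# (default: the kernel's /proc/sys/crypto/fips_enabled).
fips_state() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    if [ ! -r "$flag_file" ]; then
        echo unknown
        return 0
    fi
    case "$(tr -d '[:space:]' < "$flag_file")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Print the environment assignment needed for this host, or nothing.
stap_env_prefix() {
    case "$(fips_state "$1")" in
        on) echo "STAP_FIPS_OVERRIDE=1" ;;
        *)  echo "" ;;
    esac
}

# Run stap with the override set only for this one process tree.
# Usage: run_stap -v -e 'probe kernel.function("vfs_read") { exit() }'
run_stap() {
    prefix=$(stap_env_prefix "${FIPS_FLAG_FILE:-}")
    if [ -n "$prefix" ]; then
        # Leave a trace on stderr so the override is visible in session logs.
        echo "FIPS mode is on: using $prefix for this stap run only" >&2
        env "$prefix" stap "$@"
    else
        stap "$@"
    fi
}
```

Source the file and call run_stap with the usual stap arguments; on hosts where FIPS mode is off, the variable is never set.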
