Bug ID 1273221: On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state

Last Modified: May 29, 2024

Affected Product(s):
F5OS F5OS(all modules)

Known Affected Versions:
F5OS-A 1.4.0, F5OS-A 1.5.0, F5OS-A 1.5.1, F5OS-A 1.5.2

Opened: Mar 18, 2023

Severity: 1-Blocking

Symptoms

After a reboot of the F5OS-A rSeries system during any operation (for example, a live upgrade or a reboot), the FIPS HSM card might not become operational, and tenants that were running earlier might not return to a running state. This is due to a handshake failure between the liquid security driver and the HSM card. The driver gets stuck in SAFE_STATE instead of entering SECURE_OPERATIONAL_STATE. The driver state can be checked with the following command on the host system; the output shown is that of an operational HSM.

    [root@appliance-1 ~]# cat /proc/cavium_n3fips/driver_state
    HSM 0:SECURE_OPERATIONAL_STATE
    [root@appliance-1 ~]#

Impact

The FIPS HSM is not operational in the system, so FIPS tenants deployed on the F5OS rSeries host do not work as expected. They do not change to a RUNNING state.

Conditions

The issue might occur during a live software upgrade or in any situation that involves a reboot of the rSeries FIPS system with F5OS-A. The following logs appear in dmesg repeatedly, once for every retry of the handshake between the driver and the HSM card:

    [ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
    [ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION
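
The two checks described above (the driver state under /proc and the repeated handshake messages in dmesg) can be combined into one post-reboot check. This is an added example, not F5 code: the function names and the script name hsm_check.sh are assumptions, while the path, state names and log text are the ones quoted in this report.

```shell
#!/bin/sh
# Added example, not F5 code. The /proc path, state names and dmesg text
# are the ones quoted in this bug report.

# Print each HSM line that is not in SECURE_OPERATIONAL_STATE.
# Returns 0 if every HSM is operational, 1 if any is stuck (or none is
# listed), 2 if the state file cannot be read.
hsm_stuck_states() {
    [ -r "$1" ] || return 2
    hsm_lines=$(grep -E '^HSM [0-9]+:' "$1" || true)
    [ -n "$hsm_lines" ] || { echo "no HSM listed"; return 1; }
    stuck=$(printf '%s\n' "$hsm_lines" |
        grep -Ev ':SECURE_OPERATIONAL_STATE[[:space:]]*$' || true)
    [ -z "$stuck" ] && return 0
    printf '%s\n' "$stuck"
    return 1
}

# Count driver/HSM handshake retries in kernel log text read from stdin.
count_handshake_retries() {
    grep -c 'liquidsec_pf_vf_driver .*We might have a link issue' || true
}

# Combined verdict; kernel log on stdin, state file path as $1.
check_fips_hsm() {
    retries=$(count_handshake_retries)
    stuck=$(hsm_stuck_states "$1") && rc=0 || rc=$?
    case $rc in
        0) echo "OK: all HSMs operational (handshake retries logged: $retries)" ;;
        1) echo "FAIL: $stuck (handshake retries logged: $retries)" ;;
        *) echo "UNKNOWN: cannot read $1" ;;
    esac
    return "$rc"
}

# On the host: sh hsm_check.sh /proc/cavium_n3fips/driver_state
if [ "$#" -gt 0 ]; then
    dmesg | check_fips_hsm "$1"
fi
```

The script exits 0 when every HSM is operational, 1 when an HSM is stuck and 2 when the state file is unreadable, so it can gate tenant start-up checks after an upgrade or reboot.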

Workaround

As the driver is stuck in "HSM 0:SAFE_STATE", a power reboot will resolve the issue. Follow these steps:

1. Power off
2. Wait for 5 minutes
3. Power on

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips