Bug ID 1273221: On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state

Last Modified: Jan 23, 2024

Affected Product(s):
F5OS F5OS(all modules)

Known Affected Versions:
F5OS-A 1.4.0, F5OS-A 1.5.0, F5OS-A 1.5.1

Opened: Mar 18, 2023

Severity: 1-Blocking

Symptoms

After reboot of the F5OS-A rSeries system in any operations (for example, live upgrade, reboot), FIPS HSM card might not become operational, and tenants that were running earlier might not come into a running state. This is due to the handshake failure between the liquid security driver and the HSM card. The driver gets stuck in SAFE_STATE instead of coming into SECURE_OPERATIONAL_STATE. The driver state can be checked with the below command on the host system. [root@appliance-1 ~]# cat /proc/cavium_n3fips/driver_state HSM 0:SECURE_OPERATIONAL_STATE [root@appliance-1 ~]#

Impact

FIPS HSM is not operational in the system, which results in FIPS tenants deployed on the F5OS rSeries host do not work as expected. They do not change to a RUNNING state.

Conditions

The issue might occur in a live software upgrade or any situation that involves a reboot of the rSeries FIPS system with F5OS-A. The below logs will be observed in dmesg repeatedly for every retry of the hand shake between driver and HSM card. [ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting [ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Workaround

As the driver is stuck in "HSM 0:SAFE_STATE", a power reboot will resolve the issue. Below are the steps to follow: 1. Power off 2. Wait for 5 minutes 3. Power on

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips