Symptoms
After a reboot of an F5OS-A rSeries system during any operation (for example, a live upgrade or a reboot), the FIPS HSM card might not become operational, and tenants that were previously running might not return to a running state. This is caused by a handshake failure between the liquid security driver and the HSM card: the driver gets stuck in SAFE_STATE instead of reaching SECURE_OPERATIONAL_STATE.
The driver state can be checked on the host system with the following command.
[root@appliance-1 ~]# cat /proc/cavium_n3fips/driver_state
HSM 0:SECURE_OPERATIONAL_STATE
[root@appliance-1 ~]#
Impact
The FIPS HSM is not operational in the system, so FIPS tenants deployed on the F5OS rSeries host do not work as expected and do not change to a RUNNING state.
Conditions
The issue might occur during a live software upgrade or in any situation that involves a reboot of an rSeries FIPS system running F5OS-A.
The following messages appear repeatedly in dmesg, once for every retry of the handshake between the driver and the HSM card.
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION
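The two checks above (driver state and the repeating dmesg messages) can be combined into one post-reboot check. This is an added example, not F5 code: the function names are hypothetical, and it assumes the state file holds one "HSM n:STATE" line per card, as in the output shown under Symptoms.

```shell
#!/bin/sh
# Added example (not F5 code). State and log formats are taken from the article.

# Print each HSM whose state is not SECURE_OPERATIONAL_STATE, e.g. "HSM 0:SAFE_STATE".
hsm_not_operational() {
    awk -F: '/^HSM [0-9]+:/ {
        gsub(/[ \t\r]+$/, "", $2)
        if ($2 != "SECURE_OPERATIONAL_STATE") print $1 ":" $2
    }' "$1"
}

# Count firmware-reset retries logged by the driver; kernel log on stdin.
count_reset_retries() {
    grep -c 'liquidsec_pf_vf_driver .*RESETTING FIRMWARE' || true
}

# check_hsm STATE_FILE < kernel_log
# Returns 0 = operational, 1 = stuck as described above, 2 = state unreadable.
check_hsm() {
    if [ ! -r "$1" ] || ! grep -q '^HSM [0-9][0-9]*:' "$1"; then
        echo "UNKNOWN: no HSM state in $1"
        return 2
    fi
    retries=$(count_reset_retries)
    bad=$(hsm_not_operational "$1")
    if [ -z "$bad" ]; then
        echo "OK: all HSMs in SECURE_OPERATIONAL_STATE"
        return 0
    fi
    echo "FAIL: $bad; firmware reset retries logged: $retries"
    return 1
}

# Constructed sample log for offline runs (message text as in the article).
sample_log() {
    cat <<'EOF'
[  964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[  964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION
EOF
}

# Live use on the host: sh hsm_check.sh --live
if [ "${1:-}" = "--live" ]; then
    dmesg | check_hsm /proc/cavium_n3fips/driver_state
    exit $?
fi
```

A return code of 1 together with a non-zero retry count matches the condition this article describes.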
Workaround
Because the driver is stuck in "HSM 0:SAFE_STATE", a power reboot will resolve the issue.
Follow these steps:
1. Power off
2. Wait for 5 minutes
3. Power on