Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp2729950pxb; Mon, 31 Jan 2022 03:05:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJz7D4ToerCroPKrBXt35tZ38wRq9EiQiRxO16vSheRubeVWoHB5AhePMzc7BoeBDXdKKVAF X-Received: by 2002:a17:90b:3841:: with SMTP id nl1mr34203380pjb.50.1643627148618; Mon, 31 Jan 2022 03:05:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643627148; cv=none; d=google.com; s=arc-20160816; b=SbdMQ8EN9krQd3DmS4At7T8GKlV/GVgsBQ7myP5fPImSXoqpeGjhNJ7hVGKu1og9Tm UiMgFB+A+lkgz2hSqzcxDJQhfk4IY3rfv5CNOWq4txW9xFokFUOh4+BFIX14ixVmFiST fdXardm/pSrN8WKV807JA9IkX8vDv2wtvqF0M/y7hlGa+S6Vk0bXhd8ajJo+wli30P3g 1YPeOuX2q+0kIIo0DFiR7TSFXZAHzicavd/pnwNzVr3yPXALrYlYx/BR+QZ1ShHmaxrA pxEUHgOIRBKhVQGO9OXbmFODIdnRmwXcEn5lduaoSYnLBa5aVNIIRSbLCttSKvgumIQd L/6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:message-id:in-reply-to:date:references:subject:cc:to :from:dkim-signature:dkim-signature; bh=CTHAmo7gQBUFA1fTDySimisIz/TBMzybVfp9a9saT4Q=; b=w0C/+jBtoAC/+qtVkEo03uve3sRfq0R4ZIfhuN4SQeouNqMxfuaq0uH3MT+pJ91FYD wFBwew5HW+PFMUrwLoUaYf4MnLBEHe8DcsRAMtAYD4X/0y1MTEwzFROMFaPUQCa36hNL qdXh7z9V5931TMx2B/858fFLsXJqH2+ujneCfKLXpjNd80V+YhTBG80sWOalfWrHdEpz KZcFx7jKp0kYAnNdihcAPgYY+DFrrnCVBGGbZ9uP7ZAkK5MDqfX35ozvPtKLzy9ppbER kLYC3xQWAr0Pq7BJVmo6xMjviuvJX1YZqS33ueY8PmTh7MyidL7G4GcmsjYTDUIvxxkq DMWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Br58rQV4; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q14si15461127plx.59.2022.01.31.03.05.36; Mon, 31 Jan 2022 03:05:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Br58rQV4; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348906AbiA1OOn (ORCPT + 99 others); Fri, 28 Jan 2022 09:14:43 -0500 Received: from smtp-out2.suse.de ([195.135.220.29]:53126 "EHLO smtp-out2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348069AbiA1OOl (ORCPT ); Fri, 28 Jan 2022 09:14:41 -0500 Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 8E2311F385; Fri, 28 Jan 2022 14:14:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1643379280; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CTHAmo7gQBUFA1fTDySimisIz/TBMzybVfp9a9saT4Q=; b=Br58rQV4TYwrowQa6637A4b+moWJk+s72s31wv5NA85IbeRSj2FH0MJoj6ejEVBC8WKOxK YFl6EuzrttQAvXfuNiI2OJI3i/IYCeKxgS0J++ahGWUoJ+NAJY70Li/l0N0tql1POs55fe nVAbj08A5zimTJHy/wwAVEeG/gEVSfI= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1643379280; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CTHAmo7gQBUFA1fTDySimisIz/TBMzybVfp9a9saT4Q=; b=DCEBqbOv/dHXxtGmJWmsYD0iyk/HhW/q4LaDm9GwQF8zHLkLDu9gfb77CmRkuLk49cyx8w +LuhKOEwUzJ/ilCg== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 07B3813487; Fri, 28 Jan 2022 14:14:40 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 8zpKAFD682FLHAAAMHmgww (envelope-from ); Fri, 28 Jan 2022 14:14:40 +0000 From: Nicolai Stange To: Herbert Xu Cc: Nicolai Stange , Stephan Mueller , "David S. Miller" , Hannes Reinecke , Torsten Duwe , Zaibo Xu , Giovanni Cabiddu , David Howells , Jarkko Sakkinen , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, qat-linux@intel.com, keyrings@vger.kernel.org, simo@redhat.com, Eric Biggers , Petr Vorel Subject: Re: [v2 PATCH] crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1) References: <20211209090358.28231-1-nstange@suse.de> <87r1a7thy0.fsf@suse.de> <2468270.qO8rWLYou6@tauon.chronox.de> <871r1eyamd.fsf@suse.de> <87k0f2hefl.fsf@suse.de> Date: Fri, 28 Jan 2022 15:14:39 +0100 In-Reply-To: (Herbert Xu's message of "Fri, 14 Jan 2022 21:55:26 +1100") Message-ID: <87v8y4dk1c.fsf@suse.de> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Herbert Xu writes: > On Fri, Jan 14, 2022 at 10:09:02AM +0100, Nicolai Stange wrote: > >> This looks all good to me, but as !->fips_allowed tests aren't skipped >> over anymore now, it would perhaps make sense to make their failure >> non-fatal in FIPS mode. Because in FIPS mode a failure could mean a >> panic and some of the existing TVs might not pass because of e.g. some >> key length checks or so active only for fips_enabled... > > You mean a buggy non-FIPS algorithm that fails when tested in > FIPS mode? I guess we could skip the panic in that case if > everyone is happy with that. Stephan? One more thing I just realized: dracut's fips module ([1]) modprobes tcrypt (*) and failure is considered fatal, i.e. the system would not boot up. First of all this would mean that tcrypt_test() needs to ignore -ECANCELED return values from alg_test() in FIPS mode, in addition to the -EINVAL it is already prepared for. However, chances are that some of the !fips_allowed algorithms looped over by tcrypt are not available (i.e. not enabled at build time) and as this change here makes alg_test() to unconditionally attempt a test execution now, this would fail with -ENOENT AFAICS. One way to work around this is to make tcrypt_test() to ignore -ENOENT in addition to -EINVAL and -ECANCELED. It might be undesirable though that the test executions triggered from tcrypt would still instantiate/load a ton of !fips_allowed algorithms at boot, most of which will effectively be inaccessible (because they're not used as FIPS_INTERNAL arguments to fips_allowed =3D=3D 1 template instances). So how about making alg_test() to skip the !fips_allowed tests in FIPS mode as before, but to return -ECANCELED and eventually set FIPS_INTERNAL as implemented with this patch here. This would imply that FIPS_INTERNAL algorithms by themselves remain untested, but I think this might be Ok as they would be usable only as template arguments in fips_allowed instantiations. That is, they will still receive some form of testing when the larger construction they're part of gets tested. For example, going with the "dh" example, where "dh" and "ffdhe3072(dh)" would have fips_allowed unset and set respecively, ffdhe3072(dh) as a whole would get tested, but not the "dh" argument individually. Stephan, would this approach work from a FIPS 140-3 perspective? Thanks! Nicolai [1] https://git.kernel.org/pub/scm/boot/dracut/dracut.git/tree/modules.d/01= fips/fips.sh#n106 (*) I'm not sure why this is being done, but it is what it is. --=20 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 N=C3=BCrnberg, G= ermany (HRB 36809, AG N=C3=BCrnberg), GF: Ivo Totev