Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp715634pxf; Thu, 1 Apr 2021 11:36:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzzrLfcOXVUMscBJ9DpxJkeX31vAPRgR2uqSyxpzrvpb/Oa3buB95aYyTWyvJq+20eivzn5 X-Received: by 2002:a50:e80c:: with SMTP id e12mr11502254edn.229.1617302208159; Thu, 01 Apr 2021 11:36:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617302208; cv=none; d=google.com; s=arc-20160816; b=nHGd0SUBMWKU3V5SBz59//puUS/9KGTpyZTpwvxgNBtNvxzMVulmxV8fQyBol3Xu2x saVU1XtXrlIN5m8uaG2ASp0LVsUj/6jIWCNLnzC+d2B/+JsmxYripBOSfJDs83Gdyb+H LnqieeN/ichyu3gIbmgpI5tElTB1EpRr+5D9isFMJX+1tYCVvdGQhIfeYUiPA5LSeDg1 KALdm15PrQVfYuShkfxEElq18eTPGr0rdQmajjwsoFhvec54jqZjajrJtRhXpmEKphZJ yLW1p3jYu8d6SqPpvYXhrBud9FNdev5mZYzewyp2L3r43nXcwbsoLXAl5Bgb2PmD4kmu Ppqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version; bh=NceWVRPYS7nNidFPd8tJDQfG9QQ6Am5einMv70McUlY=; b=N1qbkJ6ADeiIFcSMekr2xWLmyoe1Dn23rcOYgnQoR2W9R2woQQpmFhB0nOufjNx5xW jodSA29pIkwLtpqwtLSd1yQgG7rHyKNKHLIPe81n9ubMYdSLmyaC3vPV3igMSOuQcckv DfQyBGZKiyQXnPq2cQHjYJdrqSlV8IMRyYgOOUrO++MONmjT2QjMYNuKAgHQ0KsM04JA HNi7pmLQMj/nOeLbZZBL/FlQ3RvhaEtcACNeIUHZb9P7P1tLRl341B/4hG1fLdMAiPyj bcA0XZNhFCIikkrL5hAkypjcKzpRvVvT49+MTdeZbRNhXPEMyHi2dG0i2RSOLHOYi1wA +/hA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ga37si4987548ejc.4.2021.04.01.11.36.22; Thu, 01 Apr 2021 11:36:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235721AbhDAScB (ORCPT + 99 others); Thu, 1 Apr 2021 14:32:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237290AbhDASTE (ORCPT ); Thu, 1 Apr 2021 14:19:04 -0400 Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B855BC02FE96; Thu, 1 Apr 2021 09:02:24 -0700 (PDT) Received: by mail-oi1-x233.google.com with SMTP id w70so2300029oie.0; Thu, 01 Apr 2021 09:02:24 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NceWVRPYS7nNidFPd8tJDQfG9QQ6Am5einMv70McUlY=; b=qAiDjUgsiJhKQpQgHxcvrxqSzpnXMiIzfeINJLQa0z5FzehGNhAQOCvLGixbfq0gki yfXOBWwVei8e5M9Y1fd31JpTbNbYyFKNVwKNW9+yCCqzyQSzuj0hzsWAgOHWujneTWJ1 vwd9u5KZlejXJ4yzsGeUMz8Z0CbR5v46OhHtllrbAGxLO1rPF/SL3SgWWISk3QtsklR/ QBG0uD7FBX8pj60hwncr/fiFmkNnDk5dZxxi3RBtZBCwkCURbB1rRLxOcuBEMb9PEkZO q/56Y5Ef3Us7uju3SISEMnhB6KOWBErcQ1jY476lnyO4PxG4ENLXO2/tkuc6GoHPal+b 3pqw== X-Gm-Message-State: AOAM531EAPngxAHFzPBYWOo95u5s28TfiD8POXWlzRfch/u8oyNJSkk8 L2naWJ7+hLFEeOvNMdNozKrMYrRFavHKajqBwP8= X-Received: by 2002:aca:c4c5:: with SMTP id u188mr6514855oif.71.1617292943979; Thu, 01 Apr 2021 09:02:23 -0700 (PDT) MIME-Version: 1.0 References: <4e95307db43e2f7cc8516e645b81db7db0dd8ad4.camel@redhat.com> <504652e70f0a4e42e4927583b9ed47cd78590329.camel@redhat.com> In-Reply-To: From: "Rafael J. Wysocki" Date: Thu, 1 Apr 2021 18:02:12 +0200 Message-ID: Subject: Re: Fix hibernation in FIPS mode? To: Ard Biesheuvel Cc: "Rafael J. Wysocki" , Simo Sorce , Dexuan Cui , "linux-pm@vger.kernel.org" , "crecklin@redhat.com" , "linux-crypto@vger.kernel.org" , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Apr 1, 2021 at 3:54 PM Ard Biesheuvel wrote: > > On Thu, 1 Apr 2021 at 15:38, Rafael J. Wysocki wrote: > > > > On Thu, Apr 1, 2021 at 10:47 AM Ard Biesheuvel wrote: > > > > > > On Tue, 30 Mar 2021 at 21:56, Simo Sorce wrote: > > > > > > > > On Tue, 2021-03-30 at 21:45 +0200, Ard Biesheuvel wrote: > > > > > On Tue, 30 Mar 2021 at 20:05, Simo Sorce wrote: > > > > > > On Tue, 2021-03-30 at 16:46 +0200, Rafael J. Wysocki wrote: > > > > > > > On Tue, Mar 30, 2021 at 12:14 AM Dexuan Cui wrote: > > > > > > > > Hi, > > > > > > > > MD5 was marked incompliant with FIPS in 2009: > > > > > > > > a3bef3a31a19 ("crypto: testmgr - Skip algs not flagged fips_allowed in fips mode") > > > > > > > > a1915d51e8e7 ("crypto: testmgr - Mark algs allowed in fips mode") > > > > > > > > > > > > > > > > But hibernation_e820_save() is still using MD5, and fails in FIPS mode > > > > > > > > due to the 2018 patch: > > > > > > > > 749fa17093ff ("PM / hibernate: Check the success of generating md5 digest before hibernation") > > > > > > > > > > > > > > > > As a result, hibernation doesn't work when FIPS is on. > > > > > > > > > > > > > > > > Do you think if hibernation_e820_save() should be changed to use a > > > > > > > > FIPS-compliant algorithm like SHA-1? > > > > > > > > > > > > > > I would say yes, it should. > > > > > > > > > > > > > > > PS, currently it looks like FIPS mode is broken in the mainline: > > > > > > > > https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg49414.html > > > > > > > > > > > > FYI, SHA-1 is not a good choice, it is only permitted in HMAC > > > > > > constructions and only for specified uses. If you need to change > > > > > > algorithm you should go straight to SHA-2 or SHA-3 based hashes. > > > > > > > > > > > > > > > > What is the reason for using a [broken] cryptographic hash here? if > > > > > this is just an integrity check, better use CRC32 > > > > Not really. > > > > CRC32 is not really sufficient for integrity checking here AFAICS. It > > might be made a fallback option if MD5 is not available, but making it > > the default would be somewhat over the top IMO. > > > > > > If the integrity check is used exclusively to verify there were no > > > > accidental changes and is not used as a security measure, by all means > > > > I agree that using crc32 is a better idea. > > > > > > > > > > Looking at 62a03defeabd58f74e07ca030d6c21e069d4d88e which introduced > > > this, it is only a best effort check which is simply omitted if md5 > > > happens to be unavailable, so there is definitely no need for crypto > > > here. > > > > Yes, it is about integrity checking only. No, CRC32 is not equivalent > > to MD5 in that respect AFAICS. > > > > There are two possibilities: > - we care about an adversary attempting to forge a collision, in which > case you need a cryptographic hash which is not broken; > - we only care about integrity, in which case crypto is overkill, and > CRC32 is sufficient. (Note that the likelihood of an honest, > inadvertent modification not being caught by CRC32 is 1 in 4 billion) That depends on how you count. Surely, there are modifications caught by MD5 that will not be caught by CRC32. > MD5 does not meet either requirement, given that it is known to be > broken, and overkill for simple integrity checks. MD5 should be phased > out and removed, and moving this code onto the correct abstraction > would be a reasonable step towards that goal. This clearly is a matter of opinion. I'm not religious about it though. If there is a general consensus that CRC32 is sufficient for error detection in hibernation files, then it can be used. So is there such a consensus and if so, can you give me a pointer to some research that it is based on?