Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp721451pxf; Thu, 1 Apr 2021 11:46:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzIIS9Aep0cMV/uVZcYebKJFc7aR32ob6pAGh7qgzSM8AC/Xcz57hyVgvdhtF4c1t7mPKUt X-Received: by 2002:a17:906:4407:: with SMTP id x7mr10429601ejo.546.1617302798564; Thu, 01 Apr 2021 11:46:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617302798; cv=none; d=google.com; s=arc-20160816; b=awaV0TShhM+9pXSdPzZdfKH3+8EoUhvMRjWRYg39+Oiz0CL9nRhVFf9D1zppuZKcjJ 7r5MkVP35W66Pbyn8qoaMOgbOc27HP1riys1i1YDP2t2HHCXdp740TIDlEdsknAW9QmS rBkjK8eFIcMbOQ1vJsyhTSrYLpS0BxXZNtM9AottUaRBbB7B+N/+CEHJSlCMvLZYBHH3 1JO2F8Hz+qDICkEEFSSgOfNsCfbKcdTyFIPoaTadi1UMdQ1CJEw3R1KksuZhNjmcjHMh H98011qEeyDJqXQkDH1MAPzCW2kJQ3Njjzg7WgJ1Uzh8xOOIGKX4CFe1qRgraT2v0kG/ aOGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=az0fNdxk5DqjAhFlCkonGaa7c0oBT5G6h4s8RaHP4AQ=; b=TRLpE45K46OJC8hpuA5hX+xmKoo3atg2Nt3DMsR+XQanGyS8TGtINso/h30atcDS4p Z/aYl6Mw1C+9FeU2n7QB1t7YH6elLSsPFtoC6VyQiFy7pEHyH9W/x+cZDMqxPStSQy/A QVplqAqmyeJqHRWZYveJjPWggyb9eH068fgea4wIuVroavcyeEztrj0MYZ/1iwLXw5di HU6mdCq1b8kr+e0NyuwG8DAPcpt5qLkzzock0I//MVX9V4zBL30kVxgjZSZajiwxwJ2z 4BFt6YMQne/UQilBso00Wt9mcK9Tb2c3TRSknFaiWY1IAxX91JCmEXjY96+1TTkyfZw+ IH/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pBk4gX5r; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f1si4493744ejh.95.2021.04.01.11.46.09; Thu, 01 Apr 2021 11:46:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pBk4gX5r; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236993AbhDASqE (ORCPT + 99 others); Thu, 1 Apr 2021 14:46:04 -0400 Received: from mail.kernel.org ([198.145.29.99]:35172 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235585AbhDASnD (ORCPT ); Thu, 1 Apr 2021 14:43:03 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 42B006127B; Thu, 1 Apr 2021 13:54:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1617285276; bh=E1MzlRBNIUjGJaXAAgyCF+55RPXojah69hWzY81rL8c=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=pBk4gX5rfgrUemMy5yDME4Jyw/HzyUy3oVmxgTnxb79E871sCtPVOAnWY/vjCptNL SIaj7j2dZpzqpv7eYCA4iUZMUR8qeGTsZKw4RRqI7t01LFvG4lSs9dZPU0EwL1bZY5 T9ep+vhTQXFOVsK2lVLLqSLt8eBw8sxWL7mhpj8FOXSo1FFmO53pT5/IFHBn+f8Di5 bgbquLapdAAP0PL9xSH7Gj6sTrYHUKZ+kmhq+aKkBfULJo6XQBJxcKs+MGDZbDwW0F oMcolbp01BacVr4vANlxD8gQZRGJNX4GXndu2EcQb5jH7fkg/sDQR6qK3IkFrMmo+l QXUCQygpm/OBw== Received: by mail-oo1-f51.google.com with SMTP id h3-20020a4ae8c30000b02901b68b39e2d3so569315ooe.9; Thu, 01 Apr 2021 06:54:36 -0700 (PDT) X-Gm-Message-State: AOAM530+kgodvJ8gJ77+FkpKsizkHPfrLwQ2rK5D1drvtTIjKH8BzmT7 ilq23soBUwH6WNKj1Qkenuv8BTtGO9FxUdLvOQk= X-Received: by 2002:a4a:395d:: with SMTP id x29mr7229111oog.41.1617285275577; Thu, 01 Apr 2021 06:54:35 -0700 (PDT) MIME-Version: 1.0 References: <4e95307db43e2f7cc8516e645b81db7db0dd8ad4.camel@redhat.com> <504652e70f0a4e42e4927583b9ed47cd78590329.camel@redhat.com> In-Reply-To: From: Ard Biesheuvel Date: Thu, 1 Apr 2021 15:54:23 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: Fix hibernation in FIPS mode? To: "Rafael J. Wysocki" Cc: Simo Sorce , Dexuan Cui , "linux-pm@vger.kernel.org" , "crecklin@redhat.com" , "linux-crypto@vger.kernel.org" , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, 1 Apr 2021 at 15:38, Rafael J. Wysocki wrote: > > On Thu, Apr 1, 2021 at 10:47 AM Ard Biesheuvel wrote: > > > > On Tue, 30 Mar 2021 at 21:56, Simo Sorce wrote: > > > > > > On Tue, 2021-03-30 at 21:45 +0200, Ard Biesheuvel wrote: > > > > On Tue, 30 Mar 2021 at 20:05, Simo Sorce wrote: > > > > > On Tue, 2021-03-30 at 16:46 +0200, Rafael J. Wysocki wrote: > > > > > > On Tue, Mar 30, 2021 at 12:14 AM Dexuan Cui wrote: > > > > > > > Hi, > > > > > > > MD5 was marked incompliant with FIPS in 2009: > > > > > > > a3bef3a31a19 ("crypto: testmgr - Skip algs not flagged fips_allowed in fips mode") > > > > > > > a1915d51e8e7 ("crypto: testmgr - Mark algs allowed in fips mode") > > > > > > > > > > > > > > But hibernation_e820_save() is still using MD5, and fails in FIPS mode > > > > > > > due to the 2018 patch: > > > > > > > 749fa17093ff ("PM / hibernate: Check the success of generating md5 digest before hibernation") > > > > > > > > > > > > > > As a result, hibernation doesn't work when FIPS is on. > > > > > > > > > > > > > > Do you think if hibernation_e820_save() should be changed to use a > > > > > > > FIPS-compliant algorithm like SHA-1? > > > > > > > > > > > > I would say yes, it should. > > > > > > > > > > > > > PS, currently it looks like FIPS mode is broken in the mainline: > > > > > > > https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg49414.html > > > > > > > > > > FYI, SHA-1 is not a good choice, it is only permitted in HMAC > > > > > constructions and only for specified uses. If you need to change > > > > > algorithm you should go straight to SHA-2 or SHA-3 based hashes. > > > > > > > > > > > > > What is the reason for using a [broken] cryptographic hash here? if > > > > this is just an integrity check, better use CRC32 > > Not really. > > CRC32 is not really sufficient for integrity checking here AFAICS. It > might be made a fallback option if MD5 is not available, but making it > the default would be somewhat over the top IMO. > > > > If the integrity check is used exclusively to verify there were no > > > accidental changes and is not used as a security measure, by all means > > > I agree that using crc32 is a better idea. > > > > > > > Looking at 62a03defeabd58f74e07ca030d6c21e069d4d88e which introduced > > this, it is only a best effort check which is simply omitted if md5 > > happens to be unavailable, so there is definitely no need for crypto > > here. > > Yes, it is about integrity checking only. No, CRC32 is not equivalent > to MD5 in that respect AFAICS. > There are two possibilities: - we care about an adversary attempting to forge a collision, in which case you need a cryptographic hash which is not broken; - we only care about integrity, in which case crypto is overkill, and CRC32 is sufficient. (Note that the likelihood of an honest, inadvertent modification not being caught by CRC32 is 1 in 4 billion) MD5 does not meet either requirement, given that it is known to be broken, and overkill for simple integrity checks. MD5 should be phased out and removed, and moving this code onto the correct abstraction would be a reasonable step towards that goal.