Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp880012pxf; Thu, 8 Apr 2021 15:16:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzhgdZWO1Q7YX89nOe89BOhJgk1/jURXSqzsdmbHWiWXMbtvb9I4C6i0owixARjj7CL6l7W X-Received: by 2002:a17:902:bd45:b029:e7:1490:9db5 with SMTP id b5-20020a170902bd45b02900e714909db5mr9752489plx.45.1617920194853; Thu, 08 Apr 2021 15:16:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617920194; cv=none; d=google.com; s=arc-20160816; b=AG0jTLeVvP6z6XIgTXbIVoaPUwIs71xFp1N8WpV4SFUn1U22Nd5cd22ndENhPd6SMW qRlG5AvJ3F/dHzVD5nZLCD1mqTvPDIY0z/KeEA0qWVHxTo2Ouql6vxV78LEDTpdubGNy 3YWdD6TowGAJKQAzovijK9WjaC52QIxb9nnp5VUUJeqRiJgkEj/h7GPXf9tumLH0+PSi HLbH530JMHHESBpr8ldd1gVEoPRZ0zOFyOLt3KZ9HKtXg1SvxZdb89a2HAwjYqB3u82y Nuu8KC/ZfrTIHZiSHHOWZ5sVg3Dta2c5905gOtL0oIZtUUkd7nEoTJTQvqrsqDs4ZtIl 85IA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=f53Jf6JjQR5CMt6Ykm4q1l2b8XVAEN4/334rnWuEa2Y=; b=wJ/OFNSCYD+22aXu58b5FPOb9GKENUbxZLnuuCztfQ8hxK7fELhsjYuw0Qx8c65TMu a1iMGG6nVR+MvnCSwBG4e5MIKIEXW7NUNJFnQZsDTlQzmDuiAQf+5FEFzS/U++vVvVy2 4UJdJIgGeuaZQ++Wlb+sG8HpR1uOhFIB3kYb+q6vp7ymyO1fxNaumQq8u6yIGKrh57R3 sdybJ1y1W3EfXOwW6FYyQ3jg2FRa6KMgtarDalD876RUG0e0qbIvx9OzYrwg25OSgkJD PnrgetMEDfBdzclMhpWTBiQkCVgtnGjk8ryiUpBjvEFtoA78cH7pDYOXPp74SCVUr/0D SZZQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Rh1ayv16; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b1si651265pfl.21.2021.04.08.15.16.15; Thu, 08 Apr 2021 15:16:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Rh1ayv16; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232376AbhDHWQV (ORCPT + 99 others); Thu, 8 Apr 2021 18:16:21 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:35122 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232265AbhDHWQU (ORCPT ); Thu, 8 Apr 2021 18:16:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1617920168; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=f53Jf6JjQR5CMt6Ykm4q1l2b8XVAEN4/334rnWuEa2Y=; b=Rh1ayv16guG5Pir5SfyDP903d69yRDzmh1dttmO7qUi6afHj/EAa+tbJLJj/RtB2Jv0GVR YY5ZD4DdgPPcfhMS8DXjyFmYOhxPNGTwMkB0DIpUPISuQyfpE1jRfmhuqqqBlutj2AXfJy MpUG4uY6uCXsI0+1iM1Qkhkuhe53RiQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-56-co5dfCUxNFC3A9BXaJX4sg-1; Thu, 08 Apr 2021 18:16:06 -0400 X-MC-Unique: co5dfCUxNFC3A9BXaJX4sg-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9F12B801814; Thu, 8 Apr 2021 22:16:05 +0000 (UTC) Received: from ovpn-112-53.phx2.redhat.com (ovpn-112-53.phx2.redhat.com [10.3.112.53]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A711C6A97E; Thu, 8 Apr 2021 22:16:01 +0000 (UTC) Message-ID: <5b9206d9d451de1358a2c633ebe460eeb5a84749.camel@redhat.com> Subject: Re: [PATCH net-next] [RESEND] wireguard: disable in FIPS mode From: Simo Sorce To: "Jason A. Donenfeld" Cc: Hangbin Liu , Netdev , Toke =?ISO-8859-1?Q?H=F8iland-J=F8rgensen?= , Jakub Kicinski , Ondrej Mosnacek , Linux Crypto Mailing List Date: Thu, 08 Apr 2021 18:16:00 -0400 In-Reply-To: References: <20210407113920.3735505-1-liuhangbin@gmail.com> Organization: Red Hat, Inc. Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, 2021-04-08 at 15:55 -0600, Jason A. Donenfeld wrote: > On Thu, Apr 8, 2021 at 7:55 AM Simo Sorce wrote: > > > I'm not sure this makes so much sense to do _in wireguard_. If you > > > feel like the FIPS-allergic part is actually blake, 25519, chacha, and > > > poly1305, then wouldn't it make most sense to disable _those_ modules > > > instead? And then the various things that rely on those (such as > > > wireguard, but maybe there are other things too, like > > > security/keys/big_key.c) would be naturally disabled transitively? > > > > The reason why it is better to disable the whole module is that it > > provide much better feedback to users. Letting init go through and then > > just fail operations once someone tries to use it is much harder to > > deal with in terms of figuring out what went wrong. > > Also wireguard seem to be poking directly into the algorithms > > implementations and not use the crypto API, so disabling individual > > algorithm via the regular fips_enabled mechanism at runtime doesn't > > work. > > What I'm suggesting _would_ work in basically the exact same way as > this patch. Namely, something like: > > diff --git a/lib/crypto/curve25519.c b/lib/crypto/curve25519.c > index 288a62cd29b2..b794f49c291a 100644 > --- a/lib/crypto/curve25519.c > +++ b/lib/crypto/curve25519.c > @@ -12,11 +12,15 @@ > #include > #include > #include > +#include > > bool curve25519_selftest(void); > > static int __init mod_init(void) > { > + if (!fips_enabled) > + return -EOPNOTSUPP; > + > if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) && > WARN_ON(!curve25519_selftest())) > return -ENODEV; > > Making the various lib/crypto/* modules return EOPNOTSUPP will in turn > mean that wireguard will refuse to load, due to !fips_enabled. It has > the positive effect that all other things that use it will also be > EOPNOTSUPP. > > For example, what are you doing about big_key.c? Right now, I assume > nothing. But this way, you'd get all of the various effects for free. > Are you going to continuously audit all uses of non-FIPS crypto and > add `if (!fips_enabled)` to every new use case, always, everywhere, > from now into the boundless future? By adding `if (!fips_enabled)` to > wireguard, that's what you're signing yourself up for. Instead, by > restricting the lib/crypto/* modules to !fips_enabled, you can get all > of those transitive effects without having to do anything additional. I guess that moving the fips check down at the algorithms level is a valid option. There are some cases that will be a little iffy though, like when only certain key sizes cannot be accepted, but for the wireguard case it would be clean. > Alternatively, I agree with Eric - why not just consider this outside > your boundary? For certification purposes wireguard is not part of the module boundary (speaking only for my company in this case). But that is not the issue. There is an expectation by customers that, when the kernel is in fips mode, non-approved cryptography is not used (given those customers are required by law/regulation to use only approved/certified cryptography). So we still have a strong desire, where possible, to not allow the kernel to use non-certified cryptography, regardless of what is the crypto module boundary (we do the same in user space). HTH, Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc