Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp2736326pxb; Mon, 31 Jan 2022 03:14:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJzl1nmPIBLNYueOm7VqenTYCwQO2x5DGODS7ls0LufRGn0iJPXEZdc55jqmeW8v6os0F6Yv X-Received: by 2002:a17:90b:4b01:: with SMTP id lx1mr33600965pjb.158.1643627648085; Mon, 31 Jan 2022 03:14:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643627648; cv=none; d=google.com; s=arc-20160816; b=JmiGcwIp8jHHMKXNmed1TRCzNPE03CuMUg5N6IXyRHG8lbNSftTz0qqMBeG/HVO1JM 3knx7hIhMYy4WY5zlgZc9EyDWi5roz5+GMLlZuCTys2f1LyYRUNQtL0I0ydLcxjM1TJ9 9GKlZaGcZN1c88xpS4klSk56f+XFwqr4MaAQRA3GUq94R5qJJkIVTutfgJSn/kr7LQtx Vxmf7ZpcM/t1WGxRpQeVwdaG8RT0zgL8Ge0+BDLLqcKMHBeMl0lP8EWlszRFe9wjqTIY uV8k6qkpcOm7lGdVwcZrc/wAW2fe7ZwK8lqJgLNjzg2dinvGAJ8aLvAC065gpmjPYRpd bKbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=FbbK5BCqwc+LVSOODivmoMY7VA5yrwUnCl/SUOH2vUk=; b=wrnWfhwH0Sr1lRRUQUmUuPvLegEHblPyhWxJdWhJlQYi3l/olPt77UZvk/FyAklVmR 4tJDcVTYRbJ4FCfwkd/4ff5u+TX7XgA+VfN5bjDhiGWmgXzRKCgCZgzp5fU1LJQ7NfWR b6MX9icr4xEysfcXJ8QNi0gkiMf4AtChJVb6gqNeSfa/T74g1+vRjzrg6AXtnwgKxhPS 4IA15hROuaL5n6ho0nKLoxMZEBoABPYZPndoMHh8N3BkL9tgrecicncomofgMf4NdTL3 cApYERi1nw8+gIUCBIidBGx8Acaih51FE6LPQ6YespA00BWc7OhdTtDQRbbfCjQTnmef B8Vw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chronox.de header.s=strato-dkim-0002 header.b=FYm+mIGj; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m132si11935572pfd.160.2022.01.31.03.13.53; Mon, 31 Jan 2022 03:14:08 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chronox.de header.s=strato-dkim-0002 header.b=FYm+mIGj; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237947AbiA1PuD (ORCPT + 99 others); Fri, 28 Jan 2022 10:50:03 -0500 Received: from mo4-p02-ob.smtp.rzone.de ([85.215.255.80]:34941 "EHLO mo4-p02-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232033AbiA1PuC (ORCPT ); Fri, 28 Jan 2022 10:50:02 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1643384996; s=strato-dkim-0002; d=chronox.de; h=References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Cc:Date: From:Subject:Sender; bh=FbbK5BCqwc+LVSOODivmoMY7VA5yrwUnCl/SUOH2vUk=; b=FYm+mIGjvMuxIoWGb4E8SJnLihAlEBBxtcdxXp55elBwEY4A6sAolUt+rDPK9UxlCo ZI11nop0nQwfkl5DlPVitY6M/5DeCYyItwF6OO95XAHZto1BAhWqdstwYaUjTaJ3Vn+C QEF2k3EEC6S8iPAFs2J4vwosklPuPQr/4EpfEneRBxDI3VEDqNXIa8xvWON4rCzNUN+I vtDQ45hu2wc4zeLpdHFdfShijxwvmRw16WKBifpC8St7Xg6/cmxumj0pV4vOP3J4Tu3x uzCgMCZLaMYaaQn+w2hs1QgjcnpHWOcw/99WZ478v+JUNe06qEsvOgTBP7cudrgaapgg hBXA== Authentication-Results: strato.com; dkim=none X-RZG-AUTH: ":P2ERcEykfu11Y98lp/T7+hdri+uKZK8TKWEqNyiHySGSa9k9xmwdNnzGHXvSOeuZzLM=" X-RZG-CLASS-ID: mo00 Received: from tauon.chronox.de by smtp.strato.de (RZmta 47.38.0 DYNA|AUTH) with ESMTPSA id v5f65ay0SFntwxY (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)) (Client did not present a certificate); Fri, 28 Jan 2022 16:49:55 +0100 (CET) From: Stephan Mueller To: Herbert Xu , Nicolai Stange Cc: Nicolai Stange , "David S. Miller" , Hannes Reinecke , Torsten Duwe , Zaibo Xu , Giovanni Cabiddu , David Howells , Jarkko Sakkinen , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, qat-linux@intel.com, keyrings@vger.kernel.org, simo@redhat.com, Eric Biggers , Petr Vorel Subject: Re: [v2 PATCH] crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1) Date: Fri, 28 Jan 2022 16:49:54 +0100 Message-ID: <1738803.My4pmAdfGn@tauon.chronox.de> In-Reply-To: <87v8y4dk1c.fsf@suse.de> References: <20211209090358.28231-1-nstange@suse.de> <87v8y4dk1c.fsf@suse.de> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Am Freitag, 28. Januar 2022, 15:14:39 CET schrieb Nicolai Stange: Hi Nicolai, > Herbert Xu writes: > > On Fri, Jan 14, 2022 at 10:09:02AM +0100, Nicolai Stange wrote: > >> This looks all good to me, but as !->fips_allowed tests aren't skipped > >> over anymore now, it would perhaps make sense to make their failure > >> non-fatal in FIPS mode. Because in FIPS mode a failure could mean a > >> panic and some of the existing TVs might not pass because of e.g. some > >> key length checks or so active only for fips_enabled... > > > > You mean a buggy non-FIPS algorithm that fails when tested in > > FIPS mode? I guess we could skip the panic in that case if > > everyone is happy with that. Stephan? > > One more thing I just realized: dracut's fips module ([1]) modprobes > tcrypt (*) and failure is considered fatal, i.e. the system would not > boot up. > > First of all this would mean that tcrypt_test() needs to ignore > -ECANCELED return values from alg_test() in FIPS mode, in addition to > the -EINVAL it is already prepared for. > > However, chances are that some of the !fips_allowed algorithms looped > over by tcrypt are not available (i.e. not enabled at build time) and as > this change here makes alg_test() to unconditionally attempt a test > execution now, this would fail with -ENOENT AFAICS. > > One way to work around this is to make tcrypt_test() to ignore -ENOENT > in addition to -EINVAL and -ECANCELED. > > It might be undesirable though that the test executions triggered from > tcrypt would still instantiate/load a ton of !fips_allowed algorithms at > boot, most of which will effectively be inaccessible (because they're > not used as FIPS_INTERNAL arguments to fips_allowed == 1 template > instances). > > So how about making alg_test() to skip the !fips_allowed tests in FIPS > mode as before, but to return -ECANCELED and eventually set > FIPS_INTERNAL as implemented with this patch here. > > This would imply that FIPS_INTERNAL algorithms by themselves remain > untested, but I think this might be Ok as they would be usable only as > template arguments in fips_allowed instantiations. That is, they will > still receive some form of testing when the larger construction they're > part of gets tested. > > For example, going with the "dh" example, where "dh" and "ffdhe3072(dh)" > would have fips_allowed unset and set respecively, ffdhe3072(dh) as > a whole would get tested, but not the "dh" argument individually. > > Stephan, would this approach work from a FIPS 140-3 perspective? Are we sure that we always will have power-up tests of the compound algorithms when we disable the lower-level algorithm testing? For example, consider the DH work you are preparing: we currently have a self test for dh - which then will be marked as FIPS_INTERNAL and not executed. Would we now have self tests for modpXXX(dh) or ffdheXXX(dh)? If not, how would it be guaranteed that DH is tested? The important part is that the algorithm testing is guaranteed. I see a number of alg_test_null in testmgr.c. I see the potential that some algorithms do not get tested at all when we skip FIPS_INTERNAL algorithms. From a FIPS perspective it is permissible that compound algo power up tests are claimed to cover respective lower-level algos. > > Thanks! > > Nicolai > > [1] > https://git.kernel.org/pub/scm/boot/dracut/dracut.git/tree/modules.d/01fips > /fips.sh#n106 (*) I'm not sure why this is being done, but it is what it is. Ciao Stephan