Message-ID: <65bb88b5-5071-4836-9923-939218d9a883@jvdsn.com>
Date: Tue, 16 Apr 2024 08:39:28 -0500
From: Joachim Vandersmissen
Subject: Re: [PATCH 2/2] certs: Guard RSA signature verification self-test
To: Herbert Xu
Cc: linux-crypto@vger.kernel.org, David Howells, Simo Sorce, Stephan Mueller
References: <20240416032347.72663-1-git@jvdsn.com> <20240416032347.72663-2-git@jvdsn.com>

Hi Herbert,

On 4/16/24 3:59 AM, Herbert Xu wrote:
> On Mon, Apr 15, 2024 at 10:23:47PM -0500, Joachim Vandersmissen wrote:
>> Currently it is possible to configure the kernel (albeit in a very
>> contrived manner) such that CRYPTO_RSA is not set, yet
>> FIPS_SIGNATURE_SELFTEST is set. This would cause a false kernel panic
>> when executing the RSA PKCS#7 self-test. Guard against this by
>> introducing a compile-time check.
>>
>> Signed-off-by: Joachim Vandersmissen
> The usual way to handle this is to add a select to the Kconfig file.

I did consider that initially, but I was unsure if this was the right
path. From a conceptual standpoint, this module doesn't need the RSA (or
ECDSA) functionality. If the algorithm is not present, it would be
perfectly valid for the module to do nothing. However, I'm not opposed
to removing the current check and adding the select to the Kconfig.

If I add a `select CRYPTO_RSA` to FIPS_SIGNATURE_SELFTEST, do you think
I should do something similar for ECDSA as well (considering the other
patch in this series)?

>
> Thanks,
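
A check for the configuration this thread describes, added here as an example and not part of the patch or the kernel tree: it reads a `.config` and reports when `FIPS_SIGNATURE_SELFTEST` is enabled while `CRYPTO_RSA` is unset or weaker, which is the constraint a Kconfig `select` would enforce. The function names and the `REQUIRES` table are assumptions, and the sample configs are constructed.

```python
import re

# Self-test symbol -> algorithm symbols it exercises. Only the RSA pairing comes
# from the thread; extend the table (e.g. for ECDSA) to match your tree.
REQUIRES = {"FIPS_SIGNATURE_SELFTEST": ["CRYPTO_RSA"]}

RANK = {"n": 0, "m": 1, "y": 2}
SET_RE = re.compile(r"^CONFIG_(\w+)=(.*)$")
UNSET_RE = re.compile(r"^# CONFIG_(\w+) is not set$")


def parse_dotconfig(text):
    """Map each symbol in a .config to its value ('n' when 'is not set')."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SET_RE.match(line):
            symbols[m.group(1)] = m.group(2).strip('"')
        elif m := UNSET_RE.match(line):
            symbols[m.group(1)] = "n"
    return symbols


def unmet_selftest_deps(text, requires=REQUIRES):
    """Return (selftest, algo, selftest_value, algo_value) for every pairing
    where the algorithm is weaker than the self-test (n < m < y), i.e. where
    the constraint a Kconfig `select` would enforce does not hold."""
    symbols = parse_dotconfig(text)
    findings = []
    for selftest, algos in requires.items():
        tval = symbols.get(selftest, "n")
        if RANK.get(tval, 0) == 0:
            continue  # self-test disabled, nothing to check
        for algo in algos:
            aval = symbols.get(algo, "n")
            if RANK.get(aval, 0) < RANK[tval]:
                findings.append((selftest, algo, tval, aval))
    return findings


# Constructed sample inputs, not taken from a real kernel build.
CONTRIVED = "CONFIG_KEYS=y\nCONFIG_FIPS_SIGNATURE_SELFTEST=y\n# CONFIG_CRYPTO_RSA is not set\n"
SELECTED = "CONFIG_FIPS_SIGNATURE_SELFTEST=m\nCONFIG_CRYPTO_RSA=y\n"

if __name__ == "__main__":
    for name, cfg in (("contrived", CONTRIVED), ("selected", SELECTED)):
        print(name, unmet_selftest_deps(cfg))
```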