From: Eric Biggers <[email protected]>
Since the signature self-test uses RSA and SHA-256, it must only be
enabled when those algorithms are enabled. Otherwise it fails and
panics the kernel on boot-up.
Reported-by: kernel test robot <[email protected]>
Closes: https://lore.kernel.org/oe-lkp/[email protected]
Fixes: 3cde3174eb91 ("certs: Add FIPS selftests")
Cc: [email protected]
Cc: Simo Sorce <[email protected]>
Cc: David Howells <[email protected]>
Signed-off-by: Eric Biggers <[email protected]>
---
crypto/asymmetric_keys/Kconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 59ec726b7c77..4abc58c55efa 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -83,7 +83,9 @@ config FIPS_SIGNATURE_SELFTEST
for FIPS.
depends on KEYS
depends on ASYMMETRIC_KEY_TYPE
depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER
depends on X509_CERTIFICATE_PARSER
+ depends on CRYPTO_RSA
+ depends on CRYPTO_SHA256
endif # ASYMMETRIC_KEY_TYPE
base-commit: ed30a4a51bb196781c8058073ea720133a65596f
--
2.44.0
Hi Eric,
On 4/22/24 4:10 PM, Eric Biggers wrote:
> From: Eric Biggers <[email protected]>
>
> Since the signature self-test uses RSA and SHA-256, it must only be
> enabled when those algorithms are enabled. Otherwise it fails and
> panics the kernel on boot-up.
I actually submitted two related patch recently which change the
structure of the PKCS#7 self-tests and add an ECDSA self-test. See
"[PATCH v2 1/2] certs: Move RSA self-test data to separate file" and
"[PATCH v2 2/2] certs: Add ECDSA signature verification self-test" on
2024-04-20. The explicit dependency on CRYPTO_RSA shouldn't be necessary
with those patches (I think).
However, I didn't consider CRYPTO_SHA256 there. I think it can remain
since both the RSA and proposed ECDSA self-tests use SHA-256.
>
> Reported-by: kernel test robot <[email protected]>
> Closes: https://lore.kernel.org/oe-lkp/[email protected]
> Fixes: 3cde3174eb91 ("certs: Add FIPS selftests")
> Cc: [email protected]
> Cc: Simo Sorce <[email protected]>
> Cc: David Howells <[email protected]>
> Signed-off-by: Eric Biggers <[email protected]>
> ---
> crypto/asymmetric_keys/Kconfig | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
> index 59ec726b7c77..4abc58c55efa 100644
> --- a/crypto/asymmetric_keys/Kconfig
> +++ b/crypto/asymmetric_keys/Kconfig
> @@ -83,7 +83,9 @@ config FIPS_SIGNATURE_SELFTEST
> for FIPS.
> depends on KEYS
> depends on ASYMMETRIC_KEY_TYPE
> depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER
> depends on X509_CERTIFICATE_PARSER
> + depends on CRYPTO_RSA
> + depends on CRYPTO_SHA256
>
> endif # ASYMMETRIC_KEY_TYPE
>
> base-commit: ed30a4a51bb196781c8058073ea720133a65596f
On Tue Apr 23, 2024 at 12:10 AM EEST, Eric Biggers wrote:
> From: Eric Biggers <[email protected]>
>
> Since the signature self-test uses RSA and SHA-256, it must only be
> enabled when those algorithms are enabled. Otherwise it fails and
> panics the kernel on boot-up.
>
> Reported-by: kernel test robot <[email protected]>
> Closes: https://lore.kernel.org/oe-lkp/[email protected]
> Fixes: 3cde3174eb91 ("certs: Add FIPS selftests")
> Cc: [email protected]
> Cc: Simo Sorce <[email protected]>
> Cc: David Howells <[email protected]>
> Signed-off-by: Eric Biggers <[email protected]>
> ---
> crypto/asymmetric_keys/Kconfig | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
> index 59ec726b7c77..4abc58c55efa 100644
> --- a/crypto/asymmetric_keys/Kconfig
> +++ b/crypto/asymmetric_keys/Kconfig
> @@ -83,7 +83,9 @@ config FIPS_SIGNATURE_SELFTEST
> for FIPS.
> depends on KEYS
> depends on ASYMMETRIC_KEY_TYPE
> depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER
> depends on X509_CERTIFICATE_PARSER
> + depends on CRYPTO_RSA
> + depends on CRYPTO_SHA256
>
> endif # ASYMMETRIC_KEY_TYPE
>
> base-commit: ed30a4a51bb196781c8058073ea720133a65596f
Reviewed-by: Jarkko Sakkinen <[email protected]>
Also, picked.
BR, Jarkko
On Tue Apr 23, 2024 at 7:02 AM EEST, Joachim Vandersmissen wrote:
> Hi Eric,
>
> On 4/22/24 4:10 PM, Eric Biggers wrote:
> > From: Eric Biggers <[email protected]>
> >
> > Since the signature self-test uses RSA and SHA-256, it must only be
> > enabled when those algorithms are enabled. Otherwise it fails and
> > panics the kernel on boot-up.
>
> I actually submitted two related patch recently which change the
> structure of the PKCS#7 self-tests and add an ECDSA self-test. See
> "[PATCH v2 1/2] certs: Move RSA self-test data to separate file" and
> "[PATCH v2 2/2] certs: Add ECDSA signature verification self-test" on
> 2024-04-20. The explicit dependency on CRYPTO_RSA shouldn't be necessary
> with those patches (I think).
>
> However, I didn't consider CRYPTO_SHA256 there. I think it can remain
> since both the RSA and proposed ECDSA self-tests use SHA-256.
Their how in my master branch, I'll mirror them to linux-next in day
or two.
BR, Jarkko