mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Nicolai Stange <nstange@suse.de>
To: Stephan Mueller <smueller@chronox.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	Nicolai Stange <nstange@suse.de>,
	"David S. Miller" <davem@davemloft.net>,
	Hannes Reinecke <hare@suse.de>, Torsten Duwe <duwe@suse.de>,
	Zaibo Xu <xuzaibo@huawei.com>,
	Giovanni Cabiddu <giovanni.cabiddu@intel.com>,
	David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	qat-linux@intel.com, keyrings@vger.kernel.org, simo@redhat.com,
	Eric Biggers <ebiggers@kernel.org>, Petr Vorel <pvorel@suse.cz>
Subject: Re: [v2 PATCH] crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1)
Date: Wed, 02 Feb 2022 11:09:53 +0100	[thread overview]
Message-ID: <87czk5vatq.fsf@suse.de> (raw)
In-Reply-To: <1738803.My4pmAdfGn@tauon.chronox.de> (Stephan Mueller's message of "Fri, 28 Jan 2022 16:49:54 +0100")

Hi Stephan,

Stephan Mueller <smueller@chronox.de> writes:

> Am Freitag, 28. Januar 2022, 15:14:39 CET schrieb Nicolai Stange:
>
>> Herbert Xu <herbert@gondor.apana.org.au> writes:
>> > On Fri, Jan 14, 2022 at 10:09:02AM +0100, Nicolai Stange wrote:
>> >> This looks all good to me, but as !->fips_allowed tests aren't skipped
>> >> over anymore now, it would perhaps make sense to make their failure
>> >> non-fatal in FIPS mode. Because in FIPS mode a failure could mean a
>> >> panic and some of the existing TVs might not pass because of e.g. some
>> >> key length checks or so active only for fips_enabled...
>> > 
>> > You mean a buggy non-FIPS algorithm that fails when tested in
>> > FIPS mode?  I guess we could skip the panic in that case if
>> > everyone is happy with that.  Stephan?
>> 
>> One more thing I just realized: dracut's fips module ([1]) modprobes
>> tcrypt (*) and failure is considered fatal, i.e. the system would not
>> boot up.
>> 
>> First of all this would mean that tcrypt_test() needs to ignore
>> -ECANCELED return values from alg_test() in FIPS mode, in addition to
>> the -EINVAL it is already prepared for.
>> 
>> However, chances are that some of the !fips_allowed algorithms looped
>> over by tcrypt are not available (i.e. not enabled at build time) and as
>> this change here makes alg_test() to unconditionally attempt a test
>> execution now, this would fail with -ENOENT AFAICS.
>> 
>> One way to work around this is to make tcrypt_test() to ignore -ENOENT
>> in addition to -EINVAL and -ECANCELED.
>> 
>> It might be undesirable though that the test executions triggered from
>> tcrypt would still instantiate/load a ton of !fips_allowed algorithms at
>> boot, most of which will effectively be inaccessible (because they're
>> not used as FIPS_INTERNAL arguments to fips_allowed == 1 template
>> instances).
>> 
>> So how about making alg_test() to skip the !fips_allowed tests in FIPS
>> mode as before, but to return -ECANCELED and eventually set
>> FIPS_INTERNAL as implemented with this patch here.
>> 
>> This would imply that FIPS_INTERNAL algorithms by themselves remain
>> untested, but I think this might be Ok as they would be usable only as
>> template arguments in fips_allowed instantiations. That is, they will
>> still receive some form of testing when the larger construction they're
>> part of gets tested.
>> 
>> For example, going with the "dh" example, where "dh" and "ffdhe3072(dh)"
>> would have fips_allowed unset and set respecively, ffdhe3072(dh) as
>> a whole would get tested, but not the "dh" argument individually.
>> 
>> Stephan, would this approach work from a FIPS 140-3 perspective?
>
> Are we sure that we always will have power-up tests of the compound algorithms 
> when we disable the lower-level algorithm testing?

Yes. The compound algorithms having ->fips_allowed == 1 and alg_test_null
entries are:

  authenc(hmac(sha1),ctr(aes))
  authenc(hmac(sha1),rfc3686(ctr(aes)))
  authenc(hmac(sha256),ctr(aes))
  authenc(hmac(sha256),rfc3686(ctr(aes)))
  authenc(hmac(sha384),ctr(aes))
  authenc(hmac(sha384),rfc3686(ctr(aes)))
  authenc(hmac(sha512),ctr(aes))
  authenc(hmac(sha512),rfc3686(ctr(aes)))

The hmac(sha*), ctr(aes) and rfc3686(ctr(aes)) all have
->fips_allowed == 1 and proper non-alg_test_null test entries. So no
change here.

  cbc(paes)
  ctr(paes)
  ecb(paes)
  ofb(paes)
  xts(paes)
  xts4096(paes)
  xts512(paes)
  cts(cbc(paes))

As ecb(paes) has only a alg_test_null() entry, no test would have been
performed at all before this change for these. So no change here either.
  
  ecb(cipher_null)

No change here either.

  pkcs1pad(rsa,sha224)
  pkcs1pad(rsa,sha384)
  pkcs1pad(rsa,sha512)

The sha* and rsa all have ->fips_allowed == 1 and proper
non-alg_test_null test entries. So no change here.


>
> For example, consider the DH work you are preparing: we currently have a self 
> test for dh - which then will be marked as FIPS_INTERNAL and not executed. 
> Would we now have self tests for modpXXX(dh) or ffdheXXX(dh)?

Yes, exactly.

> If not, how would it be guaranteed that DH is tested?
>
> The important part is that the algorithm testing is guaranteed. I see a number 
> of alg_test_null in testmgr.c. I see the potential that some algorithms do not 
> get tested at all when we skip FIPS_INTERNAL algorithms.

See above. But of course one needs to be careful not to add
->fips_allowed + alg_test_null entries for compound algorithms where any
of the template arguments isn't approved in the future.


> From a FIPS perspective it is permissible that compound algo power up tests 
> are claimed to cover respective lower-level algos.

Perfect.

Thanks,

Nicolai

-- 
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Ivo Totev

  reply	other threads:[~2022-02-02 10:09 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-09  9:03 [PATCH v2 00/18] crypto: dh - infrastructure for NVM in-band auth and FIPS conformance Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 01/18] crypto: dh - remove struct dh's ->q member Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 02/18] crypto: dh - constify struct dh's pointer members Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 03/18] crypto: dh - optimize domain parameter serialization for well-known groups Nicolai Stange
2021-12-10 11:33   ` Hannes Reinecke
2021-12-13 10:06     ` Nicolai Stange
2021-12-13 10:10       ` Hannes Reinecke
2021-12-17  5:52   ` Herbert Xu
2021-12-20 15:27     ` Nicolai Stange
2021-12-29  2:14       ` Herbert Xu
2022-01-06 14:30         ` Stephan Mueller
2022-01-07  2:44           ` Herbert Xu
2022-01-07  6:37             ` Nicolai Stange
2022-01-11  6:13             ` [PATCH] crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1) Herbert Xu
2022-01-11  7:50               ` Nicolai Stange
2022-01-11 10:34                 ` Herbert Xu
2022-01-14  6:16                   ` [v2 PATCH] " Herbert Xu
2022-01-14  9:09                     ` Nicolai Stange
2022-01-14 10:55                       ` Herbert Xu
2022-01-14 12:34                         ` Nicolai Stange
2022-01-14 12:35                         ` Stephan Mueller
2022-01-14 12:54                           ` James Bottomley
2022-01-26  9:01                         ` Stephan Mueller
2022-01-28 14:14                         ` Nicolai Stange
2022-01-28 15:49                           ` Stephan Mueller
2022-02-02 10:09                             ` Nicolai Stange [this message]
2022-01-07  7:01         ` [PATCH v2 03/18] crypto: dh - optimize domain parameter serialization for well-known groups Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 04/18] crypto: dh - introduce RFC 7919 safe-prime groups Nicolai Stange
2021-12-10 11:34   ` Hannes Reinecke
2021-12-09  9:03 ` [PATCH v2 05/18] crypto: testmgr - add DH RFC 7919 ffdhe3072 test vector Nicolai Stange
2021-12-10 11:34   ` Hannes Reinecke
2021-12-09  9:03 ` [PATCH v2 06/18] crypto: dh - introduce RFC 3526 safe-prime groups Nicolai Stange
2021-12-10 11:35   ` Hannes Reinecke
2021-12-09  9:03 ` [PATCH v2 07/18] crypto: testmgr - add DH RFC 3526 modp2048 test vector Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 08/18] crypto: testmgr - run only subset of DH vectors based on config Nicolai Stange
2021-12-10 11:36   ` Hannes Reinecke
2021-12-09  9:03 ` [PATCH v2 09/18] crypto: dh - implement private key generation primitive Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 10/18] crypto: dh - introduce support for ephemeral key generation to dh-generic Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 11/18] crypto: dh - introduce support for ephemeral key generation to hpre driver Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 12/18] crypto: dh - introduce support for ephemeral key generation to qat driver Nicolai Stange
2021-12-15 21:54   ` Giovanni Cabiddu
2021-12-09  9:03 ` [PATCH v2 13/18] crypto: testmgr - add DH test vectors for key generation Nicolai Stange
2021-12-10 11:37   ` Hannes Reinecke
2021-12-09  9:03 ` [PATCH v2 14/18] lib/mpi: export mpi_rshift Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 15/18] crypto: dh - store group id in dh-generic's dh_ctx Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 16/18] crypto: dh - calculate Q from P for the full public key verification Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 17/18] crypto: dh - try to match domain parameters to a known safe-prime group Nicolai Stange
2021-12-09  9:03 ` [PATCH v2 18/18] crypto: dh - accept only approved safe-prime groups in FIPS mode Nicolai Stange
2021-12-10 11:37   ` Hannes Reinecke
2021-12-10  7:56 ` [PATCH v2 00/18] crypto: dh - infrastructure for NVM in-band auth and FIPS conformance Stephan Mueller
2021-12-10 10:00   ` Nicolai Stange
2021-12-10 11:38 ` Hannes Reinecke
2021-12-13 10:12   ` Nicolai Stange

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87czk5vatq.fsf@suse.de \
    --to=nstange@suse.de \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=duwe@suse.de \
    --cc=ebiggers@kernel.org \
    --cc=giovanni.cabiddu@intel.com \
    --cc=hare@suse.de \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pvorel@suse.cz \
    --cc=qat-linux@intel.com \
    --cc=simo@redhat.com \
    --cc=smueller@chronox.de \
    --cc=xuzaibo@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome