* [PATCH] crypto: print self-test pass notices in fips mode
From: Jarod Wilson @ 2009-04-29 1:21 UTC
To: linux-crypto; +Cc: linux-kernel, Herbert Xu, Neil Horman
According to our FIPS CAVS testing lab guru, when we're in fips mode,
we *must* print out notices of successful self-test completion for
every alg to be compliant.
Dependent on patch 'crypto: catch base cipher self-test failures in
fips mode', which adds the test_done label.
Signed-off-by: Jarod Wilson <jarod@redhat.com>
---
crypto/testmgr.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 39ffa69..d0cc85c 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -2149,6 +2149,10 @@ notest:
test_done:
if (fips_enabled && rc)
panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
+ /* fips mode requires we print out self-test success notices */
+ if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7))
+ printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
+ driver, alg);
return rc;
}
EXPORT_SYMBOL_GPL(alg_test);
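Review bot: the `strncmp(alg, "ctr(aes", 7)` term in the added condition hardcodes one algorithm-name prefix into the generic exit path of alg_test(), and neither the new code comment nor the commit message says why names starting with "ctr(aes" are skipped. The commit message states that a pass notice is required for every alg, which this exemption contradicts. Either drop the term so the condition is just `fips_enabled && !rc`, or carry the exemption as per-algorithm data and explain it in the comment. If the call stays, write it as `strncmp(...) != 0` so the bare call is not misread as "matches".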
--
Jarod Wilson
jarod@redhat.com
* Re: [PATCH] crypto: print self-test pass notices in fips mode
From: Neil Horman @ 2009-04-29 10:52 UTC
To: Jarod Wilson; +Cc: linux-crypto, linux-kernel, Herbert Xu
On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote:
> According to our FIPS CAVS testing lab guru, when we're in fips mode,
> we *must* print out notices of successful self-test completion for
> every alg to be compliant.
>
> Dependent on patch 'crypto: catch base cipher self-test failures in
> fips mode', which adds the test_done label.
>
> Signed-off-by: Jarod Wilson <jarod@redhat.com>
>
> ---
> crypto/testmgr.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> index 39ffa69..d0cc85c 100644
> --- a/crypto/testmgr.c
> +++ b/crypto/testmgr.c
> @@ -2149,6 +2149,10 @@ notest:
> test_done:
> if (fips_enabled && rc)
> panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
> + /* fips mode requires we print out self-test success notices */
> + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7))
> + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
> + driver, alg);
> return rc;
> }
> EXPORT_SYMBOL_GPL(alg_test);
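Review bot: the `!rc` test added at test_done cannot distinguish "a self-test ran and passed" from "no self-test existed". The hunk header places this code after the notest: label, so if that path reaches test_done with rc == 0, an algorithm with no test vectors would be logged as "self-tests for ... passed". Emit the notice only on the path where a test was actually executed, or track that with a separate variable, rather than inferring it from rc and the algorithm name.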
>
> --
> Jarod Wilson
> jarod@redhat.com
>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
* Re: [PATCH] crypto: print self-test pass notices in fips mode
From: Herbert Xu @ 2009-04-29 13:18 UTC
To: Jarod Wilson; +Cc: linux-crypto, linux-kernel, Neil Horman
On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote:
>
> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> index 39ffa69..d0cc85c 100644
> --- a/crypto/testmgr.c
> +++ b/crypto/testmgr.c
> @@ -2149,6 +2149,10 @@ notest:
> test_done:
> if (fips_enabled && rc)
> panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
> + /* fips mode requires we print out self-test success notices */
> + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7))
> + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
> + driver, alg);
What is this strncmp crap for?
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Re: [PATCH] crypto: print self-test pass notices in fips mode
From: Jarod Wilson @ 2009-04-29 13:21 UTC
To: Herbert Xu; +Cc: linux-crypto, linux-kernel, Neil Horman
On Wednesday 29 April 2009 09:18:17 Herbert Xu wrote:
> On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote:
> >
> > diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> > index 39ffa69..d0cc85c 100644
> > --- a/crypto/testmgr.c
> > +++ b/crypto/testmgr.c
> > @@ -2149,6 +2149,10 @@ notest:
> > test_done:
> > if (fips_enabled && rc)
> > panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
> > + /* fips mode requires we print out self-test success notices */
> > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7))
> > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
> > + driver, alg);
>
> What is this strncmp crap for?
To avoid claiming we successfully self-tested ctr(aes) when it's
not actually directly testable. Was intended to go sort of hand
in hand with the other patch to suppress 'no self test' messages
for ctr(aes) when in fips mode. Of course, since at this point,
we've run ecb(aes), and that's what's suggested as the way to
test ctr(aes)[*], perhaps we don't need to
suppress it.
[*] well, along with the sign-off from the lab that the counter
code is acceptable
--
Jarod Wilson
jarod@redhat.com
* Re: [PATCH] crypto: print self-test pass notices in fips mode
From: Jarod Wilson @ 2009-04-29 13:24 UTC
To: Herbert Xu; +Cc: linux-crypto, linux-kernel, Neil Horman
On Wednesday 29 April 2009 09:21:53 Jarod Wilson wrote:
> On Wednesday 29 April 2009 09:18:17 Herbert Xu wrote:
> > On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote:
> > >
> > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> > > index 39ffa69..d0cc85c 100644
> > > --- a/crypto/testmgr.c
> > > +++ b/crypto/testmgr.c
> > > @@ -2149,6 +2149,10 @@ notest:
> > > test_done:
> > > if (fips_enabled && rc)
> > > panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
> > > + /* fips mode requires we print out self-test success notices */
> > > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7))
> > > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
> > > + driver, alg);
> >
> > What is this strncmp crap for?
>
> To avoid claiming we successfully self-tested ctr(aes) when it's
> not actually directly testable. Was intended to go sort of hand
> in hand with the other patch to suppress 'no self test' messages
> for ctr(aes) when in fips mode. Of course, since at this point,
> we've run ecb(aes), and that's what's suggested as the way to
> test ctr(aes)[*], perhaps we don't need to
> suppress it.
>
> [*] well, along with the sign-off from the lab that the counter
> code is acceptable
So this might actually be another argument in favor of adding a "this
algo isn't really testable" flag as Neil suggested...
--
Jarod Wilson
jarod@redhat.com
* [PATCH v2] crypto: print self-test pass notices in fips mode
From: Jarod Wilson @ 2009-04-30 21:25 UTC
To: Herbert Xu; +Cc: linux-crypto, linux-kernel, Neil Horman
On Wednesday 29 April 2009 09:24:10 Jarod Wilson wrote:
> On Wednesday 29 April 2009 09:21:53 Jarod Wilson wrote:
> > On Wednesday 29 April 2009 09:18:17 Herbert Xu wrote:
> > > On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote:
> > > >
> > > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> > > > index 39ffa69..d0cc85c 100644
> > > > --- a/crypto/testmgr.c
> > > > +++ b/crypto/testmgr.c
> > > > @@ -2149,6 +2149,10 @@ notest:
> > > > test_done:
> > > > if (fips_enabled && rc)
> > > > panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
> > > > + /* fips mode requires we print out self-test success notices */
> > > > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7))
> > > > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
> > > > + driver, alg);
> > >
> > > What is this strncmp crap for?
> >
> > To avoid claiming we successfully self-tested ctr(aes) when it's
> > not actually directly testable. Was intended to go sort of hand
> > in hand with the other patch to suppress 'no self test' messages
> > for ctr(aes) when in fips mode. Of course, since at this point,
> > we've run ecb(aes), and that's what's suggested as the way to
> > test ctr(aes)[*], perhaps we don't need to
> > suppress it.
> >
> > [*] well, along with the sign-off from the lab that the counter
> > code is acceptable
>
> So this might actually be another argument in favor of adding a "this
> algo isn't really testable" flag as Neil suggested...
According to our FIPS CAVS testing lab guru, when we're in fips mode,
we must print out notices of successful self-test completion for
every alg to be compliant.
New and improved v2, without strncmp crap. Doesn't need to touch a flag
though, due to not moving the notest label around anymore.
Applies atop '[PATCH v2] crypto: catch base cipher self-test failures
in fips mode'.
Personally, I wouldn't mind seeing this info printed out regardless of
whether or not we're in fips mode, I think it's useful info, but will
stick with only in fips mode for now.
---
crypto/testmgr.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index d410fad..b3ec7b9 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -2245,6 +2245,10 @@ test_done:
if (fips_enabled && rc)
panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
+ if (fips_enabled && !rc)
+ printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
+ driver, alg);
+
return rc;
notest:
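Review bot: the added `if (fips_enabled && !rc)` has no comment, and the v1 line `/* fips mode requires we print out self-test success notices */` was dropped, so the code no longer says why the notice is limited to fips mode. Restore that one-line comment above the new condition. The two adjacent `fips_enabled` tests could also be folded into a single `if (fips_enabled)` block with the panic on `rc` and the printk in the else branch. The v2 posting also carries no Signed-off-by line above the `---`, which v1 had.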
--
Jarod Wilson
jarod@redhat.com
* Re: [PATCH v2] crypto: print self-test pass notices in fips mode
From: Herbert Xu @ 2009-05-04 11:51 UTC
To: Jarod Wilson; +Cc: linux-crypto, linux-kernel, Neil Horman
On Thu, Apr 30, 2009 at 05:25:05PM -0400, Jarod Wilson wrote:
>
> According to our FIPS CAVS testing lab guru, when we're in fips mode,
> we must print out notices of successful self-test completion for
> every alg to be compliant.
Also applied.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt