Re: SHAKE256 support

[Eric Biggers <ebiggers@kernel.org>]

On Wed, Sep 17, 2025 at 10:53:12PM -0500, Joachim Vandersmissen wrote:
> Hi Eric, David,
> 
> On 9/17/25 1:48 PM, Eric Biggers wrote:
> > On Wed, Sep 17, 2025 at 05:20:43PM +0100, David Howells wrote:
> > 
> > > For FIPS compliance, IIRC, you *have* to run tests on the algorithms,
> > > so wouldn't using kunit just be a waste of resources?
> > The lib/crypto/ KUnit tests are real tests, which thoroughly test each
> > algorithm.  This includes computing thousands of hashes for each hash
> > algorithm, for example.
> > 
> > FIPS pre-operational self-testing, if and when it is required, would be
> > a completely different thing.  For example, FIPS often requires only a
> > single test (with a single call to the algorithm) per algorithm.  Refer
> > to section 10.3.A of "Implementation Guidance for FIPS 140-3 and the
> > Cryptographic Module Validation Program"
> > (https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf)
> > 
> > Of course, so far the people doing FIPS certification of the whole
> > kernel haven't actually cared about FIPS pre-operational self-tests for
> > the library functions.  lib/ has had SHA-1 support since 2005, for
> > example, and it's never had a FIPS pre-operational self-test.
> I'm not too familiar with the history of lib/crypto/, but I have noticed
> over the past months that there has been a noticeable shift to moving
> in-kernel users from the kernel crypto API to the library APIs. While this
> seems to be an overall improvement, it does make FIPS compliance more
> challenging. If the kernel crypto API is the only user of lib/crypto/, it is
> possible to make an argument that the testmgr.c self-tests cover the
> lib/crypto/ implementations (since those would be called at some point).
> However since other code is now calling lib/crypto/ directly, that
> assumption may no longer hold.
> > 
> > *If* that's changing and the people doing FIPS certifications of the
> > whole kernel have decided that the library functions actually need FIPS
> > pre-operational self-tests after all, that's fine.
> 
> Currently I don't see how direct users of the lib/crypto/ APIs can be FIPS
> compliant; self-tests are only one of the requirements that are not
> implemented. It would be one of the more straightforward requirements to
> implement though, if this is something the kernel project would accept at
> that (lib/crypto/) layer.

If you find that something specific you need is missing, then send a
patch, with a real justification.  Vague concerns about unspecified
"requirements" aren't very helpful.

- Eric