From: Eric Biggers <ebiggers@kernel.org>
To: Stephan Mueller <smueller@chronox.de>
Cc: David Howells <dhowells@redhat.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Harald Freudenberger <freude@linux.ibm.com>,
Holger Dengler <dengler@linux.ibm.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Simo Sorce <simo@redhat.com>,
linux-crypto@vger.kernel.org, linux-s390@vger.kernel.org,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512, SHAKE128, SHAKE256
Date: Fri, 19 Sep 2025 15:47:49 -0500 [thread overview]
Message-ID: <20250919204749.GB8350@quark> (raw)
In-Reply-To: <5078839.1IzOArtZ34@tauon>
On Fri, Sep 19, 2025 at 09:53:17PM +0200, Stephan Mueller wrote:
> Am Freitag, 19. September 2025, 21:48:00 Mitteleuropäische Sommerzeit
> schrieb David Howells:
>
> Hi David,
>
> > > I see you also have a test in sha3_mod_init(), which doesn't make
> sense.
> > > The tests should be in the KUnit test suite(s). If you intended for
> the
> > > sha3_mod_init() test to be a FIPS pre-operational self-test, then (1)
> it
> > > would first need to be confirmed with the people doing FIPS
> > > certifications that a FIPS pre-operational self-test is actually
> > > necessary here, (2) it would need to be fixed to actually fulfill the
> > > requirements for that type of test such as panicing the kernel on
> > > failure, and (3) it would need to come in its own patch with its own
> > > explanation. But, unless you are sure you actually need the FIPS test,
> > > just omit it out for now and focus on the real tests.
> >
> > I disagree. It should have at least a single self-test. If we fail to
> load
> > any modules because the hash is broken on a particular CPU, it would be
> > useful to have a note in dmesg. Loading kunit test modules becomes
> tricky
> > in such a case.
Well, testing is supposed to be done before the kernel is released, not
on every end user's computer.
If you insist, at least keep it lightweight and make sure it doesn't
detract from the real tests.
> Just for clarifications of the FIPS requirements: One test of any of the
> SHA3/SHAKE algorithms during startup is sufficient for *one* Keccak
> implementation. FIPS wants the actual Keccak sponge being tested, it does
> not care for the miniscule differences between the different SHA/SHAKE
> definitions.
Yes. But I'm still a bit puzzled why there suddenly seems to be
interest in a FIPS pre-operational self-test for SHA-3 specifically.
lib/ has had SHA-1 for two decades without a FIPS pre-operational
self-test. If someone actually needs this, surely they would also need
it, and have already needed it, for other algorithms?
> Yet, if we have multiple Keccak sponge implementations, then each needs its
> own self test.
While lib/crypto/ often has multiple implementations of the algorithms,
only one implementation is used on a given system.
- Eric
next prev parent reply other threads:[~2025-09-19 20:47 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-19 16:31 [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512, SHAKE128, SHAKE256 David Howells
2025-09-19 19:04 ` Eric Biggers
2025-09-19 19:48 ` David Howells
2025-09-19 19:53 ` Stephan Mueller
2025-09-19 20:47 ` Eric Biggers [this message]
2025-09-19 21:20 ` Stephan Mueller
2025-09-19 20:32 ` Eric Biggers
2025-09-23 17:36 ` David Howells
2025-09-23 17:45 ` Eric Biggers
2025-09-20 10:53 ` kernel test robot
2025-09-21 19:27 ` Eric Biggers
2025-09-21 21:18 ` David Howells
2025-09-21 21:57 ` Eric Biggers
2025-09-23 14:22 ` David Howells
2025-09-23 15:32 ` Eric Biggers
2025-09-23 16:25 ` David Howells
2025-09-23 16:31 ` David Howells
2025-09-25 8:39 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250919204749.GB8350@quark \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=dengler@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=freude@linux.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=simo@redhat.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox