[PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Eric Biggers]

Add FIPS pre-operational self-tests for all SHA-1 and SHA-2 algorithms.
Following the "Implementation Guidance for FIPS 140-3" document, to
achieve this it's sufficient to just test a single test vector for each
of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.

Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---

Since there seemed to be more interest in complaining that these are
missing than actually writing a patch, I decided to just do it.

 lib/crypto/fips.h                   | 38 +++++++++++++++++++++++++++++
 lib/crypto/sha1.c                   | 19 ++++++++++++++-
 lib/crypto/sha256.c                 | 19 ++++++++++++++-
 lib/crypto/sha512.c                 | 19 ++++++++++++++-
 scripts/crypto/gen-fips-testvecs.py | 33 +++++++++++++++++++++++++
 5 files changed, 125 insertions(+), 3 deletions(-)
 create mode 100644 lib/crypto/fips.h
 create mode 100755 scripts/crypto/gen-fips-testvecs.py

diff --git a/lib/crypto/fips.h b/lib/crypto/fips.h
new file mode 100644
index 0000000000000..78a1bdd33a151
--- /dev/null
+++ b/lib/crypto/fips.h
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/* This file was generated by: gen-fips-testvecs.py */
+
+#include <linux/fips.h>
+
+static const u8 fips_test_data[] __initconst __maybe_unused = {
+	0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
+	0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
+};
+
+static const u8 fips_test_key[] __initconst __maybe_unused = {
+	0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
+	0x74, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00,
+};
+
+static const u8 fips_test_hmac_sha1_value[] __initconst __maybe_unused = {
+	0x29, 0xa9, 0x88, 0xb8, 0x5c, 0xb4, 0xaf, 0x4b,
+	0x97, 0x2a, 0xee, 0x87, 0x5b, 0x0a, 0x02, 0x55,
+	0x99, 0xbf, 0x86, 0x78,
+};
+
+static const u8 fips_test_hmac_sha256_value[] __initconst __maybe_unused = {
+	0x59, 0x25, 0x85, 0xcc, 0x40, 0xe9, 0x64, 0x2f,
+	0xe9, 0xbf, 0x82, 0xb7, 0xd3, 0x15, 0x3d, 0x43,
+	0x22, 0x0b, 0x4c, 0x00, 0x90, 0x14, 0x25, 0xcf,
+	0x9e, 0x13, 0x2b, 0xc2, 0x30, 0xe6, 0xe8, 0x93,
+};
+
+static const u8 fips_test_hmac_sha512_value[] __initconst __maybe_unused = {
+	0x6b, 0xea, 0x5d, 0x27, 0x49, 0x5b, 0x3f, 0xea,
+	0xde, 0x2d, 0xfa, 0x32, 0x75, 0xdb, 0x77, 0xc8,
+	0x26, 0xe9, 0x4e, 0x95, 0x4d, 0xad, 0x88, 0x02,
+	0x87, 0xf9, 0x52, 0x0a, 0xd1, 0x92, 0x80, 0x1d,
+	0x92, 0x7e, 0x3c, 0xbd, 0xb1, 0x3c, 0x49, 0x98,
+	0x44, 0x9c, 0x8f, 0xee, 0x3f, 0x02, 0x71, 0x51,
+	0x57, 0x0b, 0x15, 0x38, 0x95, 0xd8, 0xa3, 0x81,
+	0xba, 0xb3, 0x15, 0x37, 0x5c, 0x6d, 0x57, 0x2b,
+};
diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c
index 5904e4ae85d24..001059cb0fce4 100644
--- a/lib/crypto/sha1.c
+++ b/lib/crypto/sha1.c
@@ -10,10 +10,11 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/string.h>
 #include <linux/unaligned.h>
 #include <linux/wordpart.h>
+#include "fips.h"
 
 static const struct sha1_block_state sha1_iv = {
 	.h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
 };
 
@@ -328,14 +329,30 @@ void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 	hmac_sha1_update(&ctx, data, data_len);
 	hmac_sha1_final(&ctx, out);
 }
 EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
 
-#ifdef sha1_mod_init_arch
+#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
 static int __init sha1_mod_init(void)
 {
+#ifdef sha1_mod_init_arch
 	sha1_mod_init_arch();
+#endif
+	if (fips_enabled) {
+		/*
+		 * FIPS pre-operational self-test.  As per the FIPS
+		 * Implementation Guidance, testing HMAC-SHA1 satisfies the test
+		 * requirement for SHA-1 too.
+		 */
+		u8 mac[SHA1_DIGEST_SIZE];
+
+		hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
+				      fips_test_data, sizeof(fips_test_data),
+				      mac);
+		if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
+			panic("sha1: FIPS pre-operational self-test failed\n");
+	}
 	return 0;
 }
 subsys_initcall(sha1_mod_init);
 
 static void __exit sha1_mod_exit(void)
diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
index 8fa15165d23e8..6b3cf105147ff 100644
--- a/lib/crypto/sha256.c
+++ b/lib/crypto/sha256.c
@@ -15,10 +15,11 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/string.h>
 #include <linux/unaligned.h>
 #include <linux/wordpart.h>
+#include "fips.h"
 
 static const struct sha256_block_state sha224_iv = {
 	.h = {
 		SHA224_H0, SHA224_H1, SHA224_H2, SHA224_H3,
 		SHA224_H4, SHA224_H5, SHA224_H6, SHA224_H7,
@@ -416,14 +417,30 @@ void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 	hmac_sha256_final(&ctx, out);
 }
 EXPORT_SYMBOL_GPL(hmac_sha256_usingrawkey);
 #endif /* !__DISABLE_EXPORTS */
 
-#ifdef sha256_mod_init_arch
+#if defined(sha256_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
 static int __init sha256_mod_init(void)
 {
+#ifdef sha256_mod_init_arch
 	sha256_mod_init_arch();
+#endif
+	if (fips_enabled) {
+		/*
+		 * FIPS pre-operational self-test.  As per the FIPS
+		 * Implementation Guidance, testing HMAC-SHA256 satisfies the
+		 * test requirement for SHA-224, SHA-256, and HMAC-SHA224 too.
+		 */
+		u8 mac[SHA256_DIGEST_SIZE];
+
+		hmac_sha256_usingrawkey(fips_test_key, sizeof(fips_test_key),
+					fips_test_data, sizeof(fips_test_data),
+					mac);
+		if (memcmp(fips_test_hmac_sha256_value, mac, sizeof(mac)) != 0)
+			panic("sha256: FIPS pre-operational self-test failed\n");
+	}
 	return 0;
 }
 subsys_initcall(sha256_mod_init);
 
 static void __exit sha256_mod_exit(void)
diff --git a/lib/crypto/sha512.c b/lib/crypto/sha512.c
index d8062188be98a..65447083c0456 100644
--- a/lib/crypto/sha512.c
+++ b/lib/crypto/sha512.c
@@ -15,10 +15,11 @@
 #include <linux/module.h>
 #include <linux/overflow.h>
 #include <linux/string.h>
 #include <linux/unaligned.h>
 #include <linux/wordpart.h>
+#include "fips.h"
 
 static const struct sha512_block_state sha384_iv = {
 	.h = {
 		SHA384_H0, SHA384_H1, SHA384_H2, SHA384_H3,
 		SHA384_H4, SHA384_H5, SHA384_H6, SHA384_H7,
@@ -403,14 +404,30 @@ void hmac_sha512_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 	hmac_sha512_update(&ctx, data, data_len);
 	hmac_sha512_final(&ctx, out);
 }
 EXPORT_SYMBOL_GPL(hmac_sha512_usingrawkey);
 
-#ifdef sha512_mod_init_arch
+#if defined(sha512_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
 static int __init sha512_mod_init(void)
 {
+#ifdef sha512_mod_init_arch
 	sha512_mod_init_arch();
+#endif
+	if (fips_enabled) {
+		/*
+		 * FIPS pre-operational self-test.  As per the FIPS
+		 * Implementation Guidance, testing HMAC-SHA512 satisfies the
+		 * test requirement for SHA-384, SHA-512, and HMAC-SHA384 too.
+		 */
+		u8 mac[SHA512_DIGEST_SIZE];
+
+		hmac_sha512_usingrawkey(fips_test_key, sizeof(fips_test_key),
+					fips_test_data, sizeof(fips_test_data),
+					mac);
+		if (memcmp(fips_test_hmac_sha512_value, mac, sizeof(mac)) != 0)
+			panic("sha512: FIPS pre-operational self-test failed\n");
+	}
 	return 0;
 }
 subsys_initcall(sha512_mod_init);
 
 static void __exit sha512_mod_exit(void)
diff --git a/scripts/crypto/gen-fips-testvecs.py b/scripts/crypto/gen-fips-testvecs.py
new file mode 100755
index 0000000000000..26e12397bceb2
--- /dev/null
+++ b/scripts/crypto/gen-fips-testvecs.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Script that generates lib/crypto/fips.h
+#
+# Copyright 2025 Google LLC
+
+import hmac
+
+fips_test_data = b"fips test data\0\0"
+fips_test_key = b"fips test key\0\0\0"
+
+def print_static_u8_array_definition(name, value):
+    print('')
+    print(f'static const u8 {name}[] __initconst __maybe_unused = {{')
+    for i in range(0, len(value), 8):
+        line = '\t' + ''.join(f'0x{b:02x}, ' for b in value[i:i+8])
+        print(f'{line.rstrip()}')
+    print('};')
+
+print('/* SPDX-License-Identifier: GPL-2.0-or-later */')
+print(f'/* This file was generated by: gen-fips-testvecs.py */')
+print()
+print('#include <linux/fips.h>')
+
+print_static_u8_array_definition("fips_test_data", fips_test_data)
+print_static_u8_array_definition("fips_test_key", fips_test_key)
+
+for alg in 'sha1', 'sha256', 'sha512':
+    ctx = hmac.new(fips_test_key, digestmod=alg)
+    ctx.update(fips_test_data)
+    print_static_u8_array_definition(f'fips_test_hmac_{alg}_value', ctx.digest())
+

base-commit: e5f0a698b34ed76002dc5cff3804a61c80233a7a
-- 
2.51.0

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Ard Biesheuvel]

On Mon, 6 Oct 2025 at 19:28, Eric Biggers <ebiggers@kernel.org> wrote:
>
> Add FIPS pre-operational self-tests for all SHA-1 and SHA-2 algorithms.
> Following the "Implementation Guidance for FIPS 140-3" document, to
> achieve this it's sufficient to just test a single test vector for each
> of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.
>
> Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>
> Since there seemed to be more interest in complaining that these are
> missing than actually writing a patch, I decided to just do it.
>
>  lib/crypto/fips.h                   | 38 +++++++++++++++++++++++++++++
>  lib/crypto/sha1.c                   | 19 ++++++++++++++-
>  lib/crypto/sha256.c                 | 19 ++++++++++++++-
>  lib/crypto/sha512.c                 | 19 ++++++++++++++-
>  scripts/crypto/gen-fips-testvecs.py | 33 +++++++++++++++++++++++++
>  5 files changed, 125 insertions(+), 3 deletions(-)
>  create mode 100644 lib/crypto/fips.h
>  create mode 100755 scripts/crypto/gen-fips-testvecs.py
>
> diff --git a/lib/crypto/fips.h b/lib/crypto/fips.h
> new file mode 100644
> index 0000000000000..78a1bdd33a151
> --- /dev/null
> +++ b/lib/crypto/fips.h
> @@ -0,0 +1,38 @@
> +/* SPDX-License-Identifier: GPL-2.0-or-later */
> +/* This file was generated by: gen-fips-testvecs.py */
> +
> +#include <linux/fips.h>
> +
> +static const u8 fips_test_data[] __initconst __maybe_unused = {
> +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> +       0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
> +};
> +
> +static const u8 fips_test_key[] __initconst __maybe_unused = {
> +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> +       0x74, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00,
> +};
> +
> +static const u8 fips_test_hmac_sha1_value[] __initconst __maybe_unused = {
> +       0x29, 0xa9, 0x88, 0xb8, 0x5c, 0xb4, 0xaf, 0x4b,
> +       0x97, 0x2a, 0xee, 0x87, 0x5b, 0x0a, 0x02, 0x55,
> +       0x99, 0xbf, 0x86, 0x78,
> +};
> +
> +static const u8 fips_test_hmac_sha256_value[] __initconst __maybe_unused = {
> +       0x59, 0x25, 0x85, 0xcc, 0x40, 0xe9, 0x64, 0x2f,
> +       0xe9, 0xbf, 0x82, 0xb7, 0xd3, 0x15, 0x3d, 0x43,
> +       0x22, 0x0b, 0x4c, 0x00, 0x90, 0x14, 0x25, 0xcf,
> +       0x9e, 0x13, 0x2b, 0xc2, 0x30, 0xe6, 0xe8, 0x93,
> +};
> +
> +static const u8 fips_test_hmac_sha512_value[] __initconst __maybe_unused = {
> +       0x6b, 0xea, 0x5d, 0x27, 0x49, 0x5b, 0x3f, 0xea,
> +       0xde, 0x2d, 0xfa, 0x32, 0x75, 0xdb, 0x77, 0xc8,
> +       0x26, 0xe9, 0x4e, 0x95, 0x4d, 0xad, 0x88, 0x02,
> +       0x87, 0xf9, 0x52, 0x0a, 0xd1, 0x92, 0x80, 0x1d,
> +       0x92, 0x7e, 0x3c, 0xbd, 0xb1, 0x3c, 0x49, 0x98,
> +       0x44, 0x9c, 0x8f, 0xee, 0x3f, 0x02, 0x71, 0x51,
> +       0x57, 0x0b, 0x15, 0x38, 0x95, 0xd8, 0xa3, 0x81,
> +       0xba, 0xb3, 0x15, 0x37, 0x5c, 0x6d, 0x57, 0x2b,
> +};
> diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c
> index 5904e4ae85d24..001059cb0fce4 100644
> --- a/lib/crypto/sha1.c
> +++ b/lib/crypto/sha1.c
> @@ -10,10 +10,11 @@
>  #include <linux/kernel.h>
>  #include <linux/module.h>
>  #include <linux/string.h>
>  #include <linux/unaligned.h>
>  #include <linux/wordpart.h>
> +#include "fips.h"
>
>  static const struct sha1_block_state sha1_iv = {
>         .h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
>  };
>
> @@ -328,14 +329,30 @@ void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
>         hmac_sha1_update(&ctx, data, data_len);
>         hmac_sha1_final(&ctx, out);
>  }
>  EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
>
> -#ifdef sha1_mod_init_arch
> +#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
>  static int __init sha1_mod_init(void)
>  {
> +#ifdef sha1_mod_init_arch
>         sha1_mod_init_arch();
> +#endif
> +       if (fips_enabled) {
> +               /*
> +                * FIPS pre-operational self-test.  As per the FIPS
> +                * Implementation Guidance, testing HMAC-SHA1 satisfies the test
> +                * requirement for SHA-1 too.
> +                */
> +               u8 mac[SHA1_DIGEST_SIZE];
> +
> +               hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
> +                                     fips_test_data, sizeof(fips_test_data),
> +                                     mac);
> +               if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
> +                       panic("sha1: FIPS pre-operational self-test failed\n");
> +       }
>         return 0;
>  }
>  subsys_initcall(sha1_mod_init);
>

In the builtin case, couldn't this execute only after the first calls
into the library? That would mean it does not quite fit the
requirements of the pre-operational selftest.

So perhaps, we should wrap the fips test in a separate function, and
in the builtin case, add a call to it to every exported library
routine, conditional on some static key that gets set on success? With
the right macro foo, it doesn't have to be that ugly, and it can just
disappear entirely if FIPS support is disabled.

(For all I care, we don't bother with this at all, but if we add this
it should be solid)

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Eric Biggers]

On Tue, Oct 07, 2025 at 01:53:25AM +0200, Ard Biesheuvel wrote:
> On Mon, 6 Oct 2025 at 19:28, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > Add FIPS pre-operational self-tests for all SHA-1 and SHA-2 algorithms.
> > Following the "Implementation Guidance for FIPS 140-3" document, to
> > achieve this it's sufficient to just test a single test vector for each
> > of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.
> >
> > Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
> > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> > ---
> >
> > Since there seemed to be more interest in complaining that these are
> > missing than actually writing a patch, I decided to just do it.
> >
> >  lib/crypto/fips.h                   | 38 +++++++++++++++++++++++++++++
> >  lib/crypto/sha1.c                   | 19 ++++++++++++++-
> >  lib/crypto/sha256.c                 | 19 ++++++++++++++-
> >  lib/crypto/sha512.c                 | 19 ++++++++++++++-
> >  scripts/crypto/gen-fips-testvecs.py | 33 +++++++++++++++++++++++++
> >  5 files changed, 125 insertions(+), 3 deletions(-)
> >  create mode 100644 lib/crypto/fips.h
> >  create mode 100755 scripts/crypto/gen-fips-testvecs.py
> >
> > diff --git a/lib/crypto/fips.h b/lib/crypto/fips.h
> > new file mode 100644
> > index 0000000000000..78a1bdd33a151
> > --- /dev/null
> > +++ b/lib/crypto/fips.h
> > @@ -0,0 +1,38 @@
> > +/* SPDX-License-Identifier: GPL-2.0-or-later */
> > +/* This file was generated by: gen-fips-testvecs.py */
> > +
> > +#include <linux/fips.h>
> > +
> > +static const u8 fips_test_data[] __initconst __maybe_unused = {
> > +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> > +       0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
> > +};
> > +
> > +static const u8 fips_test_key[] __initconst __maybe_unused = {
> > +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> > +       0x74, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00,
> > +};
> > +
> > +static const u8 fips_test_hmac_sha1_value[] __initconst __maybe_unused = {
> > +       0x29, 0xa9, 0x88, 0xb8, 0x5c, 0xb4, 0xaf, 0x4b,
> > +       0x97, 0x2a, 0xee, 0x87, 0x5b, 0x0a, 0x02, 0x55,
> > +       0x99, 0xbf, 0x86, 0x78,
> > +};
> > +
> > +static const u8 fips_test_hmac_sha256_value[] __initconst __maybe_unused = {
> > +       0x59, 0x25, 0x85, 0xcc, 0x40, 0xe9, 0x64, 0x2f,
> > +       0xe9, 0xbf, 0x82, 0xb7, 0xd3, 0x15, 0x3d, 0x43,
> > +       0x22, 0x0b, 0x4c, 0x00, 0x90, 0x14, 0x25, 0xcf,
> > +       0x9e, 0x13, 0x2b, 0xc2, 0x30, 0xe6, 0xe8, 0x93,
> > +};
> > +
> > +static const u8 fips_test_hmac_sha512_value[] __initconst __maybe_unused = {
> > +       0x6b, 0xea, 0x5d, 0x27, 0x49, 0x5b, 0x3f, 0xea,
> > +       0xde, 0x2d, 0xfa, 0x32, 0x75, 0xdb, 0x77, 0xc8,
> > +       0x26, 0xe9, 0x4e, 0x95, 0x4d, 0xad, 0x88, 0x02,
> > +       0x87, 0xf9, 0x52, 0x0a, 0xd1, 0x92, 0x80, 0x1d,
> > +       0x92, 0x7e, 0x3c, 0xbd, 0xb1, 0x3c, 0x49, 0x98,
> > +       0x44, 0x9c, 0x8f, 0xee, 0x3f, 0x02, 0x71, 0x51,
> > +       0x57, 0x0b, 0x15, 0x38, 0x95, 0xd8, 0xa3, 0x81,
> > +       0xba, 0xb3, 0x15, 0x37, 0x5c, 0x6d, 0x57, 0x2b,
> > +};
> > diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c
> > index 5904e4ae85d24..001059cb0fce4 100644
> > --- a/lib/crypto/sha1.c
> > +++ b/lib/crypto/sha1.c
> > @@ -10,10 +10,11 @@
> >  #include <linux/kernel.h>
> >  #include <linux/module.h>
> >  #include <linux/string.h>
> >  #include <linux/unaligned.h>
> >  #include <linux/wordpart.h>
> > +#include "fips.h"
> >
> >  static const struct sha1_block_state sha1_iv = {
> >         .h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
> >  };
> >
> > @@ -328,14 +329,30 @@ void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
> >         hmac_sha1_update(&ctx, data, data_len);
> >         hmac_sha1_final(&ctx, out);
> >  }
> >  EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
> >
> > -#ifdef sha1_mod_init_arch
> > +#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
> >  static int __init sha1_mod_init(void)
> >  {
> > +#ifdef sha1_mod_init_arch
> >         sha1_mod_init_arch();
> > +#endif
> > +       if (fips_enabled) {
> > +               /*
> > +                * FIPS pre-operational self-test.  As per the FIPS
> > +                * Implementation Guidance, testing HMAC-SHA1 satisfies the test
> > +                * requirement for SHA-1 too.
> > +                */
> > +               u8 mac[SHA1_DIGEST_SIZE];
> > +
> > +               hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
> > +                                     fips_test_data, sizeof(fips_test_data),
> > +                                     mac);
> > +               if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
> > +                       panic("sha1: FIPS pre-operational self-test failed\n");
> > +       }
> >         return 0;
> >  }
> >  subsys_initcall(sha1_mod_init);
> >
> 
> In the builtin case, couldn't this execute only after the first calls
> into the library? That would mean it does not quite fit the
> requirements of the pre-operational selftest.

Only if other builtin code in the kernel actually calls it before
subsys_initcall, i.e. during very early boot long before userspace
starts.  Such calls can occur only from within the FIPS module (i.e. the
kernel) itself, so arbitrary external users need not be considered here.

x86's SHA-256 microcode checksumming is the only such call I've noticed.

But even then I doubt it actually matters.  There are several possible
reasons why even that early SHA-256 could be fine.  E.g. it could be
interpreted as not being used for a security purpose, or as not
producing any output from the FIPS module (i.e. the kernel) yet
considering that lib/crypto/ is an internal interface.

And of course, the x86 microcode checksumming predated my SHA-256
cleanups in 6.16 and 6.17.  So it's not like anyone cared before...

> So perhaps, we should wrap the fips test in a separate function, and
> in the builtin case, add a call to it to every exported library
> routine, conditional on some static key that gets set on success? With
> the right macro foo, it doesn't have to be that ugly, and it can just
> disappear entirely if FIPS support is disabled.
> 
> (For all I care, we don't bother with this at all, but if we add this
> it should be solid)

I think we should try the simpler solution from this patch first, which
is already used in crypto/kdf_sp800108.c, crypto/hkdf.c,
crypto/asymmetric_keys/selftest.c, and lib/crypto/aesgcm.c.  I suspect
the FIPS labs will be fine with it; subsys_initcall is very early.  If
they were actually using an overly-strict and pedantic interpretation of
FIPS, then FIPS-certified Linux kernels would not already exist.

- Eric

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Joachim Vandersmissen]

Hi Eric,

It's a very minor change but I suggest not using "pre-operational 
self-test". That term specifically refers to a different type of 
self-test in FIPS 140-3 and it could lead to some confusion here. 
"cryptographic algorithm self-test" may be better (if you want to be 
formal), or just "self-test" or "known-answer test".

As for the initialization discussion, it is also allowed to defer the 
self-test until before the first use of the algorithm. However that 
would mean checking that the self-test has ran in the public APIs, which 
is probably more complicated and maybe more costly at runtime.

Kind regards,
Joachim

On 10/6/25 12:26 PM, Eric Biggers wrote:
> Add FIPS pre-operational self-tests for all SHA-1 and SHA-2 algorithms.
> Following the "Implementation Guidance for FIPS 140-3" document, to
> achieve this it's sufficient to just test a single test vector for each
> of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.
>
> Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>
> Since there seemed to be more interest in complaining that these are
> missing than actually writing a patch, I decided to just do it.
>
>   lib/crypto/fips.h                   | 38 +++++++++++++++++++++++++++++
>   lib/crypto/sha1.c                   | 19 ++++++++++++++-
>   lib/crypto/sha256.c                 | 19 ++++++++++++++-
>   lib/crypto/sha512.c                 | 19 ++++++++++++++-
>   scripts/crypto/gen-fips-testvecs.py | 33 +++++++++++++++++++++++++
>   5 files changed, 125 insertions(+), 3 deletions(-)
>   create mode 100644 lib/crypto/fips.h
>   create mode 100755 scripts/crypto/gen-fips-testvecs.py
>
> diff --git a/lib/crypto/fips.h b/lib/crypto/fips.h
> new file mode 100644
> index 0000000000000..78a1bdd33a151
> --- /dev/null
> +++ b/lib/crypto/fips.h
> @@ -0,0 +1,38 @@
> +/* SPDX-License-Identifier: GPL-2.0-or-later */
> +/* This file was generated by: gen-fips-testvecs.py */
> +
> +#include <linux/fips.h>
> +
> +static const u8 fips_test_data[] __initconst __maybe_unused = {
> +	0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> +	0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
> +};
> +
> +static const u8 fips_test_key[] __initconst __maybe_unused = {
> +	0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> +	0x74, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00,
> +};
> +
> +static const u8 fips_test_hmac_sha1_value[] __initconst __maybe_unused = {
> +	0x29, 0xa9, 0x88, 0xb8, 0x5c, 0xb4, 0xaf, 0x4b,
> +	0x97, 0x2a, 0xee, 0x87, 0x5b, 0x0a, 0x02, 0x55,
> +	0x99, 0xbf, 0x86, 0x78,
> +};
> +
> +static const u8 fips_test_hmac_sha256_value[] __initconst __maybe_unused = {
> +	0x59, 0x25, 0x85, 0xcc, 0x40, 0xe9, 0x64, 0x2f,
> +	0xe9, 0xbf, 0x82, 0xb7, 0xd3, 0x15, 0x3d, 0x43,
> +	0x22, 0x0b, 0x4c, 0x00, 0x90, 0x14, 0x25, 0xcf,
> +	0x9e, 0x13, 0x2b, 0xc2, 0x30, 0xe6, 0xe8, 0x93,
> +};
> +
> +static const u8 fips_test_hmac_sha512_value[] __initconst __maybe_unused = {
> +	0x6b, 0xea, 0x5d, 0x27, 0x49, 0x5b, 0x3f, 0xea,
> +	0xde, 0x2d, 0xfa, 0x32, 0x75, 0xdb, 0x77, 0xc8,
> +	0x26, 0xe9, 0x4e, 0x95, 0x4d, 0xad, 0x88, 0x02,
> +	0x87, 0xf9, 0x52, 0x0a, 0xd1, 0x92, 0x80, 0x1d,
> +	0x92, 0x7e, 0x3c, 0xbd, 0xb1, 0x3c, 0x49, 0x98,
> +	0x44, 0x9c, 0x8f, 0xee, 0x3f, 0x02, 0x71, 0x51,
> +	0x57, 0x0b, 0x15, 0x38, 0x95, 0xd8, 0xa3, 0x81,
> +	0xba, 0xb3, 0x15, 0x37, 0x5c, 0x6d, 0x57, 0x2b,
> +};
> diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c
> index 5904e4ae85d24..001059cb0fce4 100644
> --- a/lib/crypto/sha1.c
> +++ b/lib/crypto/sha1.c
> @@ -10,10 +10,11 @@
>   #include <linux/kernel.h>
>   #include <linux/module.h>
>   #include <linux/string.h>
>   #include <linux/unaligned.h>
>   #include <linux/wordpart.h>
> +#include "fips.h"
>   
>   static const struct sha1_block_state sha1_iv = {
>   	.h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
>   };
>   
> @@ -328,14 +329,30 @@ void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
>   	hmac_sha1_update(&ctx, data, data_len);
>   	hmac_sha1_final(&ctx, out);
>   }
>   EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
>   
> -#ifdef sha1_mod_init_arch
> +#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
>   static int __init sha1_mod_init(void)
>   {
> +#ifdef sha1_mod_init_arch
>   	sha1_mod_init_arch();
> +#endif
> +	if (fips_enabled) {
> +		/*
> +		 * FIPS pre-operational self-test.  As per the FIPS
> +		 * Implementation Guidance, testing HMAC-SHA1 satisfies the test
> +		 * requirement for SHA-1 too.
> +		 */
> +		u8 mac[SHA1_DIGEST_SIZE];
> +
> +		hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
> +				      fips_test_data, sizeof(fips_test_data),
> +				      mac);
> +		if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
> +			panic("sha1: FIPS pre-operational self-test failed\n");
> +	}
>   	return 0;
>   }
>   subsys_initcall(sha1_mod_init);
>   
>   static void __exit sha1_mod_exit(void)
> diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
> index 8fa15165d23e8..6b3cf105147ff 100644
> --- a/lib/crypto/sha256.c
> +++ b/lib/crypto/sha256.c
> @@ -15,10 +15,11 @@
>   #include <linux/kernel.h>
>   #include <linux/module.h>
>   #include <linux/string.h>
>   #include <linux/unaligned.h>
>   #include <linux/wordpart.h>
> +#include "fips.h"
>   
>   static const struct sha256_block_state sha224_iv = {
>   	.h = {
>   		SHA224_H0, SHA224_H1, SHA224_H2, SHA224_H3,
>   		SHA224_H4, SHA224_H5, SHA224_H6, SHA224_H7,
> @@ -416,14 +417,30 @@ void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
>   	hmac_sha256_final(&ctx, out);
>   }
>   EXPORT_SYMBOL_GPL(hmac_sha256_usingrawkey);
>   #endif /* !__DISABLE_EXPORTS */
>   
> -#ifdef sha256_mod_init_arch
> +#if defined(sha256_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
>   static int __init sha256_mod_init(void)
>   {
> +#ifdef sha256_mod_init_arch
>   	sha256_mod_init_arch();
> +#endif
> +	if (fips_enabled) {
> +		/*
> +		 * FIPS pre-operational self-test.  As per the FIPS
> +		 * Implementation Guidance, testing HMAC-SHA256 satisfies the
> +		 * test requirement for SHA-224, SHA-256, and HMAC-SHA224 too.
> +		 */
> +		u8 mac[SHA256_DIGEST_SIZE];
> +
> +		hmac_sha256_usingrawkey(fips_test_key, sizeof(fips_test_key),
> +					fips_test_data, sizeof(fips_test_data),
> +					mac);
> +		if (memcmp(fips_test_hmac_sha256_value, mac, sizeof(mac)) != 0)
> +			panic("sha256: FIPS pre-operational self-test failed\n");
> +	}
>   	return 0;
>   }
>   subsys_initcall(sha256_mod_init);
>   
>   static void __exit sha256_mod_exit(void)
> diff --git a/lib/crypto/sha512.c b/lib/crypto/sha512.c
> index d8062188be98a..65447083c0456 100644
> --- a/lib/crypto/sha512.c
> +++ b/lib/crypto/sha512.c
> @@ -15,10 +15,11 @@
>   #include <linux/module.h>
>   #include <linux/overflow.h>
>   #include <linux/string.h>
>   #include <linux/unaligned.h>
>   #include <linux/wordpart.h>
> +#include "fips.h"
>   
>   static const struct sha512_block_state sha384_iv = {
>   	.h = {
>   		SHA384_H0, SHA384_H1, SHA384_H2, SHA384_H3,
>   		SHA384_H4, SHA384_H5, SHA384_H6, SHA384_H7,
> @@ -403,14 +404,30 @@ void hmac_sha512_usingrawkey(const u8 *raw_key, size_t raw_key_len,
>   	hmac_sha512_update(&ctx, data, data_len);
>   	hmac_sha512_final(&ctx, out);
>   }
>   EXPORT_SYMBOL_GPL(hmac_sha512_usingrawkey);
>   
> -#ifdef sha512_mod_init_arch
> +#if defined(sha512_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
>   static int __init sha512_mod_init(void)
>   {
> +#ifdef sha512_mod_init_arch
>   	sha512_mod_init_arch();
> +#endif
> +	if (fips_enabled) {
> +		/*
> +		 * FIPS pre-operational self-test.  As per the FIPS
> +		 * Implementation Guidance, testing HMAC-SHA512 satisfies the
> +		 * test requirement for SHA-384, SHA-512, and HMAC-SHA384 too.
> +		 */
> +		u8 mac[SHA512_DIGEST_SIZE];
> +
> +		hmac_sha512_usingrawkey(fips_test_key, sizeof(fips_test_key),
> +					fips_test_data, sizeof(fips_test_data),
> +					mac);
> +		if (memcmp(fips_test_hmac_sha512_value, mac, sizeof(mac)) != 0)
> +			panic("sha512: FIPS pre-operational self-test failed\n");
> +	}
>   	return 0;
>   }
>   subsys_initcall(sha512_mod_init);
>   
>   static void __exit sha512_mod_exit(void)
> diff --git a/scripts/crypto/gen-fips-testvecs.py b/scripts/crypto/gen-fips-testvecs.py
> new file mode 100755
> index 0000000000000..26e12397bceb2
> --- /dev/null
> +++ b/scripts/crypto/gen-fips-testvecs.py
> @@ -0,0 +1,33 @@
> +#!/usr/bin/env python3
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +#
> +# Script that generates lib/crypto/fips.h
> +#
> +# Copyright 2025 Google LLC
> +
> +import hmac
> +
> +fips_test_data = b"fips test data\0\0"
> +fips_test_key = b"fips test key\0\0\0"
> +
> +def print_static_u8_array_definition(name, value):
> +    print('')
> +    print(f'static const u8 {name}[] __initconst __maybe_unused = {{')
> +    for i in range(0, len(value), 8):
> +        line = '\t' + ''.join(f'0x{b:02x}, ' for b in value[i:i+8])
> +        print(f'{line.rstrip()}')
> +    print('};')
> +
> +print('/* SPDX-License-Identifier: GPL-2.0-or-later */')
> +print(f'/* This file was generated by: gen-fips-testvecs.py */')
> +print()
> +print('#include <linux/fips.h>')
> +
> +print_static_u8_array_definition("fips_test_data", fips_test_data)
> +print_static_u8_array_definition("fips_test_key", fips_test_key)
> +
> +for alg in 'sha1', 'sha256', 'sha512':
> +    ctx = hmac.new(fips_test_key, digestmod=alg)
> +    ctx.update(fips_test_data)
> +    print_static_u8_array_definition(f'fips_test_hmac_{alg}_value', ctx.digest())
> +
>
> base-commit: e5f0a698b34ed76002dc5cff3804a61c80233a7a

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Eric Biggers]

On Mon, Oct 06, 2025 at 10:03:44PM -0500, Joachim Vandersmissen wrote:
> Hi Eric,
> 
> It's a very minor change but I suggest not using "pre-operational
> self-test". That term specifically refers to a different type of self-test
> in FIPS 140-3 and it could lead to some confusion here. "cryptographic
> algorithm self-test" may be better (if you want to be formal), or just
> "self-test" or "known-answer test".
> 

I don't think that's quite correct.  FIPS 140-3 divides self-tests into
two categories, pre-operational (executed unconditionally at start-up
time) and conditional (executed only when conditions are met, such as an
algorithm being used for the first time).  This patch chooses the first
option, pre-operational.

We could just call them algorithm self-tests if we don't want to be
specific as to what time they run at, though.

- Eric

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Joachim Vandersmissen]

Hi Eric,

FIPS 140-3 always classifies Cryptographic Algorithm Self-Tests (CASTs) 
as conditional, even if they are executed on start-up. The condition 
would then be "start-up" or "initialization" or something similar. IG 
10.3.A explains it relatively well in the background section. For 
example, the Security Policy for 
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/5036 
shows the CASTs in Table 21.

In any case the name doesn't matter too much, even if you keep it the 
way it is, it wouldn't really impact a validation.

Kind regards,
Joachim

On 10/6/25 10:27 PM, Eric Biggers wrote:
> On Mon, Oct 06, 2025 at 10:03:44PM -0500, Joachim Vandersmissen wrote:
>> Hi Eric,
>>
>> It's a very minor change but I suggest not using "pre-operational
>> self-test". That term specifically refers to a different type of self-test
>> in FIPS 140-3 and it could lead to some confusion here. "cryptographic
>> algorithm self-test" may be better (if you want to be formal), or just
>> "self-test" or "known-answer test".
>>
> I don't think that's quite correct.  FIPS 140-3 divides self-tests into
> two categories, pre-operational (executed unconditionally at start-up
> time) and conditional (executed only when conditions are met, such as an
> algorithm being used for the first time).  This patch chooses the first
> option, pre-operational.
>
> We could just call them algorithm self-tests if we don't want to be
> specific as to what time they run at, though.
>
> - Eric
>

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Ard Biesheuvel]

On Mon, 6 Oct 2025 at 18:13, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Tue, Oct 07, 2025 at 01:53:25AM +0200, Ard Biesheuvel wrote:
> > On Mon, 6 Oct 2025 at 19:28, Eric Biggers <ebiggers@kernel.org> wrote:
> > >
> > > Add FIPS pre-operational self-tests for all SHA-1 and SHA-2 algorithms.
> > > Following the "Implementation Guidance for FIPS 140-3" document, to
> > > achieve this it's sufficient to just test a single test vector for each
> > > of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.
> > >
> > > Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
> > > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> > > ---
> > >
> > > Since there seemed to be more interest in complaining that these are
> > > missing than actually writing a patch, I decided to just do it.
> > >
> > >  lib/crypto/fips.h                   | 38 +++++++++++++++++++++++++++++
> > >  lib/crypto/sha1.c                   | 19 ++++++++++++++-
> > >  lib/crypto/sha256.c                 | 19 ++++++++++++++-
> > >  lib/crypto/sha512.c                 | 19 ++++++++++++++-
> > >  scripts/crypto/gen-fips-testvecs.py | 33 +++++++++++++++++++++++++
> > >  5 files changed, 125 insertions(+), 3 deletions(-)
> > >  create mode 100644 lib/crypto/fips.h
> > >  create mode 100755 scripts/crypto/gen-fips-testvecs.py
> > >
> > > diff --git a/lib/crypto/fips.h b/lib/crypto/fips.h
> > > new file mode 100644
> > > index 0000000000000..78a1bdd33a151
> > > --- /dev/null
> > > +++ b/lib/crypto/fips.h
> > > @@ -0,0 +1,38 @@
> > > +/* SPDX-License-Identifier: GPL-2.0-or-later */
> > > +/* This file was generated by: gen-fips-testvecs.py */
> > > +
> > > +#include <linux/fips.h>
> > > +
> > > +static const u8 fips_test_data[] __initconst __maybe_unused = {
> > > +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> > > +       0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
> > > +};
> > > +
> > > +static const u8 fips_test_key[] __initconst __maybe_unused = {
> > > +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> > > +       0x74, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00,
> > > +};
> > > +
> > > +static const u8 fips_test_hmac_sha1_value[] __initconst __maybe_unused = {
> > > +       0x29, 0xa9, 0x88, 0xb8, 0x5c, 0xb4, 0xaf, 0x4b,
> > > +       0x97, 0x2a, 0xee, 0x87, 0x5b, 0x0a, 0x02, 0x55,
> > > +       0x99, 0xbf, 0x86, 0x78,
> > > +};
> > > +
> > > +static const u8 fips_test_hmac_sha256_value[] __initconst __maybe_unused = {
> > > +       0x59, 0x25, 0x85, 0xcc, 0x40, 0xe9, 0x64, 0x2f,
> > > +       0xe9, 0xbf, 0x82, 0xb7, 0xd3, 0x15, 0x3d, 0x43,
> > > +       0x22, 0x0b, 0x4c, 0x00, 0x90, 0x14, 0x25, 0xcf,
> > > +       0x9e, 0x13, 0x2b, 0xc2, 0x30, 0xe6, 0xe8, 0x93,
> > > +};
> > > +
> > > +static const u8 fips_test_hmac_sha512_value[] __initconst __maybe_unused = {
> > > +       0x6b, 0xea, 0x5d, 0x27, 0x49, 0x5b, 0x3f, 0xea,
> > > +       0xde, 0x2d, 0xfa, 0x32, 0x75, 0xdb, 0x77, 0xc8,
> > > +       0x26, 0xe9, 0x4e, 0x95, 0x4d, 0xad, 0x88, 0x02,
> > > +       0x87, 0xf9, 0x52, 0x0a, 0xd1, 0x92, 0x80, 0x1d,
> > > +       0x92, 0x7e, 0x3c, 0xbd, 0xb1, 0x3c, 0x49, 0x98,
> > > +       0x44, 0x9c, 0x8f, 0xee, 0x3f, 0x02, 0x71, 0x51,
> > > +       0x57, 0x0b, 0x15, 0x38, 0x95, 0xd8, 0xa3, 0x81,
> > > +       0xba, 0xb3, 0x15, 0x37, 0x5c, 0x6d, 0x57, 0x2b,
> > > +};
> > > diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c
> > > index 5904e4ae85d24..001059cb0fce4 100644
> > > --- a/lib/crypto/sha1.c
> > > +++ b/lib/crypto/sha1.c
> > > @@ -10,10 +10,11 @@
> > >  #include <linux/kernel.h>
> > >  #include <linux/module.h>
> > >  #include <linux/string.h>
> > >  #include <linux/unaligned.h>
> > >  #include <linux/wordpart.h>
> > > +#include "fips.h"
> > >
> > >  static const struct sha1_block_state sha1_iv = {
> > >         .h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
> > >  };
> > >
> > > @@ -328,14 +329,30 @@ void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
> > >         hmac_sha1_update(&ctx, data, data_len);
> > >         hmac_sha1_final(&ctx, out);
> > >  }
> > >  EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
> > >
> > > -#ifdef sha1_mod_init_arch
> > > +#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
> > >  static int __init sha1_mod_init(void)
> > >  {
> > > +#ifdef sha1_mod_init_arch
> > >         sha1_mod_init_arch();
> > > +#endif
> > > +       if (fips_enabled) {
> > > +               /*
> > > +                * FIPS pre-operational self-test.  As per the FIPS
> > > +                * Implementation Guidance, testing HMAC-SHA1 satisfies the test
> > > +                * requirement for SHA-1 too.
> > > +                */
> > > +               u8 mac[SHA1_DIGEST_SIZE];
> > > +
> > > +               hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
> > > +                                     fips_test_data, sizeof(fips_test_data),
> > > +                                     mac);
> > > +               if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
> > > +                       panic("sha1: FIPS pre-operational self-test failed\n");
> > > +       }
> > >         return 0;
> > >  }
> > >  subsys_initcall(sha1_mod_init);
> > >
> >
> > In the builtin case, couldn't this execute only after the first calls
> > into the library? That would mean it does not quite fit the
> > requirements of the pre-operational selftest.
>
> Only if other builtin code in the kernel actually calls it before
> subsys_initcall, i.e. during very early boot long before userspace
> starts.  Such calls can occur only from within the FIPS module (i.e. the
> kernel) itself, so arbitrary external users need not be considered here.
>

Good point. We should probably document this, i.e., the fact that this
is before storage and network etc are even accessible and so panicking
at that point is sufficient even in the presence of even earlier
callers.

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[kernel test robot]

Hi Eric,

kernel test robot noticed the following build errors:

[auto build test ERROR on e5f0a698b34ed76002dc5cff3804a61c80233a7a]

url:    https://github.com/intel-lab-lkp/linux/commits/Eric-Biggers/lib-crypto-Add-FIPS-pre-operational-self-test-for-SHA-algorithms/20251010-085409
base:   e5f0a698b34ed76002dc5cff3804a61c80233a7a
patch link:    https://lore.kernel.org/r/20251006172612.75240-1-ebiggers%40kernel.org
patch subject: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms
config: s390-defconfig (https://download.01.org/0day-ci/archive/20251011/202510110210.5FlCrJl7-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 39f292ffa13d7ca0d1edff27ac8fd55024bb4d19)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251011/202510110210.5FlCrJl7-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510110210.5FlCrJl7-lkp@intel.com/

All errors (new ones prefixed by >>):

>> ld.lld: error: undefined symbol: fips_enabled
   >>> referenced by sha256.c
   >>>               arch/s390/purgatory/purgatory:(sha256_mod_init)
--
>> ld.lld: error: undefined symbol: hmac_sha256_usingrawkey
   >>> referenced by sha256.c
   >>>               arch/s390/purgatory/purgatory:(sha256_mod_init)
--
>> ld.lld: error: undefined symbol: panic
   >>> referenced by sha256.c
   >>>               arch/s390/purgatory/purgatory:(sha256_mod_init)

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA algorithms

[Eric Biggers]

On Tue, Oct 07, 2025 at 10:52:06AM -0700, Ard Biesheuvel wrote:
> On Mon, 6 Oct 2025 at 18:13, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Tue, Oct 07, 2025 at 01:53:25AM +0200, Ard Biesheuvel wrote:
> > > On Mon, 6 Oct 2025 at 19:28, Eric Biggers <ebiggers@kernel.org> wrote:
> > > >
> > > > Add FIPS pre-operational self-tests for all SHA-1 and SHA-2 algorithms.
> > > > Following the "Implementation Guidance for FIPS 140-3" document, to
> > > > achieve this it's sufficient to just test a single test vector for each
> > > > of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.
> > > >
> > > > Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
> > > > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> > > > ---
> > > >
> > > > Since there seemed to be more interest in complaining that these are
> > > > missing than actually writing a patch, I decided to just do it.
> > > >
> > > >  lib/crypto/fips.h                   | 38 +++++++++++++++++++++++++++++
> > > >  lib/crypto/sha1.c                   | 19 ++++++++++++++-
> > > >  lib/crypto/sha256.c                 | 19 ++++++++++++++-
> > > >  lib/crypto/sha512.c                 | 19 ++++++++++++++-
> > > >  scripts/crypto/gen-fips-testvecs.py | 33 +++++++++++++++++++++++++
> > > >  5 files changed, 125 insertions(+), 3 deletions(-)
> > > >  create mode 100644 lib/crypto/fips.h
> > > >  create mode 100755 scripts/crypto/gen-fips-testvecs.py
> > > >
> > > > diff --git a/lib/crypto/fips.h b/lib/crypto/fips.h
> > > > new file mode 100644
> > > > index 0000000000000..78a1bdd33a151
> > > > --- /dev/null
> > > > +++ b/lib/crypto/fips.h
> > > > @@ -0,0 +1,38 @@
> > > > +/* SPDX-License-Identifier: GPL-2.0-or-later */
> > > > +/* This file was generated by: gen-fips-testvecs.py */
> > > > +
> > > > +#include <linux/fips.h>
> > > > +
> > > > +static const u8 fips_test_data[] __initconst __maybe_unused = {
> > > > +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> > > > +       0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
> > > > +};
> > > > +
> > > > +static const u8 fips_test_key[] __initconst __maybe_unused = {
> > > > +       0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
> > > > +       0x74, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00,
> > > > +};
> > > > +
> > > > +static const u8 fips_test_hmac_sha1_value[] __initconst __maybe_unused = {
> > > > +       0x29, 0xa9, 0x88, 0xb8, 0x5c, 0xb4, 0xaf, 0x4b,
> > > > +       0x97, 0x2a, 0xee, 0x87, 0x5b, 0x0a, 0x02, 0x55,
> > > > +       0x99, 0xbf, 0x86, 0x78,
> > > > +};
> > > > +
> > > > +static const u8 fips_test_hmac_sha256_value[] __initconst __maybe_unused = {
> > > > +       0x59, 0x25, 0x85, 0xcc, 0x40, 0xe9, 0x64, 0x2f,
> > > > +       0xe9, 0xbf, 0x82, 0xb7, 0xd3, 0x15, 0x3d, 0x43,
> > > > +       0x22, 0x0b, 0x4c, 0x00, 0x90, 0x14, 0x25, 0xcf,
> > > > +       0x9e, 0x13, 0x2b, 0xc2, 0x30, 0xe6, 0xe8, 0x93,
> > > > +};
> > > > +
> > > > +static const u8 fips_test_hmac_sha512_value[] __initconst __maybe_unused = {
> > > > +       0x6b, 0xea, 0x5d, 0x27, 0x49, 0x5b, 0x3f, 0xea,
> > > > +       0xde, 0x2d, 0xfa, 0x32, 0x75, 0xdb, 0x77, 0xc8,
> > > > +       0x26, 0xe9, 0x4e, 0x95, 0x4d, 0xad, 0x88, 0x02,
> > > > +       0x87, 0xf9, 0x52, 0x0a, 0xd1, 0x92, 0x80, 0x1d,
> > > > +       0x92, 0x7e, 0x3c, 0xbd, 0xb1, 0x3c, 0x49, 0x98,
> > > > +       0x44, 0x9c, 0x8f, 0xee, 0x3f, 0x02, 0x71, 0x51,
> > > > +       0x57, 0x0b, 0x15, 0x38, 0x95, 0xd8, 0xa3, 0x81,
> > > > +       0xba, 0xb3, 0x15, 0x37, 0x5c, 0x6d, 0x57, 0x2b,
> > > > +};
> > > > diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c
> > > > index 5904e4ae85d24..001059cb0fce4 100644
> > > > --- a/lib/crypto/sha1.c
> > > > +++ b/lib/crypto/sha1.c
> > > > @@ -10,10 +10,11 @@
> > > >  #include <linux/kernel.h>
> > > >  #include <linux/module.h>
> > > >  #include <linux/string.h>
> > > >  #include <linux/unaligned.h>
> > > >  #include <linux/wordpart.h>
> > > > +#include "fips.h"
> > > >
> > > >  static const struct sha1_block_state sha1_iv = {
> > > >         .h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
> > > >  };
> > > >
> > > > @@ -328,14 +329,30 @@ void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
> > > >         hmac_sha1_update(&ctx, data, data_len);
> > > >         hmac_sha1_final(&ctx, out);
> > > >  }
> > > >  EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
> > > >
> > > > -#ifdef sha1_mod_init_arch
> > > > +#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
> > > >  static int __init sha1_mod_init(void)
> > > >  {
> > > > +#ifdef sha1_mod_init_arch
> > > >         sha1_mod_init_arch();
> > > > +#endif
> > > > +       if (fips_enabled) {
> > > > +               /*
> > > > +                * FIPS pre-operational self-test.  As per the FIPS
> > > > +                * Implementation Guidance, testing HMAC-SHA1 satisfies the test
> > > > +                * requirement for SHA-1 too.
> > > > +                */
> > > > +               u8 mac[SHA1_DIGEST_SIZE];
> > > > +
> > > > +               hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
> > > > +                                     fips_test_data, sizeof(fips_test_data),
> > > > +                                     mac);
> > > > +               if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
> > > > +                       panic("sha1: FIPS pre-operational self-test failed\n");
> > > > +       }
> > > >         return 0;
> > > >  }
> > > >  subsys_initcall(sha1_mod_init);
> > > >
> > >
> > > In the builtin case, couldn't this execute only after the first calls
> > > into the library? That would mean it does not quite fit the
> > > requirements of the pre-operational selftest.
> >
> > Only if other builtin code in the kernel actually calls it before
> > subsys_initcall, i.e. during very early boot long before userspace
> > starts.  Such calls can occur only from within the FIPS module (i.e. the
> > kernel) itself, so arbitrary external users need not be considered here.
> >
> 
> Good point. We should probably document this, i.e., the fact that this
> is before storage and network etc are even accessible and so panicking
> at that point is sufficient even in the presence of even earlier
> callers.

I'll leave a note in the commit message, but as I mentioned the strategy
of running FIPS self-tests in an initcall is already used in other
places such as crypto/kdf_sp800108.c.  This individual patch isn't a
great place to document the strategy that the kernel is using to meet
FIPS requirements.  That's something that belongs in the (nonexistent)
documentation file for fips=1...

- Eric