From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Vegard Nossum <vegard.nossum@oracle.com>,
Joachim Vandersmissen <git@jvdsn.com>,
David Howells <dhowells@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH v2] lib/crypto: Add FIPS self-tests for SHA-1 and SHA-2
Date: Mon, 13 Oct 2025 17:32:31 -0700 [thread overview]
Message-ID: <20251014003231.GB2763@sol> (raw)
In-Reply-To: <20251011001047.51886-1-ebiggers@kernel.org>
On Fri, Oct 10, 2025 at 05:10:47PM -0700, Eric Biggers wrote:
> Add FIPS cryptographic algorithm self-tests for all SHA-1 and SHA-2
> algorithms. Following the "Implementation Guidance for FIPS 140-3"
> document, to achieve this it's sufficient to just test a single test
> vector for each of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.
>
> Just run these tests in the initcalls, following the example of e.g.
> crypto/kdf_sp800108.c. Note that this should meet the FIPS self-test
> requirement even in the built-in case, given that the initcalls run
> before userspace, storage, network, etc. are accessible.
>
> This does not fix a regression, seeing as lib/ has had SHA-1 support
> since 2005 and SHA-256 support since 2018. Neither ever had FIPS
> self-tests. Moreover, fips=1 support has always been an unfinished
> feature upstream. However, with lib/ now being used more widely, it's
> now seeing more scrutiny and people seem to want these now.
>
> Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git/log/?h=libcrypto-next
- Eric
prev parent reply other threads:[~2025-10-14 0:34 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-11 0:10 [PATCH v2] lib/crypto: Add FIPS self-tests for SHA-1 and SHA-2 Eric Biggers
2025-10-11 0:17 ` Ard Biesheuvel
2025-10-14 0:32 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251014003231.GB2763@sol \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=git@jvdsn.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).