* [PATCH] crypto: print self-test pass notices in fips mode @ 2009-04-29 1:21 Jarod Wilson 2009-04-29 10:52 ` Neil Horman 2009-04-29 13:18 ` Herbert Xu 0 siblings, 2 replies; 7+ messages in thread From: Jarod Wilson @ 2009-04-29 1:21 UTC (permalink / raw) To: linux-crypto; +Cc: linux-kernel, Herbert Xu, Neil Horman According to our FIPS CAVS testing lab guru, when we're in fips mode, we *must* print out notices of successful self-test completion for every alg to be compliant. Dependent on patch 'crypto: catch base cipher self-test failures in fips mode', which adds the test_done label. Signed-off-by: Jarod Wilson <jarod@redhat.com> --- crypto/testmgr.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 39ffa69..d0cc85c 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -2149,6 +2149,10 @@ notest: test_done: if (fips_enabled && rc) panic("%s: %s alg self test failed in fips mode!\n", driver, alg); + /* fips mode requires we print out self-test success notices */ + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7)) + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n", + driver, alg); return rc; } EXPORT_SYMBOL_GPL(alg_test); -- Jarod Wilson jarod@redhat.com ^ permalink raw reply related [flat|nested] 7+ messages in thread
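Review bot: the added condition under test_done: hard-codes an algorithm name into the generic completion path. `strncmp(alg, "ctr(aes", 7)` suppresses the pass notice for every algorithm whose name begins with those seven characters, and neither the new comment nor the commit message says why that family is excluded. Either drop the special case or drive it from a per-algorithm property rather than a name prefix and a magic length, and extend the comment to state the reason. The hunk header also shows notest: sitting above test_done:; if that path reaches this point with rc == 0, any other algorithm without a test would be logged as "passed", which matters when the log line is the evidence a FIPS lab reads.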
* Re: [PATCH] crypto: print self-test pass notices in fips mode 2009-04-29 1:21 [PATCH] crypto: print self-test pass notices in fips mode Jarod Wilson @ 2009-04-29 10:52 ` Neil Horman 2009-04-29 13:18 ` Herbert Xu 1 sibling, 0 replies; 7+ messages in thread From: Neil Horman @ 2009-04-29 10:52 UTC (permalink / raw) To: Jarod Wilson; +Cc: linux-crypto, linux-kernel, Herbert Xu On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote: > According to our FIPS CAVS testing lab guru, when we're in fips mode, > we *must* print out notices of successful self-test completion for > every alg to be compliant. > > Dependent on patch 'crypto: catch base cipher self-test failures in > fips mode', which adds the test_done label. > > Signed-off-by: Jarod Wilson <jarod@redhat.com> > > --- > crypto/testmgr.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c > index 39ffa69..d0cc85c 100644 > --- a/crypto/testmgr.c > +++ b/crypto/testmgr.c > @@ -2149,6 +2149,10 @@ notest: > test_done: > if (fips_enabled && rc) > panic("%s: %s alg self test failed in fips mode!\n", driver, alg); > + /* fips mode requires we print out self-test success notices */ > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7)) > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n", > + driver, alg); > return rc; > } > EXPORT_SYMBOL_GPL(alg_test); > > -- > Jarod Wilson > jarod@redhat.com > Acked-by: Neil Horman <nhorman@tuxdriver.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] crypto: print self-test pass notices in fips mode 2009-04-29 1:21 [PATCH] crypto: print self-test pass notices in fips mode Jarod Wilson 2009-04-29 10:52 ` Neil Horman @ 2009-04-29 13:18 ` Herbert Xu 2009-04-29 13:21 ` Jarod Wilson 1 sibling, 1 reply; 7+ messages in thread From: Herbert Xu @ 2009-04-29 13:18 UTC (permalink / raw) To: Jarod Wilson; +Cc: linux-crypto, linux-kernel, Neil Horman On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote: > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c > index 39ffa69..d0cc85c 100644 > --- a/crypto/testmgr.c > +++ b/crypto/testmgr.c > @@ -2149,6 +2149,10 @@ notest: > test_done: > if (fips_enabled && rc) > panic("%s: %s alg self test failed in fips mode!\n", driver, alg); > + /* fips mode requires we print out self-test success notices */ > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7)) > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n", > + driver, alg); What is this strncmp crap for? -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] crypto: print self-test pass notices in fips mode 2009-04-29 13:18 ` Herbert Xu @ 2009-04-29 13:21 ` Jarod Wilson 2009-04-29 13:24 ` Jarod Wilson 0 siblings, 1 reply; 7+ messages in thread From: Jarod Wilson @ 2009-04-29 13:21 UTC (permalink / raw) To: Herbert Xu; +Cc: linux-crypto, linux-kernel, Neil Horman On Wednesday 29 April 2009 09:18:17 Herbert Xu wrote: > On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote: > > > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c > > index 39ffa69..d0cc85c 100644 > > --- a/crypto/testmgr.c > > +++ b/crypto/testmgr.c > > @@ -2149,6 +2149,10 @@ notest: > > test_done: > > if (fips_enabled && rc) > > panic("%s: %s alg self test failed in fips mode!\n", driver, alg); > > + /* fips mode requires we print out self-test success notices */ > > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7)) > > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n", > > + driver, alg); > > What is this strncmp crap for? To avoid claiming we successfully self-tested ctr(aes) when its not actually directly testable. Was intended to go sort of hand in hand with the other patch to suppress 'no self test' messages for ctr(aes) when in fips mode. Of course, since at this point, we've run ecb(aes), and that's what's suggested as the way to test ctr(aes)[*], perhaps we don't need to suppress it. [*] well, along with the sign-off from the lab that the counter code is acceptable -- Jarod Wilson jarod@redhat.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] crypto: print self-test pass notices in fips mode 2009-04-29 13:21 ` Jarod Wilson @ 2009-04-29 13:24 ` Jarod Wilson 2009-04-30 21:25 ` [PATCH v2] " Jarod Wilson 0 siblings, 1 reply; 7+ messages in thread From: Jarod Wilson @ 2009-04-29 13:24 UTC (permalink / raw) To: Herbert Xu; +Cc: linux-crypto, linux-kernel, Neil Horman On Wednesday 29 April 2009 09:21:53 Jarod Wilson wrote: > On Wednesday 29 April 2009 09:18:17 Herbert Xu wrote: > > On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote: > > > > > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c > > > index 39ffa69..d0cc85c 100644 > > > --- a/crypto/testmgr.c > > > +++ b/crypto/testmgr.c > > > @@ -2149,6 +2149,10 @@ notest: > > > test_done: > > > if (fips_enabled && rc) > > > panic("%s: %s alg self test failed in fips mode!\n", driver, alg); > > > + /* fips mode requires we print out self-test success notices */ > > > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7)) > > > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n", > > > + driver, alg); > > > > What is this strncmp crap for? > > To avoid claiming we successfully self-tested ctr(aes) when its > not actually directly testable. Was intended to go sort of hand > in hand with the other patch to suppress 'no self test' messages > for ctr(aes) when in fips mode. Of course, since at this point, > we've run ecb(aes), and that's what's suggested as the way to > test ctr(aes)[*], perhaps we don't need to > suppress it. > > [*] well, along with the sign-off from the lab that the counter > code is acceptable So this might actually be another argument in favor of adding a "this algo isn't really testable" flag as Neil suggested... -- Jarod Wilson jarod@redhat.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] crypto: print self-test pass notices in fips mode 2009-04-29 13:24 ` Jarod Wilson @ 2009-04-30 21:25 ` Jarod Wilson 2009-05-04 11:51 ` Herbert Xu 0 siblings, 1 reply; 7+ messages in thread From: Jarod Wilson @ 2009-04-30 21:25 UTC (permalink / raw) To: Herbert Xu; +Cc: linux-crypto, linux-kernel, Neil Horman On Wednesday 29 April 2009 09:24:10 Jarod Wilson wrote: > On Wednesday 29 April 2009 09:21:53 Jarod Wilson wrote: > > On Wednesday 29 April 2009 09:18:17 Herbert Xu wrote: > > > On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote: > > > > > > > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c > > > > index 39ffa69..d0cc85c 100644 > > > > --- a/crypto/testmgr.c > > > > +++ b/crypto/testmgr.c 
> > > > @@ -2149,6 +2149,10 @@ notest: > > > > test_done: > > > > if (fips_enabled && rc) > > > > panic("%s: %s alg self test failed in fips mode!\n", driver, alg); > > > > + /* fips mode requires we print out self-test success notices */ > > > > + if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7)) > > > > + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n", > > > > + driver, alg); > > > > > > What is this strncmp crap for? > > > > To avoid claiming we successfully self-tested ctr(aes) when its > > not actually directly testable. Was intended to go sort of hand > > in hand with the other patch to suppress 'no self test' messages > > for ctr(aes) when in fips mode. Of course, since at this point, > > we've run ecb(aes), and that's what's suggested as the way to > > test ctr(aes)[*], perhaps we don't need to > > suppress it. > > > > [*] well, along with the sign-off from the lab that the counter > > code is acceptable > > So this might actually be another argument in favor of adding a "this > algo isn't really testable" flag as Neil suggested... According to our FIPS CAVS testing lab guru, when we're in fips mode, we must print out notices of successful self-test completion for every alg to be compliant. New and improved v2, without strncmp crap. Doesn't need to touch a flag though, due to not moving the notest label around anymore. Applies atop '[PATCH v2] crypto: catch base cipher self-test failures in fips mode'. Personally, I wouldn't mind seeing this info printed out regardless of whether or not we're in fips mode, I think its useful info, but will stick with only in fips mode for now. --- crypto/testmgr.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index d410fad..b3ec7b9 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c 
@@ -2245,6 +2245,10 @@ test_done: if (fips_enabled && rc) panic("%s: %s alg self test failed in fips mode!\n", driver, alg); + if (fips_enabled && !rc) + printk(KERN_INFO "alg: self-tests for %s (%s) passed\n", + driver, alg); + return rc; notest: -- Jarod Wilson jarod@redhat.com ^ permalink raw reply related [flat|nested] 7+ messages in thread
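Review bot: the added `if (fips_enabled && !rc)` block after the panic() call has lost the v1 comment explaining that fips mode requires the pass notice; a one-line comment above the `if` would keep the reason next to the code. The `&& !rc` term is redundant when fips_enabled is set, since a non-zero rc has already hit panic() on the line above; it is harmless, but an `else` on the existing check would say the same thing more directly. The message as posted also has no Signed-off-by line ahead of the `---` separator, and the changelog follows a long quoted reply, so a resend with the sign-off and with the quoted material moved below the separator would be cleaner to apply. With `return rc;` now sitting above notest:, the no-test path does not reach this printk, so no name compare is needed.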
* Re: [PATCH v2] crypto: print self-test pass notices in fips mode
From: Herbert Xu @ 2009-05-04 11:51 UTC
To: Jarod Wilson; +Cc: linux-crypto, linux-kernel, Neil Horman

On Thu, Apr 30, 2009 at 05:25:05PM -0400, Jarod Wilson wrote:
>
> According to our FIPS CAVS testing lab guru, when we're in fips mode,
> we must print out notices of successful self-test completion for
> every alg to be compliant.

Also applied.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt