From: Jarod Wilson <jarod@redhat.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Neil Horman <nhorman@tuxdriver.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] crypto: tcrypt: add option to not exit on success
Date: Wed, 13 May 2009 09:12:46 -0400 [thread overview]
Message-ID: <200905130912.46965.jarod@redhat.com> (raw)
In-Reply-To: <20090513113819.GA15662@gondor.apana.org.au>
On Wednesday 13 May 2009 07:38:19 Herbert Xu wrote:
> On Wed, May 13, 2009 at 07:08:26AM -0400, Neil Horman wrote:
> >
> > Not really sure I agree with the logic here. I agree that its pretty clear that
> > its major value is for quickly testing all the algorithms in a system, but
> > universally failing the loading of the module simply to save a few milliseconds
> > seems like a poor choice. In so doing you create an alias effect, as jarod
> > noted between a non-existent module and a module that failed to load. The
> > aliasing can be resolved, if you want to parse dmesg, but if speed is the issue
> > at hand, that parsing is a significant impact. If you allow the module to load
> > properly, then for the cost of an rmmod, you can tell simply from the exit code
> > of modprobe:
> > 1) If the module was found
> > 2) If the tests passed
>
> As I said, tcrypt should no longer be used to test algorithms.
> Algorithms are tested as they load, with the result available
> in /proc/crypto. tcrypt is just a relic that will be going away.
>
> Do not rely on it.
Hm... FIPS has the requirement that we test all algs before we use any
algs, self-tests on demand before first use for each alg is
insufficient. At first blush, I'm not seeing how we ensure this
happens. How can we trigger a cbc(des3_ede) self-test from userspace?
I see that modprobe'ing des.ko runs the base des and des3_ede
self-tests, but modprobe'ing cbc.ko doesn't lead to any self-tests
being run.
--
Jarod Wilson
jarod@redhat.com
next prev parent reply other threads:[~2009-05-13 13:13 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-11 14:06 [PATCH] crypto: tcrypt: add option to not exit on success Jarod Wilson
2009-05-12 20:02 ` Jarod Wilson
2009-05-13 0:37 ` Neil Horman
2009-05-13 1:30 ` Herbert Xu
2009-05-13 11:08 ` Neil Horman
2009-05-13 11:38 ` Herbert Xu
2009-05-13 13:12 ` Jarod Wilson [this message]
2009-05-13 13:27 ` Herbert Xu
2009-05-13 13:37 ` Jarod Wilson
2009-05-13 14:03 ` Herbert Xu
2009-05-13 16:40 ` [PATCH v2] crypto: tcrypt: do not exit on success in fips mode Jarod Wilson
2009-05-13 17:32 ` Neil Horman
2009-05-27 5:10 ` Herbert Xu
2009-05-13 14:02 ` [PATCH] crypto: tcrypt: add option to not exit on success Neil Horman
2009-05-13 16:53 ` Jarod Wilson
2009-05-13 23:45 ` Herbert Xu
2009-05-14 12:48 ` Jarod Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200905130912.46965.jarod@redhat.com \
--to=jarod@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox