Re: [PATCH] crypto: tcrypt: add option to not exit on success

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Jarod Wilson <jarod@redhat.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] crypto: tcrypt: add option to not exit on success
Date: Wed, 13 May 2009 12:53:16 -0400	[thread overview]
Message-ID: <200905131253.16977.jarod@redhat.com> (raw)
In-Reply-To: <20090513140224.GB16406@hmsreliant.think-freely.org>

On Wednesday 13 May 2009 10:02:25 Neil Horman wrote:
> On Wed, May 13, 2009 at 11:27:52PM +1000, Herbert Xu wrote:
> > On Wed, May 13, 2009 at 09:12:46AM -0400, Jarod Wilson wrote:
> > > 
> > > Hm... FIPS has the requirement that we test all algs before we use any
> > > algs, self-tests on demand before first use for each alg is
> > > insufficient. At first blush, I'm not seeing how we ensure this
> > > happens. How can we trigger a cbc(des3_ede) self-test from userspace?
> > > I see that modprobe'ing des.ko runs the base des and des3_ede
> > > self-tests, but modprobe'ing cbc.ko doesn't lead to any self-tests
> > > being run.
> > 
> > Once we have a user-space interface crypto API you will be able
> > to instantiate any given algorithm.
> > 
> Thats a good idea.  Jarod, didn't you create a generic netlink socket family
> module that created just such an interface for testing purposes?

Indeed. Works quite well for my somewhat specific needs...

> That might be
> worth polishing and submitting to provide that user space crypto api

It would likely need a LOT of polish, and I'm not sure if its at all
close to what we have (Herbert has?) in mind.... At the moment, it
consists of:

1) a kernel module, which duplicates many of the functions in testmgr,
more or less, but gets its input over a generic netlink socket, rather
than from a static array, and sends the result back out over the same
socket.

2) a userspace binary that feeds very specifically formatted vectors
to the kernel via the netlink socket, listens for the result and
spits it out -- it doesn't actually verify the correctness of the
result, but adding support for passing in an expected result and
checking against it would be trivial.

I guess the place to start would be to ask exactly what sort of
user-space interface to the crypto API did we have in mind here?
i.e., what sort of user-space<->kernel-space communication is
envisioned, and what sort of functionality should be present?

I could see the desire for a simpler interface that doesn't rely upon
a specific userspace binary -- something sysfs or proc-based -- but
netlink is reasonably flexible...

-- 
Jarod Wilson
jarod@redhat.com

next prev parent reply	other threads:[~2009-05-13 16:54 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-05-11 14:06 [PATCH] crypto: tcrypt: add option to not exit on success Jarod Wilson
2009-05-12 20:02 ` Jarod Wilson
2009-05-13  0:37   ` Neil Horman
2009-05-13  1:30     ` Herbert Xu
2009-05-13 11:08       ` Neil Horman
2009-05-13 11:38         ` Herbert Xu
2009-05-13 13:12           ` Jarod Wilson
2009-05-13 13:27             ` Herbert Xu
2009-05-13 13:37               ` Jarod Wilson
2009-05-13 14:03                 ` Herbert Xu
2009-05-13 16:40                   ` [PATCH v2] crypto: tcrypt: do not exit on success in fips mode Jarod Wilson
2009-05-13 17:32                     ` Neil Horman
2009-05-27  5:10                       ` Herbert Xu
2009-05-13 14:02               ` [PATCH] crypto: tcrypt: add option to not exit on success Neil Horman
2009-05-13 16:53                 ` Jarod Wilson [this message]
2009-05-13 23:45                   ` Herbert Xu
2009-05-14 12:48                     ` Jarod Wilson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200905131253.16977.jarod@redhat.com \
    --to=jarod@redhat.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nhorman@tuxdriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox