| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Apr 2021 11:43:07 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: "Rafael J. Wysocki" <rafael@...nel.org>
Cc: Ard Biesheuvel <ardb@...nel.org>,
Chris von Recklinghausen <crecklin@...hat.com>,
Simo Sorce <simo@...hat.com>, Dexuan Cui <decui@...rosoft.com>,
Linux PM <linux-pm@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/1] use crc32 instead of md5 for hibernation e820
integrity check
On Thu, Apr 01, 2021 at 06:19:57PM +0200, Rafael J. Wysocki wrote:
> On Thu, Apr 1, 2021 at 3:59 PM Ard Biesheuvel <ardb@...nel.org> wrote:
> >
> > On Thu, 1 Apr 2021 at 15:34, Rafael J. Wysocki <rafael@...nel.org> wrote:
> > >
> > > On Thu, Apr 1, 2021 at 2:25 PM Chris von Recklinghausen
> > > <crecklin@...hat.com> wrote:
> > > >
> > > > Suspend fails on a system in fips mode because md5 is used for the e820
> > > > integrity check and is not available. Use crc32 instead.
> > > >
> > > > Fixes: 62a03defeabd ("PM / hibernate: Verify the consistent of e820 memory map
> > > > by md5 digest")
> > > > Signed-off-by: Chris von Recklinghausen <crecklin@...hat.com>
> > > > ---
> > > > arch/x86/power/hibernate.c | 31 +++++++++++++++++--------------
> > > > 1 file changed, 17 insertions(+), 14 deletions(-)
> > > >
> > > > diff --git a/arch/x86/power/hibernate.c b/arch/x86/power/hibernate.c
> > > > index cd3914fc9f3d..6a3f4e32e49c 100644
> > > > --- a/arch/x86/power/hibernate.c
> > > > +++ b/arch/x86/power/hibernate.c
> > > > @@ -55,31 +55,31 @@ int pfn_is_nosave(unsigned long pfn)
> > > > }
> > > >
> > > >
> > > > -#define MD5_DIGEST_SIZE 16
> > > > +#define CRC32_DIGEST_SIZE 16
> > > >
> > > > struct restore_data_record {
> > > > unsigned long jump_address;
> > > > unsigned long jump_address_phys;
> > > > unsigned long cr3;
> > > > unsigned long magic;
> > > > - u8 e820_digest[MD5_DIGEST_SIZE];
> > > > + u8 e820_digest[CRC32_DIGEST_SIZE];
> > > > };
> > >
> > > No.
> > >
> > > CRC32 was used here before and it was deemed insufficient.
> > >
> >
> > Why? The git commit log does not have an explanation of this.
>
> IIRC there was an example of a memory map that would produce the same
> CRC32 value as the original or something like that.
Collisions can easily be found for MD5 as well, as it is heavily broken.
Either you need a cryptographic hash function, *or* a (non-cryptographic)
checksum would be sufficient. There isn't really any in-between.
And if a checksum suffices, MD5 is a bad choice because it was designed as a
cryptographic hash function, so it is much slower than a checksum.
>
> But that said this code is all about failing more gracefully, so I
> guess it isn't a big deal if the failure is more graceful in fewer
> cases ...
If the 1 in 2^32 chance of a CRC-32 collision is too high, then use CRC-64 or
xxHash64 for a 1 in 2^64 chance of a collision.
- Eric
Powered by blists - more mailing lists