lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250612060931.GA200686@sol>
Date: Wed, 11 Jun 2025 23:09:31 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
	Diederik de Haas <didi.debian@...ow.org>,
	Ingo Franzki <ifranzki@...ux.ibm.com>
Subject: Re: [PATCH] crypto: testmgr - reinstate kconfig support for fast
 tests only

On Thu, Jun 12, 2025 at 01:55:21PM +0800, Herbert Xu wrote:
> On Wed, Jun 11, 2025 at 10:55:25AM -0700, Eric Biggers wrote:
> >
> > diff --git a/crypto/Kconfig b/crypto/Kconfig
> > index e9fee7818e270..8612ebf655647 100644
> > --- a/crypto/Kconfig
> > +++ b/crypto/Kconfig
> > @@ -174,20 +174,30 @@ config CRYPTO_USER
> >  	  Userspace configuration for cryptographic instantiations such as
> >  	  cbc(aes).
> >  
> >  config CRYPTO_SELFTESTS
> >  	bool "Enable cryptographic self-tests"
> > -	depends on DEBUG_KERNEL
> 
> Please restore the dependency on EXPERT.  I do not want random
> users exposed to this toggle.

It used to be:

    config CRYPTO_MANAGER_DISABLE_TESTS
            bool "Disable run-time self tests"
            default y
            help
              Disable run-time self tests that normally take place at
              algorithm registration.

So the CONFIG_EXPERT dependency for the prompt would be new.  Are you sure?

> > +config CRYPTO_SELFTESTS_FULL
> > +	bool "Enable the full set of cryptographic self-tests"
> > +	depends on CRYPTO_SELFTESTS
> > +	default y
> > +	help
> > +	  Enable the full set of cryptographic self-tests for each algorithm.
> > +
> > +	  For development and pre-release testing, leave this as 'y'.
> > +
> > +	  If you're keeping the crypto self-tests enabled in a production
> > +	  kernel, you likely want to set this to 'n' to speed up the boot.  This
> > +	  will cause the "slow" tests to be skipped.  This may suffice for a
> > +	  quick sanity check of drivers and for FIPS 140-3 pre-operational self-
> > +	  testing, but some issues can be found only by the full set of tests.
> 
> Please remove the "default y".

If you insist.  I hoped to get the people working on drivers to actually run the
tests that they are supposed to.  The default y is appropriate for anyone
actually doing development and/or testing, which is what the tests are supposed
to be for.

But I guess that doesn't really happen, and distros are expected to run the
reduced set of tests in production because upstream doesn't test the drivers.
And they will want n here.

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ