| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250919204749.GB8350@quark> Date: Fri, 19 Sep 2025 15:47:49 -0500 From: Eric Biggers <ebiggers@...nel.org> To: Stephan Mueller <smueller@...onox.de> Cc: David Howells <dhowells@...hat.com>, "Jason A. Donenfeld" <Jason@...c4.com>, Ard Biesheuvel <ardb@...nel.org>, Harald Freudenberger <freude@...ux.ibm.com>, Holger Dengler <dengler@...ux.ibm.com>, Herbert Xu <herbert@...dor.apana.org.au>, Simo Sorce <simo@...hat.com>, linux-crypto@...r.kernel.org, linux-s390@...r.kernel.org, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512, SHAKE128, SHAKE256 On Fri, Sep 19, 2025 at 09:53:17PM +0200, Stephan Mueller wrote: > Am Freitag, 19. September 2025, 21:48:00 Mitteleuropäische Sommerzeit > schrieb David Howells: > > Hi David, > > > > I see you also have a test in sha3_mod_init(), which doesn't make > sense. > > > The tests should be in the KUnit test suite(s). If you intended for > the > > > sha3_mod_init() test to be a FIPS pre-operational self-test, then (1) > it > > > would first need to be confirmed with the people doing FIPS > > > certifications that a FIPS pre-operational self-test is actually > > > necessary here, (2) it would need to be fixed to actually fulfill the > > > requirements for that type of test such as panicing the kernel on > > > failure, and (3) it would need to come in its own patch with its own > > > explanation. But, unless you are sure you actually need the FIPS test, > > > just omit it out for now and focus on the real tests. > > > > I disagree. It should have at least a single self-test. If we fail to > load > > any modules because the hash is broken on a particular CPU, it would be > > useful to have a note in dmesg. Loading kunit test modules becomes > tricky > > in such a case. Well, testing is supposed to be done before the kernel is released, not on every end user's computer. If you insist, at least keep it lightweight and make sure it doesn't detract from the real tests. > Just for clarifications of the FIPS requirements: One test of any of the > SHA3/SHAKE algorithms during startup is sufficient for *one* Keccak > implementation. FIPS wants the actual Keccak sponge being tested, it does > not care for the miniscule differences between the different SHA/SHAKE > definitions. Yes. But I'm still a bit puzzled why there suddenly seems to be interest in a FIPS pre-operational self-test for SHA-3 specifically. lib/ has had SHA-1 for two decades without a FIPS pre-operational self-test. If someone actually needs this, surely they would also need it, and have already needed it, for other algorithms? > Yet, if we have multiple Keccak sponge implementations, then each needs its > own self test. While lib/crypto/ often has multiple implementations of the algorithms, only one implementation is used on a given system. - Eric
Powered by blists - more mailing lists