| Message ID | 20240422211041.322370-1-ebiggers@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | KEYS: asymmetric: Add missing dependencies of FIPS_SIGNATURE_SELFTEST | expand |
Hi Eric, On 4/22/24 4:10 PM, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Since the signature self-test uses RSA and SHA-256, it must only be > enabled when those algorithms are enabled. Otherwise it fails and > panics the kernel on boot-up. I actually submitted two related patch recently which change the structure of the PKCS#7 self-tests and add an ECDSA self-test. See "[PATCH v2 1/2] certs: Move RSA self-test data to separate file" and "[PATCH v2 2/2] certs: Add ECDSA signature verification self-test" on 2024-04-20. The explicit dependency on CRYPTO_RSA shouldn't be necessary with those patches (I think). However, I didn't consider CRYPTO_SHA256 there. I think it can remain since both the RSA and proposed ECDSA self-tests use SHA-256. > > Reported-by: kernel test robot <oliver.sang@intel.com> > Closes: https://lore.kernel.org/oe-lkp/202404221528.51d75177-lkp@intel.com > Fixes: 3cde3174eb91 ("certs: Add FIPS selftests") > Cc: stable@vger.kernel.org > Cc: Simo Sorce <simo@redhat.com> > Cc: David Howells <dhowells@redhat.com> > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > crypto/asymmetric_keys/Kconfig | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig > index 59ec726b7c77..4abc58c55efa 100644 > --- a/crypto/asymmetric_keys/Kconfig > +++ b/crypto/asymmetric_keys/Kconfig > @@ -83,7 +83,9 @@ config FIPS_SIGNATURE_SELFTEST > for FIPS. > depends on KEYS > depends on ASYMMETRIC_KEY_TYPE > depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER > depends on X509_CERTIFICATE_PARSER > + depends on CRYPTO_RSA > + depends on CRYPTO_SHA256 > > endif # ASYMMETRIC_KEY_TYPE > > base-commit: ed30a4a51bb196781c8058073ea720133a65596f
On Tue Apr 23, 2024 at 12:10 AM EEST, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Since the signature self-test uses RSA and SHA-256, it must only be > enabled when those algorithms are enabled. Otherwise it fails and > panics the kernel on boot-up. > > Reported-by: kernel test robot <oliver.sang@intel.com> > Closes: https://lore.kernel.org/oe-lkp/202404221528.51d75177-lkp@intel.com > Fixes: 3cde3174eb91 ("certs: Add FIPS selftests") > Cc: stable@vger.kernel.org > Cc: Simo Sorce <simo@redhat.com> > Cc: David Howells <dhowells@redhat.com> > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > crypto/asymmetric_keys/Kconfig | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig > index 59ec726b7c77..4abc58c55efa 100644 > --- a/crypto/asymmetric_keys/Kconfig > +++ b/crypto/asymmetric_keys/Kconfig > @@ -83,7 +83,9 @@ config FIPS_SIGNATURE_SELFTEST > for FIPS. > depends on KEYS > depends on ASYMMETRIC_KEY_TYPE > depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER > depends on X509_CERTIFICATE_PARSER > + depends on CRYPTO_RSA > + depends on CRYPTO_SHA256 > > endif # ASYMMETRIC_KEY_TYPE > > base-commit: ed30a4a51bb196781c8058073ea720133a65596f Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Also, picked. BR, Jarkko
On Tue Apr 23, 2024 at 7:02 AM EEST, Joachim Vandersmissen wrote: > Hi Eric, > > On 4/22/24 4:10 PM, Eric Biggers wrote: > > From: Eric Biggers <ebiggers@google.com> > > > > Since the signature self-test uses RSA and SHA-256, it must only be > > enabled when those algorithms are enabled. Otherwise it fails and > > panics the kernel on boot-up. > > I actually submitted two related patch recently which change the > structure of the PKCS#7 self-tests and add an ECDSA self-test. See > "[PATCH v2 1/2] certs: Move RSA self-test data to separate file" and > "[PATCH v2 2/2] certs: Add ECDSA signature verification self-test" on > 2024-04-20. The explicit dependency on CRYPTO_RSA shouldn't be necessary > with those patches (I think). > > However, I didn't consider CRYPTO_SHA256 there. I think it can remain > since both the RSA and proposed ECDSA self-tests use SHA-256. Their how in my master branch, I'll mirror them to linux-next in day or two. BR, Jarkko
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 59ec726b7c77..4abc58c55efa 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -83,7 +83,9 @@ config FIPS_SIGNATURE_SELFTEST for FIPS. depends on KEYS depends on ASYMMETRIC_KEY_TYPE depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER depends on X509_CERTIFICATE_PARSER + depends on CRYPTO_RSA + depends on CRYPTO_SHA256 endif # ASYMMETRIC_KEY_TYPE