* [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode
@ 2021-02-02 13:04 Petr Vorel
  2021-02-02 13:04 ` [LTP] [PATCH 2/2] keyctl05: TCONF on " Petr Vorel
  2021-02-12 16:00 ` [LTP] [PATCH 1/2] lib: Add function to detect " Cyril Hrubis
  0 siblings, 2 replies; 6+ messages in thread
From: Petr Vorel @ 2021-02-02 13:04 UTC
  To: ltp

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 include/tst_fips.h | 17 +++++++++++++++++
 include/tst_test.h |  1 +
 lib/tst_fips.c     | 22 ++++++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 include/tst_fips.h
 create mode 100644 lib/tst_fips.c

diff --git a/include/tst_fips.h b/include/tst_fips.h
new file mode 100644
index 000000000..2bc90e8e8
--- /dev/null
+++ b/include/tst_fips.h
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+ */
+
+#ifndef TST_FIPS_H__
+#define TST_FIPS_H__
+
+#define PATH_FIPS	"/proc/sys/crypto/fips_enabled"
+
+/*
+ * Detect whether FIPS enabled
+ * @return 0: FIPS not enabled, 1: FIPS enabled
+ */
+int tst_fips_enabled(void);
+
+#endif /* TST_FIPS_H__ */
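
Review bot: PATH_FIPS is defined in the public header without the TST_ prefix, and the series also pulls this header into tst_test.h, so the unprefixed macro ends up in the namespace of every test. Since only lib/tst_fips.c uses the path, the #define could move into that file, or be renamed to TST_PATH_FIPS if it has to stay exported. The comment above tst_fips_enabled() could also say that a missing or unreadable file is reported as "not enabled".
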
diff --git a/include/tst_test.h b/include/tst_test.h
index c87251870..84cbcbb0c 100644
--- a/include/tst_test.h
+++ b/include/tst_test.h
@@ -42,6 +42,7 @@
 #include "tst_assert.h"
 #include "tst_cgroup.h"
 #include "tst_lockdown.h"
+#include "tst_fips.h"
 #include "tst_taint.h"
 
 /*
diff --git a/lib/tst_fips.c b/lib/tst_fips.c
new file mode 100644
index 000000000..c1d3e284c
--- /dev/null
+++ b/lib/tst_fips.c
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+ */
+
+#define TST_NO_DEFAULT_MAIN
+
+#include "tst_test.h"
+#include "tst_safe_macros.h"
+#include "tst_fips.h"
+
+int tst_fips_enabled(void)
+{
+	int fips = 0;
+
+	if (access(PATH_FIPS, R_OK) == 0) {
+		SAFE_FILE_SCANF(PATH_FIPS, "%d", &fips);
+	}
+
+	tst_res(TINFO, "FIPS: %s", fips ? "on" : "off");
+	return fips;
+}
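
Review bot: "return fips;" hands back whatever integer was parsed from PATH_FIPS, while the header documents the result as 0 or 1; returning "!!fips" would keep that contract. The tst_res(TINFO, "FIPS: %s", ...) call also runs on every invocation, so a caller that checks the FIPS state more than once repeats the message and re-reads the file; callers should cache the value in setup, or the logging could move out of the helper. The braces around the single SAFE_FILE_SCANF() statement can be dropped.
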
-- 
2.30.0



* [LTP] [PATCH 2/2] keyctl05: TCONF on FIPS mode
  2021-02-02 13:04 [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode Petr Vorel
@ 2021-02-02 13:04 ` Petr Vorel
  2021-02-12 16:02   ` Cyril Hrubis
  2021-02-12 16:00 ` [LTP] [PATCH 1/2] lib: Add function to detect " Cyril Hrubis
  1 sibling, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2021-02-02 13:04 UTC
  To: ltp

asymmetric key test fails on FIPS with dmesg:
RSA: key size not allowed in FIPS mode

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/syscalls/keyctl/keyctl05.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/syscalls/keyctl/keyctl05.c b/testcases/kernel/syscalls/keyctl/keyctl05.c
index 55ce852b8..1cd665ba4 100644
--- a/testcases/kernel/syscalls/keyctl/keyctl05.c
+++ b/testcases/kernel/syscalls/keyctl/keyctl05.c
@@ -85,19 +85,25 @@ static void test_update_nonupdatable(const char *type,
 
 	new_session_keyring();
 
+	int is_asymmetric = !strcmp(type, "asymmetric");
+
 	TEST(add_key(type, "desc", payload, plen, KEY_SPEC_SESSION_KEYRING));
 	if (TST_RET < 0) {
+		if (TST_ERR == EINVAL && is_asymmetric && tst_fips_enabled()) {
+			tst_res(TCONF, "key size not allowed in FIPS mode");
+			return;
+		}
 		if (TST_ERR == ENODEV) {
 			tst_res(TCONF, "kernel doesn't support key type '%s'",
 				type);
 			return;
 		}
-		if (TST_ERR == EBADMSG && !strcmp(type, "asymmetric")) {
+		if (TST_ERR == EBADMSG && is_asymmetric) {
 			tst_res(TCONF, "kernel is missing x509 cert parser "
 				"(CONFIG_X509_CERTIFICATE_PARSER)");
 			return;
 		}
-		if (TST_ERR == ENOENT && !strcmp(type, "asymmetric")) {
+		if (TST_ERR == ENOENT && is_asymmetric) {
 			tst_res(TCONF, "kernel is missing crypto algorithms "
 				"needed to parse x509 cert (CONFIG_CRYPTO_RSA "
 				"and/or CONFIG_CRYPTO_SHA256)");
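
Review bot: The new EINVAL branch reports TCONF for any EINVAL that add_key() returns for the asymmetric type while FIPS is on, so an unrelated EINVAL on a FIPS system would be recorded as a configuration skip instead of a failure; the TCONF message or a comment could state that the key size restriction is assumed as the cause. tst_fips_enabled() is also called from inside the error path, so each run of test_update_nonupdatable() that hits it re-reads the file and prints the TINFO line again; reading the value once in setup and keeping it in a static variable avoids that. "int is_asymmetric" is declared after the new_session_keyring() statement; moving it to the top of the function keeps the declarations together.
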
-- 
2.30.0



* [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode
  2021-02-02 13:04 [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode Petr Vorel
  2021-02-02 13:04 ` [LTP] [PATCH 2/2] keyctl05: TCONF on " Petr Vorel
@ 2021-02-12 16:00 ` Cyril Hrubis
  2021-02-12 18:59   ` Petr Vorel
  1 sibling, 1 reply; 6+ messages in thread
From: Cyril Hrubis @ 2021-02-12 16:00 UTC
  To: ltp

Hi!
> +#ifndef TST_FIPS_H__
> +#define TST_FIPS_H__
> +
> +#define PATH_FIPS	"/proc/sys/crypto/fips_enabled"

I'm not sure that this belongs to the header, at least it's not prefixed
with TST_.

Other than that Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH 2/2] keyctl05: TCONF on FIPS mode
  2021-02-02 13:04 ` [LTP] [PATCH 2/2] keyctl05: TCONF on " Petr Vorel
@ 2021-02-12 16:02   ` Cyril Hrubis
  2021-02-12 19:10     ` Petr Vorel
  0 siblings, 1 reply; 6+ messages in thread
From: Cyril Hrubis @ 2021-02-12 16:02 UTC
  To: ltp

Hi!
> +	int is_asymmetric = !strcmp(type, "asymmetric");
> +
>  	TEST(add_key(type, "desc", payload, plen, KEY_SPEC_SESSION_KEYRING));
>  	if (TST_RET < 0) {
> +		if (TST_ERR == EINVAL && is_asymmetric && tst_fips_enabled()) {
                                                          ^
							  I guess that
							  we can save
							  the value in
							  test setup
							  instead of
							  re-reading it
							  on every
							  iteration.

Other than that it looks good to me.

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

> +			tst_res(TCONF, "key size not allowed in FIPS mode");
> +			return;
> +		}
>  		if (TST_ERR == ENODEV) {
>  			tst_res(TCONF, "kernel doesn't support key type '%s'",
>  				type);
>  			return;
>  		}
> -		if (TST_ERR == EBADMSG && !strcmp(type, "asymmetric")) {
> +		if (TST_ERR == EBADMSG && is_asymmetric) {
>  			tst_res(TCONF, "kernel is missing x509 cert parser "
>  				"(CONFIG_X509_CERTIFICATE_PARSER)");
>  			return;
>  		}
> -		if (TST_ERR == ENOENT && !strcmp(type, "asymmetric")) {
> +		if (TST_ERR == ENOENT && is_asymmetric) {
>  			tst_res(TCONF, "kernel is missing crypto algorithms "
>  				"needed to parse x509 cert (CONFIG_CRYPTO_RSA "
>  				"and/or CONFIG_CRYPTO_SHA256)");
> -- 
> 2.30.0
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode
  2021-02-12 16:00 ` [LTP] [PATCH 1/2] lib: Add function to detect " Cyril Hrubis
@ 2021-02-12 18:59   ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-02-12 18:59 UTC
  To: ltp

Hi,

> Hi!
> > +#ifndef TST_FIPS_H__
> > +#define TST_FIPS_H__
> > +
> > +#define PATH_FIPS	"/proc/sys/crypto/fips_enabled"

> I'm not sure that this belongs to the header, at least it's not prefixed
> with TST_.
Good catch. As it's not needed I'll move it to C source, because it's not needed
for other tests so far.

BTW the same problem is with PATH_LOCKDOWN from tst_lockdown.[ch].
It'd be better to move them to tst_lockdown.c as well.

> Other than that Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Thanks!

Kind regards,
Petr


* [LTP] [PATCH 2/2] keyctl05: TCONF on FIPS mode
  2021-02-12 16:02   ` Cyril Hrubis
@ 2021-02-12 19:10     ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-02-12 19:10 UTC
  To: ltp

Hi Cyril,

> Hi!
> > +	int is_asymmetric = !strcmp(type, "asymmetric");
> > +
> >  	TEST(add_key(type, "desc", payload, plen, KEY_SPEC_SESSION_KEYRING));
> >  	if (TST_RET < 0) {
> > +		if (TST_ERR == EINVAL && is_asymmetric && tst_fips_enabled()) {
>                                                           ^
> 							  I guess that
> 							  we can save
> 							  the value in
> 							  test setup
> 							  instead of
> 							  re-reading it
> 							  on every
> 							  iteration.

> Other than that it looks good to me.
Good point, thanks! Moved to variable set at setup and merged.

> Reviewed-by: Cyril Hrubis <chrubis@suse.cz>


Kind regards,
Petr
