* [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode
@ 2021-02-02 13:04 Petr Vorel
2021-02-02 13:04 ` [LTP] [PATCH 2/2] keyctl05: TCONF on " Petr Vorel
2021-02-12 16:00 ` [LTP] [PATCH 1/2] lib: Add function to detect " Cyril Hrubis
0 siblings, 2 replies; 6+ messages in thread
From: Petr Vorel @ 2021-02-02 13:04 UTC
To: ltp
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
include/tst_fips.h | 17 +++++++++++++++++
include/tst_test.h | 1 +
lib/tst_fips.c | 22 ++++++++++++++++++++++
3 files changed, 40 insertions(+)
create mode 100644 include/tst_fips.h
create mode 100644 lib/tst_fips.c
diff --git a/include/tst_fips.h b/include/tst_fips.h
new file mode 100644
index 000000000..2bc90e8e8
--- /dev/null
+++ b/include/tst_fips.h
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+ */
+
+#ifndef TST_FIPS_H__
+#define TST_FIPS_H__
+
+#define PATH_FIPS "/proc/sys/crypto/fips_enabled"
+
+/*
+ * Detect whether FIPS enabled
+ * @return 0: FIPS not enabled, 1: FIPS enabled
+ */
+int tst_fips_enabled(void);
+
+#endif /* TST_FIPS_H__ */
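Review bot: `PATH_FIPS` in this new header carries no `TST_` prefix, and because the header is included from tst_test.h the macro ends up visible in every test that uses the library. If no test needs the path, define it in lib/tst_fips.c instead; otherwise give it a `TST_`-prefixed name. The doc comment on tst_fips_enabled() could also say that a system where /proc/sys/crypto/fips_enabled is not readable is reported as 0, since that is how the implementation in this patch behaves.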
diff --git a/include/tst_test.h b/include/tst_test.h
index c87251870..84cbcbb0c 100644
--- a/include/tst_test.h
+++ b/include/tst_test.h
@@ -42,6 +42,7 @@
#include "tst_assert.h"
#include "tst_cgroup.h"
#include "tst_lockdown.h"
+#include "tst_fips.h"
#include "tst_taint.h"
/*
diff --git a/lib/tst_fips.c b/lib/tst_fips.c
new file mode 100644
index 000000000..c1d3e284c
--- /dev/null
+++ b/lib/tst_fips.c
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+ */
+
+#define TST_NO_DEFAULT_MAIN
+
+#include "tst_test.h"
+#include "tst_safe_macros.h"
+#include "tst_fips.h"
+
+int tst_fips_enabled(void)
+{
+ int fips = 0;
+
+ if (access(PATH_FIPS, R_OK) == 0) {
+ SAFE_FILE_SCANF(PATH_FIPS, "%d", &fips);
+ }
+
+ tst_res(TINFO, "FIPS: %s", fips ? "on" : "off");
+ return fips;
+}
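Review bot: tst_fips_enabled() re-reads PATH_FIPS and prints the `FIPS: on/off` TINFO line on every call, so a caller that checks it from a test function that runs for several cases repeats both the read and the log line. Either cache the result in a static after the first read, or state in the header comment that it is meant to be called once from setup. A smaller point: the header documents a return of 0 or 1, but the raw scanned integer is returned; `return !!fips;` would match the documented contract.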
--
2.30.0
* [LTP] [PATCH 2/2] keyctl05: TCONF on FIPS mode
2021-02-02 13:04 [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode Petr Vorel
@ 2021-02-02 13:04 ` Petr Vorel
2021-02-12 16:02 ` Cyril Hrubis
2021-02-12 16:00 ` [LTP] [PATCH 1/2] lib: Add function to detect " Cyril Hrubis
1 sibling, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2021-02-02 13:04 UTC
To: ltp
asymmetric key test fails on FIPS with dmesg:
RSA: key size not allowed in FIPS mode
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
testcases/kernel/syscalls/keyctl/keyctl05.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/syscalls/keyctl/keyctl05.c b/testcases/kernel/syscalls/keyctl/keyctl05.c
index 55ce852b8..1cd665ba4 100644
--- a/testcases/kernel/syscalls/keyctl/keyctl05.c
+++ b/testcases/kernel/syscalls/keyctl/keyctl05.c
@@ -85,19 +85,25 @@ static void test_update_nonupdatable(const char *type,
new_session_keyring();
+ int is_asymmetric = !strcmp(type, "asymmetric");
+
TEST(add_key(type, "desc", payload, plen, KEY_SPEC_SESSION_KEYRING));
if (TST_RET < 0) {
+ if (TST_ERR == EINVAL && is_asymmetric && tst_fips_enabled()) {
+ tst_res(TCONF, "key size not allowed in FIPS mode");
+ return;
+ }
if (TST_ERR == ENODEV) {
tst_res(TCONF, "kernel doesn't support key type '%s'",
type);
return;
}
- if (TST_ERR == EBADMSG && !strcmp(type, "asymmetric")) {
+ if (TST_ERR == EBADMSG && is_asymmetric) {
tst_res(TCONF, "kernel is missing x509 cert parser "
"(CONFIG_X509_CERTIFICATE_PARSER)");
return;
}
- if (TST_ERR == ENOENT && !strcmp(type, "asymmetric")) {
+ if (TST_ERR == ENOENT && is_asymmetric) {
tst_res(TCONF, "kernel is missing crypto algorithms "
"needed to parse x509 cert (CONFIG_CRYPTO_RSA "
"and/or CONFIG_CRYPTO_SHA256)");
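Review bot: the new `TST_ERR == EINVAL && is_asymmetric && tst_fips_enabled()` branch reports every EINVAL from add_key() on a FIPS system as TCONF "key size not allowed in FIPS mode", although nothing in this hunk confirms that key size was the cause, so an unrelated EINVAL failure for the asymmetric type would be skipped rather than reported on FIPS kernels. Consider making the message say that EINVAL was returned with FIPS enabled and that key size is the likely reason. tst_fips_enabled() is also evaluated inside the test function; reading it once in setup into a static variable avoids re-reading the file for each case that reaches this path. The declaration of `is_asymmetric` sits after the new_session_keyring() call; moving it to the start of the function keeps declarations and statements separate.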
--
2.30.0
* [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode
2021-02-02 13:04 [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode Petr Vorel
2021-02-02 13:04 ` [LTP] [PATCH 2/2] keyctl05: TCONF on " Petr Vorel
@ 2021-02-12 16:00 ` Cyril Hrubis
2021-02-12 18:59 ` Petr Vorel
1 sibling, 1 reply; 6+ messages in thread
From: Cyril Hrubis @ 2021-02-12 16:00 UTC
To: ltp
Hi!
> +#ifndef TST_FIPS_H__
> +#define TST_FIPS_H__
> +
> +#define PATH_FIPS "/proc/sys/crypto/fips_enabled"
I'm not sure that this belongs to the header, at least it's not prefixed
with TST_.
Other than that Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH 2/2] keyctl05: TCONF on FIPS mode
2021-02-02 13:04 ` [LTP] [PATCH 2/2] keyctl05: TCONF on " Petr Vorel
@ 2021-02-12 16:02 ` Cyril Hrubis
2021-02-12 19:10 ` Petr Vorel
0 siblings, 1 reply; 6+ messages in thread
From: Cyril Hrubis @ 2021-02-12 16:02 UTC
To: ltp
Hi!
> + int is_asymmetric = !strcmp(type, "asymmetric");
> +
> TEST(add_key(type, "desc", payload, plen, KEY_SPEC_SESSION_KEYRING));
> if (TST_RET < 0) {
> + if (TST_ERR == EINVAL && is_asymmetric && tst_fips_enabled()) {
^
I guess that we can save the value in test setup instead of re-reading it on every iteration.
Other than that it looks good to me.
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
> + tst_res(TCONF, "key size not allowed in FIPS mode");
> + return;
> + }
> if (TST_ERR == ENODEV) {
> tst_res(TCONF, "kernel doesn't support key type '%s'",
> type);
> return;
> }
> - if (TST_ERR == EBADMSG && !strcmp(type, "asymmetric")) {
> + if (TST_ERR == EBADMSG && is_asymmetric) {
> tst_res(TCONF, "kernel is missing x509 cert parser "
> "(CONFIG_X509_CERTIFICATE_PARSER)");
> return;
> }
> - if (TST_ERR == ENOENT && !strcmp(type, "asymmetric")) {
> + if (TST_ERR == ENOENT && is_asymmetric) {
> tst_res(TCONF, "kernel is missing crypto algorithms "
> "needed to parse x509 cert (CONFIG_CRYPTO_RSA "
> "and/or CONFIG_CRYPTO_SHA256)");
> --
> 2.30.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH 1/2] lib: Add function to detect FIPS mode
2021-02-12 16:00 ` [LTP] [PATCH 1/2] lib: Add function to detect " Cyril Hrubis
@ 2021-02-12 18:59 ` Petr Vorel
0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-02-12 18:59 UTC
To: ltp
Hi,
> Hi!
> > +#ifndef TST_FIPS_H__
> > +#define TST_FIPS_H__
> > +
> > +#define PATH_FIPS "/proc/sys/crypto/fips_enabled"
> I'm not sure that this belongs to the header, at least it's not prefixed
> with TST_.
Good catch. As it's not needed I'll move it to C source, because it's not needed
for other tests so far.
BTW the same problem is with PATH_LOCKDOWN from tst_lockdown.[ch].
It'd be better to move them to tst_lockdown.c as well.
> Other than that Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Thanks!
Kind regards,
Petr
* [LTP] [PATCH 2/2] keyctl05: TCONF on FIPS mode
2021-02-12 16:02 ` Cyril Hrubis
@ 2021-02-12 19:10 ` Petr Vorel
0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-02-12 19:10 UTC
To: ltp
Hi Cyril,
> Hi!
> > + int is_asymmetric = !strcmp(type, "asymmetric");
> > +
> > TEST(add_key(type, "desc", payload, plen, KEY_SPEC_SESSION_KEYRING));
> > if (TST_RET < 0) {
> > + if (TST_ERR == EINVAL && is_asymmetric && tst_fips_enabled()) {
> ^
> I guess that we can save the value in test setup instead of re-reading it on every iteration.
> Other than that it looks good to me.
Good point, thanks! Moved to variable set at setup and merged.
> Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Kind regards,
Petr