linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* RE: [PATCH] crypto: jitterentropy - change back to module_init()
       [not found] ` <5289E5EC-C15F-44EB-BC5F-C5A515FFF272@amazon.com>
@ 2021-04-19  4:16   ` Mothershead, Hailey
  2021-04-19 19:57     ` Eric Biggers
  0 siblings, 1 reply; 5+ messages in thread
From: Mothershead, Hailey @ 2021-04-19  4:16 UTC (permalink / raw)
  To: linux-crypto

Hello,
 
The patch quoted below causes the kernel to panic when fips is enabled with:
        
       alg: ecdh: test failed on vector 2, err=-14
       Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
 
This test fails because jitterentropy hasn’t been initialized yet. The assumption that the patch makes, that jitter is not used by the crypto self-tests, does not hold with fips enabled.
 
With the patch reverted, i.e. with jitter initialized with module_init, the kernel is able to boot. How can this best be handled to allow the kernel to boot with fips enabled without running into issues with certain clocksources?
 
Best, 
Hailey
 
From 9c5b34c2f7eb01976a5aa29ccdb786a634e3d1e0 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Tue, 21 May 2019 11:46:22 -0700
Subject: [PATCH] crypto: jitterentropy - change back to module_init()
 
"jitterentropy_rng" doesn't have any other implementations, nor is it
tested by the crypto self-tests.  So it was unnecessary to change it to
subsys_initcall.  Also it depends on the main clocksource being
initialized, which may happen after subsys_initcall, causing this error:
 
    jitterentropy: Initialization failed with host not compliant with requirements: 2
 
Change it back to module_init().
 
Fixes: c4741b230597 ("crypto: run initcalls for generic implementations earlier")
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
crypto/jitterentropy-kcapi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
 
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index 6ea1a270b8dc..787dccca3715 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -198,7 +198,7 @@ static void __exit jent_mod_exit(void)
               crypto_unregister_rng(&jent_alg);
}
-subsys_initcall(jent_mod_init);
+module_init(jent_mod_init);
module_exit(jent_mod_exit);
 MODULE_LICENSE("Dual BSD/GPL");
-- 
2.16.6
 


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] crypto: jitterentropy - change back to module_init()
  2021-04-19  4:16   ` [PATCH] crypto: jitterentropy - change back to module_init() Mothershead, Hailey
@ 2021-04-19 19:57     ` Eric Biggers
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Biggers @ 2021-04-19 19:57 UTC (permalink / raw)
  To: Mothershead, Hailey; +Cc: linux-crypto

On Mon, Apr 19, 2021 at 04:16:13AM +0000, Mothershead, Hailey wrote:
> Hello,
>  
> The patch quoted below causes the kernel to panic when fips is enabled with:
>         
>        alg: ecdh: test failed on vector 2, err=-14
>        Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode!
>  
> This test fails because jitterentropy hasn’t been initialized yet. The assumption that the patch makes, that jitter is not used by the crypto self-tests, does not hold with fips enabled.
>  
> With the patch reverted, i.e. with jitter initialized with module_init, the kernel is able to boot. How can this best be handled to allow the kernel to boot with fips enabled without running into issues with certain clocksources?
>  
> Best, 
> Hailey

I'd recommend looking into why the self-tests would be calling into
jitterentropy in the first place.  That shouldn't be necessary; it doesn't make
sense for known-answer tests to be consuming random numbers.

- Eric

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] crypto: jitterentropy - change back to module_init()
  2019-05-21 18:46 ` [PATCH] crypto: jitterentropy - change back to module_init() Eric Biggers
  2019-05-22  7:21   ` Geert Uytterhoeven
@ 2019-05-30 13:42   ` Herbert Xu
  1 sibling, 0 replies; 5+ messages in thread
From: Herbert Xu @ 2019-05-30 13:42 UTC (permalink / raw)
  To: Eric Biggers
  Cc: linux-crypto, Geert Uytterhoeven, Thomas Gleixner,
	Daniel Lezcano, Linux Kernel Mailing List, Linux-Renesas,
	Linux ARM

On Tue, May 21, 2019 at 11:46:22AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> "jitterentropy_rng" doesn't have any other implementations, nor is it
> tested by the crypto self-tests.  So it was unnecessary to change it to
> subsys_initcall.  Also it depends on the main clocksource being
> initialized, which may happen after subsys_initcall, causing this error:
> 
>     jitterentropy: Initialization failed with host not compliant with requirements: 2
> 
> Change it back to module_init().
> 
> Fixes: c4741b230597 ("crypto: run initcalls for generic implementations earlier")
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  crypto/jitterentropy-kcapi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] crypto: jitterentropy - change back to module_init()
  2019-05-21 18:46 ` [PATCH] crypto: jitterentropy - change back to module_init() Eric Biggers
@ 2019-05-22  7:21   ` Geert Uytterhoeven
  2019-05-30 13:42   ` Herbert Xu
  1 sibling, 0 replies; 5+ messages in thread
From: Geert Uytterhoeven @ 2019-05-22  7:21 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Linux Crypto Mailing List, Herbert Xu, Thomas Gleixner,
	Daniel Lezcano, Linux Kernel Mailing List, Linux-Renesas,
	Linux ARM

On Tue, May 21, 2019 at 8:46 PM Eric Biggers <ebiggers@kernel.org> wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> "jitterentropy_rng" doesn't have any other implementations, nor is it
> tested by the crypto self-tests.  So it was unnecessary to change it to
> subsys_initcall.  Also it depends on the main clocksource being
> initialized, which may happen after subsys_initcall, causing this error:
>
>     jitterentropy: Initialization failed with host not compliant with requirements: 2
>
> Change it back to module_init().
>
> Fixes: c4741b230597 ("crypto: run initcalls for generic implementations earlier")
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH] crypto: jitterentropy - change back to module_init()
  2019-05-21 18:34 crypto: run initcalls for generic implementations earlier Eric Biggers
@ 2019-05-21 18:46 ` Eric Biggers
  2019-05-22  7:21   ` Geert Uytterhoeven
  2019-05-30 13:42   ` Herbert Xu
  0 siblings, 2 replies; 5+ messages in thread
From: Eric Biggers @ 2019-05-21 18:46 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: Geert Uytterhoeven, Thomas Gleixner, Daniel Lezcano,
	Linux Kernel Mailing List, Linux-Renesas, Linux ARM

From: Eric Biggers <ebiggers@google.com>

"jitterentropy_rng" doesn't have any other implementations, nor is it
tested by the crypto self-tests.  So it was unnecessary to change it to
subsys_initcall.  Also it depends on the main clocksource being
initialized, which may happen after subsys_initcall, causing this error:

    jitterentropy: Initialization failed with host not compliant with requirements: 2

Change it back to module_init().

Fixes: c4741b230597 ("crypto: run initcalls for generic implementations earlier")
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 crypto/jitterentropy-kcapi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index 6ea1a270b8dc2..787dccca37159 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -198,7 +198,7 @@ static void __exit jent_mod_exit(void)
 	crypto_unregister_rng(&jent_alg);
 }
 
-subsys_initcall(jent_mod_init);
+module_init(jent_mod_init);
 module_exit(jent_mod_exit);
 
 MODULE_LICENSE("Dual BSD/GPL");
-- 
2.21.0.1020.gf2820cf01a-goog


^ permalink raw reply related	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-04-19 19:57 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <9A0645BD-E7B0-4A7B-BB8F-80C5616502FE@amazon.com>
     [not found] ` <5289E5EC-C15F-44EB-BC5F-C5A515FFF272@amazon.com>
2021-04-19  4:16   ` [PATCH] crypto: jitterentropy - change back to module_init() Mothershead, Hailey
2021-04-19 19:57     ` Eric Biggers
2019-05-21 18:34 crypto: run initcalls for generic implementations earlier Eric Biggers
2019-05-21 18:46 ` [PATCH] crypto: jitterentropy - change back to module_init() Eric Biggers
2019-05-22  7:21   ` Geert Uytterhoeven
2019-05-30 13:42   ` Herbert Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).