smuellerDD
`drbg_pr_hmac_sha512` and `drbg_nopr_hmac_sha512` start up self tests not running
Hi Stephan,
We are attempting to get FIPS certification on a device and need for drbg_pr_hmac_sha512 and drbg_nopr_hmac_sha512 startup self tests to run. We are running in FIPS mode with a fips=1. Unfortunately, while other startup self tests are running, those for drbg are not. What could we be missing?
We are pretty sure that drbg_nopr_hmac_sha512 is actually loaded, given that we see it on the device:
root@X70262255:/home/axuser# cat /proc/lrng_type
DRNG name: drbg_nopr_hmac_sha512
LRNG security strength in bits: 256
number of DRNG instances: 1
Standards compliance:
Entropy Sources: JitterRNG Auxiliary
LRNG minimally seeded: true
LRNG fully seeded: true
Auxiliary ES properties:
Hash for operating entropy pool: sha512
JitterRNG ES properties:
Enabled: true
We are using linux version ARM OpenWrt Linux-4.4.60
We have applied the v43 version of this repo.
Here are the LRNG items from zcat /proc/config.gz:
CONFIG_LRNG=y
# CONFIG_LRNG_OVERSAMPLE_ENTROPY_SOURCES is not set
CONFIG_LRNG_OVERSAMPLE_ES_BITS=0
CONFIG_LRNG_SEED_BUFFER_INIT_ADD_BITS=0
# CONFIG_LRNG_IRQ is not set
CONFIG_LRNG_RCT_CUTOFF=31
CONFIG_LRNG_APT_CUTOFF=325
CONFIG_LRNG_JENT=y
CONFIG_LRNG_JENT_ENTROPY_RATE=256
# CONFIG_LRNG_CPU is not set
CONFIG_LRNG_CPU_FULL_ENT_MULTIPLIER=1
CONFIG_LRNG_DRNG_SWITCH=y
CONFIG_LRNG_KCAPI_HASH=y
CONFIG_LRNG_DRBG=m
CONFIG_LRNG_KCAPI=m
# CONFIG_LRNG_TESTING_MENU is not set
CONFIG_LRNG_SELFTEST=y
# CONFIG_LRNG_SELFTEST_PANIC is not set
Here are the CRYPTO items from zcat /proc/config.gz:
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_CRYPTO=y
# Crypto core or helper
CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_PCOMP2=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
# CONFIG_CRYPTO_RSA is not set
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
# CONFIG_CRYPTO_USER is not set
# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
# CONFIG_CRYPTO_PCRYPT is not set
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
# CONFIG_CRYPTO_MCRYPTD is not set
CONFIG_CRYPTO_AUTHENC=m
CONFIG_CRYPTO_TEST=m
CONFIG_CRYPTO_ABLK_HELPER=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
# CONFIG_CRYPTO_CHACHA20POLY1305 is not set
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=m
CONFIG_CRYPTO_CTR=y
# CONFIG_CRYPTO_CTS is not set
CONFIG_CRYPTO_ECB=m
# CONFIG_CRYPTO_LRW is not set
# CONFIG_CRYPTO_PCBC is not set
CONFIG_CRYPTO_XTS=m
# CONFIG_CRYPTO_KEYWRAP is not set
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_XCBC is not set
# CONFIG_CRYPTO_VMAC is not set
CONFIG_CRYPTO_CRC32C=y
# CONFIG_CRYPTO_CRC32 is not set
# CONFIG_CRYPTO_CRCT10DIF is not set
CONFIG_CRYPTO_GHASH=y
# CONFIG_CRYPTO_POLY1305 is not set
# CONFIG_CRYPTO_MD4 is not set
CONFIG_CRYPTO_MD5=m
# CONFIG_CRYPTO_MICHAEL_MIC is not set
# CONFIG_CRYPTO_RMD128 is not set
# CONFIG_CRYPTO_RMD160 is not set
# CONFIG_CRYPTO_RMD256 is not set
# CONFIG_CRYPTO_RMD320 is not set
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
# CONFIG_CRYPTO_TGR192 is not set
# CONFIG_CRYPTO_WP512 is not set
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_ANUBIS is not set
CONFIG_CRYPTO_ARC4=y
# CONFIG_CRYPTO_BLOWFISH is not set
# CONFIG_CRYPTO_CAMELLIA is not set
# CONFIG_CRYPTO_CAST5 is not set
# CONFIG_CRYPTO_CAST6 is not set
CONFIG_CRYPTO_DES=m
# CONFIG_CRYPTO_FCRYPT is not set
# CONFIG_CRYPTO_KHAZAD is not set
# CONFIG_CRYPTO_SALSA20 is not set
# CONFIG_CRYPTO_CHACHA20 is not set
# CONFIG_CRYPTO_SEED is not set
# CONFIG_CRYPTO_SERPENT is not set
# CONFIG_CRYPTO_TEA is not set
# CONFIG_CRYPTO_TWOFISH is not set
CONFIG_CRYPTO_DEFLATE=y
# CONFIG_CRYPTO_ZLIB is not set
CONFIG_CRYPTO_LZO=y
# CONFIG_CRYPTO_842 is not set
# CONFIG_CRYPTO_LZ4 is not set
# CONFIG_CRYPTO_LZ4HC is not set
CONFIG_CRYPTO_XZ=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
# CONFIG_CRYPTO_DRBG_HASH is not set
# CONFIG_CRYPTO_DRBG_CTR is not set
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_USER_API_RNG=y
# CONFIG_CRYPTO_USER_API_AEAD is not set
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
# CONFIG_CRYPTO_DEV_HIFN_795X is not set
# CONFIG_CRYPTO_DEV_OTA_CRYPTO is not set
# CONFIG_CRYPTO_DEV_QCEDEV is not set
CONFIG_CRYPTO_DEV_QCOM_ICE=y
# CONFIG_CRYPTO_DEV_QCOM_MSM_QCE is not set
# CONFIG_CRYPTO_DEV_QCRYPTO is not set
CONFIG_CRYPTO_DEV_QCE=m
CONFIG_OCF_CRYPTODEV=m
CONFIG_OCF_CRYPTOSOFT=m
# CONFIG_OCF_CRYPTOCTEON is not set
CONFIG_ARM_CRYPTO=y
CONFIG_CRYPTO_SHA1_ARM=y
CONFIG_CRYPTO_SHA1_ARM_NEON=y
CONFIG_CRYPTO_SHA1_ARM_CE=y
CONFIG_CRYPTO_SHA2_ARM_CE=y
CONFIG_CRYPTO_SHA256_ARM=y
CONFIG_CRYPTO_SHA512_ARM=y
CONFIG_CRYPTO_AES_ARM=y
CONFIG_CRYPTO_AES_ARM_BS=y
CONFIG_CRYPTO_AES_ARM_CE=y
CONFIG_CRYPTO_GHASH_ARM_CE=y
Here are the FIPS items from zcat /proc/config.gz:
CONFIG_CRYPTO_FIPS=y
CONFIG_FIPS_ENABLE=y
CONFIG_OCF_FIPS=y
Am Freitag, 26. Juli 2024, 01:48:45 MESZ schrieb Brooking:
Hi Brooking,
Hi Stephan,
We are attempting to get FIPS certification on a device and need for
drbg_pr_hmac_sha512anddrbg_nopr_hmac_sha512startup self tests to run. We are running in FIPS mode with afips=1. Unfortunately, while other startup self tests are running, those for drbg are not. What could we be missing?
The self tests are not implemented by the LRNG at all. The DRBG is self tested via the kernel crypto API. See crypto/testmgr.c - here is the snippet from 6.10:
}, {
.alg = "drbg_nopr_hmac_sha256",
.test = alg_test_drbg,
.fips_allowed = 1,
.suite = {
.drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
}
}, {
/*
* There is no need to specifically test the DRBG with every
* backend cipher -- covered by drbg_nopr_hmac_sha512 test
*/
.alg = "drbg_nopr_hmac_sha384",
.test = alg_test_null,
}, {
.alg = "drbg_nopr_hmac_sha512",
.test = alg_test_drbg,
.fips_allowed = 1,
.suite = {
.drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
}
However, the issue is that the LRNG patch series does not directly use the kernel crypto API for accessing the DRBG as the LRNG performs it own seeding strategy of the DRBG - when you would use the kernel crypto API directly, it would use its seeding strategy.
Thus, the automatic self test of the kernel crypto API upon first allocation of a cipher is not triggered by the LRNG. That said, if you need that, you need to use a helper like tcrypt that you need to insmod during boot time to trigger the self tests.
Another solution could be to add the attached patch - this is currently untested code and only there for illustration. Note, if you statically link the DRBG into LRNG (which according to your config is not the case), you may run into the question that the DRBG already is used to produce output before being self-tested. But as this question is not relevant to you, you can ignore it.
We are pretty sure that
drbg_nopr_hmac_sha512is actually loaded, given that we see it on the device: ``` @.***:/home/axuser# cat /proc/lrng_type DRNG name: drbg_nopr_hmac_sha512 LRNG security strength in bits: 256 number of DRNG instances: 1 Standards compliance: Entropy Sources: JitterRNG Auxiliary LRNG minimally seeded: true LRNG fully seeded: true Auxiliary ES properties: Hash for operating entropy pool: sha512 JitterRNG ES properties: Enabled: trueWe are using linux version `ARM OpenWrt Linux-4.4.60` We have applied the `v43` version of this repo. Here are the `LRNG` items from `zcat /proc/config.gz`:CONFIG_LRNG=y
CONFIG_LRNG_OVERSAMPLE_ENTROPY_SOURCES is not set
CONFIG_LRNG_OVERSAMPLE_ES_BITS=0 CONFIG_LRNG_SEED_BUFFER_INIT_ADD_BITS=0
CONFIG_LRNG_IRQ is not set
CONFIG_LRNG_RCT_CUTOFF=31 CONFIG_LRNG_APT_CUTOFF=325 CONFIG_LRNG_JENT=y CONFIG_LRNG_JENT_ENTROPY_RATE=256
CONFIG_LRNG_CPU is not set
CONFIG_LRNG_CPU_FULL_ENT_MULTIPLIER=1 CONFIG_LRNG_DRNG_SWITCH=y CONFIG_LRNG_KCAPI_HASH=y CONFIG_LRNG_DRBG=m CONFIG_LRNG_KCAPI=m
CONFIG_LRNG_TESTING_MENU is not set
CONFIG_LRNG_SELFTEST=y
CONFIG_LRNG_SELFTEST_PANIC is not set
Here are the `CRYPTO` items from `zcat /proc/config.gz`:CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_CRYPTO=y
Crypto core or helper
CONFIG_CRYPTO_FIPS=y CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y CONFIG_CRYPTO_AEAD2=y CONFIG_CRYPTO_BLKCIPHER=y CONFIG_CRYPTO_BLKCIPHER2=y CONFIG_CRYPTO_HASH=y CONFIG_CRYPTO_HASH2=y CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_PCOMP2=y CONFIG_CRYPTO_AKCIPHER2=y CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_RSA is not set
CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER is not set
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_PCRYPT is not set
CONFIG_CRYPTO_WORKQUEUE=y CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_MCRYPTD is not set
CONFIG_CRYPTO_AUTHENC=m CONFIG_CRYPTO_TEST=m CONFIG_CRYPTO_ABLK_HELPER=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305 is not set
CONFIG_CRYPTO_SEQIV=y CONFIG_CRYPTO_ECHAINIV=y CONFIG_CRYPTO_CBC=m CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS is not set
CONFIG_CRYPTO_ECB=m
CONFIG_CRYPTO_LRW is not set
CONFIG_CRYPTO_PCBC is not set
CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_KEYWRAP is not set
CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_XCBC is not set
CONFIG_CRYPTO_VMAC is not set
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32 is not set
CONFIG_CRYPTO_CRCT10DIF is not set
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_POLY1305 is not set
CONFIG_CRYPTO_MD4 is not set
CONFIG_CRYPTO_MD5=m
CONFIG_CRYPTO_MICHAEL_MIC is not set
CONFIG_CRYPTO_RMD128 is not set
CONFIG_CRYPTO_RMD160 is not set
CONFIG_CRYPTO_RMD256 is not set
CONFIG_CRYPTO_RMD320 is not set
CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_TGR192 is not set
CONFIG_CRYPTO_WP512 is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_ANUBIS is not set
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_BLOWFISH is not set
CONFIG_CRYPTO_CAMELLIA is not set
CONFIG_CRYPTO_CAST5 is not set
CONFIG_CRYPTO_CAST6 is not set
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_FCRYPT is not set
CONFIG_CRYPTO_KHAZAD is not set
CONFIG_CRYPTO_SALSA20 is not set
CONFIG_CRYPTO_CHACHA20 is not set
CONFIG_CRYPTO_SEED is not set
CONFIG_CRYPTO_SERPENT is not set
CONFIG_CRYPTO_TEA is not set
CONFIG_CRYPTO_TWOFISH is not set
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_ZLIB is not set
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_842 is not set
CONFIG_CRYPTO_LZ4 is not set
CONFIG_CRYPTO_LZ4HC is not set
CONFIG_CRYPTO_XZ=y CONFIG_CRYPTO_ANSI_CPRNG=y CONFIG_CRYPTO_DRBG_MENU=y CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG_HASH is not set
CONFIG_CRYPTO_DRBG_CTR is not set
CONFIG_CRYPTO_DRBG=y CONFIG_CRYPTO_JITTERENTROPY=y CONFIG_CRYPTO_USER_API=y CONFIG_CRYPTO_USER_API_HASH=m CONFIG_CRYPTO_USER_API_SKCIPHER=m CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD is not set
CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_HIFN_795X is not set
CONFIG_CRYPTO_DEV_OTA_CRYPTO is not set
CONFIG_CRYPTO_DEV_QCEDEV is not set
CONFIG_CRYPTO_DEV_QCOM_ICE=y
CONFIG_CRYPTO_DEV_QCOM_MSM_QCE is not set
CONFIG_CRYPTO_DEV_QCRYPTO is not set
CONFIG_CRYPTO_DEV_QCE=m CONFIG_OCF_CRYPTODEV=m CONFIG_OCF_CRYPTOSOFT=m
CONFIG_OCF_CRYPTOCTEON is not set
CONFIG_ARM_CRYPTO=y CONFIG_CRYPTO_SHA1_ARM=y CONFIG_CRYPTO_SHA1_ARM_NEON=y CONFIG_CRYPTO_SHA1_ARM_CE=y CONFIG_CRYPTO_SHA2_ARM_CE=y CONFIG_CRYPTO_SHA256_ARM=y CONFIG_CRYPTO_SHA512_ARM=y CONFIG_CRYPTO_AES_ARM=y CONFIG_CRYPTO_AES_ARM_BS=y CONFIG_CRYPTO_AES_ARM_CE=y CONFIG_CRYPTO_GHASH_ARM_CE=y
Here are the `FIPS` items from `zcat /proc/config.gz`:CONFIG_CRYPTO_FIPS=y CONFIG_FIPS_ENABLE=y CONFIG_OCF_FIPS=y
Ciao Stephan
Hey Stephan,
Your insights have helped us along (especially in clarifying that automatic kcapi self tests are NOT expected when using the LRNG patch). We are currently attempting to call directly in to alg_test from the lrng_drbg init code...no joy yet.
Also, you mentioned an attached patch, but I do not see it (and I would love to see what it suggests!)
Thanks so much!
Am Samstag, 27. Juli 2024, 04:35:05 MESZ schrieb Brooking:
Hi Brooking,
Hey Stephan,
Your insights have helped us along (especially in clarifying that automatic kcapi self tests are NOT expected when using the LRNG patch). We are currently attempting to call directly in to
alg_testfrom the lrng_drbg init code...no joy yet.Also, you mentioned an attached patch, but I do not see it (and I would love to see what it suggests!)
Thanks so much!
Strange, github does not seem to allow attachments. Here is the patch:
diff --git a/lrng_drng_drbg.c b/lrng_drng_drbg.c index f5a0b36e3506..cf7d2929ffc1 100644 --- a/lrng_drng_drbg.c +++ b/lrng_drng_drbg.c @@ -157,9 +157,28 @@ const struct lrng_drng_cb lrng_drbg_cb = { .drng_generate = lrng_drbg_drng_generate_helper, };
+static int __init lrng_drbg_selftest(void) +{
-
struct crypto_rng *drbg; -
/* Allocate the DRBG once to trigger the kernel crypto API self test
*/
-
drbg = crypto_alloc_rng(lrng_drbg_types[lrng_drbg_type].drbg_core, 0, -
0); -
if (IS_ERR(drbg)) { -
pr_err("could not allocate DRBG and trigger self-test\n"); -
return -ENOMEM; -
} -
crypto_free_rng(drng);
+} + #ifndef CONFIG_LRNG_DFLT_DRNG_DRBG static int __init lrng_drbg_init(void) {
-
int ret = lrng_drbg_selftest(); -
if (ret) -
return ret; -
if (lrng_drbg_type >= ARRAY_SIZE(lrng_drbg_types)) { pr_err("lrng_drbg_type parameter too large (given %u - max:
%lu)", lrng_drbg_type, @@ -179,4 +198,15 @@ module_exit(lrng_drbg_exit); MODULE_LICENSE("Dual BSD/GPL"); MODULE_AUTHOR("Stephan Mueller @.**>"); MODULE_DESCRIPTION("Entropy Source and DRNG Manager - SP800-90A DRBG backend"); +#else + +/
-
- Note, this call may result in the use of the DRBG before the self-test is
-
- run. However, that usage is not relevant to any FIPS-140 consideration as
-
- the data is used for non-cryptographic purposes. The call below guarantees
-
- that the self-tests are run before user space is started and thus callers
-
- with needs to comply with FIPS-140 appear.
- */ +late_initcall(lrng_drbg_selftest);
#endif /* CONFIG_LRNG_DFLT_DRNG_DRBG */
Ciao Stephan
Commit 1826d5b16a71614da5412e6db0c4722ddace246e contains a tested implementation.
Hey Stephen,
Thanks so much for the actual working copy. I imitated it best I could in our code base, but I am still having trouble. Tracking it down (via copious pr_errs) I have found that while crypto_larval_add seems to be adding the alg to crypto_alg_list, but when the crypto_alloc_tfm returns it does not have an alg that can be used. (I am sorry that my initial debug spew did not print out return values - that version is building and will take a couple more hours to build).
I am nervous that we may not have prepared the ground properly to LRNG to work with our linux (configs wrong, disabling required precursors, ...). Do you have any pointer about where else we can look for such misconfiguration?
Thanks again!
Am Dienstag, 30. Juli 2024, 06:28:33 MESZ schrieb Brooking:
Hi Brooking,
Hey Stephen,
Thanks so much for the actual working copy. I imitated it best I could in our code base, but I am still having trouble. Tracking it down (via copious
pr_errs) I have found that whilecrypto_larval_addseems to be adding the alg tocrypto_alg_list, but when thecrypto_alloc_tfmreturns it does not have an alg that can be used. (I am sorry that my initial debug spew did not print out return values - that version is building and will take a couple more hours to build).
So you are saying you get -ENOENT?
I am nervous that we may not have prepared the ground properly to LRNG to work with our linux (configs wrong, disabling required precursors, ...). Do you have any pointer about where else we can look for such misconfiguration?
Before answering, what is exactly the issue you are seeing?
Thanks again!
Ciao Stephan