Re: [PATCH v5 1/1] use crc32 instead of md5 for hibernation e820 integrity check

From: Simo Sorce
Date: Thu Apr 08 2021 - 09:42:45 EST

On Thu, 2021-04-08 at 15:32 +0200, Rafael J. Wysocki wrote:
> On Thu, Apr 8, 2021 at 3:15 PM Chris von Recklinghausen
> <crecklin@xxxxxxxxxx> wrote:
> > Suspend fails on a system in fips mode because md5 is used for the e820
> > integrity check and is not available. Use crc32 instead.
> >
> > This patch changes the integrity check algorithm from md5 to
> > crc32. This integrity check is used only to verify accidental
> > corruption of the hybernation data
>
> It isn't used for that.
>
> In fact, it is used to detect differences between the memory map used
> before hibernation and the one made available by the BIOS during the
> subsequent resume. And the check is there, because it is generally
> unsafe to load the hibernation image into memory if the current memory
> map doesn't match the one used when the image was created.
>
> > and is not intended as a cryptographic integrity check.
>
> But this is true nevertheless, so I would write:
>
> "The purpose of the integrity check is to detect possible differences
> between the memory map used at the time when the hibernation image is
> about to be loaded into memory and the memory map used at the image
> creation time, because it is generally unsafe to load the image if the
> current memory map doesn't match the one used when it was created. so
> it is not intended as a cryptographic integrity check."
>
> And please make the md5 spelling consistent.

This sounds much better thanks, feel free to add my Acked-by as well if
it is useful.

Simo.

> > Md5 is overkill in this case and also disabled in FIPS mode because it
> > is known to be broken for cryptographic purposes.
> >
> > Fixes: 62a03defeabd ("PM / hibernate: Verify the consistent of e820 memory map
> > by md5 digest")
> >
> > Tested-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
> > Reviewed-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
> > Signed-off-by: Chris von Recklinghausen <crecklin@xxxxxxxxxx>
> > ---
> > v1 -> v2
> > bump up RESTORE_MAGIC
> > v2 -> v3
> > move embelishment from cover letter to commit comments (no code change)
> > v3 -> v4
> > add note to comments that md5 isn't used for encryption here.
> > v4 -> v5
> > reword comment per Simo's suggestion
> >
> > arch/x86/power/hibernate.c | 35 +++++++++++++++++++----------------
> > 1 file changed, 19 insertions(+), 16 deletions(-)
> >
> > diff --git a/arch/x86/power/hibernate.c b/arch/x86/power/hibernate.c
> > index cd3914fc9f3d..b56172553275 100644
> > --- a/arch/x86/power/hibernate.c
> > +++ b/arch/x86/power/hibernate.c
> > @@ -55,31 +55,31 @@ int pfn_is_nosave(unsigned long pfn)
> > }
> >
> >
> > -#define MD5_DIGEST_SIZE 16
> > +#define CRC32_DIGEST_SIZE 16
> >
> > struct restore_data_record {
> > unsigned long jump_address;
> > unsigned long jump_address_phys;
> > unsigned long cr3;
> > unsigned long magic;
> > - u8 e820_digest[MD5_DIGEST_SIZE];
> > + u8 e820_digest[CRC32_DIGEST_SIZE];
> > };
> >
> > -#if IS_BUILTIN(CONFIG_CRYPTO_MD5)
> > +#if IS_BUILTIN(CONFIG_CRYPTO_CRC32)
> > /**
> > - * get_e820_md5 - calculate md5 according to given e820 table
> > + * get_e820_crc32 - calculate crc32 according to given e820 table
> > *
> > * @table: the e820 table to be calculated
> > - * @buf: the md5 result to be stored to
> > + * @buf: the crc32 result to be stored to
> > */
> > -static int get_e820_md5(struct e820_table *table, void *buf)
> > +static int get_e820_crc32(struct e820_table *table, void *buf)
> > {
> > struct crypto_shash *tfm;
> > struct shash_desc *desc;
> > int size;
> > int ret = 0;
> >
> > - tfm = crypto_alloc_shash("md5", 0, 0);
> > + tfm = crypto_alloc_shash("crc32", 0, 0);
> > if (IS_ERR(tfm))
> > return -ENOMEM;
> >
> > @@ -107,24 +107,24 @@ static int get_e820_md5(struct e820_table *table, void *buf)
> >
> > static int hibernation_e820_save(void *buf)
> > {
> > - return get_e820_md5(e820_table_firmware, buf);
> > + return get_e820_crc32(e820_table_firmware, buf);
> > }
> >
> > static bool hibernation_e820_mismatch(void *buf)
> > {
> > int ret;
> > - u8 result[MD5_DIGEST_SIZE];
> > + u8 result[CRC32_DIGEST_SIZE];
> >
> > - memset(result, 0, MD5_DIGEST_SIZE);
> > + memset(result, 0, CRC32_DIGEST_SIZE);
> > /* If there is no digest in suspend kernel, let it go. */
> > - if (!memcmp(result, buf, MD5_DIGEST_SIZE))
> > + if (!memcmp(result, buf, CRC32_DIGEST_SIZE))
> > return false;
> >
> > - ret = get_e820_md5(e820_table_firmware, result);
> > + ret = get_e820_crc32(e820_table_firmware, result);
> > if (ret)
> > return true;
> >
> > - return memcmp(result, buf, MD5_DIGEST_SIZE) ? true : false;
> > + return memcmp(result, buf, CRC32_DIGEST_SIZE) ? true : false;
> > }
> > #else
> > static int hibernation_e820_save(void *buf)
> > @@ -134,15 +134,15 @@ static int hibernation_e820_save(void *buf)
> >
> > static bool hibernation_e820_mismatch(void *buf)
> > {
> > - /* If md5 is not builtin for restore kernel, let it go. */
> > + /* If crc32 is not builtin for restore kernel, let it go. */
> > return false;
> > }
> > #endif
> >
> > #ifdef CONFIG_X86_64
> > -#define RESTORE_MAGIC 0x23456789ABCDEF01UL
> > +#define RESTORE_MAGIC 0x23456789ABCDEF02UL
> > #else
> > -#define RESTORE_MAGIC 0x12345678UL
> > +#define RESTORE_MAGIC 0x12345679UL
> > #endif
> >
> > /**
> > @@ -160,6 +160,9 @@ int arch_hibernation_header_save(void *addr, unsigned int max_size)
> > rdr->jump_address = (unsigned long)restore_registers;
> > rdr->jump_address_phys = __pa_symbol(restore_registers);
> >
> > + /* crc32 digest size is 4 but digest buffer size is 16 so zero it all */
> > + memset(rdr->e820_digest, 0, CRC32_DIGEST_SIZE);
> > +
> > /*
> > * The restore code fixes up CR3 and CR4 in the following sequence:
> > *
> > --
> > 2.18.1
> >

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc