Re: Fix hibernation in FIPS mode?

From: Chris von Recklinghausen
Date: Tue Mar 30 2021 - 10:52:50 EST

Next message: Greg KH: "Re: [PATCH v1 1/4] docs: make reporting-issues.rst official and delete reporting-bugs.rst"
Previous message: Sahil Malhotra: "[PATCH] arm64: dts: ls1028a-rdb: enable optee node"
In reply to: Rafael J. Wysocki: "Re: Fix hibernation in FIPS mode?"
Next in thread: Simo Sorce: "Re: Fix hibernation in FIPS mode?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/30/21 10:46 AM, Rafael J. Wysocki wrote:

On Tue, Mar 30, 2021 at 12:14 AM Dexuan Cui <decui@xxxxxxxxxxxxx> wrote:

Hi,
MD5 was marked incompliant with FIPS in 2009:
a3bef3a31a19 ("crypto: testmgr - Skip algs not flagged fips_allowed in fips mode")
a1915d51e8e7 ("crypto: testmgr - Mark algs allowed in fips mode")

But hibernation_e820_save() is still using MD5, and fails in FIPS mode
due to the 2018 patch:
749fa17093ff ("PM / hibernate: Check the success of generating md5 digest before hibernation")

As a result, hibernation doesn't work when FIPS is on.

Do you think if hibernation_e820_save() should be changed to use a
FIPS-compliant algorithm like SHA-1?

I would say yes, it should.

If we're not actually encrypting anything, shouldn't something like ghash work as well?

PS, currently it looks like FIPS mode is broken in the mainline:
https://www.mail-archive.com/linux-crypto@xxxxxxxxxxxxxxx/msg49414.html

Next message: Greg KH: "Re: [PATCH v1 1/4] docs: make reporting-issues.rst official and delete reporting-bugs.rst"
Previous message: Sahil Malhotra: "[PATCH] arm64: dts: ls1028a-rdb: enable optee node"
In reply to: Rafael J. Wysocki: "Re: Fix hibernation in FIPS mode?"
Next in thread: Simo Sorce: "Re: Fix hibernation in FIPS mode?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]