Commit 3cde3174 authored by David Howells

certs: Add FIPS selftests

Add some selftests for signature checking when FIPS mode is enabled.  These
need to be done before we start actually using the signature checking for
things and must panic the kernel upon failure.

Note that the tests must not check the blacklist lest this provide a way to
prevent a kernel from booting by installing a hash of a test key in the
appropriate UEFI table.
Reported-by: Simo Sorce <simo@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
Link: https://lore.kernel.org/r/165515742832.1554877.2073456606206090838.stgit@warthog.procyon.org.uk/
parent 60050ffe
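--- a/[path not on page]
+++ b/[path not on page]
@@ -75,4 +75,14 @@ config SIGNED_PE_FILE_VERIFICATION
 	  This option provides support for verifying the signature(s) on a
 	  signed PE binary.
+config FIPS_SIGNATURE_SELFTEST
+	bool "Run FIPS selftests on the X.509+PKCS7 signature verification"
+	help
+	  This option causes some selftests to be run on the signature
+	  verification code, using some built in data. This is required
+	  for FIPS.
+	depends on KEYS
+	depends on ASYMMETRIC_KEY_TYPE
+	depends on PKCS7_MESSAGE_PARSER
 endif # ASYMMETRIC_KEY_TYPE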
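Review bot: FIPS_SIGNATURE_SELFTEST declares dependencies on KEYS, ASYMMETRIC_KEY_TYPE and PKCS7_MESSAGE_PARSER only, yet selftest.o is linked into x509_key_parser (see the Makefile hunk), so the option presumably also needs `depends on X509_CERTIFICATE_PARSER`, and the built-in signature it checks relies on specific hash and public-key algorithm options that should be depended on or selected here as well (selftest.c is collapsed on this page, so the exact algorithms are not visible). Because a failing selftest panics the kernel, a configuration that enables this option while the needed algorithm is modular or absent would fail at boot rather than at build time. As a point of style, Kconfig entries in this file put `depends on` lines before `help`; moving the three `depends on` lines above `help` would match the neighbouring entries.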
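--- a/[path not on page]
+++ b/[path not on page]
@@ -22,6 +22,7 @@ x509_key_parser-y := \
 	x509_cert_parser.o \
 	x509_loader.o \
 	x509_public_key.o
+x509_key_parser-$(CONFIG_FIPS_SIGNATURE_SELFTEST) += selftest.o
 $(obj)/x509_cert_parser.o: \
 	$(obj)/x509.asn1.h \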
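--- a/[path not on page]
+++ b/[path not on page]
@@ -40,6 +40,15 @@ struct x509_certificate {
 	bool		blacklisted;
 };
+/*
+ * selftest.c
+ */
+#ifdef CONFIG_FIPS_SIGNATURE_SELFTEST
+extern int __init fips_signature_selftest(void);
+#else
+static inline int fips_signature_selftest(void) { return 0; }
+#endif
 /*
  * x509_cert_parser.c
  */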
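Review bot: The new fips_signature_selftest() declaration carries no comment on its contract, while the commit message says a failing selftest must panic, so a reader of this header cannot tell whether a non-zero return is ever possible or what the caller is expected to do with it. I would replace the bare `selftest.c` banner with a comment along the lines of `/* Run the built-in X.509/PKCS#7 signature self-checks at init: returns 0 on success, a negative errno otherwise; compiles to a no-op returning 0 when CONFIG_FIPS_SIGNATURE_SELFTEST is off. */`. Whether the failure path returns or panics lives in selftest.c, which is collapsed on this page, so the wording should be confirmed against it.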
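--- a/[path not on page]
+++ b/[path not on page]
@@ -244,9 +244,15 @@ static struct asymmetric_key_parser x509_key_parser = {
 /*
  * Module stuff
  */
+extern int __init certs_selftest(void);
 static int __init x509_key_init(void)
 {
-	return register_asymmetric_key_parser(&x509_key_parser);
+	int ret;
+	ret = register_asymmetric_key_parser(&x509_key_parser);
+	if (ret < 0)
+		return ret;
+	return fips_signature_selftest();
 }
 static void __exit x509_key_exit(void)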
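Review bot: The added `extern int __init certs_selftest(void);` is not referenced anywhere in this hunk — x509_key_init() calls fips_signature_selftest(), which the header hunk declares — so unless a caller exists further down the file it looks like a leftover from an earlier name and should be dropped. Separately, if fips_signature_selftest() can return a negative value without panicking, x509_key_init() propagates that error with the parser still registered; the tail could become `ret = fips_signature_selftest(); if (ret < 0) unregister_asymmetric_key_parser(&x509_key_parser); return ret;` so a failed init leaves no registration behind. x509_key_exit() starts on the last line of the hunk and its body is outside it.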