On Thu, Apr 01, 2021 at 06:19:57PM +0200, Rafael J. Wysocki wrote: > On Thu, Apr 1, 2021 at 3:59 PM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > > > On Thu, 1 Apr 2021 at 15:34, Rafael J. Wysocki <rafael@xxxxxxxxxx> wrote: > > > > > > On Thu, Apr 1, 2021 at 2:25 PM Chris von Recklinghausen > > > <crecklin@xxxxxxxxxx> wrote: > > > > > > > > Suspend fails on a system in fips mode because md5 is used for the e820 > > > > integrity check and is not available. Use crc32 instead. > > > > > > > > Fixes: 62a03defeabd ("PM / hibernate: Verify the consistent of e820 memory map > > > > by md5 digest") > > > > Signed-off-by: Chris von Recklinghausen <crecklin@xxxxxxxxxx> > > > > --- > > > > arch/x86/power/hibernate.c | 31 +++++++++++++++++-------------- > > > > 1 file changed, 17 insertions(+), 14 deletions(-) > > > > > > > > diff --git a/arch/x86/power/hibernate.c b/arch/x86/power/hibernate.c > > > > index cd3914fc9f3d..6a3f4e32e49c 100644 > > > > --- a/arch/x86/power/hibernate.c > > > > +++ b/arch/x86/power/hibernate.c > > > > @@ -55,31 +55,31 @@ int pfn_is_nosave(unsigned long pfn) > > > > } > > > > > > > > > > > > -#define MD5_DIGEST_SIZE 16 > > > > +#define CRC32_DIGEST_SIZE 16 > > > > > > > > struct restore_data_record { > > > > unsigned long jump_address; > > > > unsigned long jump_address_phys; > > > > unsigned long cr3; > > > > unsigned long magic; > > > > - u8 e820_digest[MD5_DIGEST_SIZE]; > > > > + u8 e820_digest[CRC32_DIGEST_SIZE]; > > > > }; > > > > > > No. > > > > > > CRC32 was used here before and it was deemed insufficient. > > > > > > > Why? The git commit log does not have an explanation of this. > > IIRC there was an example of a memory map that would produce the same > CRC32 value as the original or something like that. Collisions can easily be found for MD5 as well, as it is heavily broken. Either you need a cryptographic hash function, *or* a (non-cryptographic) checksum would be sufficient. There isn't really any in-between. And if a checksum suffices, MD5 is a bad choice because it was designed as a cryptographic hash function, so it is much slower than a checksum. > > But that said this code is all about failing more gracefully, so I > guess it isn't a big deal if the failure is more graceful in fewer > cases ... If the 1 in 2^32 chance of a CRC-32 collision is too high, then use CRC-64 or xxHash64 for a 1 in 2^64 chance of a collision. - Eric