Re: [PATCH 2/2] certs: Guard RSA signature verification self-test

Hi Herbert,

On 4/16/24 3:59 AM, Herbert Xu wrote:
> On Mon, Apr 15, 2024 at 10:23:47PM -0500, Joachim Vandersmissen wrote:
>> Currently it is possible to configure the kernel (albeit in a very
>> contrived manner) such that CRYPTO_RSA is not set, yet
>> FIPS_SIGNATURE_SELFTEST is set. This would cause a false kernel panic
>> when executing the RSA PKCS#7 self-test. Guard against this by
>> introducing a compile-time check.
>>
>> Signed-off-by: Joachim Vandersmissen <git@xxxxxxxxx>
>
> The usual way to handle this is to add a select to the Kconfig file.

I did consider that initially, but I was unsure if this was the right path. From a conceptual standpoint, this module doesn't need the RSA (or ECDSA) functionality. If the algorithm is not present, it would be perfectly valid for the module to do nothing. However, I'm not opposed to removing the current check and adding the select to the Kconfig.

If I add a `select CRYPTO_RSA` to FIPS_SIGNATURE_SELFTEST, do you think I should do something similar for ECDSA as well (considering the other patch in this series)?


Thanks,



