On Tue, Apr 30, 2024 at 09:52:44PM -0500, Joachim Vandersmissen wrote: > > I'm currently leaning towards adding FIPS_SIGNATURE_SELFTEST_RSA (and > similarly FIPS_SIGNATURE_SELFTEST_ECDSA) as user-facing configuration > options that depend on CRYPTO_RSA (and CRYPTO_ECDSA) and > FIPS_SIGNATURE_SELFTEST. Then, it is up to the user to select the correct > self-tests they need. It would still allow the user to create the same > configuration "error" where FIPS_SIGNATURE_SELFTEST=y and > FIPS_SIGNATURE_SELFTEST_RSA=m, but I think that users which care about > FIPS_SIGNATURE_SELFTEST are doing it in the first place for FIPS compliance > reasons. In that case, a FIPS laboratory should review the configuration to > verify that the correct self-tests are executed at the correct time. If the combo results in a crash then I think we have to fix it. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
