From: Eric Biggers <ebiggers@google.com>
The negative-sense of CRYPTO_MANAGER_DISABLE_TESTS is a longstanding
mistake that regularly causes confusion. Especially bad is that you can
have CRYPTO=n && CRYPTO_MANAGER_DISABLE_TESTS=n, which is ambiguous.
Replace CRYPTO_MANAGER_DISABLE_TESTS with CRYPTO_SELFTESTS which has the
expected behavior.
The tests continue to be disabled by default.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
arch/arm/configs/milbeaut_m10v_defconfig | 2 +-
arch/loongarch/configs/loongson3_defconfig | 2 +-
arch/s390/configs/debug_defconfig | 2 +-
arch/s390/configs/defconfig | 2 +-
crypto/Kconfig | 24 ++++++++++++++--------
crypto/algapi.c | 4 ++--
crypto/algboss.c | 2 +-
crypto/api.c | 3 +--
crypto/hkdf.c | 2 +-
crypto/internal.h | 5 ++---
crypto/kdf_sp800108.c | 2 +-
crypto/testmgr.c | 12 +++++------
lib/crypto/Makefile | 9 +++-----
lib/crypto/aescfb.c | 2 +-
lib/crypto/aesgcm.c | 2 +-
lib/crypto/blake2s.c | 2 +-
lib/crypto/chacha20poly1305.c | 2 +-
lib/crypto/curve25519.c | 2 +-
18 files changed, 41 insertions(+), 40 deletions(-)
diff --git a/arch/arm/configs/milbeaut_m10v_defconfig b/arch/arm/configs/milbeaut_m10v_defconfig
index 4ec21f477c63..9dd47e1d90bb 100644
--- a/arch/arm/configs/milbeaut_m10v_defconfig
+++ b/arch/arm/configs/milbeaut_m10v_defconfig
@@ -92,11 +92,11 @@ CONFIG_CONFIGFS_FS=y
CONFIG_NLS_CODEPAGE_437=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_UTF8=y
CONFIG_KEYS=y
CONFIG_CRYPTO_MANAGER=y
-# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
+CONFIG_CRYPTO_SELFTESTS=y
# CONFIG_CRYPTO_ECHAINIV is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SEQIV=m
CONFIG_CRYPTO_GHASH_ARM_CE=m
CONFIG_CRYPTO_SHA1_ARM_NEON=m
diff --git a/arch/loongarch/configs/loongson3_defconfig b/arch/loongarch/configs/loongson3_defconfig
index 90f21dfe22b1..0d59af6007b7 100644
--- a/arch/loongarch/configs/loongson3_defconfig
+++ b/arch/loongarch/configs/loongson3_defconfig
@@ -1024,11 +1024,11 @@ CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_YAMA=y
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_CRYPTO_USER=m
-# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
+CONFIG_CRYPTO_SELFTESTS=y
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_CRYPTD=m
CONFIG_CRYPTO_ANUBIS=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_CAST5=m
diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_defconfig
index e6f7c8f4ee8b..bc960b1eabae 100644
--- a/arch/s390/configs/debug_defconfig
+++ b/arch/s390/configs/debug_defconfig
@@ -741,11 +741,11 @@ CONFIG_IMA=y
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_CRYPTO_USER=m
-# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
+CONFIG_CRYPTO_SELFTESTS=y
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_CRYPTD=m
CONFIG_CRYPTO_BENCHMARK=m
CONFIG_CRYPTO_DH=m
CONFIG_CRYPTO_ECDH=m
diff --git a/arch/s390/configs/defconfig b/arch/s390/configs/defconfig
index 7495bf8e483c..fda2f264e7d3 100644
--- a/arch/s390/configs/defconfig
+++ b/arch/s390/configs/defconfig
@@ -727,11 +727,11 @@ CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_USER=m
-# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
+CONFIG_CRYPTO_SELFTESTS=y
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_CRYPTD=m
CONFIG_CRYPTO_BENCHMARK=m
CONFIG_CRYPTO_DH=m
CONFIG_CRYPTO_ECDH=m
diff --git a/crypto/Kconfig b/crypto/Kconfig
index da352f1984ea..8f1353bbba18 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -23,11 +23,11 @@ if CRYPTO
menu "Crypto core or helper"
config CRYPTO_FIPS
bool "FIPS 200 compliance"
- depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
+ depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && CRYPTO_SELFTESTS
depends on (MODULE_SIG || !MODULES)
help
This option enables the fips boot option which is
required if you want the system to operate in a FIPS 200
certification. You should say no unless you know what
@@ -141,12 +141,12 @@ config CRYPTO_ACOMP
select CRYPTO_ALGAPI
select CRYPTO_ACOMP2
config CRYPTO_HKDF
tristate
- select CRYPTO_SHA256 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
- select CRYPTO_SHA512 if !CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
+ select CRYPTO_SHA256 if CRYPTO_SELFTESTS
+ select CRYPTO_SHA512 if CRYPTO_SELFTESTS
select CRYPTO_HASH2
config CRYPTO_MANAGER
tristate "Cryptographic algorithm manager"
select CRYPTO_MANAGER2
@@ -171,20 +171,26 @@ config CRYPTO_USER
select CRYPTO_MANAGER
help
Userspace configuration for cryptographic instantiations such as
cbc(aes).
-config CRYPTO_MANAGER_DISABLE_TESTS
- bool "Disable run-time self tests"
- default y
+config CRYPTO_SELFTESTS
+ bool "Enable cryptographic self-tests"
+ depends on DEBUG_KERNEL
help
- Disable run-time self tests that normally take place at
- algorithm registration.
+ Enable the cryptographic self-tests.
+
+ The cryptographic self-tests run at boot time, or at algorithm
+ registration time if algorithms are dynamically loaded later.
+
+ This is primarily intended for developer use. It should not be
+ enabled in production kernels, unless you are trying to use these
+ tests to fulfill a FIPS testing requirement.
config CRYPTO_MANAGER_EXTRA_TESTS
bool "Enable extra run-time crypto self tests"
- depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
+ depends on DEBUG_KERNEL && CRYPTO_SELFTESTS && CRYPTO_MANAGER
help
Enable extra run-time self tests of registered crypto algorithms,
including randomized fuzz tests.
This is intended for developer use only, as these tests take much
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 532d3efc3c7d..9030a30c89e8 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -273,11 +273,11 @@ static void crypto_alg_finish_registration(struct crypto_alg *alg,
static struct crypto_larval *crypto_alloc_test_larval(struct crypto_alg *alg)
{
struct crypto_larval *larval;
if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER) ||
- IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) ||
+ !IS_ENABLED(CONFIG_CRYPTO_SELFTESTS) ||
(alg->cra_flags & CRYPTO_ALG_INTERNAL))
return NULL; /* No self-test needed */
larval = crypto_larval_alloc(alg->cra_name,
alg->cra_flags | CRYPTO_ALG_TESTED, 0);
@@ -1057,11 +1057,11 @@ EXPORT_SYMBOL_GPL(crypto_type_has_alg);
static void __init crypto_start_tests(void)
{
if (!IS_BUILTIN(CONFIG_CRYPTO_ALGAPI))
return;
- if (IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS))
+ if (!IS_ENABLED(CONFIG_CRYPTO_SELFTESTS))
return;
set_crypto_boot_test_finished();
for (;;) {
diff --git a/crypto/algboss.c b/crypto/algboss.c
index ef5c73780fc7..846f586889ee 100644
--- a/crypto/algboss.c
+++ b/crypto/algboss.c
@@ -187,11 +187,11 @@ static int cryptomgr_test(void *data)
static int cryptomgr_schedule_test(struct crypto_alg *alg)
{
struct task_struct *thread;
struct crypto_test_param *param;
- if (IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS))
+ if (!IS_ENABLED(CONFIG_CRYPTO_SELFTESTS))
return NOTIFY_DONE;
if (!try_module_get(THIS_MODULE))
goto err;
diff --git a/crypto/api.c b/crypto/api.c
index 5cd5ec105bb1..133d9b626922 100644
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -29,12 +29,11 @@ DECLARE_RWSEM(crypto_alg_sem);
EXPORT_SYMBOL_GPL(crypto_alg_sem);
BLOCKING_NOTIFIER_HEAD(crypto_chain);
EXPORT_SYMBOL_GPL(crypto_chain);
-#if IS_BUILTIN(CONFIG_CRYPTO_ALGAPI) && \
- !IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
+#if IS_BUILTIN(CONFIG_CRYPTO_ALGAPI) && IS_ENABLED(CONFIG_CRYPTO_SELFTESTS)
DEFINE_STATIC_KEY_FALSE(__crypto_boot_test_finished);
#endif
static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg,
u32 type, u32 mask);
diff --git a/crypto/hkdf.c b/crypto/hkdf.c
index 2434c5c42545..f24c2a8d4df9 100644
--- a/crypto/hkdf.c
+++ b/crypto/hkdf.c
@@ -541,11 +541,11 @@ static int hkdf_test(const char *shash, const struct hkdf_testvec *tv)
static int __init crypto_hkdf_module_init(void)
{
int ret = 0, i;
- if (IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS))
+ if (!IS_ENABLED(CONFIG_CRYPTO_SELFTESTS))
return 0;
for (i = 0; i < ARRAY_SIZE(hkdf_sha256_tv); i++) {
ret = hkdf_test("hmac(sha256)", &hkdf_sha256_tv[i]);
if (ret)
diff --git a/crypto/internal.h b/crypto/internal.h
index 2ed79bf208ca..b9afd68767c1 100644
--- a/crypto/internal.h
+++ b/crypto/internal.h
@@ -65,12 +65,11 @@ extern struct list_head crypto_alg_list;
extern struct rw_semaphore crypto_alg_sem;
extern struct blocking_notifier_head crypto_chain;
int alg_test(const char *driver, const char *alg, u32 type, u32 mask);
-#if !IS_BUILTIN(CONFIG_CRYPTO_ALGAPI) || \
- IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
+#if !IS_BUILTIN(CONFIG_CRYPTO_ALGAPI) || !IS_ENABLED(CONFIG_CRYPTO_SELFTESTS)
static inline bool crypto_boot_test_finished(void)
{
return true;
}
static inline void set_crypto_boot_test_finished(void)
@@ -85,11 +84,11 @@ static inline bool crypto_boot_test_finished(void)
static inline void set_crypto_boot_test_finished(void)
{
static_branch_enable(&__crypto_boot_test_finished);
}
#endif /* !IS_BUILTIN(CONFIG_CRYPTO_ALGAPI) ||
- * IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
+ * !IS_ENABLED(CONFIG_CRYPTO_SELFTESTS)
*/
#ifdef CONFIG_PROC_FS
void __init crypto_init_proc(void);
void __exit crypto_exit_proc(void);
diff --git a/crypto/kdf_sp800108.c b/crypto/kdf_sp800108.c
index c3f9938e1ad2..b7a6bf9da773 100644
--- a/crypto/kdf_sp800108.c
+++ b/crypto/kdf_sp800108.c
@@ -125,11 +125,11 @@ static const struct kdf_testvec kdf_ctr_hmac_sha256_tv_template[] = {
static int __init crypto_kdf108_init(void)
{
int ret;
- if (IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS))
+ if (!IS_ENABLED(CONFIG_CRYPTO_SELFTESTS))
return 0;
ret = kdf_test(&kdf_ctr_hmac_sha256_tv_template[0], "hmac(sha256)",
crypto_kdf108_setkey, crypto_kdf108_ctr_generate);
if (ret) {
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 1c71616ae2cf..3a624c9b5525 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -53,11 +53,11 @@ MODULE_PARM_DESC(noextratests, "disable expensive crypto self-tests");
static unsigned int fuzz_iterations = 100;
module_param(fuzz_iterations, uint, 0644);
MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations");
#endif
-#ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
+#ifndef CONFIG_CRYPTO_SELFTESTS
/* a perfect nop */
int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
{
return 0;
@@ -319,14 +319,14 @@ struct testvec_config {
#define TESTVEC_CONFIG_NAMELEN 192
/*
* The following are the lists of testvec_configs to test for each algorithm
- * type when the basic crypto self-tests are enabled, i.e. when
- * CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is unset. They aim to provide good test
- * coverage, while keeping the test time much shorter than the full fuzz tests
- * so that the basic tests can be enabled in a wider range of circumstances.
+ * type when the basic crypto self-tests are enabled. They aim to provide good
+ * test coverage, while keeping the test time much shorter than the full fuzz
+ * tests so that the basic tests can be enabled in a wider range of
+ * circumstances.
*/
/* Configs for skciphers and aeads */
static const struct testvec_config default_cipher_testvec_configs[] = {
{
@@ -5897,8 +5897,8 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
return 0;
non_fips_alg:
return alg_fips_disabled(driver, alg);
}
-#endif /* CONFIG_CRYPTO_MANAGER_DISABLE_TESTS */
+#endif /* CONFIG_CRYPTO_SELFTESTS */
EXPORT_SYMBOL_GPL(alg_test);
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 71d3d05d666a..842fcef16e4d 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -23,21 +23,24 @@ obj-$(CONFIG_CRYPTO_LIB_GF128MUL) += gf128mul.o
# blake2s is used by the /dev/random driver which is always builtin
obj-y += libblake2s.o
libblake2s-y := blake2s.o
libblake2s-$(CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC) += blake2s-generic.o
+libblake2s-$(CONFIG_CRYPTO_SELFTESTS) += blake2s-selftest.o
obj-$(CONFIG_CRYPTO_LIB_CHACHA20POLY1305) += libchacha20poly1305.o
libchacha20poly1305-y += chacha20poly1305.o
+libchacha20poly1305-$(CONFIG_CRYPTO_SELFTESTS) += chacha20poly1305-selftest.o
obj-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += libcurve25519-generic.o
libcurve25519-generic-y := curve25519-fiat32.o
libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o
libcurve25519-generic-y += curve25519-generic.o
obj-$(CONFIG_CRYPTO_LIB_CURVE25519) += libcurve25519.o
libcurve25519-y += curve25519.o
+libcurve25519-$(CONFIG_CRYPTO_SELFTESTS) += curve25519-selftest.o
obj-$(CONFIG_CRYPTO_LIB_DES) += libdes.o
libdes-y := des.o
obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += libpoly1305.o
@@ -52,16 +55,10 @@ obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o
libsha256-y := sha256.o
obj-$(CONFIG_CRYPTO_LIB_SHA256_GENERIC) += libsha256-generic.o
libsha256-generic-y := sha256-generic.o
-ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)
-libblake2s-y += blake2s-selftest.o
-libchacha20poly1305-y += chacha20poly1305-selftest.o
-libcurve25519-y += curve25519-selftest.o
-endif
-
obj-$(CONFIG_MPILIB) += mpi/
obj-$(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) += simd.o
obj-$(CONFIG_CRYPTO_LIB_SM3) += libsm3.o
diff --git a/lib/crypto/aescfb.c b/lib/crypto/aescfb.c
index 749dc1258a44..437613265e14 100644
--- a/lib/crypto/aescfb.c
+++ b/lib/crypto/aescfb.c
@@ -97,11 +97,11 @@ EXPORT_SYMBOL(aescfb_decrypt);
MODULE_DESCRIPTION("Generic AES-CFB library");
MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
MODULE_LICENSE("GPL");
-#ifndef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
+#ifdef CONFIG_CRYPTO_SELFTESTS
/*
* Test code below. Vectors taken from crypto/testmgr.h
*/
diff --git a/lib/crypto/aesgcm.c b/lib/crypto/aesgcm.c
index 902e49410aaf..277824d6b4af 100644
--- a/lib/crypto/aesgcm.c
+++ b/lib/crypto/aesgcm.c
@@ -197,11 +197,11 @@ EXPORT_SYMBOL(aesgcm_decrypt);
MODULE_DESCRIPTION("Generic AES-GCM library");
MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
MODULE_LICENSE("GPL");
-#ifndef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
+#ifdef CONFIG_CRYPTO_SELFTESTS
/*
* Test code below. Vectors taken from crypto/testmgr.h
*/
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 71a316552cc5..b0f9a678300b 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -58,11 +58,11 @@ void blake2s_final(struct blake2s_state *state, u8 *out)
}
EXPORT_SYMBOL(blake2s_final);
static int __init blake2s_mod_init(void)
{
- if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
+ if (IS_ENABLED(CONFIG_CRYPTO_SELFTESTS) &&
WARN_ON(!blake2s_selftest()))
return -ENODEV;
return 0;
}
diff --git a/lib/crypto/chacha20poly1305.c b/lib/crypto/chacha20poly1305.c
index 9cfa886f1f89..57a84fee179e 100644
--- a/lib/crypto/chacha20poly1305.c
+++ b/lib/crypto/chacha20poly1305.c
@@ -353,11 +353,11 @@ bool chacha20poly1305_decrypt_sg_inplace(struct scatterlist *src, size_t src_len
}
EXPORT_SYMBOL(chacha20poly1305_decrypt_sg_inplace);
static int __init chacha20poly1305_init(void)
{
- if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
+ if (IS_ENABLED(CONFIG_CRYPTO_SELFTESTS) &&
WARN_ON(!chacha20poly1305_selftest()))
return -ENODEV;
return 0;
}
diff --git a/lib/crypto/curve25519.c b/lib/crypto/curve25519.c
index 064b352c6907..6850b76a80c9 100644
--- a/lib/crypto/curve25519.c
+++ b/lib/crypto/curve25519.c
@@ -13,11 +13,11 @@
#include <linux/module.h>
#include <linux/init.h>
static int __init curve25519_init(void)
{
- if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
+ if (IS_ENABLED(CONFIG_CRYPTO_SELFTESTS) &&
WARN_ON(!curve25519_selftest()))
return -ENODEV;
return 0;
}
--
2.49.0Hi Eric,
On Mon May 5, 2025 at 10:33 PM CEST, Eric Biggers wrote:
> The negative-sense of CRYPTO_MANAGER_DISABLE_TESTS is a longstanding
> mistake that regularly causes confusion. Especially bad is that you can
> have CRYPTO=n && CRYPTO_MANAGER_DISABLE_TESTS=n, which is ambiguous.
>
> Replace CRYPTO_MANAGER_DISABLE_TESTS with CRYPTO_SELFTESTS which has the
> expected behavior.
>
> The tests continue to be disabled by default.
> ---
> <snip>
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index da352f1984ea..8f1353bbba18 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> <snip>
> @@ -171,20 +171,26 @@ config CRYPTO_USER
> select CRYPTO_MANAGER
> help
> Userspace configuration for cryptographic instantiations such as
> cbc(aes).
>
> -config CRYPTO_MANAGER_DISABLE_TESTS
> - bool "Disable run-time self tests"
> - default y
> +config CRYPTO_SELFTESTS
> + bool "Enable cryptographic self-tests"
> + depends on DEBUG_KERNEL
> help
> - Disable run-time self tests that normally take place at
> - algorithm registration.
> + Enable the cryptographic self-tests.
> +
> + The cryptographic self-tests run at boot time, or at algorithm
> + registration time if algorithms are dynamically loaded later.
> +
> + This is primarily intended for developer use. It should not be
> + enabled in production kernels, unless you are trying to use these
> + tests to fulfill a FIPS testing requirement.
I built a 6.16-rc1 kernel [1] and its config is based upon Debian's and
that has enabled CRYPTO_SELFTESTS [2] (due to Debian bug 599441 [3]).
I then installed it on 3 Rockchip based devices and booted into that.
1. Radxa Rock 5B (rk3588)
2. PINE64 Quartz64 Model B (rk3568)
3. PINE64 RockPro64 (rk3399)
The full dmesg output for level 0-4 can be found at [4], [5] and [6]
The filtered dmesg output for Rock 5B:
ERROR:
[ 0.709822] basic hdkf test(hmac(sha256)): failed to allocate transform: -2
WARNING:
[ 0.710686] alg: full crypto tests enabled. This is intended for developer use only.
[ 8.877288] alg: skcipher: skipping comparison tests for xctr-aes-ce because xctr(aes-generic) is unavailable
The filtered dmesg output for Quartz64-B:
ERROR:
[ 1.479206] basic hdkf test(hmac(sha256)): failed to allocate transform: -2
WARNING:
[ 1.480685] alg: full crypto tests enabled. This is intended for developer use only.
[ 18.176195] alg: skcipher: skipping comparison tests for xctr-aes-ce because xctr(aes-generic) is unavailable
For both of these, 1 warning is to be expected (developer use only).
But I do wonder about the error and the other warning. Is that a
problem? And if so, is that on the crypto or the Rockchip side?
But the filtered dmesg output on RockPro64 seems way more serious:
ERROR:
[ 1.232672] basic hdkf test(hmac(sha256)): failed to allocate transform: -2
[ 14.172991] alg: ahash: rk-sha1 export() overran state buffer on test vector 0, cfg="import/export"
[ 14.202291] alg: ahash: rk-sha256 export() overran state buffer on test vector 0, cfg="import/export"
[ 14.230887] alg: ahash: rk-md5 export() overran state buffer on test vector 0, cfg="import/export"
WARNING:
[ 1.234017] alg: full crypto tests enabled. This is intended for developer use only.
[ 14.173876] alg: self-tests for sha1 using rk-sha1 failed (rc=-75)
[ 14.173883] ------------[ cut here ]------------
[ 14.174845] alg: self-tests for sha1 using rk-sha1 failed (rc=-75)
[ 14.174886] WARNING: CPU: 4 PID: 669 at crypto/testmgr.c:5807 alg_test+0x6ec/0x708
[ 14.176112] Modules linked in: snd_soc_simple_card_utils snd_soc_spdif_tx snd_soc_rockchip_i2s des_generic gpio_ir_recv snd_soc_core v4l2_h264(+) rockchip_rga videobuf2_dma_contig ecdh_generic videobuf2_dma_sg leds_gpio v4l2_mem2mem panfrost rfkill pwm_fan snd_compress dw_hdmi_i2s_audio pwrseq_core gpu_sched rk_crypto(+) snd_pcm_dmaengine videobuf2_memops drm_shmem_helper dw_hdmi_cec videobuf2_v4l2 crypto_engine libdes snd_pcm videodev snd_timer ofpart snd coresight_cpu_debug soundcore videobuf2_common spi_nor rockchip_saradc mc mtd industrialio_triggered_buffer coresight_etm4x rockchip_thermal kfifo_buf industrialio coresight cpufreq_dt evdev binfmt_misc pkcs8_key_parser efi_pstore configfs nfnetlink ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 realtek phy_rockchip_samsung_hdptx phy_rockchip_naneng_combphy panel_boe_th101mb31ig002_28a xhci_plat_hcd xhci_hcd rockchipdrm dw_hdmi_qp dw_hdmi dwc3 cec rc_core dw_mipi_dsi udc_core rk808_regulator dwmac_rk stmmac_platform ulpi analogix_dp stmmac fusb302 tcpm
[ 14.176292] drm_dp_aux_bus pcs_xpcs fan53555 typec drm_display_helper phylink mdio_devres drm_client_lib dwc3_of_simple pwm_regulator gpio_rockchip gpio_keys fixed phy_rockchip_pcie of_mdio ehci_platform sdhci_of_arasan ohci_platform drm_dma_helper fixed_phy phy_rockchip_inno_usb2 ohci_hcd sdhci_pltfm ehci_hcd fwnode_mdio dw_wdt drm_kms_helper phy_rockchip_emmc rockchip_dfi io_domain pwm_rockchip libphy phy_rockchip_typec sdhci nvmem_rockchip_efuse usbcore pl330 dw_mmc_rockchip drm spi_rockchip dw_mmc_pltfm mdio_bus cqhci dw_mmc usb_common i2c_rk3x
[ 14.188362] CPU: 4 UID: 0 PID: 669 Comm: cryptomgr_test Not tainted 6.16-rc1+unreleased-arm64-cknow #1 PREEMPTLAZY Debian 6.16~rc1-1~exp1
[ 14.189451] Hardware name: Pine64 RockPro64 v2.1 (DT)
[ 14.189897] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 14.190510] pc : alg_test+0x6ec/0x708
[ 14.190844] lr : alg_test+0x6ec/0x708
[ 14.191170] sp : ffff800081df3d30
[ 14.191463] x29: ffff800081df3dd0 x28: 00000000000000bd x27: 00000000ffffffb5
[ 14.192094] x26: 00000000000000bf x25: ffffd9bef0455000 x24: 0000000000000178
[ 14.192725] x23: 00000000ffffffff x22: ffff000008799880 x21: 000000000800018f
[ 14.193355] x20: ffff000008799800 x19: ffffd9beef0558b8 x18: 0000000000000018
[ 14.193985] x17: 0000000000006fd8 x16: ffffd9beeef9e128 x15: 0000000000000000
[ 14.194616] x14: 0f4bc94cbbc50b90 x13: 0000000000000325 x12: 000000000f4bc94c
[ 14.195247] x11: ffffd9beeffffff8 x10: 0000000000000d30 x9 : ffffd9beee116028
[ 14.195877] x8 : ffff000007518d90 x7 : 0000000000000004 x6 : 0000000000000000
[ 14.196506] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000010
[ 14.197137] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007518000
[ 14.197767] Call trace:
[ 14.197986] alg_test+0x6ec/0x708 (P)
[ 14.198315] cryptomgr_test+0x2c/0x58
[ 14.198642] kthread+0x150/0x250
[ 14.198932] ret_from_fork+0x10/0x20
[ 14.199251] ---[ end trace 0000000000000000 ]---
[ 14.203118] alg: self-tests for sha256 using rk-sha256 failed (rc=-75)
[ 14.203122] ------------[ cut here ]------------
[ 14.204104] alg: self-tests for sha256 using rk-sha256 failed (rc=-75)
[ 14.204133] WARNING: CPU: 4 PID: 672 at crypto/testmgr.c:5807 alg_test+0x6ec/0x708
[ 14.205381] Modules linked in: snd_soc_simple_card_utils snd_soc_spdif_tx snd_soc_rockchip_i2s des_generic gpio_ir_recv snd_soc_core v4l2_h264 rockchip_rga videobuf2_dma_contig ecdh_generic videobuf2_dma_sg leds_gpio v4l2_mem2mem panfrost rfkill pwm_fan snd_compress dw_hdmi_i2s_audio pwrseq_core gpu_sched rk_crypto(+) snd_pcm_dmaengine videobuf2_memops drm_shmem_helper dw_hdmi_cec videobuf2_v4l2 crypto_engine libdes snd_pcm videodev snd_timer ofpart snd coresight_cpu_debug soundcore videobuf2_common spi_nor rockchip_saradc mc mtd industrialio_triggered_buffer coresight_etm4x rockchip_thermal kfifo_buf industrialio coresight cpufreq_dt evdev binfmt_misc pkcs8_key_parser efi_pstore configfs nfnetlink ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 realtek phy_rockchip_samsung_hdptx phy_rockchip_naneng_combphy panel_boe_th101mb31ig002_28a xhci_plat_hcd xhci_hcd rockchipdrm dw_hdmi_qp dw_hdmi dwc3 cec rc_core dw_mipi_dsi udc_core rk808_regulator dwmac_rk stmmac_platform ulpi analogix_dp stmmac fusb302 tcpm
[ 14.205591] drm_dp_aux_bus pcs_xpcs fan53555 typec drm_display_helper phylink mdio_devres drm_client_lib dwc3_of_simple pwm_regulator gpio_rockchip gpio_keys fixed phy_rockchip_pcie of_mdio ehci_platform sdhci_of_arasan ohci_platform drm_dma_helper fixed_phy phy_rockchip_inno_usb2 ohci_hcd sdhci_pltfm ehci_hcd fwnode_mdio dw_wdt drm_kms_helper phy_rockchip_emmc rockchip_dfi io_domain pwm_rockchip libphy phy_rockchip_typec sdhci nvmem_rockchip_efuse usbcore pl330 dw_mmc_rockchip drm spi_rockchip dw_mmc_pltfm mdio_bus cqhci dw_mmc usb_common i2c_rk3x
[ 14.217640] CPU: 4 UID: 0 PID: 672 Comm: cryptomgr_test Tainted: G W 6.16-rc1+unreleased-arm64-cknow #1 PREEMPTLAZY Debian 6.16~rc1-1~exp1
[ 14.218866] Tainted: [W]=WARN
[ 14.219130] Hardware name: Pine64 RockPro64 v2.1 (DT)
[ 14.219576] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 14.220188] pc : alg_test+0x6ec/0x708
[ 14.220521] lr : alg_test+0x6ec/0x708
[ 14.220847] sp : ffff800081e03d30
[ 14.221140] x29: ffff800081e03dd0 x28: 00000000000000bd x27: 00000000ffffffb5
[ 14.221771] x26: 00000000000000c1 x25: ffffd9bef0455000 x24: 0000000000000178
[ 14.222402] x23: 00000000ffffffff x22: ffff00000b49c880 x21: 000000000800018f
[ 14.223033] x20: ffff00000b49c800 x19: ffffd9beef0558b8 x18: 00000000fffffffe
[ 14.223663] x17: 7463657620747365 x16: ffffd9beee6829e8 x15: ffffd9bef03eb09f
[ 14.224294] x14: 0000000000000000 x13: ffffd9bef03eb0a3 x12: ffffd9bef0085e60
[ 14.224923] x11: ffffd9bef002deb8 x10: ffffd9bef0085eb8 x9 : ffffd9beee17c8cc
[ 14.225553] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : c0000000ffffefff
[ 14.226183] x5 : ffff0000f7766448 x4 : 0000000000000000 x3 : 0000000000000027
[ 14.226812] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00000751bb40
[ 14.227443] Call trace:
[ 14.227662] alg_test+0x6ec/0x708 (P)
[ 14.227991] cryptomgr_test+0x2c/0x58
[ 14.228319] kthread+0x150/0x250
[ 14.228611] ret_from_fork+0x10/0x20
[ 14.228929] ---[ end trace 0000000000000000 ]---
[ 14.231753] alg: self-tests for md5 using rk-md5 failed (rc=-75)
[ 14.231758] ------------[ cut here ]------------
[ 14.232696] alg: self-tests for md5 using rk-md5 failed (rc=-75)
[ 14.232742] WARNING: CPU: 4 PID: 674 at crypto/testmgr.c:5807 alg_test+0x6ec/0x708
[ 14.233943] Modules linked in: v4l2_vp9 snd_soc_audio_graph_card snd_soc_simple_card_utils snd_soc_spdif_tx snd_soc_rockchip_i2s des_generic gpio_ir_recv snd_soc_core v4l2_h264 rockchip_rga videobuf2_dma_contig ecdh_generic videobuf2_dma_sg leds_gpio v4l2_mem2mem panfrost rfkill pwm_fan snd_compress dw_hdmi_i2s_audio pwrseq_core gpu_sched rk_crypto(+) snd_pcm_dmaengine videobuf2_memops drm_shmem_helper dw_hdmi_cec videobuf2_v4l2 crypto_engine libdes snd_pcm videodev snd_timer ofpart snd coresight_cpu_debug soundcore videobuf2_common spi_nor rockchip_saradc mc mtd industrialio_triggered_buffer coresight_etm4x rockchip_thermal kfifo_buf industrialio coresight cpufreq_dt evdev binfmt_misc pkcs8_key_parser efi_pstore configfs nfnetlink ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 realtek phy_rockchip_samsung_hdptx phy_rockchip_naneng_combphy panel_boe_th101mb31ig002_28a xhci_plat_hcd xhci_hcd rockchipdrm dw_hdmi_qp dw_hdmi dwc3 cec rc_core dw_mipi_dsi udc_core rk808_regulator dwmac_rk stmmac_platform ulpi
[ 14.234122] analogix_dp stmmac fusb302 tcpm drm_dp_aux_bus pcs_xpcs fan53555 typec drm_display_helper phylink mdio_devres drm_client_lib dwc3_of_simple pwm_regulator gpio_rockchip gpio_keys fixed phy_rockchip_pcie of_mdio ehci_platform sdhci_of_arasan ohci_platform drm_dma_helper fixed_phy phy_rockchip_inno_usb2 ohci_hcd sdhci_pltfm ehci_hcd fwnode_mdio dw_wdt drm_kms_helper phy_rockchip_emmc rockchip_dfi io_domain pwm_rockchip libphy phy_rockchip_typec sdhci nvmem_rockchip_efuse usbcore pl330 dw_mmc_rockchip drm spi_rockchip dw_mmc_pltfm mdio_bus cqhci dw_mmc usb_common i2c_rk3x
[ 14.246439] CPU: 4 UID: 0 PID: 674 Comm: cryptomgr_test Tainted: G W 6.16-rc1+unreleased-arm64-cknow #1 PREEMPTLAZY Debian 6.16~rc1-1~exp1
[ 14.247667] Tainted: [W]=WARN
[ 14.247931] Hardware name: Pine64 RockPro64 v2.1 (DT)
[ 14.248377] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 14.248991] pc : alg_test+0x6ec/0x708
[ 14.249332] lr : alg_test+0x6ec/0x708
[ 14.249664] sp : ffff800081e0bd30
[ 14.249957] x29: ffff800081e0bdd0 x28: 00000000000000bd x27: 00000000ffffffb5
[ 14.250588] x26: 00000000000000a4 x25: ffffd9bef0455000 x24: 0000000000000178
[ 14.251220] x23: 00000000ffffffff x22: ffff00000b49c280 x21: 000000000800018f
[ 14.251852] x20: ffff00000b49c200 x19: ffffd9beef0558b8 x18: 0000000000000018
[ 14.252484] x17: 0000000000007050 x16: ffffd9beeef9e128 x15: 0000000000000000
[ 14.253114] x14: 0a8fc7a77222d736 x13: 00000000000003da x12: 000000000a8fc7a7
[ 14.253747] x11: ffffd9beeffffff8 x10: 0000000000000d30 x9 : ffffd9beee116028
[ 14.254377] x8 : ffff00000b6d3510 x7 : 0000000000000004 x6 : 0000000000000000
[ 14.255008] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000010
[ 14.255637] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00000b6d2780
[ 14.256268] Call trace:
[ 14.256498] alg_test+0x6ec/0x708 (P)
[ 14.256835] cryptomgr_test+0x2c/0x58
[ 14.257164] kthread+0x150/0x250
[ 14.257455] ret_from_fork+0x10/0x20
[ 14.257774] ---[ end trace 0000000000000000 ]---
[ 14.828425] alg: skcipher: skipping comparison tests for xctr-aes-ce because xctr(aes-generic) is unavailable
I'm assuming this is problematic and hopefully you can tell whether this
is on the crypto or Rockchip side as well. In case of the latter, if
you'd have pointers as to where the problem is/may be, that would be
appreciated.
[1] https://salsa.debian.org/diederik/linux/-/tree/cknow/general
[2] https://salsa.debian.org/kernel-team/linux/-/commit/6991dd77f350
6991dd77f350 ("crypto: Explicitly enable algorithm self-tests (Closes: #599441)")
[3] https://bugs.debian.org/599441
[4] https://paste.sr.ht/~diederik/c18ad65427080d4c48e8bd2ac27282682069aff1
[5] https://paste.sr.ht/~diederik/8fde0c2c1d005a15bb8a3b6d7ba8ae3298733250
[6] https://paste.sr.ht/~diederik/cdcb6c4522fa782f9a692b7ea0cf33c2301e2176
Cheers,
Diederik
On Wed, Jun 11, 2025 at 01:41:06PM +0200, Diederik de Haas wrote: > Hi Eric, > > On Mon May 5, 2025 at 10:33 PM CEST, Eric Biggers wrote: > > The negative-sense of CRYPTO_MANAGER_DISABLE_TESTS is a longstanding > > mistake that regularly causes confusion. Especially bad is that you can > > have CRYPTO=n && CRYPTO_MANAGER_DISABLE_TESTS=n, which is ambiguous. > > > > Replace CRYPTO_MANAGER_DISABLE_TESTS with CRYPTO_SELFTESTS which has the > > expected behavior. > > > > The tests continue to be disabled by default. > > --- > > <snip> > > diff --git a/crypto/Kconfig b/crypto/Kconfig > > index da352f1984ea..8f1353bbba18 100644 > > --- a/crypto/Kconfig > > +++ b/crypto/Kconfig > > <snip> > > @@ -171,20 +171,26 @@ config CRYPTO_USER > > select CRYPTO_MANAGER > > help > > Userspace configuration for cryptographic instantiations such as > > cbc(aes). > > > > -config CRYPTO_MANAGER_DISABLE_TESTS > > - bool "Disable run-time self tests" > > - default y > > +config CRYPTO_SELFTESTS > > + bool "Enable cryptographic self-tests" > > + depends on DEBUG_KERNEL > > help > > - Disable run-time self tests that normally take place at > > - algorithm registration. > > + Enable the cryptographic self-tests. > > + > > + The cryptographic self-tests run at boot time, or at algorithm > > + registration time if algorithms are dynamically loaded later. > > + > > + This is primarily intended for developer use. It should not be > > + enabled in production kernels, unless you are trying to use these > > + tests to fulfill a FIPS testing requirement. > > I built a 6.16-rc1 kernel [1] and its config is based upon Debian's and > that has enabled CRYPTO_SELFTESTS [2] (due to Debian bug 599441 [3]). > > I then installed it on 3 Rockchip based devices and booted into that. > 1. Radxa Rock 5B (rk3588) > 2. PINE64 Quartz64 Model B (rk3568) > 3. PINE64 RockPro64 (rk3399) > > The full dmesg output for level 0-4 can be found at [4], [5] and [6] > > The filtered dmesg output for Rock 5B: > ERROR: > [ 0.709822] basic hdkf test(hmac(sha256)): failed to allocate transform: -2 > WARNING: https://lore.kernel.org/r/20250610191600.54994-1-ebiggers@kernel.org/ fixed the HKDF failure. It was caused by a patch that changed initcall levels. > [ 8.877288] alg: skcipher: skipping comparison tests for xctr-aes-ce because xctr(aes-generic) is unavailable That's expected if you have CONFIG_CRYPTO_AES_ARM64_CE_BLK enabled but CONFIG_CRYPTO_XCTR disabled. Some tests are skipped in that case. > [ 14.172991] alg: ahash: rk-sha1 export() overran state buffer on test vector 0, cfg="import/export" > [ 14.202291] alg: ahash: rk-sha256 export() overran state buffer on test vector 0, cfg="import/export" > [ 14.230887] alg: ahash: rk-md5 export() overran state buffer on test vector 0, cfg="import/export" That means the Rockchip crypto driver is broken. It may have been broken for a long time. Hardly anyone ever tests the hardware crypto drivers, as they only work on very specific platforms and are often useless anyway. The software crypto is much better tested and often faster. I don't think broken drivers like these should even be in the kernel at all. For now, you should just disable CONFIG_CRYPTO_DEV_ROCKCHIP. Anyway, the more interesting part of your email is that you pointed out that Debian has the crypto self-tests enabled, precisely in order to automatically disable buggy drivers like these. And actually Fedora does this too. This seems kind of crazy. But unfortunately, the crypto/ philosophy seems to be to enable as many untested and buggy drivers as possible, then rely on them being (incompletely) self-tested in production. So, aparently this is a thing. But of course the distros won't want to enable the full set of tests, which would slow down boot times significantly, but rather only the "fast" ones (as they were doing before)... So I'll send a patch that adds back a kconfig knob to run the fast tests only, which I had removed in commit 698de822780f. - Eric
On Wed Jun 11, 2025 at 6:34 PM CEST, Eric Biggers wrote: > On Wed, Jun 11, 2025 at 01:41:06PM +0200, Diederik de Haas wrote: >> On Mon May 5, 2025 at 10:33 PM CEST, Eric Biggers wrote: >> > The negative-sense of CRYPTO_MANAGER_DISABLE_TESTS is a longstanding >> > mistake that regularly causes confusion. Especially bad is that you can >> > have CRYPTO=n && CRYPTO_MANAGER_DISABLE_TESTS=n, which is ambiguous. >> > >> > Replace CRYPTO_MANAGER_DISABLE_TESTS with CRYPTO_SELFTESTS which has the >> > expected behavior. >> > >> > The tests continue to be disabled by default. >> > --- >> > <snip> >> >> I built a 6.16-rc1 kernel [1] and its config is based upon Debian's and >> that has enabled CRYPTO_SELFTESTS [2] (due to Debian bug 599441 [3]). >> >> I then installed it on 3 Rockchip based devices and booted into that. >> 1. Radxa Rock 5B (rk3588) >> 2. PINE64 Quartz64 Model B (rk3568) >> 3. PINE64 RockPro64 (rk3399) >> >> The filtered dmesg output for Rock 5B: >> ERROR: >> [ 0.709822] basic hdkf test(hmac(sha256)): failed to allocate transform: -2 >> WARNING: > > https://lore.kernel.org/r/20250610191600.54994-1-ebiggers@kernel.org/ fixed the > HKDF failure. It was caused by a patch that changed initcall levels. > >> [ 8.877288] alg: skcipher: skipping comparison tests for xctr-aes-ce because xctr(aes-generic) is unavailable > > That's expected if you have CONFIG_CRYPTO_AES_ARM64_CE_BLK enabled but > CONFIG_CRYPTO_XCTR disabled. Some tests are skipped in that case. Happy to report that with that patch and that config option, the error and warning are now gone. Thanks :-) PULL request for the patch is already sent to Linus: https://lore.kernel.org/linux-crypto/aEupSzhTI4h8kz-5@gondor.apana.org.au/ >> [ 14.172991] alg: ahash: rk-sha1 export() overran state buffer on test vector 0, cfg="import/export" >> [ 14.202291] alg: ahash: rk-sha256 export() overran state buffer on test vector 0, cfg="import/export" >> [ 14.230887] alg: ahash: rk-md5 export() overran state buffer on test vector 0, cfg="import/export" > > That means the Rockchip crypto driver is broken. The crypto driver for rk3399 is still broken. > Anyway, the more interesting part of your email is that you pointed out that > Debian has the crypto self-tests enabled, precisely in order to automatically > disable buggy drivers like these. > > So I'll send a patch that adds back a kconfig knob to run the fast tests only, > which I had removed in commit 698de822780f. I responded about this to a new patch submission here: https://lore.kernel.org/linux-crypto/DAJXJHLY2ITB.3IBN23DX0RO4Z@cknow.org/ and v2 of that patch can be found here: https://lore.kernel.org/linux-crypto/20250612174709.26990-1-ebiggers@kernel.org/ Cheers, Diederik
© 2016 - 2025 Red Hat, Inc.