From nobody Sun Dec  7 16:04:03 2025
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4D01323F42D;
	Mon,  6 Oct 2025 17:28:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1759771714; cv=none;
 b=APDqGNzkTI0FLMD0HiHxH+jAWf7TGRh4+AMyHc3M+3BvywoDr5+pKBolc7rNLydvvZICTnUA/eBZvHL7PGoyvqX9aVvxemXjG5eokO8flZy0bIhtpiGwuO+DamSNybraWcC5InLCpKnH2QLY3etgafkgkrz45s4LOKShyU9eYI4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1759771714; c=relaxed/simple;
	bh=KB/lwlRx83OoSAfOSb1yEtbijWQHkZuthuV9r/J09w8=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=Dr5IwuWNKgq/MJ4bn+2Qk8VwpdbEBQwC1gsIZN1losdL9CWqY3qT/3g/aOR/ExS+Ghhq9DZSRjRaqJhBmYaVcXeujwlBV4mm0kFiuelyzUn8twRmfct0X8oHihyWYSOtkXi/T4B5PS3CdyNfLiMg9aOMTmKcOtul2kX1qasciB0=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=PiWkv+HH; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="PiWkv+HH"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 879DEC4CEF5;
	Mon,  6 Oct 2025 17:28:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1759771713;
	bh=KB/lwlRx83OoSAfOSb1yEtbijWQHkZuthuV9r/J09w8=;
	h=From:To:Cc:Subject:Date:From;
	b=PiWkv+HHxSV3/ip+v3eFaX8RYKNvo7t+NTYSTBnxHDFF++GmlVZyd5tyd2jK1WaSA
	 CJ6IYPQgSEbtVOjelVkIQRp05ZR68+u0uT/13ZFOcGePSfBhwvVplYDooaMUQM/334
	 9w2L8T74uWY3iMeomE5cHclFm4PdTuW8SAypP2OE3P/euGTzBFGi1qyJkubxrKPZ4p
	 lh+N6kLOQEivLdaq+Hk7sp3BxGZndik5j2ltFlDx/obMlDIwTP1KBzrQNvqd9JWSxU
	 y1bi8vdh09q2d/x11WCpVI50MNf6dvF48N6hrer62ZLv51c8nBtbSz2xmoD8E+2rfZ
	 Wm3gNVKhExr4A==
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Ard Biesheuvel <ardb@kernel.org>,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Vegard Nossum <vegard.nossum@oracle.com>,
	Joachim Vandersmissen <git@jvdsn.com>,
	David Howells <dhowells@redhat.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH] lib/crypto: Add FIPS pre-operational self-test for SHA
 algorithms
Date: Mon,  6 Oct 2025 10:26:12 -0700
Message-ID: <20251006172612.75240-1-ebiggers@kernel.org>
X-Mailer: git-send-email 2.51.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add FIPS pre-operational self-tests for all SHA-1 and SHA-2 algorithms.
Following the "Implementation Guidance for FIPS 140-3" document, to
achieve this it's sufficient to just test a single test vector for each
of HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512.

Link: https://lore.kernel.org/linux-crypto/20250917184856.GA2560@quark/
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---

Since there seemed to be more interest in complaining that these are
missing than actually writing a patch, I decided to just do it.

 lib/crypto/fips.h                   | 38 +++++++++++++++++++++++++++++
 lib/crypto/sha1.c                   | 19 ++++++++++++++-
 lib/crypto/sha256.c                 | 19 ++++++++++++++-
 lib/crypto/sha512.c                 | 19 ++++++++++++++-
 scripts/crypto/gen-fips-testvecs.py | 33 +++++++++++++++++++++++++
 5 files changed, 125 insertions(+), 3 deletions(-)
 create mode 100644 lib/crypto/fips.h
 create mode 100755 scripts/crypto/gen-fips-testvecs.py

diff --git a/lib/crypto/fips.h b/lib/crypto/fips.h
new file mode 100644
index 0000000000000..78a1bdd33a151
--- /dev/null
+++ b/lib/crypto/fips.h
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/* This file was generated by: gen-fips-testvecs.py */
+
+#include <linux/fips.h>
+
+static const u8 fips_test_data[] __initconst __maybe_unused =3D {
+	0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
+	0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
+};
+
+static const u8 fips_test_key[] __initconst __maybe_unused =3D {
+	0x66, 0x69, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73,
+	0x74, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00,
+};
+
+static const u8 fips_test_hmac_sha1_value[] __initconst __maybe_unused =3D=
 {
+	0x29, 0xa9, 0x88, 0xb8, 0x5c, 0xb4, 0xaf, 0x4b,
+	0x97, 0x2a, 0xee, 0x87, 0x5b, 0x0a, 0x02, 0x55,
+	0x99, 0xbf, 0x86, 0x78,
+};
+
+static const u8 fips_test_hmac_sha256_value[] __initconst __maybe_unused =
=3D {
+	0x59, 0x25, 0x85, 0xcc, 0x40, 0xe9, 0x64, 0x2f,
+	0xe9, 0xbf, 0x82, 0xb7, 0xd3, 0x15, 0x3d, 0x43,
+	0x22, 0x0b, 0x4c, 0x00, 0x90, 0x14, 0x25, 0xcf,
+	0x9e, 0x13, 0x2b, 0xc2, 0x30, 0xe6, 0xe8, 0x93,
+};
+
+static const u8 fips_test_hmac_sha512_value[] __initconst __maybe_unused =
=3D {
+	0x6b, 0xea, 0x5d, 0x27, 0x49, 0x5b, 0x3f, 0xea,
+	0xde, 0x2d, 0xfa, 0x32, 0x75, 0xdb, 0x77, 0xc8,
+	0x26, 0xe9, 0x4e, 0x95, 0x4d, 0xad, 0x88, 0x02,
+	0x87, 0xf9, 0x52, 0x0a, 0xd1, 0x92, 0x80, 0x1d,
+	0x92, 0x7e, 0x3c, 0xbd, 0xb1, 0x3c, 0x49, 0x98,
+	0x44, 0x9c, 0x8f, 0xee, 0x3f, 0x02, 0x71, 0x51,
+	0x57, 0x0b, 0x15, 0x38, 0x95, 0xd8, 0xa3, 0x81,
+	0xba, 0xb3, 0x15, 0x37, 0x5c, 0x6d, 0x57, 0x2b,
+};
diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c
index 5904e4ae85d24..001059cb0fce4 100644
--- a/lib/crypto/sha1.c
+++ b/lib/crypto/sha1.c
@@ -10,10 +10,11 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/string.h>
 #include <linux/unaligned.h>
 #include <linux/wordpart.h>
+#include "fips.h"
=20
 static const struct sha1_block_state sha1_iv =3D {
 	.h =3D { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
 };
=20
@@ -328,14 +329,30 @@ void hmac_sha1_usingrawkey(const u8 *raw_key, size_t =
raw_key_len,
 	hmac_sha1_update(&ctx, data, data_len);
 	hmac_sha1_final(&ctx, out);
 }
 EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
=20
-#ifdef sha1_mod_init_arch
+#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
 static int __init sha1_mod_init(void)
 {
+#ifdef sha1_mod_init_arch
 	sha1_mod_init_arch();
+#endif
+	if (fips_enabled) {
+		/*
+		 * FIPS pre-operational self-test.  As per the FIPS
+		 * Implementation Guidance, testing HMAC-SHA1 satisfies the test
+		 * requirement for SHA-1 too.
+		 */
+		u8 mac[SHA1_DIGEST_SIZE];
+
+		hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
+				      fips_test_data, sizeof(fips_test_data),
+				      mac);
+		if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) !=3D 0)
+			panic("sha1: FIPS pre-operational self-test failed\n");
+	}
 	return 0;
 }
 subsys_initcall(sha1_mod_init);
=20
 static void __exit sha1_mod_exit(void)
diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
index 8fa15165d23e8..6b3cf105147ff 100644
--- a/lib/crypto/sha256.c
+++ b/lib/crypto/sha256.c
@@ -15,10 +15,11 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/string.h>
 #include <linux/unaligned.h>
 #include <linux/wordpart.h>
+#include "fips.h"
=20
 static const struct sha256_block_state sha224_iv =3D {
 	.h =3D {
 		SHA224_H0, SHA224_H1, SHA224_H2, SHA224_H3,
 		SHA224_H4, SHA224_H5, SHA224_H6, SHA224_H7,
@@ -416,14 +417,30 @@ void hmac_sha256_usingrawkey(const u8 *raw_key, size_=
t raw_key_len,
 	hmac_sha256_final(&ctx, out);
 }
 EXPORT_SYMBOL_GPL(hmac_sha256_usingrawkey);
 #endif /* !__DISABLE_EXPORTS */
=20
-#ifdef sha256_mod_init_arch
+#if defined(sha256_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
 static int __init sha256_mod_init(void)
 {
+#ifdef sha256_mod_init_arch
 	sha256_mod_init_arch();
+#endif
+	if (fips_enabled) {
+		/*
+		 * FIPS pre-operational self-test.  As per the FIPS
+		 * Implementation Guidance, testing HMAC-SHA256 satisfies the
+		 * test requirement for SHA-224, SHA-256, and HMAC-SHA224 too.
+		 */
+		u8 mac[SHA256_DIGEST_SIZE];
+
+		hmac_sha256_usingrawkey(fips_test_key, sizeof(fips_test_key),
+					fips_test_data, sizeof(fips_test_data),
+					mac);
+		if (memcmp(fips_test_hmac_sha256_value, mac, sizeof(mac)) !=3D 0)
+			panic("sha256: FIPS pre-operational self-test failed\n");
+	}
 	return 0;
 }
 subsys_initcall(sha256_mod_init);
=20
 static void __exit sha256_mod_exit(void)
diff --git a/lib/crypto/sha512.c b/lib/crypto/sha512.c
index d8062188be98a..65447083c0456 100644
--- a/lib/crypto/sha512.c
+++ b/lib/crypto/sha512.c
@@ -15,10 +15,11 @@
 #include <linux/module.h>
 #include <linux/overflow.h>
 #include <linux/string.h>
 #include <linux/unaligned.h>
 #include <linux/wordpart.h>
+#include "fips.h"
=20
 static const struct sha512_block_state sha384_iv =3D {
 	.h =3D {
 		SHA384_H0, SHA384_H1, SHA384_H2, SHA384_H3,
 		SHA384_H4, SHA384_H5, SHA384_H6, SHA384_H7,
@@ -403,14 +404,30 @@ void hmac_sha512_usingrawkey(const u8 *raw_key, size_=
t raw_key_len,
 	hmac_sha512_update(&ctx, data, data_len);
 	hmac_sha512_final(&ctx, out);
 }
 EXPORT_SYMBOL_GPL(hmac_sha512_usingrawkey);
=20
-#ifdef sha512_mod_init_arch
+#if defined(sha512_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
 static int __init sha512_mod_init(void)
 {
+#ifdef sha512_mod_init_arch
 	sha512_mod_init_arch();
+#endif
+	if (fips_enabled) {
+		/*
+		 * FIPS pre-operational self-test.  As per the FIPS
+		 * Implementation Guidance, testing HMAC-SHA512 satisfies the
+		 * test requirement for SHA-384, SHA-512, and HMAC-SHA384 too.
+		 */
+		u8 mac[SHA512_DIGEST_SIZE];
+
+		hmac_sha512_usingrawkey(fips_test_key, sizeof(fips_test_key),
+					fips_test_data, sizeof(fips_test_data),
+					mac);
+		if (memcmp(fips_test_hmac_sha512_value, mac, sizeof(mac)) !=3D 0)
+			panic("sha512: FIPS pre-operational self-test failed\n");
+	}
 	return 0;
 }
 subsys_initcall(sha512_mod_init);
=20
 static void __exit sha512_mod_exit(void)
diff --git a/scripts/crypto/gen-fips-testvecs.py b/scripts/crypto/gen-fips-=
testvecs.py
new file mode 100755
index 0000000000000..26e12397bceb2
--- /dev/null
+++ b/scripts/crypto/gen-fips-testvecs.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Script that generates lib/crypto/fips.h
+#
+# Copyright 2025 Google LLC
+
+import hmac
+
+fips_test_data =3D b"fips test data\0\0"
+fips_test_key =3D b"fips test key\0\0\0"
+
+def print_static_u8_array_definition(name, value):
+    print('')
+    print(f'static const u8 {name}[] __initconst __maybe_unused =3D {{')
+    for i in range(0, len(value), 8):
+        line =3D '\t' + ''.join(f'0x{b:02x}, ' for b in value[i:i+8])
+        print(f'{line.rstrip()}')
+    print('};')
+
+print('/* SPDX-License-Identifier: GPL-2.0-or-later */')
+print(f'/* This file was generated by: gen-fips-testvecs.py */')
+print()
+print('#include <linux/fips.h>')
+
+print_static_u8_array_definition("fips_test_data", fips_test_data)
+print_static_u8_array_definition("fips_test_key", fips_test_key)
+
+for alg in 'sha1', 'sha256', 'sha512':
+    ctx =3D hmac.new(fips_test_key, digestmod=3Dalg)
+    ctx.update(fips_test_data)
+    print_static_u8_array_definition(f'fips_test_hmac_{alg}_value', ctx.di=
gest())
+

base-commit: e5f0a698b34ed76002dc5cff3804a61c80233a7a
--=20
2.51.0