[SRU][J][PATCH v2 0/3] Fix failing net selftests

Stefan Bader stefan.bader at canonical.com
Thu Aug 24 09:07:27 UTC 2023 

On 23.08.23 22:20, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019868
> BugLink: https://bugs.launchpad.net/bugs/2019880
> 
> [Impact]
> Due to the introduction of net tests that rely on cryptographic
> functions to work, some test cases from net/tls and net/vrf-xfrm-tests
> that use non-compliant FIPS algorithms fail when fips=1.
> 
> [Fix]
> To fix these failures in FIPS mode, we can, on a case-by-case basis,
>    1) skip the tests that require non-compliant FIPS algorithms or
>    2) change the algorithms to FIPS-compliant ones.
> For net/tls, we skip the test variants that use the ChaCha20-Poly1305
> algorithm.
> For net/net:vrf-xfrm-tests, we can simply replace the algorithms that
> are not FIPS-compliant with compliant ones.
> 
> [Test Plan]
> With a fips kernel installed, pass fips=1 as a kernel parameter, run the
> net/tls and net/vrf-xfrm-tests tests with these patches applied, and
> check that they are all passing.
> 
> [Where problems could occur]
> Regression risk is very low and would hardly affect any user, since the
> changes only touch the selftests.
> 
> [Other Info]
> I'm sending this to be applied on the generic kernel, as Jammy FIPS
> derivative kernels will easily inherit these changes.

I do not feel quite happy there. The first patch, sure no problem. That 
might even allow tweaking things we know are failing in general.
For patch #2: has that ever been run on a non-fips kernel? What happens 
if the file in the new constructor does not exist? Which would be any 
non-fips kernel, right?
With patch #3, that would change the algorithms used for any kernel. 
Apart from the worry that this might cause problems on some hw you do 
not see with fips, this makes results at least not comparable across series.

Also having two bug reports mingled in one submission is at least a 
source of confusion (or likely missed in some process).

So I don't want to refuse straight away but there is a bad feeling about 
this in all kernels...

-Stefan

> 
> Changes in v2:
> - Target generic kernel.
> - fcnal-test.sh: dropped as it will be picked from upstream stable.
> - tls.c: skip tests right at setup if in FIPS mode, this requires commit
>    372b304c ("selftests/harness: allow tests to be skipped during setup").
> 
> Magali Lemes (3):
>    selftests/harness: allow tests to be skipped during setup
>    selftests: net: tls: check if FIPS mode is enabled
>    selftests: net: vrf-xfrm-tests: change authentication and encryption
>      algos
> 
>   tools/testing/selftests/kselftest_harness.h   |  6 ++--
>   tools/testing/selftests/net/tls.c             | 21 ++++++++++++
>   tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++----------
>   3 files changed, 40 insertions(+), 19 deletions(-)
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230824/ca83b2a4/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230824/ca83b2a4/attachment-0001.sig>

More information about the kernel-team mailing list