ACK: [SRU][J][PATCH v2 0/3] Fix failing net selftests

Roxana Nicolescu roxana.nicolescu at canonical.com
Fri Aug 25 06:36:13 UTC 2023 

On 23/08/2023 22:20, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019868
> BugLink: https://bugs.launchpad.net/bugs/2019880
>
> [Impact]
> Due to the introduction of net tests that rely on cryptographic
> functions to work, some test cases from net/tls and net/vrf-xfrm-tests
> that use non-compliant FIPS algorithms fail when fips=1.
>
> [Fix]
> To fix these failures in FIPS mode, we can, on a case-by-case basis,
>    1) skip the tests that require non-compliant FIPS algorithms or
>    2) change the algorithms to FIPS-compliant ones.
> For net/tls, we skip the test variants that use the ChaCha20-Poly1305
> algorithm.
> For net/net:vrf-xfrm-tests, we can simply replace the algorithms that
> are not FIPS-compliant with compliant ones.
>
> [Test Plan]
> With a fips kernel installed, pass fips=1 as a kernel parameter, run the
> net/tls and net/vrf-xfrm-tests tests with these patches applied, and
> check that they are all passing.
>
> [Where problems could occur]
> Regression risk is very low and would hardly affect any user, since the
> changes only touch the selftests.
>
> [Other Info]
> I'm sending this to be applied on the generic kernel, as Jammy FIPS
> derivative kernels will easily inherit these changes.
>
> Changes in v2:
> - Target generic kernel.
> - fcnal-test.sh: dropped as it will be picked from upstream stable.
> - tls.c: skip tests right at setup if in FIPS mode, this requires commit
>    372b304c ("selftests/harness: allow tests to be skipped during setup").
>
> Magali Lemes (3):
>    selftests/harness: allow tests to be skipped during setup
>    selftests: net: tls: check if FIPS mode is enabled
>    selftests: net: vrf-xfrm-tests: change authentication and encryption
>      algos
>
>   tools/testing/selftests/kselftest_harness.h   |  6 ++--
>   tools/testing/selftests/net/tls.c             | 21 ++++++++++++
>   tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++----------
>   3 files changed, 40 insertions(+), 19 deletions(-)
>

Let's keep an eye on net:vrf-xfrm-tests.sh results next cycle since the 
algorithm has changed in the last patch.
I personally find it strange to link 2 buglinks in the cover letter, but 
I also understand why these were submitted together.
Maybe a "parent" bug would make sense in this case.

Acked-by: Roxana Nicolescu <roxana.nicolescu at canonical.com>

More information about the kernel-team mailing list