Hi,
albeit it makes most sense to have asym self tests in the test manager as we
do right now, may I suggest some changes to it as follows. The issue I see is
that asym operations are very expensive.
As we currently have RSA only, I can only refer to its implementation. But in
general, all new-and-coming asym self tests should be assessed accordingly.
May I suggest to do the following:
- remove all self tests except the 2k tests. As the math works independent of
the key size, testing one key size is sufficient to demonstrate that the math
still works.
- If we booted in FIPS mode, and we have PKCS#1 compiled, then:
* do not execute the raw RSA self test mentioned above
* perform an enc/dec test using the kernel crypto API with a 2k key
* if the asym key API is compiled, add a self test for siggen/ver
With this approach, I would see that we limit the impact of the self test to
"normal" users as well as FIPS related use cases.
If agreed, I could offer to implement the changes.
Note, currently the self tests for RSA is not appropriate to allow the cipher
in FIPS mode (i.e. the fips_allowed=1 flag is actually not correct in the
current implementation).
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
