lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 29 Mar 2021 22:29:30 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     Randy Dunlap <rdunlap@...radead.org>
Cc:     linux-kernel@...r.kernel.org, Dexuan Cui <decui@...rosoft.com>,
        linux-crypto@...r.kernel.org,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org
Subject: Re: [PATCH v2] Documentation: crypto: add info about "fips=" boot
 option

On Mon, Mar 29, 2021 at 10:06:51PM -0700, Randy Dunlap wrote:
> Having just seen a report of using "fips=1" on the kernel command line,
> I could not find it documented anywhere, so add some help for it.
> 
> Signed-off-by: Randy Dunlap <rdunlap@...radead.org>
> Cc: Dexuan Cui <decui@...rosoft.com>
> Cc: linux-crypto@...r.kernel.org
> Cc: Eric Biggers <ebiggers@...nel.org>
> Cc: Herbert Xu <herbert@...dor.apana.org.au>
> Cc: "David S. Miller" <davem@...emloft.net>
> Cc: Jonathan Corbet <corbet@....net>
> Cc: linux-doc@...r.kernel.org
> ---
> Updates/corrections welcome.
> 
> v2: drop comment that "fips_enabled can cause some tests to be skipped".
> 
>  Documentation/admin-guide/kernel-parameters.txt |   14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> --- linux-next-20210329.orig/Documentation/admin-guide/kernel-parameters.txt
> +++ linux-next-20210329/Documentation/admin-guide/kernel-parameters.txt
> @@ -1370,6 +1370,20 @@
>  			See Documentation/admin-guide/sysctl/net.rst for
>  			fb_tunnels_only_for_init_ns
>  
> +	fips=		Format: { 0 | 1}
> +			Use to disable (0) or enable (1) FIPS mode.
> +			If enabled, any process that is waiting on the
> +			'fips_fail_notif_chain' will be notified of fips
> +			failures.
> +			This setting can also be modified via sysctl at
> +			/proc/sysctl/crypto/fips_enabled, i.e.,
> +			crypto.fips_enabled.
> +			If fips_enabled = 1 and a test fails, it will cause a
> +			kernel panic.
> +			If fips_enabled = 1, RSA test requires a key size of
> +			2K or larger.
> +			It can also effect which ECC curve is used.

This doesn't really explain why anyone would want to give this option.
What high-level thing is this option meant to be accomplishing?
That's what the documentation should explain.

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ