| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Jun 2022 15:16:18 +0200
From: Vladis Dronov <vdronov@...hat.com>
To: Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Vladis Dronov <vdronov@...hat.com>, Simo Sorce <simo@...hat.com>
Subject: [PATCH] crypto: fips - make proc files report fips module name and version
FIPS 140-3 introduced a requirement for the FIPS module to return
information about itself, specifically a name and a version. These
values must match the values reported on FIPS certificates.
This patch adds two files to read a name and a version from:
/proc/sys/crypto/fips_name
/proc/sys/crypto/fips_version
Signed-off-by: Simo Sorce <simo@...hat.com>
Signed-off-by: Vladis Dronov <vdronov@...hat.com>
---
crypto/Kconfig | 21 +++++++++++++++++++++
crypto/fips.c | 27 ++++++++++++++++++++++-----
include/linux/fips.h | 9 +++++++++
3 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 1d44893a997b..082ff03d9f6c 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -33,6 +33,27 @@ config CRYPTO_FIPS
certification. You should say no unless you know what
this is.
+config CRYPTO_FIPS_NAME
+ string "FIPS Module Name"
+ default "Linux Kernel Cryptographic API"
+ depends on (CRYPTO_FIPS)
+ help
+ This option sets the FIPS Module name reported by the Crypto API via
+ the /proc/sys/crypto/fips_name file.
+
+config CRYPTO_FIPS_CUSTOM_VERSION
+ bool "Use Custom FIPS Module Version"
+ depends on (CRYPTO_FIPS)
+ default n
+
+config CRYPTO_FIPS_VERSION
+ string "FIPS Module Version"
+ default "(none)"
+ depends on (CRYPTO_FIPS_CUSTOM_VERSION)
+ help
+ This option provides the ability to override the FIPS Module Version.
+ By default the KERNELRELEASE value is used.
+
config CRYPTO_ALGAPI
tristate
select CRYPTO_ALGAPI2
diff --git a/crypto/fips.c b/crypto/fips.c
index 7b1d8caee669..644895d23c9b 100644
--- a/crypto/fips.c
+++ b/crypto/fips.c
@@ -30,13 +30,30 @@ static int fips_enable(char *str)
__setup("fips=", fips_enable);
+static char fips_name[] = FIPS_MODULE_NAME;
+static char fips_version[] = FIPS_MODULE_VERSION;
+
static struct ctl_table crypto_sysctl_table[] = {
{
- .procname = "fips_enabled",
- .data = &fips_enabled,
- .maxlen = sizeof(int),
- .mode = 0444,
- .proc_handler = proc_dointvec
+ .procname = "fips_enabled",
+ .data = &fips_enabled,
+ .maxlen = sizeof(int),
+ .mode = 0444,
+ .proc_handler = proc_dointvec
+ },
+ {
+ .procname = "fips_name",
+ .data = &fips_name,
+ .maxlen = 64,
+ .mode = 0444,
+ .proc_handler = proc_dostring
+ },
+ {
+ .procname = "fips_version",
+ .data = &fips_version,
+ .maxlen = 64,
+ .mode = 0444,
+ .proc_handler = proc_dostring
},
{}
};
diff --git a/include/linux/fips.h b/include/linux/fips.h
index c6961e932fef..72d2e0e1d3ac 100644
--- a/include/linux/fips.h
+++ b/include/linux/fips.h
@@ -2,10 +2,19 @@
#ifndef _FIPS_H
#define _FIPS_H
+#include <generated/utsrelease.h>
+
#ifdef CONFIG_CRYPTO_FIPS
extern int fips_enabled;
extern struct atomic_notifier_head fips_fail_notif_chain;
+#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME
+#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION
+#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION
+#else
+#define FIPS_MODULE_VERSION UTS_RELEASE
+#endif
+
void fips_fail_notify(void);
#else
--
2.36.1
Powered by blists - more mailing lists