[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250630180312.24627-1-wanjay@amazon.com>
Date: Mon, 30 Jun 2025 18:03:10 +0000
From: Jay Wang <wanjay@...zon.com>
To: <herbert@...dor.apana.org.au>, <davem@...emloft.net>
CC: <linux-crypto@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<wanjay@...zon.com>
Subject: [PATCH v6.12 0/2] crypto: rng - FIPS 140-3 compliance for random number generation
This patch series implements FIPS 140-3 compliance requirements for random
number generation in the Linux kernel 6.12 stable. The changes ensure that
when the kernel is operating in FIPS mode, FIPS-compliant random number
generators from the Crypto API are used to override the default
/dev/random implementation.
The series consists of two patches:
1. "random: Add hook to override device reads and getrandom(2)" - This patch
introduces the infrastructure to allow external RNGs to override the
default random number generation. Originally authored by Herbert Xu, this has
been adapted for kernel 6.12.
2. "crypto: rng - Override drivers/char/random only after FIPS RNGs available" -
This patch implements the actual FIPS mode override using a workqueue-based
approach to ensure proper initialization timing. It addresses timing issues
in a previous commit "crypto: rng - Override drivers/char/random only after
FIPS RNGs available" where the crypto RNG would attempt to override before
dependencies were ready, preventing potential boot failures.
These patches are required for FIPS 140-3 certification and compliance in
government and enterprise environments where cryptographic standards must
be strictly enforced.
Herbert Xu (1):
random: Add hook to override device reads and getrandom(2)
Jay Wang (1):
crypto: rng - Override drivers/char/random only after FIPS RNGs
available
crypto/rng.c | 92 +++++++++++++++++++++++++++++++++
drivers/char/random.c | 114 +++++++++++++++++++++++++++++++++++++++++
include/linux/random.h | 7 +++
3 files changed, 213 insertions(+)
--
2.47.1
Powered by blists - more mailing lists