Message-ID: <20250630180312.24627-1-wanjay@amazon.com>
Date: Mon, 30 Jun 2025 18:03:10 +0000
From: Jay Wang <wanjay@...zon.com>
To: <herbert@...dor.apana.org.au>, <davem@...emloft.net>
CC: <linux-crypto@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<wanjay@...zon.com>
Subject: [PATCH v6.12 0/2] crypto: rng - FIPS 140-3 compliance for random number generation

This patch series implements FIPS 140-3 compliance requirements for random
number generation in the Linux kernel 6.12 stable. The changes ensure that
when the kernel is operating in FIPS mode, FIPS-compliant random number
generators from the Crypto API are used to override the default
/dev/random implementation.

The series consists of two patches:

1. "random: Add hook to override device reads and getrandom(2)" - This patch
   introduces the infrastructure to allow external RNGs to override the
   default random number generation. Originally authored by Herbert Xu, this has
   been adapted for kernel 6.12.

2. "crypto: rng - Override drivers/char/random only after FIPS RNGs available" -
   This patch implements the actual FIPS mode override using a workqueue-based
   approach to ensure proper initialization timing. It addresses timing issues
   in a previous commit "crypto: rng - Override drivers/char/random only after
   FIPS RNGs available" where the crypto RNG would attempt to override before
   dependencies were ready, preventing potential boot failures.

These patches are required for FIPS 140-3 certification and compliance in
government and enterprise environments where cryptographic standards must
be strictly enforced.

Herbert Xu (1):
  random: Add hook to override device reads and getrandom(2)

Jay Wang (1):
  crypto: rng - Override drivers/char/random only after FIPS RNGs
    available

 crypto/rng.c           |  92 +++++++++++++++++++++++++++++++++
 drivers/char/random.c  | 114 +++++++++++++++++++++++++++++++++++++++++
 include/linux/random.h |   7 +++
 3 files changed, 213 insertions(+)

--
2.47.1

