public inbox for linux-crypto@vger.kernel.org
* [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels
@ 2026-03-26  0:14 Eric Biggers
  2026-03-26  0:14 ` [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes() Eric Biggers
                   ` (10 more replies)
  0 siblings, 11 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:14 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Most kernels have CRYPTO_FIPS=n but still include crypto/drbg.c and
everything it depends on, including crypto/jitterentropy.c.

This dependency bloat happens because some kernel code gets random bytes
from "stdrng" in the crypto_rng API instead of from get_random_bytes().
(This is apparently done for FIPS certification reasons.)  Then, that
pulls crypto/drbg.c to provide a "stdrng" implementation.

This series fixes the dependency bloat by making "stdrng" be used only
in FIPS mode, and get_random_bytes_wait() be used otherwise.

This series is targeting cryptodev/master.

Eric Biggers (11):
  crypto: rng - Add crypto_stdrng_get_bytes()
  crypto: dh - Use crypto_stdrng_get_bytes()
  crypto: ecc - Use crypto_stdrng_get_bytes()
  crypto: geniv - Use crypto_stdrng_get_bytes()
  crypto: hisilicon/hpre - Use crypto_stdrng_get_bytes()
  crypto: intel/keembay-ocs-ecc - Use crypto_stdrng_get_bytes()
  net: tipc: Use crypto_stdrng_get_bytes()
  crypto: rng - Unexport "default RNG" symbols
  crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in
    non-FIPS mode
  crypto: fips - Depend on CRYPTO_DRBG=y
  crypto: rng - Don't pull in DRBG when CRYPTO_FIPS=n

 crypto/Kconfig                                |  9 +------
 crypto/dh.c                                   |  8 +-----
 crypto/ecc.c                                  | 11 +++-----
 crypto/geniv.c                                |  8 +-----
 crypto/rng.c                                  | 23 ++++++++++++-----
 drivers/crypto/hisilicon/hpre/hpre_crypto.c   | 12 ++-------
 .../crypto/intel/keembay/keembay-ocs-ecc.c    | 17 +++----------
 include/crypto/rng.h                          | 25 ++++++++++++++++---
 net/tipc/crypto.c                             | 13 ++--------
 9 files changed, 53 insertions(+), 73 deletions(-)


base-commit: f9bbd547cfb98b1c5e535aab9b0671a2ff22453a
-- 
2.53.0



* [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes()
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
@ 2026-03-26  0:14 ` Eric Biggers
  2026-03-26  1:38   ` Jason A. Donenfeld
  2026-03-26  0:14 ` [PATCH 02/11] crypto: dh - Use crypto_stdrng_get_bytes() Eric Biggers
                   ` (9 subsequent siblings)
  10 siblings, 1 reply; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:14 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

All callers of crypto_get_default_rng() use the following sequence:

    crypto_get_default_rng()
    crypto_rng_get_bytes(crypto_default_rng, ...)
    crypto_put_default_rng()

While it may have been intended that callers amortize the cost of
getting and putting the "default RNG" (i.e. "stdrng") over multiple
calls, in practice that optimization is never used.  The callers just
want a function that gets random bytes from the "stdrng".

Therefore, add such a function: crypto_stdrng_get_bytes().

Importantly, this decouples the callers from the crypto_rng API.  That
allows a later commit to make this function simply call
get_random_bytes_wait() unless the kernel is in "FIPS mode".

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/rng.c         | 14 ++++++++++++++
 include/crypto/rng.h | 13 +++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/crypto/rng.c b/crypto/rng.c
index c6165c8eb387..53a268ad5104 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -143,10 +143,24 @@ void crypto_put_default_rng(void)
 	crypto_default_rng_refcnt--;
 	mutex_unlock(&crypto_default_rng_lock);
 }
 EXPORT_SYMBOL_GPL(crypto_put_default_rng);
 
+int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+{
+	int err;
+
+	err = crypto_get_default_rng();
+	if (err)
+		return err;
+
+	err = crypto_rng_get_bytes(crypto_default_rng, buf, len);
+	crypto_put_default_rng();
+	return err;
+}
+EXPORT_SYMBOL_GPL(crypto_stdrng_get_bytes);
+
 #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE)
 int crypto_del_default_rng(void)
 {
 	int err = -EBUSY;
 
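Review bot: crypto_stdrng_get_bytes() takes crypto_default_rng_lock and, on first use, allocates and seeds the "stdrng" transform, so it must not be called from atomic context, yet nothing in the body enforces that. Add a `might_sleep();` at the top (the kernel-doc in rng.h already says "Context: May sleep") so a caller on the wrong path gets a splat rather than a latent sleeping-while-atomic bug. The `void *buf` parameter is silently converted to the `u8 *` that crypto_rng_get_bytes() takes, which is fine in C and is what lets the later patches drop the `(u8 *)` casts.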
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index d451b54b322a..db6c3962a7df 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -60,10 +60,23 @@ struct crypto_rng {
 extern struct crypto_rng *crypto_default_rng;
 
 int crypto_get_default_rng(void);
 void crypto_put_default_rng(void);
 
+/**
+ * crypto_stdrng_get_bytes() - get cryptographically secure random bytes
+ * @buf: output buffer holding the random numbers
+ * @len: length of the output buffer
+ *
+ * This function fills the caller-allocated buffer with random numbers using the
+ * highest-priority "stdrng" algorithm in the crypto_rng subsystem.
+ *
+ * Context: May sleep
+ * Return: 0 function was successful; < 0 if an error occurred
+ */
+int crypto_stdrng_get_bytes(void *buf, unsigned int len);
+
 /**
  * DOC: Random number generator API
  *
  * The random number generator API is used with the ciphers of type
  * CRYPTO_ALG_TYPE_RNG (listed as type "rng" in /proc/crypto)
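Review bot: the kernel-doc needs two fixes. "Return: 0 function was successful" is missing "if the", and the description should say when this helper is appropriate at all: its only advantage over get_random_bytes_wait() is routing through the "stdrng" transform for FIPS purposes, so a sentence such as "Most callers should use get_random_bytes_wait() instead; use this only where the FIPS-mode DRBG is required" would keep it from becoming the default choice for new code. It should also state that @buf contents are undefined on error, since every caller keys off the return value.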
-- 
2.53.0



* [PATCH 02/11] crypto: dh - Use crypto_stdrng_get_bytes()
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
  2026-03-26  0:14 ` [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes() Eric Biggers
@ 2026-03-26  0:14 ` Eric Biggers
  2026-03-26  0:14 ` [PATCH 03/11] crypto: ecc " Eric Biggers
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:14 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Replace the sequence of crypto_get_default_rng(),
crypto_rng_get_bytes(), and crypto_put_default_rng() with the equivalent
helper function crypto_stdrng_get_bytes().

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/dh.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/crypto/dh.c b/crypto/dh.c
index 8250eeeebd0f..7ad4768716c8 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -386,17 +386,11 @@ static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime *safe_prime,
 
 	/*
 	 * 5.6.1.1.3, step 3 (and implicitly step 4): obtain N + 64
 	 * random bits and interpret them as a big endian integer.
 	 */
-	err = -EFAULT;
-	if (crypto_get_default_rng())
-		goto out_err;
-
-	err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)key,
-				   oversampling_size);
-	crypto_put_default_rng();
+	err = crypto_stdrng_get_bytes(key, oversampling_size);
 	if (err)
 		goto out_err;
 
 	/*
 	 * 5.6.1.1.3, step 5 is implicit: 2^N < q and thus,
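Review bot: the returned error code changes in this hunk and the commit message does not mention it: the removed `err = -EFAULT;` mapped any crypto_get_default_rng() failure to -EFAULT, whereas crypto_stdrng_get_bytes() propagates the real cause (for example -ENOENT when no "stdrng" implementation is registered, or -ENOMEM). That is the better behaviour, since -EFAULT suggests a bad user pointer, but it is visible to whoever calls the DH keygen path, so say so in the commit message rather than describing the replacement as "equivalent".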
-- 
2.53.0



* [PATCH 03/11] crypto: ecc - Use crypto_stdrng_get_bytes()
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
  2026-03-26  0:14 ` [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes() Eric Biggers
  2026-03-26  0:14 ` [PATCH 02/11] crypto: dh - Use crypto_stdrng_get_bytes() Eric Biggers
@ 2026-03-26  0:14 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 04/11] crypto: geniv " Eric Biggers
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:14 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Replace the sequence of crypto_get_default_rng(),
crypto_rng_get_bytes(), and crypto_put_default_rng() with the equivalent
helper function crypto_stdrng_get_bytes().

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/ecc.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 08150b14e17e..43b0def3a225 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1531,20 +1531,15 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
 	 * strength associated with N.
 	 *
 	 * The maximum security strength identified by NIST SP800-57pt1r4 for
 	 * ECC is 256 (N >= 512).
 	 *
-	 * This condition is met by the default RNG because it selects a favored
-	 * DRBG with a security strength of 256.
+	 * This condition is met by stdrng because it selects a favored DRBG
+	 * with a security strength of 256.
 	 */
-	if (crypto_get_default_rng())
-		return -EFAULT;
-
 	/* Step 3: obtain N returned_bits from the DRBG. */
-	err = crypto_rng_get_bytes(crypto_default_rng,
-				   (u8 *)private_key, nbytes);
-	crypto_put_default_rng();
+	err = crypto_stdrng_get_bytes(private_key, nbytes);
 	if (err)
 		return err;
 
 	/* Step 4: make sure the private key is in the valid range. */
 	if (__ecc_is_key_valid(curve, private_key, ndigits))
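Review bot: the reworded comment "This condition is met by stdrng because it selects a favored DRBG with a security strength of 256" becomes misleading once the later patch in this series routes non-FIPS calls through get_random_bytes_wait(): outside FIPS mode no DRBG is selected at all. Phrase it in terms of the helper and justify the strength for both modes (e.g. "crypto_stdrng_get_bytes() provides at least 256 bits of security strength: the FIPS DRBG when fips_enabled, the kernel RNG otherwise") so the comment stays true after patch 09. The -EFAULT-to-real-error change noted for dh.c applies here as well.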
-- 
2.53.0



* [PATCH 04/11] crypto: geniv - Use crypto_stdrng_get_bytes()
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (2 preceding siblings ...)
  2026-03-26  0:14 ` [PATCH 03/11] crypto: ecc " Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 05/11] crypto: hisilicon/hpre " Eric Biggers
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Replace the sequence of crypto_get_default_rng(),
crypto_rng_get_bytes(), and crypto_put_default_rng() with the equivalent
helper function crypto_stdrng_get_bytes().

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/geniv.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/crypto/geniv.c b/crypto/geniv.c
index 42eff6a7387c..c619a5ad2fc1 100644
--- a/crypto/geniv.c
+++ b/crypto/geniv.c
@@ -112,17 +112,11 @@ int aead_init_geniv(struct crypto_aead *aead)
 	struct crypto_aead *child;
 	int err;
 
 	spin_lock_init(&ctx->lock);
 
-	err = crypto_get_default_rng();
-	if (err)
-		goto out;
-
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
-				   crypto_aead_ivsize(aead));
-	crypto_put_default_rng();
+	err = crypto_stdrng_get_bytes(ctx->salt, crypto_aead_ivsize(aead));
 	if (err)
 		goto out;
 
 	child = crypto_spawn_aead(aead_instance_ctx(inst));
 	err = PTR_ERR(child);
-- 
2.53.0



* [PATCH 05/11] crypto: hisilicon/hpre - Use crypto_stdrng_get_bytes()
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (3 preceding siblings ...)
  2026-03-26  0:15 ` [PATCH 04/11] crypto: geniv " Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 06/11] crypto: intel/keembay-ocs-ecc " Eric Biggers
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Replace the sequence of crypto_get_default_rng(),
crypto_rng_get_bytes(), and crypto_put_default_rng() with the equivalent
helper function crypto_stdrng_get_bytes().

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 drivers/crypto/hisilicon/hpre/hpre_crypto.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
index 839c1f677143..09077abbf6ad 100644
--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
@@ -1325,21 +1325,13 @@ static bool hpre_key_is_zero(const char *key, unsigned short key_sz)
 static int ecdh_gen_privkey(struct hpre_ctx *ctx, struct ecdh *params)
 {
 	struct device *dev = ctx->dev;
 	int ret;
 
-	ret = crypto_get_default_rng();
-	if (ret) {
-		dev_err(dev, "failed to get default rng, ret = %d!\n", ret);
-		return ret;
-	}
-
-	ret = crypto_rng_get_bytes(crypto_default_rng, (u8 *)params->key,
-				   params->key_size);
-	crypto_put_default_rng();
+	ret = crypto_stdrng_get_bytes(params->key, params->key_size);
 	if (ret)
-		dev_err(dev, "failed to get rng, ret = %d!\n", ret);
+		dev_err(dev, "failed to get random bytes, ret = %d!\n", ret);
 
 	return ret;
 }
 
 static int hpre_ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
-- 
2.53.0



* [PATCH 06/11] crypto: intel/keembay-ocs-ecc - Use crypto_stdrng_get_bytes()
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (4 preceding siblings ...)
  2026-03-26  0:15 ` [PATCH 05/11] crypto: hisilicon/hpre " Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 07/11] net: tipc: " Eric Biggers
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Replace the sequence of crypto_get_default_rng(),
crypto_rng_get_bytes(), and crypto_put_default_rng() with the equivalent
helper function crypto_stdrng_get_bytes().

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 drivers/crypto/intel/keembay/keembay-ocs-ecc.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/drivers/crypto/intel/keembay/keembay-ocs-ecc.c b/drivers/crypto/intel/keembay/keembay-ocs-ecc.c
index 59308926399d..e61a95f66a0c 100644
--- a/drivers/crypto/intel/keembay/keembay-ocs-ecc.c
+++ b/drivers/crypto/intel/keembay/keembay-ocs-ecc.c
@@ -228,16 +228,11 @@ static int kmb_ecc_point_mult(struct ocs_ecc_dev *ecc_dev,
 		      OCS_ECC_OP_SIZE_384 : OCS_ECC_OP_SIZE_256;
 	size_t nbytes = digits_to_bytes(curve->g.ndigits);
 	int rc = 0;
 
 	/* Generate random nbytes for Simple and Differential SCA protection. */
-	rc = crypto_get_default_rng();
-	if (rc)
-		return rc;
-
-	rc = crypto_rng_get_bytes(crypto_default_rng, sca, nbytes);
-	crypto_put_default_rng();
+	rc = crypto_stdrng_get_bytes(sca, nbytes);
 	if (rc)
 		return rc;
 
 	/* Wait engine to be idle before starting new operation. */
 	rc = ocs_ecc_wait_idle(ecc_dev);
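Review bot: minor: `int rc = 0;` is a dead initialization now that the first statement is `rc = crypto_stdrng_get_bytes(sca, nbytes);`, so drop the `= 0` while touching this function. Worth noting for the series as a whole: the bytes drawn here are SCA blinding values, exactly the kind of caller that has no need for a FIPS DRBG, so the later fallback to the kernel RNG when fips_enabled=0 is appropriate at this site.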
@@ -507,18 +502,14 @@ static int kmb_ecc_gen_privkey(const struct ecc_curve *curve, u64 *privkey)
 	 * strength associated with N.
 	 *
 	 * The maximum security strength identified by NIST SP800-57pt1r4 for
 	 * ECC is 256 (N >= 512).
 	 *
-	 * This condition is met by the default RNG because it selects a favored
-	 * DRBG with a security strength of 256.
+	 * This condition is met by stdrng because it selects a favored DRBG
+	 * with a security strength of 256.
 	 */
-	if (crypto_get_default_rng())
-		return -EFAULT;
-
-	rc = crypto_rng_get_bytes(crypto_default_rng, (u8 *)priv, nbytes);
-	crypto_put_default_rng();
+	rc = crypto_stdrng_get_bytes(priv, nbytes);
 	if (rc)
 		goto cleanup;
 
 	rc = kmb_ecc_is_key_valid(curve, priv, nbytes);
 	if (rc)
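Review bot: two points carried over from the crypto/ecc.c hunk. The comment "stdrng ... selects a favored DRBG" will no longer describe the non-FIPS path after patch 09, so word it in terms of crypto_stdrng_get_bytes(). More importantly, the failure path changes from `return -EFAULT` (no cleanup) to `goto cleanup` with the helper's own error code; confirm that `cleanup` is safe to reach with `priv` still untouched, and mention the change in the commit message since it is more than a cosmetic replacement.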
-- 
2.53.0



* [PATCH 07/11] net: tipc: Use crypto_stdrng_get_bytes()
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (5 preceding siblings ...)
  2026-03-26  0:15 ` [PATCH 06/11] crypto: intel/keembay-ocs-ecc " Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 08/11] crypto: rng - Unexport "default RNG" symbols Eric Biggers
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Replace the sequence of crypto_get_default_rng(),
crypto_rng_get_bytes(), and crypto_put_default_rng() with the equivalent
helper function crypto_stdrng_get_bytes().

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 net/tipc/crypto.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index d3046a39ff72..6d3b6b89b1d1 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -365,21 +365,12 @@ int tipc_aead_key_validate(struct tipc_aead_key *ukey, struct genl_info *info)
  *
  * Return: 0 in case of success, otherwise < 0
  */
 static int tipc_aead_key_generate(struct tipc_aead_key *skey)
 {
-	int rc = 0;
-
-	/* Fill the key's content with a random value via RNG cipher */
-	rc = crypto_get_default_rng();
-	if (likely(!rc)) {
-		rc = crypto_rng_get_bytes(crypto_default_rng, skey->key,
-					  skey->keylen);
-		crypto_put_default_rng();
-	}
-
-	return rc;
+	/* Fill the key's content with a random value via stdrng */
+	return crypto_stdrng_get_bytes(skey->key, skey->keylen);
 }
 
 static struct tipc_aead *tipc_aead_get(struct tipc_aead __rcu *aead)
 {
 	struct tipc_aead *tmp;
-- 
2.53.0



* [PATCH 08/11] crypto: rng - Unexport "default RNG" symbols
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (6 preceding siblings ...)
  2026-03-26  0:15 ` [PATCH 07/11] net: tipc: " Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 09/11] crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in non-FIPS mode Eric Biggers
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Now that crypto_default_rng, crypto_get_default_rng(), and
crypto_put_default_rng() have no users outside crypto/rng.c itself,
unexport them and make them static.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/rng.c         | 9 +++------
 include/crypto/rng.h | 5 -----
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/crypto/rng.c b/crypto/rng.c
index 53a268ad5104..f52f4793f9ea 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -22,12 +22,11 @@
 #include <net/netlink.h>
 
 #include "internal.h"
 
 static DEFINE_MUTEX(crypto_default_rng_lock);
-struct crypto_rng *crypto_default_rng;
-EXPORT_SYMBOL_GPL(crypto_default_rng);
+static struct crypto_rng *crypto_default_rng;
 static int crypto_default_rng_refcnt;
 
 int crypto_rng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned int slen)
 {
 	u8 *buf = NULL;
@@ -104,11 +103,11 @@ struct crypto_rng *crypto_alloc_rng(const char *alg_name, u32 type, u32 mask)
 {
 	return crypto_alloc_tfm(alg_name, &crypto_rng_type, type, mask);
 }
 EXPORT_SYMBOL_GPL(crypto_alloc_rng);
 
-int crypto_get_default_rng(void)
+static int crypto_get_default_rng(void)
 {
 	struct crypto_rng *rng;
 	int err;
 
 	mutex_lock(&crypto_default_rng_lock);
@@ -133,19 +132,17 @@ int crypto_get_default_rng(void)
 unlock:
 	mutex_unlock(&crypto_default_rng_lock);
 
 	return err;
 }
-EXPORT_SYMBOL_GPL(crypto_get_default_rng);
 
-void crypto_put_default_rng(void)
+static void crypto_put_default_rng(void)
 {
 	mutex_lock(&crypto_default_rng_lock);
 	crypto_default_rng_refcnt--;
 	mutex_unlock(&crypto_default_rng_lock);
 }
-EXPORT_SYMBOL_GPL(crypto_put_default_rng);
 
 int crypto_stdrng_get_bytes(void *buf, unsigned int len)
 {
 	int err;
 
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index db6c3962a7df..f61e037afed9 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -55,15 +55,10 @@ struct rng_alg {
 
 struct crypto_rng {
 	struct crypto_tfm base;
 };
 
-extern struct crypto_rng *crypto_default_rng;
-
-int crypto_get_default_rng(void);
-void crypto_put_default_rng(void);
-
 /**
  * crypto_stdrng_get_bytes() - get cryptographically secure random bytes
  * @buf: output buffer holding the random numbers
  * @len: length of the output buffer
  *
-- 
2.53.0



* [PATCH 09/11] crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in non-FIPS mode
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (7 preceding siblings ...)
  2026-03-26  0:15 ` [PATCH 08/11] crypto: rng - Unexport "default RNG" symbols Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 10/11] crypto: fips - Depend on CRYPTO_DRBG=y Eric Biggers
  2026-03-26  0:15 ` [PATCH 11/11] crypto: rng - Don't pull in DRBG when CRYPTO_FIPS=n Eric Biggers
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

"stdrng" is needed only in "FIPS mode".  Therefore, make
crypto_stdrng_get_bytes() delegate to either the normal Linux RNG or to
"stdrng", depending on the current mode.

This will eliminate the need to build the SP800-90A DRBG and its
dependencies into CRYPTO_FIPS=n kernels.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/rng.c         |  4 ++--
 include/crypto/rng.h | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/crypto/rng.c b/crypto/rng.c
index f52f4793f9ea..1d4b9177bad4 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -140,11 +140,11 @@ static void crypto_put_default_rng(void)
 	mutex_lock(&crypto_default_rng_lock);
 	crypto_default_rng_refcnt--;
 	mutex_unlock(&crypto_default_rng_lock);
 }
 
-int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len)
 {
 	int err;
 
 	err = crypto_get_default_rng();
 	if (err)
@@ -152,11 +152,11 @@ int crypto_stdrng_get_bytes(void *buf, unsigned int len)
 
 	err = crypto_rng_get_bytes(crypto_default_rng, buf, len);
 	crypto_put_default_rng();
 	return err;
 }
-EXPORT_SYMBOL_GPL(crypto_stdrng_get_bytes);
+EXPORT_SYMBOL_GPL(__crypto_stdrng_get_bytes);
 
 #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE)
 int crypto_del_default_rng(void)
 {
 	int err = -EBUSY;
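Review bot: with the rename, `__crypto_stdrng_get_bytes` becomes the exported entry point that the static inline in rng.h calls, which makes a double-underscore symbol part of the module ABI with no comment saying so. A line above the function ("called only through crypto_stdrng_get_bytes(), and only when fips_enabled; do not call directly") would document the contract, and the function could also gain the `might_sleep()` that the inline in rng.h now carries, so that a direct caller is checked too.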
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index f61e037afed9..07f494b2c881 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -10,10 +10,12 @@
 #define _CRYPTO_RNG_H
 
 #include <linux/atomic.h>
 #include <linux/container_of.h>
 #include <linux/crypto.h>
+#include <linux/fips.h>
+#include <linux/random.h>
 
 struct crypto_rng;
 
 /**
  * struct rng_alg - random number generator definition
@@ -55,22 +57,31 @@ struct rng_alg {
 
 struct crypto_rng {
 	struct crypto_tfm base;
 };
 
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len);
+
 /**
  * crypto_stdrng_get_bytes() - get cryptographically secure random bytes
  * @buf: output buffer holding the random numbers
  * @len: length of the output buffer
  *
  * This function fills the caller-allocated buffer with random numbers using the
- * highest-priority "stdrng" algorithm in the crypto_rng subsystem.
+ * normal Linux RNG if fips_enabled=0, or the highest-priority "stdrng"
+ * algorithm in the crypto_rng subsystem if fips_enabled=1.
  *
  * Context: May sleep
  * Return: 0 function was successful; < 0 if an error occurred
  */
-int crypto_stdrng_get_bytes(void *buf, unsigned int len);
+static inline int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+{
+	might_sleep();
+	if (fips_enabled)
+		return __crypto_stdrng_get_bytes(buf, len);
+	return get_random_bytes_wait(buf, len);
+}
 
 /**
  * DOC: Random number generator API
  *
  * The random number generator API is used with the ciphers of type
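Review bot: the correctness of this inline for CRYPTO_FIPS=n kernels depends on fips_enabled folding to the constant 0 from <linux/fips.h> in that configuration, so that the call to __crypto_stdrng_get_bytes() (and with it the dependency on crypto/rng.c) is compiled out of every caller; that invariant is not stated anywhere in the hunk. Put it in a comment next to `if (fips_enabled)` and in the commit message, because a future change that makes fips_enabled a real variable in non-FIPS builds would silently reintroduce link failures for modules built without the RNG core. Also, the kernel-doc should say that the fips_enabled=0 path waits for the kernel RNG to be seeded and can fail with -ERESTARTSYS if that wait is interrupted, so callers must check the return value before using @buf.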
-- 
2.53.0



* [PATCH 10/11] crypto: fips - Depend on CRYPTO_DRBG=y
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (8 preceding siblings ...)
  2026-03-26  0:15 ` [PATCH 09/11] crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in non-FIPS mode Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  2026-03-26  0:15 ` [PATCH 11/11] crypto: rng - Don't pull in DRBG when CRYPTO_FIPS=n Eric Biggers
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

Currently, the callers of crypto_stdrng_get_bytes() do 'select
CRYPTO_RNG_DEFAULT', which does 'select CRYPTO_DRBG_MENU'.

However, due to the change in how crypto_stdrng_get_bytes() is
implemented, CRYPTO_DRBG_MENU is now needed only when CRYPTO_FIPS.

But, 'select CRYPTO_DRBG_MENU if CRYPTO_FIPS' would cause a recursive
dependency, since CRYPTO_FIPS 'depends on CRYPTO_DRBG'.

Solve this by just making CRYPTO_FIPS depend on CRYPTO_DRBG=y (rather
than CRYPTO_DRBG i.e. CRYPTO_DRBG=y || CRYPTO_DRBG=m).  The distros that
use CRYPTO_FIPS=y already set CRYPTO_DRBG=y anyway, which makes sense.

This makes the CRYPTO_RNG_DEFAULT symbol (and its corresponding
selection of CRYPTO_DRBG_MENU) unnecessary.  A later commit removes it.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index e2b4106ac961..80492538e1f7 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -23,11 +23,11 @@ if CRYPTO
 
 menu "Crypto core or helper"
 
 config CRYPTO_FIPS
 	bool "FIPS 200 compliance"
-	depends on CRYPTO_DRBG && CRYPTO_SELFTESTS
+	depends on CRYPTO_DRBG=y && CRYPTO_SELFTESTS
 	depends on (MODULE_SIG || !MODULES)
 	help
 	  This option enables the fips boot option which is
 	  required if you want the system to operate in a FIPS 200
 	  certification.  You should say no unless you know what
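Review bot: this line pins only CRYPTO_DRBG=y, but the argument in the commit message (and in patch 11) also needs the object that provides __crypto_stdrng_get_bytes(), crypto/rng.c, to be built in whenever CRYPTO_FIPS=y; otherwise a built-in caller in FIPS mode would reference a symbol that lives in a module. If CRYPTO_DRBG selects the RNG core, CRYPTO_DRBG=y implies it is =y as well and the requirement is met, but that is an indirect guarantee through a select chain. Either state it in the commit message or make it explicit here so the constraint is visible where it is enforced.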
-- 
2.53.0



* [PATCH 11/11] crypto: rng - Don't pull in DRBG when CRYPTO_FIPS=n
  2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
                   ` (9 preceding siblings ...)
  2026-03-26  0:15 ` [PATCH 10/11] crypto: fips - Depend on CRYPTO_DRBG=y Eric Biggers
@ 2026-03-26  0:15 ` Eric Biggers
  10 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  0:15 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu
  Cc: linux-kernel, Jason A . Donenfeld, Stephan Mueller, Eric Biggers

crypto_stdrng_get_bytes() is now always available:

    - When CRYPTO_FIPS=n it is an inline function that always calls into
      the always-built-in drivers/char/random.c.

    - When CRYPTO_FIPS=y it is an inline function that calls into either
      random.c or crypto/rng.c, depending on the value of fips_enabled.
      The former is again always built-in.  The latter is built-in as
      well in this case, due to CRYPTO_FIPS=y.

Thus, the CRYPTO_RNG_DEFAULT symbol is no longer needed.  Remove it.

This makes it so that CRYPTO_DRBG_MENU (and hence also CRYPTO_DRBG,
CRYPTO_JITTERENTROPY, and CRYPTO_LIB_SHA3) no longer gets unnecessarily
pulled into CRYPTO_FIPS=n kernels.  I.e. CRYPTO_FIPS=n kernels are no
longer bloated with code that is relevant only to FIPS certifications.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/Kconfig | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 80492538e1f7..13686f033413 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -107,14 +107,10 @@ config CRYPTO_RNG
 
 config CRYPTO_RNG2
 	tristate
 	select CRYPTO_ALGAPI2
 
-config CRYPTO_RNG_DEFAULT
-	tristate
-	select CRYPTO_DRBG_MENU
-
 config CRYPTO_AKCIPHER2
 	tristate
 	select CRYPTO_ALGAPI2
 
 config CRYPTO_AKCIPHER
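Review bot: deleting the symbol leaves any `select CRYPTO_RNG_DEFAULT` that remains elsewhere (drivers/crypto/*/Kconfig, net/tipc/Kconfig) as a select of an undefined symbol, which Kconfig tolerates without an error, so the bloat this series removes could quietly persist through a driver whose Kconfig was not updated. The diffstat shows only crypto/Kconfig changing even though the hisilicon, keembay and tipc callers were converted; a `git grep -n CRYPTO_RNG_DEFAULT` line in the commit message confirming no other users would make the removal verifiable.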
@@ -294,11 +290,10 @@ config CRYPTO_DH
 	  DH (Diffie-Hellman) key exchange algorithm
 
 config CRYPTO_DH_RFC7919_GROUPS
 	bool "RFC 7919 FFDHE groups"
 	depends on CRYPTO_DH
-	select CRYPTO_RNG_DEFAULT
 	help
 	  FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups
 	  defined in RFC7919.
 
 	  Support these finite-field groups in DH key exchanges:
@@ -306,11 +301,10 @@ config CRYPTO_DH_RFC7919_GROUPS
 
 	  If unsure, say N.
 
 config CRYPTO_ECC
 	tristate
-	select CRYPTO_RNG_DEFAULT
 
 config CRYPTO_ECDH
 	tristate "ECDH (Elliptic Curve Diffie-Hellman)"
 	select CRYPTO_ECC
 	select CRYPTO_KPP
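Review bot: CRYPTO_ECC is tristate, so after this select is dropped a modular ecc.ko resolves __crypto_stdrng_get_bytes() in a CRYPTO_FIPS=y kernel only because patch 10 forces CRYPTO_DRBG=y (and with it the RNG core) in that configuration, while CRYPTO_FIPS=n builds compile the reference out. That ordering dependency between patches 10 and 11 should be spelled out in the commit message so the two are not separated when cherry-picked or backported.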
@@ -802,11 +796,10 @@ config CRYPTO_GCM
 
 config CRYPTO_GENIV
 	tristate
 	select CRYPTO_AEAD
 	select CRYPTO_MANAGER
-	select CRYPTO_RNG_DEFAULT
 
 config CRYPTO_SEQIV
 	tristate "Sequence Number IV Generator"
 	select CRYPTO_GENIV
 	help
-- 
2.53.0



* Re: [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes()
  2026-03-26  0:14 ` [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes() Eric Biggers
@ 2026-03-26  1:38   ` Jason A. Donenfeld
  2026-03-26  2:31     ` Eric Biggers
  0 siblings, 1 reply; 14+ messages in thread
From: Jason A. Donenfeld @ 2026-03-26  1:38 UTC (permalink / raw)
  To: Eric Biggers; +Cc: linux-crypto, Herbert Xu, linux-kernel

I'm a little worried about this because I don't want to see a
proliferation of crypto_stdrng_get_bytes() users. How can we be sure
that this is mostly never used?


Jason


* Re: [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes()
  2026-03-26  1:38   ` Jason A. Donenfeld
@ 2026-03-26  2:31     ` Eric Biggers
  0 siblings, 0 replies; 14+ messages in thread
From: Eric Biggers @ 2026-03-26  2:31 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: linux-crypto, Herbert Xu, linux-kernel

On Thu, Mar 26, 2026 at 02:38:47AM +0100, Jason A. Donenfeld wrote:
> I'm a little worried about this because I don't want to see a
> proliferation of crypto_stdrng_get_bytes() users. How can we be sure
> that this is mostly never used?
> 
> 
> Jason

Perhaps a slightly different comment?  By the end of the series it is:

/**
 * crypto_stdrng_get_bytes() - get cryptographically secure random bytes
 * @buf: output buffer holding the random numbers
 * @len: length of the output buffer
 *
 * This function fills the caller-allocated buffer with random numbers using the
 * normal Linux RNG if fips_enabled=0, or the highest-priority "stdrng"
 * algorithm in the crypto_rng subsystem if fips_enabled=1.
 *
 * Context: May sleep
 * Return: 0 function was successful; < 0 if an error occurred
 */

We could add something like:

    Don't call this unless you are sure you need it.  In most cases you
    should just call get_random_bytes_wait() directly.

- Eric

