* [PATCH RFC 008/104] arch/x86/boot/string.h: override memmove()/strlen()
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum,
Vivek Goyal, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
arch/x86/boot/string.h defines string functions used by
arch/x86/purgatory/purgatory.c. Other headers used by this file may
pull in existing definitions of memmove() and strlen(), so extend the
overrides to these macros/functions as well.
(This is needed as purgatory uses crypto functions which pull in other
headers that I am changing in this patch series and causing errors.)
We might consider simply moving all of this into purgatory.c after all
the #includes to avoid similar issues in the future.
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: x86@kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
arch/x86/boot/string.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/boot/string.h b/arch/x86/boot/string.h
index a5b05ebc037d..ac25100183bc 100644
--- a/arch/x86/boot/string.h
+++ b/arch/x86/boot/string.h
@@ -4,6 +4,7 @@
/* Undef any of these macros coming from string_32.h. */
#undef memcpy
+#undef memmove
#undef memset
#undef memcmp
@@ -15,9 +16,12 @@ int bcmp(const void *s1, const void *s2, size_t len);
/* Access builtin version by default. */
#define memcpy(d,s,l) __builtin_memcpy(d,s,l)
+#define memmove(d,s,l) __builtin_memmove(d,s,l)
#define memset(d,c,l) __builtin_memset(d,c,l)
#define memcmp __builtin_memcmp
+#undef strlen
+
extern int strcmp(const char *str1, const char *str2);
extern int strncmp(const char *cs, const char *ct, size_t count);
extern size_t strlen(const char *s);
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 016/104] crypto: alg - add CRYPTO_ALG_FIPS_PROVIDED flag
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
Use a new flag to record whether a particular algorithm is provided by
a standalone FIPS 140 module.
Note: This does not mean the algorithm is "FIPS approved" or even "FIPS
allowed" -- it simply means the algorithm is implemented within the FIPS
module.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/algapi.c | 30 ++++++++++++++++++++++++++++++
crypto/testmgr.c | 22 +++++++++++++++-------
include/linux/crypto.h | 8 ++++++++
3 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 54b8d4acd651..29076797a938 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -450,6 +450,9 @@ int crypto_register_alg(struct crypto_alg *alg)
if (err)
return err;
+ /* Blatant API misuse */
+ BUG_ON(alg->cra_flags & CRYPTO_ALG_FIPS_PROVIDED);
+
if (alg->cra_flags & CRYPTO_ALG_DUP_FIRST &&
!WARN_ON_ONCE(alg->cra_destroy)) {
unsigned int algsize = alg->cra_type->algsize;
@@ -463,6 +466,13 @@ int crypto_register_alg(struct crypto_alg *alg)
alg->cra_destroy = crypto_free_alg;
}
+#ifdef FIPS_MODULE
+ if (alg->cra_module == THIS_MODULE) {
+ alg->cra_flags |= CRYPTO_ALG_FIPS_PROVIDED;
+ alg->cra_priority |= 4096;
+ }
+#endif
+
down_write(&crypto_alg_sem);
larval = __crypto_register_alg(alg, &algs_to_put);
if (!IS_ERR_OR_NULL(larval)) {
@@ -666,6 +676,9 @@ int crypto_register_instance(struct crypto_template *tmpl,
struct crypto_larval *larval;
struct crypto_spawn *spawn;
u32 fips_internal = 0;
+#ifdef FIPS_MODULE
+ u32 fips_provided = ~0;
+#endif
LIST_HEAD(algs_to_put);
int err;
@@ -673,6 +686,9 @@ int crypto_register_instance(struct crypto_template *tmpl,
if (err)
return err;
+ /* Blatant API misuse */
+ BUG_ON(inst->alg.cra_flags & CRYPTO_ALG_FIPS_PROVIDED);
+
inst->alg.cra_module = tmpl->module;
inst->alg.cra_flags |= CRYPTO_ALG_INSTANCE;
inst->alg.cra_destroy = crypto_destroy_instance;
@@ -692,6 +708,13 @@ int crypto_register_instance(struct crypto_template *tmpl,
fips_internal |= spawn->alg->cra_flags;
+#ifdef FIPS_MODULE
+ if (spawn->alg->cra_module == THIS_MODULE)
+ fips_provided &= spawn->alg->cra_flags;
+ else
+ fips_provided = 0;
+#endif
+
crypto_mod_put(spawn->alg);
spawn = next;
@@ -699,6 +722,13 @@ int crypto_register_instance(struct crypto_template *tmpl,
inst->alg.cra_flags |= (fips_internal & CRYPTO_ALG_FIPS_INTERNAL);
+#ifdef FIPS_MODULE
+ if (tmpl->module == THIS_MODULE && (fips_provided & CRYPTO_ALG_FIPS_PROVIDED)) {
+ inst->alg.cra_flags |= CRYPTO_ALG_FIPS_PROVIDED;
+ inst->alg.cra_priority |= 4096;
+ }
+#endif
+
larval = __crypto_register_alg(&inst->alg, &algs_to_put);
if (IS_ERR(larval))
goto unlock;
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 25aadf5b6690..1dfd37761a4f 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5771,15 +5771,23 @@ static int alg_fips_disabled(const char *driver, const char *alg)
return -ECANCELED;
}
-static int alg_test_fips_disabled(const struct alg_test_desc *desc)
+static int alg_test_fips_disabled(const struct crypto_alg *alg, const struct alg_test_desc *desc)
{
if (!fips_enabled)
return 0;
/*
- * Only allow FIPS-allowed algorithms to be tested.
+ * If the algorithm is completely provided by the FIPS module
+ * we still require it to be allowed accoding to our test table.
*/
- return !(desc->fips_allowed & FIPS_ALLOWED);
+ if (alg->cra_flags & CRYPTO_ALG_FIPS_PROVIDED)
+ return !(desc->fips_allowed & FIPS_ALLOWED);
+
+ /*
+ * If the algorithm is not provided by the FIPS module, then
+ * it must be FIPS_NON_CRYPTOGRAPHIC.
+ */
+ return !(desc->fips_allowed & FIPS_NON_CRYPTOGRAPHIC);
}
int alg_test(struct crypto_alg *alg, const char *driver, const char *name, u32 type, u32 mask)
@@ -5806,7 +5814,7 @@ int alg_test(struct crypto_alg *alg, const char *driver, const char *name, u32 t
if (i < 0)
goto notest;
- if (alg_test_fips_disabled(&alg_test_descs[i]))
+ if (alg_test_fips_disabled(alg, &alg_test_descs[i]))
goto non_fips_alg;
rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
@@ -5819,9 +5827,9 @@ int alg_test(struct crypto_alg *alg, const char *driver, const char *name, u32 t
goto notest;
if (fips_enabled) {
- if (j >= 0 && alg_test_fips_disabled(&alg_test_descs[j]))
+ if (j >= 0 && alg_test_fips_disabled(alg, &alg_test_descs[j]))
return -EINVAL;
- if (i >= 0 && alg_test_fips_disabled(&alg_test_descs[i]))
+ if (i >= 0 && alg_test_fips_disabled(alg, &alg_test_descs[i]))
goto non_fips_alg;
}
@@ -5865,7 +5873,7 @@ int alg_test(struct crypto_alg *alg, const char *driver, const char *name, u32 t
if (i < 0)
goto notest2;
- if (alg_test_fips_disabled(&alg_test_descs[i]))
+ if (alg_test_fips_disabled(alg, &alg_test_descs[i]))
goto non_fips_alg;
rc = alg_test_skcipher(alg_test_descs + i, driver, type, mask);
diff --git a/include/linux/crypto.h b/include/linux/crypto.h
index a2137e19be7d..737e53a642d4 100644
--- a/include/linux/crypto.h
+++ b/include/linux/crypto.h
@@ -139,6 +139,14 @@
/* Set if the algorithm cannot have a fallback (e.g., phmac). */
#define CRYPTO_ALG_NO_FALLBACK 0x00080000
+/*
+ * The algorithm is provided by the FIPS module.
+ *
+ * NOTE: an algorithm can be provided by the FIPS module and not be
+ * approved, depending on the exact parameters like key size, etc.
+ */
+#define CRYPTO_ALG_FIPS_PROVIDED 0x00100000
+
/* The high bits 0xff000000 are reserved for type-specific flags. */
/*
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 014/104] crypto/testmgr: add helper to alg_test()
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
Add a new helper function, alg_test_fips_disabled() containing the
logic to decide if an algorithm is allowed to be tested.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/testmgr.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index a216cb8b8caf..ab7c6724d36f 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5771,6 +5771,17 @@ static int alg_fips_disabled(const char *driver, const char *alg)
return -ECANCELED;
}
+static int alg_test_fips_disabled(const struct alg_test_desc *desc)
+{
+ if (!fips_enabled)
+ return 0;
+
+ /*
+ * Only allow FIPS-allowed algorithms to be tested.
+ */
+ return !(desc->fips_allowed & FIPS_ALLOWED);
+}
+
int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
{
int i;
@@ -5795,7 +5806,7 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
if (i < 0)
goto notest;
- if (fips_enabled && !alg_test_descs[i].fips_allowed)
+ if (alg_test_fips_disabled(&alg_test_descs[i]))
goto non_fips_alg;
rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
@@ -5808,10 +5819,9 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
goto notest;
if (fips_enabled) {
- if (j >= 0 && !alg_test_descs[j].fips_allowed)
+ if (j >= 0 && alg_test_fips_disabled(&alg_test_descs[j]))
return -EINVAL;
-
- if (i >= 0 && !alg_test_descs[i].fips_allowed)
+ if (i >= 0 && alg_test_fips_disabled(&alg_test_descs[i]))
goto non_fips_alg;
}
@@ -5855,7 +5865,7 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
if (i < 0)
goto notest2;
- if (fips_enabled && !alg_test_descs[i].fips_allowed)
+ if (alg_test_fips_disabled(&alg_test_descs[i]))
goto non_fips_alg;
rc = alg_test_skcipher(alg_test_descs + i, driver, type, mask);
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 015/104] crypto: pass struct crypto_alg directly to alg_test()
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
algboss/cryptomgr_schedule_test/cryptomgr_test currently pass the
algorithm to test by name -- stringly typed.
This is unfortunate as it opens all kinds of potential issues with race
conditions and ultimately the question of whether we actually tested
what we wanted to test.
I see no reason why we should pass the algorithm by name except for the
fact that the crypto API itself is stringly typed when
requesting/instantiating algorithms. Maybe there should be a way to
instantiate an algorithm by alg pointer too?
In any case, let's pass the alg directly so we know precisely what
algorithm we are actually testing.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/algboss.c | 32 ++++++++++----------------------
crypto/internal.h | 2 +-
crypto/tcrypt.c | 18 +++++++++++++++---
crypto/testmgr.c | 24 ++++++++++++------------
4 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/crypto/algboss.c b/crypto/algboss.c
index 846f586889ee..31df14e37a3e 100644
--- a/crypto/algboss.c
+++ b/crypto/algboss.c
@@ -41,12 +41,6 @@ struct cryptomgr_param {
u32 omask;
};
-struct crypto_test_param {
- char driver[CRYPTO_MAX_ALG_NAME];
- char alg[CRYPTO_MAX_ALG_NAME];
- u32 type;
-};
-
static int cryptomgr_probe(void *data)
{
struct cryptomgr_param *param = data;
@@ -172,22 +166,21 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval)
static int cryptomgr_test(void *data)
{
- struct crypto_test_param *param = data;
- u32 type = param->type;
+ struct crypto_alg *alg = data;
int err;
- err = alg_test(param->driver, param->alg, type, CRYPTO_ALG_TESTED);
+ err = alg_test(alg, alg->cra_driver_name, alg->cra_name,
+ alg->cra_flags, CRYPTO_ALG_TESTED);
- crypto_alg_tested(param->driver, err);
+ crypto_alg_tested(alg->cra_driver_name, err);
- kfree(param);
+ crypto_mod_put(alg);
module_put_and_kthread_exit(0);
}
static int cryptomgr_schedule_test(struct crypto_alg *alg)
{
struct task_struct *thread;
- struct crypto_test_param *param;
if (!IS_ENABLED(CONFIG_CRYPTO_SELFTESTS))
return NOTIFY_DONE;
@@ -195,22 +188,17 @@ static int cryptomgr_schedule_test(struct crypto_alg *alg)
if (!try_module_get(THIS_MODULE))
goto err;
- param = kzalloc(sizeof(*param), GFP_KERNEL);
- if (!param)
+ if (!crypto_mod_get(alg))
goto err_put_module;
- memcpy(param->driver, alg->cra_driver_name, sizeof(param->driver));
- memcpy(param->alg, alg->cra_name, sizeof(param->alg));
- param->type = alg->cra_flags;
-
- thread = kthread_run(cryptomgr_test, param, "cryptomgr_test");
+ thread = kthread_run(cryptomgr_test, alg, "cryptomgr_test");
if (IS_ERR(thread))
- goto err_free_param;
+ goto err_put_alg;
return NOTIFY_STOP;
-err_free_param:
- kfree(param);
+err_put_alg:
+ crypto_mod_put(alg);
err_put_module:
module_put(THIS_MODULE);
err:
diff --git a/crypto/internal.h b/crypto/internal.h
index b9afd68767c1..702934c719ef 100644
--- a/crypto/internal.h
+++ b/crypto/internal.h
@@ -65,7 +65,7 @@ extern struct list_head crypto_alg_list;
extern struct rw_semaphore crypto_alg_sem;
extern struct blocking_notifier_head crypto_chain;
-int alg_test(const char *driver, const char *alg, u32 type, u32 mask);
+int alg_test(struct crypto_alg *alg, const char *driver, const char *name, u32 type, u32 mask);
#if !IS_BUILTIN(CONFIG_CRYPTO_ALGAPI) || !IS_ENABLED(CONFIG_CRYPTO_SELFTESTS)
static inline bool crypto_boot_test_finished(void)
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index d1d88debbd71..b69560f2fdef 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -1436,16 +1436,28 @@ static void test_cipher_speed(const char *algo, int enc, unsigned int secs,
false);
}
-static inline int tcrypt_test(const char *alg)
+static inline int tcrypt_test(const char *name)
{
int ret;
+ struct crypto_alg *alg;
- pr_debug("testing %s\n", alg);
+ pr_debug("testing %s\n", name);
- ret = alg_test(alg, alg, 0, 0);
+ alg = crypto_alg_mod_lookup(name, 0, 0);
+ if (IS_ERR(alg)) {
+ /* non-fip algs return -EAGAIN or -ENOENT in fips mode */
+ if (fips_enabled && (PTR_ERR(alg) == -EAGAIN || PTR_ERR(alg) == -ENOENT))
+ return 0;
+
+ return PTR_ERR(alg);
+ }
+
+ ret = alg_test(alg, name, name, 0, 0);
/* non-fips algs return -EINVAL or -ECANCELED in fips mode */
if (fips_enabled && (ret == -EINVAL || ret == -ECANCELED))
ret = 0;
+
+ crypto_mod_put(alg);
return ret;
}
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index ab7c6724d36f..25aadf5b6690 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -61,7 +61,7 @@ MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations");
#ifndef CONFIG_CRYPTO_SELFTESTS
/* a perfect nop */
-int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
+int alg_test(struct crypto_alg *alg, const char *driver, const char *name, u32 type, u32 mask)
{
return 0;
}
@@ -5782,7 +5782,7 @@ static int alg_test_fips_disabled(const struct alg_test_desc *desc)
return !(desc->fips_allowed & FIPS_ALLOWED);
}
-int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
+int alg_test(struct crypto_alg *alg, const char *driver, const char *name, u32 type, u32 mask)
{
int i;
int j;
@@ -5798,7 +5798,7 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) {
char nalg[CRYPTO_MAX_ALG_NAME];
- if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
+ if (snprintf(nalg, sizeof(nalg), "ecb(%s)", name) >=
sizeof(nalg))
return -ENAMETOOLONG;
@@ -5813,7 +5813,7 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
goto test_done;
}
- i = alg_find_test(alg);
+ i = alg_find_test(name);
j = alg_find_test(driver);
if (i < 0 && j < 0)
goto notest;
@@ -5838,17 +5838,17 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
if (fips_enabled) {
fips_fail_notify();
panic("alg: self-tests for %s (driver %s) failed in fips mode!\n",
- alg, driver);
+ name, driver);
}
pr_warn("alg: self-tests for %s (driver %s) failed (rc=%d)",
- alg, driver, rc);
+ name, driver, rc);
WARN(rc != -ENOENT,
"alg: self-tests for %s (driver %s) failed (rc=%d)",
- alg, driver, rc);
+ name, driver, rc);
} else {
if (fips_enabled)
pr_info("alg: self-tests for %s (driver %s) passed\n",
- alg, driver);
+ name, driver);
}
return rc;
@@ -5857,7 +5857,7 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_LSKCIPHER) {
char nalg[CRYPTO_MAX_ALG_NAME];
- if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
+ if (snprintf(nalg, sizeof(nalg), "ecb(%s)", name) >=
sizeof(nalg))
goto notest2;
@@ -5873,14 +5873,14 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
}
notest2:
- printk(KERN_INFO "alg: No test for %s (driver %s)\n", alg, driver);
+ printk(KERN_INFO "alg: No test for %s (driver %s)\n", name, driver);
if (type & CRYPTO_ALG_FIPS_INTERNAL)
- return alg_fips_disabled(driver, alg);
+ return alg_fips_disabled(driver, name);
return 0;
non_fips_alg:
- return alg_fips_disabled(driver, alg);
+ return alg_fips_disabled(driver, name);
}
#endif /* CONFIG_CRYPTO_SELFTESTS */
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 013/104] crypto/algapi.c: disable crypto_check_module_sig() for FIPS module
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
The FIPS module is assumed to be loaded from a trusted source (e.g. a
byte array embedded in vmlinux, which is already verified by the boot
loader). We can therefore ignore it for the purposes of module signature
verification in the crypto API.
(One could ask what the purpose of this check is in the first place,
given that modules can always fudge their alg->cra_module to bypass it
-- IOW, this isn't really an effective security check anyway, as far as
I can tell.)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/algapi.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 09faecd47ea7..54b8d4acd651 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -24,7 +24,19 @@ static LIST_HEAD(crypto_template_list);
static inline void crypto_check_module_sig(struct module *mod)
{
- if (fips_enabled && mod && !module_sig_ok(mod))
+#ifdef FIPS_MODULE
+ /*
+ * The FIPS module should ignore its own signature as it was
+ * loaded from a trusted source.
+ */
+ if (mod == THIS_MODULE)
+ return;
+#else
+ if (!fips_enabled)
+ return;
+#endif
+
+ if (mod && !module_sig_ok(mod))
panic("Module %s signature verification failed in FIPS mode\n",
module_name(mod));
}
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 012/104] crypto/algapi: don't init algapi in fips mode
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
If the kernel build supports a FIPS module loader and FIPS mode is
enabled, we should not start tests or register /proc/crypto as this
will already have been done by the FIPS module.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/algapi.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/crypto/algapi.c b/crypto/algapi.c
index e11b8fdb0865..09faecd47ea7 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -1105,6 +1105,14 @@ static void __init crypto_start_tests(void)
static int __init crypto_algapi_init(void)
{
+#if defined(CONFIG_CRYPTO_FIPS140_EXTMOD) && !defined(FIPS_MODULE)
+ /*
+ * The FIPS module will have done the initialization already.
+ */
+ if (fips_enabled)
+ return 0;
+#endif
+
crypto_init_proc();
crypto_start_tests();
return 0;
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 011/104] crypto/testmgr: mark non-crypto algorithms
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
Add a new constant FIPS_NON_CRYPTOGRAPHIC and add it to all the
algorithms that are allowed by FIPS due to their non-cryptographic
nature.
This will include CRC32* and all compression algorithms.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/testmgr.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 4ca54cf6e244..a216cb8b8caf 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -148,6 +148,13 @@ struct kpp_test_suite {
*/
#define FIPS_ALLOWED 1
+/*
+ * Algorithm is not considered a cryptographic algorithm from
+ * a FIPS point of view and may be used for non-cryptographic
+ * purposes.
+ */
+#define FIPS_NON_CRYPTOGRAPHIC 2
+
struct alg_test_desc {
const char *alg;
const char *generic_driver;
@@ -4523,7 +4530,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "crc32",
.generic_driver = "crc32-lib",
.test = alg_test_hash,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.hash = __VECS(crc32_tv_template)
}
@@ -4531,7 +4538,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "crc32c",
.generic_driver = "crc32c-lib",
.test = alg_test_hash,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.hash = __VECS(crc32c_tv_template)
}
@@ -4654,7 +4661,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "deflate",
.test = alg_test_comp,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.comp = {
.comp = __VECS(deflate_comp_tv_template),
@@ -4664,7 +4671,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "deflate-iaa",
.test = alg_test_comp,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.comp = {
.comp = __VECS(deflate_comp_tv_template),
@@ -5211,7 +5218,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lz4",
.test = alg_test_comp,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.comp = {
.comp = __VECS(lz4_comp_tv_template),
@@ -5221,7 +5228,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lz4hc",
.test = alg_test_comp,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.comp = {
.comp = __VECS(lz4hc_comp_tv_template),
@@ -5231,7 +5238,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lzo",
.test = alg_test_comp,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.comp = {
.comp = __VECS(lzo_comp_tv_template),
@@ -5241,7 +5248,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lzo-rle",
.test = alg_test_comp,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.comp = {
.comp = __VECS(lzorle_comp_tv_template),
@@ -5679,7 +5686,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "zstd",
.test = alg_test_comp,
- .fips_allowed = FIPS_ALLOWED,
+ .fips_allowed = FIPS_ALLOWED | FIPS_NON_CRYPTOGRAPHIC,
.suite = {
.comp = {
.comp = __VECS(zstd_comp_tv_template),
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 010/104] crypto/testmgr: make fips_allowed a bit set
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
We'd like to distinguish between algorithms that are allowed by FIPS
due to being approved and algorithms that are allowed by FIPS due to
being non-cryptographic in nature (despite using the kernel's crypto
API).
Replace "1" with a named constant, FIPS_ALLOWED.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/testmgr.c | 218 ++++++++++++++++++++++++-----------------------
1 file changed, 112 insertions(+), 106 deletions(-)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 47764fc879bb..4ca54cf6e244 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -142,12 +142,18 @@ struct kpp_test_suite {
unsigned int count;
};
+/*
+ * Allowed algorithms are those which can exist inside a
+ * cryptographic module without making the module non-compliant
+ */
+#define FIPS_ALLOWED 1
+
struct alg_test_desc {
const char *alg;
const char *generic_driver;
int (*test)(const struct alg_test_desc *desc, const char *driver,
u32 type, u32 mask);
- int fips_allowed; /* set if alg is allowed in fips mode */
+ int fips_allowed; /* see FIPS_* constants above */
union {
struct aead_test_suite aead;
@@ -4234,7 +4240,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "authenc(hmac(sha256),cbc(aes))",
.generic_driver = "authenc(hmac-sha256-lib,cbc(aes-generic))",
.test = alg_test_aead,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.aead = __VECS(hmac_sha256_aes_cbc_tv_temp)
}
@@ -4255,7 +4261,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha256),ctr(aes))",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "authenc(hmac(sha256),cts(cbc(aes)))",
.generic_driver = "authenc(hmac-sha256-lib,cts(cbc(aes-generic)))",
@@ -4266,7 +4272,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha256),rfc3686(ctr(aes)))",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "authenc(hmac(sha384),cbc(des))",
.generic_driver = "authenc(hmac-sha384-lib,cbc(des-generic))",
@@ -4284,7 +4290,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha384),ctr(aes))",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "authenc(hmac(sha384),cts(cbc(aes)))",
.generic_driver = "authenc(hmac-sha384-lib,cts(cbc(aes-generic)))",
@@ -4295,11 +4301,11 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha384),rfc3686(ctr(aes)))",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "authenc(hmac(sha512),cbc(aes))",
.generic_driver = "authenc(hmac-sha512-lib,cbc(aes-generic))",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_aead,
.suite = {
.aead = __VECS(hmac_sha512_aes_cbc_tv_temp)
@@ -4321,11 +4327,11 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha512),ctr(aes))",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "authenc(hmac(sha512),rfc3686(ctr(aes)))",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "blake2b-160",
.test = alg_test_hash,
@@ -4357,7 +4363,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "cbc(aes)",
.test = alg_test_skcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.cipher = __VECS(aes_cbc_tv_template)
},
@@ -4415,7 +4421,7 @@ static const struct alg_test_desc alg_test_descs[] = {
*/
.alg = "cbc(paes)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
/* Same as cbc(sm4) except the key is stored in
* hardware secure memory which we reference by index
@@ -4443,7 +4449,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
.alg = "cbc-paes-s390",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_skcipher,
.suite = {
.cipher = __VECS(aes_cbc_tv_template)
@@ -4465,7 +4471,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "ccm(aes)",
.generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))",
.test = alg_test_aead,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.aead = {
____VECS(aes_ccm_tv_template),
@@ -4490,7 +4496,7 @@ static const struct alg_test_desc alg_test_descs[] = {
},
}, {
.alg = "cmac(aes)",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_hash,
.suite = {
.hash = __VECS(aes_cmac128_tv_template)
@@ -4517,7 +4523,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "crc32",
.generic_driver = "crc32-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(crc32_tv_template)
}
@@ -4525,14 +4531,14 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "crc32c",
.generic_driver = "crc32c-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(crc32c_tv_template)
}
}, {
.alg = "ctr(aes)",
.test = alg_test_skcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.cipher = __VECS(aes_ctr_tv_template)
}
@@ -4584,7 +4590,7 @@ static const struct alg_test_desc alg_test_descs[] = {
*/
.alg = "ctr(paes)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
/* Same as ctr(sm4) except the key is stored in
@@ -4613,7 +4619,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
.alg = "ctr-paes-s390",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_skcipher,
.suite = {
.cipher = __VECS(aes_ctr_tv_template)
@@ -4622,7 +4628,7 @@ static const struct alg_test_desc alg_test_descs[] = {
#endif
.alg = "cts(cbc(aes))",
.test = alg_test_skcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.cipher = __VECS(cts_mode_tv_template)
}
@@ -4632,7 +4638,7 @@ static const struct alg_test_desc alg_test_descs[] = {
*/
.alg = "cts(cbc(paes))",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "cts(cbc(sm4))",
.test = alg_test_skcipher,
@@ -4648,7 +4654,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "deflate",
.test = alg_test_comp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.comp = {
.comp = __VECS(deflate_comp_tv_template),
@@ -4658,7 +4664,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "deflate-iaa",
.test = alg_test_comp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.comp = {
.comp = __VECS(deflate_comp_tv_template),
@@ -4677,28 +4683,28 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "drbg_nopr_ctr_aes128",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_nopr_ctr_aes128_tv_template)
}
}, {
.alg = "drbg_nopr_ctr_aes192",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_nopr_ctr_aes192_tv_template)
}
}, {
.alg = "drbg_nopr_ctr_aes256",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
}
}, {
.alg = "drbg_nopr_hmac_sha256",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
}
@@ -4709,18 +4715,18 @@ static const struct alg_test_desc alg_test_descs[] = {
*/
.alg = "drbg_nopr_hmac_sha384",
.test = alg_test_null,
- .fips_allowed = 1
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "drbg_nopr_hmac_sha512",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
}
}, {
.alg = "drbg_nopr_sha256",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_nopr_sha256_tv_template)
}
@@ -4728,31 +4734,31 @@ static const struct alg_test_desc alg_test_descs[] = {
/* covered by drbg_nopr_sha256 test */
.alg = "drbg_nopr_sha384",
.test = alg_test_null,
- .fips_allowed = 1
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "drbg_nopr_sha512",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_null,
}, {
.alg = "drbg_pr_ctr_aes128",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_pr_ctr_aes128_tv_template)
}
}, {
/* covered by drbg_pr_ctr_aes128 test */
.alg = "drbg_pr_ctr_aes192",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_null,
}, {
.alg = "drbg_pr_ctr_aes256",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_null,
}, {
.alg = "drbg_pr_hmac_sha256",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_pr_hmac_sha256_tv_template)
}
@@ -4760,15 +4766,15 @@ static const struct alg_test_desc alg_test_descs[] = {
/* covered by drbg_pr_hmac_sha256 test */
.alg = "drbg_pr_hmac_sha384",
.test = alg_test_null,
- .fips_allowed = 1
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "drbg_pr_hmac_sha512",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "drbg_pr_sha256",
.test = alg_test_drbg,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.drbg = __VECS(drbg_pr_sha256_tv_template)
}
@@ -4776,15 +4782,15 @@ static const struct alg_test_desc alg_test_descs[] = {
/* covered by drbg_pr_sha256 test */
.alg = "drbg_pr_sha384",
.test = alg_test_null,
- .fips_allowed = 1
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "drbg_pr_sha512",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_null,
}, {
.alg = "ecb(aes)",
.test = alg_test_skcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.cipher = __VECS(aes_tv_template)
}
@@ -4834,7 +4840,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "ecb(cipher_null)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "ecb(des)",
.test = alg_test_skcipher,
@@ -4868,7 +4874,7 @@ static const struct alg_test_desc alg_test_descs[] = {
*/
.alg = "ecb(paes)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "ecb(seed)",
.test = alg_test_skcipher,
@@ -4914,7 +4920,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
.alg = "ecb-paes-s390",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_skcipher,
.suite = {
.cipher = __VECS(aes_tv_template)
@@ -4929,14 +4935,14 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "ecdh-nist-p256",
.test = alg_test_kpp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.kpp = __VECS(ecdh_p256_tv_template)
}
}, {
.alg = "ecdh-nist-p384",
.test = alg_test_kpp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.kpp = __VECS(ecdh_p384_tv_template)
}
@@ -4949,21 +4955,21 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "ecdsa-nist-p256",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(ecdsa_nist_p256_tv_template)
}
}, {
.alg = "ecdsa-nist-p384",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(ecdsa_nist_p384_tv_template)
}
}, {
.alg = "ecdsa-nist-p521",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(ecdsa_nist_p521_tv_template)
}
@@ -4977,7 +4983,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)",
.generic_driver = "essiv(authenc(hmac-sha256-lib,cbc(aes-generic)),sha256-lib)",
.test = alg_test_aead,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.aead = __VECS(essiv_hmac_sha256_aes_cbc_tv_temp)
}
@@ -4985,7 +4991,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "essiv(cbc(aes),sha256)",
.generic_driver = "essiv(cbc(aes-generic),sha256-lib)",
.test = alg_test_skcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.cipher = __VECS(essiv_aes_cbc_tv_template)
}
@@ -4993,35 +4999,35 @@ static const struct alg_test_desc alg_test_descs[] = {
#if IS_ENABLED(CONFIG_CRYPTO_DH_RFC7919_GROUPS)
.alg = "ffdhe2048(dh)",
.test = alg_test_kpp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.kpp = __VECS(ffdhe2048_dh_tv_template)
}
}, {
.alg = "ffdhe3072(dh)",
.test = alg_test_kpp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.kpp = __VECS(ffdhe3072_dh_tv_template)
}
}, {
.alg = "ffdhe4096(dh)",
.test = alg_test_kpp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.kpp = __VECS(ffdhe4096_dh_tv_template)
}
}, {
.alg = "ffdhe6144(dh)",
.test = alg_test_kpp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.kpp = __VECS(ffdhe6144_dh_tv_template)
}
}, {
.alg = "ffdhe8192(dh)",
.test = alg_test_kpp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.kpp = __VECS(ffdhe8192_dh_tv_template)
}
@@ -5030,7 +5036,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "gcm(aes)",
.generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)",
.test = alg_test_aead,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.aead = __VECS(aes_gcm_tv_template)
}
@@ -5085,7 +5091,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "hmac(sha224)",
.generic_driver = "hmac-sha224-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha224_tv_template)
}
@@ -5093,35 +5099,35 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "hmac(sha256)",
.generic_driver = "hmac-sha256-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha256_tv_template)
}
}, {
.alg = "hmac(sha3-224)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha3_224_tv_template)
}
}, {
.alg = "hmac(sha3-256)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha3_256_tv_template)
}
}, {
.alg = "hmac(sha3-384)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha3_384_tv_template)
}
}, {
.alg = "hmac(sha3-512)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha3_512_tv_template)
}
@@ -5129,7 +5135,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "hmac(sha384)",
.generic_driver = "hmac-sha384-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha384_tv_template)
}
@@ -5137,7 +5143,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "hmac(sha512)",
.generic_driver = "hmac-sha512-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha512_tv_template)
}
@@ -5161,7 +5167,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}
}, {
.alg = "jitterentropy_rng",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_null,
}, {
.alg = "krb5enc(cmac(camellia),cts(cbc(camellia)))",
@@ -5205,7 +5211,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lz4",
.test = alg_test_comp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.comp = {
.comp = __VECS(lz4_comp_tv_template),
@@ -5215,7 +5221,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lz4hc",
.test = alg_test_comp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.comp = {
.comp = __VECS(lz4hc_comp_tv_template),
@@ -5225,7 +5231,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lzo",
.test = alg_test_comp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.comp = {
.comp = __VECS(lzo_comp_tv_template),
@@ -5235,7 +5241,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "lzo-rle",
.test = alg_test_comp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.comp = {
.comp = __VECS(lzorle_comp_tv_template),
@@ -5272,18 +5278,18 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "p1363(ecdsa-nist-p256)",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(p1363_ecdsa_nist_p256_tv_template)
}
}, {
.alg = "p1363(ecdsa-nist-p384)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "p1363(ecdsa-nist-p521)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "pcbc(fcrypt)",
.test = alg_test_skcipher,
@@ -5294,28 +5300,28 @@ static const struct alg_test_desc alg_test_descs[] = {
#if IS_ENABLED(CONFIG_CRYPTO_PHMAC_S390)
.alg = "phmac(sha224)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha224_tv_template)
}
}, {
.alg = "phmac(sha256)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha256_tv_template)
}
}, {
.alg = "phmac(sha384)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha384_tv_template)
}
}, {
.alg = "phmac(sha512)",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(hmac_sha512_tv_template)
}
@@ -5329,38 +5335,38 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "pkcs1(rsa,sha224)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "pkcs1(rsa,sha256)",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(pkcs1_rsa_tv_template)
}
}, {
.alg = "pkcs1(rsa,sha3-256)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "pkcs1(rsa,sha3-384)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "pkcs1(rsa,sha3-512)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "pkcs1(rsa,sha384)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "pkcs1(rsa,sha512)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "pkcs1pad(rsa)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "polyval",
.test = alg_test_hash,
@@ -5370,7 +5376,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "rfc3686(ctr(aes))",
.test = alg_test_skcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.cipher = __VECS(aes_ctr_rfc3686_tv_template)
}
@@ -5384,7 +5390,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "rfc4106(gcm(aes))",
.generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))",
.test = alg_test_aead,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.aead = {
____VECS(aes_gcm_rfc4106_tv_template),
@@ -5396,7 +5402,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "rfc4309(ccm(aes))",
.generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))",
.test = alg_test_aead,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.aead = {
____VECS(aes_ccm_rfc4309_tv_template),
@@ -5440,7 +5446,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "rsa",
.test = alg_test_akcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.akcipher = __VECS(rsa_tv_template)
}
@@ -5455,7 +5461,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "sha224",
.generic_driver = "sha224-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha224_tv_template)
}
@@ -5463,35 +5469,35 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "sha256",
.generic_driver = "sha256-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha256_tv_template)
}
}, {
.alg = "sha3-224",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha3_224_tv_template)
}
}, {
.alg = "sha3-256",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha3_256_tv_template)
}
}, {
.alg = "sha3-384",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha3_384_tv_template)
}
}, {
.alg = "sha3-512",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha3_512_tv_template)
}
@@ -5499,7 +5505,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "sha384",
.generic_driver = "sha384-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha384_tv_template)
}
@@ -5507,7 +5513,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "sha512",
.generic_driver = "sha512-lib",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(sha512_tv_template)
}
@@ -5556,21 +5562,21 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "x962(ecdsa-nist-p256)",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(x962_ecdsa_nist_p256_tv_template)
}
}, {
.alg = "x962(ecdsa-nist-p384)",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(x962_ecdsa_nist_p384_tv_template)
}
}, {
.alg = "x962(ecdsa-nist-p521)",
.test = alg_test_sig,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.sig = __VECS(x962_ecdsa_nist_p521_tv_template)
}
@@ -5608,7 +5614,7 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "xts(aes)",
.generic_driver = "xts(ecb(aes-generic))",
.test = alg_test_skcipher,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.cipher = __VECS(aes_xts_tv_template)
}
@@ -5632,7 +5638,7 @@ static const struct alg_test_desc alg_test_descs[] = {
*/
.alg = "xts(paes)",
.test = alg_test_null,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
}, {
.alg = "xts(serpent)",
.generic_driver = "xts(ecb(serpent-generic))",
@@ -5657,7 +5663,7 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
.alg = "xts-paes-s390",
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.test = alg_test_skcipher,
.suite = {
.cipher = __VECS(aes_xts_tv_template)
@@ -5666,14 +5672,14 @@ static const struct alg_test_desc alg_test_descs[] = {
#endif
.alg = "xxhash64",
.test = alg_test_hash,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.hash = __VECS(xxhash64_tv_template)
}
}, {
.alg = "zstd",
.test = alg_test_comp,
- .fips_allowed = 1,
+ .fips_allowed = FIPS_ALLOWED,
.suite = {
.comp = {
.comp = __VECS(zstd_comp_tv_template),
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 009/104] certs/system_keyring: export restrict_link_by_builtin_*trusted
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum,
David Howells, David Woodhouse, keyrings
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
This allows us to call these functions from modules, specifically
the standalone FIPS module (which we're adding support for in this patch
series).
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: keyrings@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
certs/system_keyring.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..b9a882b627b4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -50,6 +50,7 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
return restrict_link_by_signature(dest_keyring, type, payload,
builtin_trusted_keys);
}
+EXPORT_SYMBOL_GPL(restrict_link_by_builtin_trusted);
/**
* restrict_link_by_digsig_builtin - Restrict digitalSignature key additions by the built-in keyring
@@ -102,6 +103,7 @@ int restrict_link_by_builtin_and_secondary_trusted(
return restrict_link_by_signature(dest_keyring, type, payload,
secondary_trusted_keys);
}
+EXPORT_SYMBOL_GPL(restrict_link_by_builtin_and_secondary_trusted);
/**
* restrict_link_by_digsig_builtin_and_secondary - Restrict by digitalSignature.
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 007/104] testmgr: standardize alg/driver output in logs
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
The crypto code prints log messages with algorithm name and driver name
in multiple places, usually as "$alg ($driver)", but sometimes as
"$driver ($alg)", which is confusing.
To remove all ambiguity, standardize on "$alg (driver $driver)".
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/testmgr.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index ee33ba21ae2b..47764fc879bb 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5753,7 +5753,7 @@ static int alg_find_test(const char *alg)
static int alg_fips_disabled(const char *driver, const char *alg)
{
- pr_info("alg: %s (%s) is disabled due to FIPS\n", alg, driver);
+ pr_info("alg: %s (driver %s) is disabled due to FIPS\n", alg, driver);
return -ECANCELED;
}
@@ -5814,18 +5814,18 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
if (rc) {
if (fips_enabled) {
fips_fail_notify();
- panic("alg: self-tests for %s (%s) failed in fips mode!\n",
- driver, alg);
+ panic("alg: self-tests for %s (driver %s) failed in fips mode!\n",
+ alg, driver);
}
- pr_warn("alg: self-tests for %s using %s failed (rc=%d)",
+ pr_warn("alg: self-tests for %s (driver %s) failed (rc=%d)",
alg, driver, rc);
WARN(rc != -ENOENT,
- "alg: self-tests for %s using %s failed (rc=%d)",
+ "alg: self-tests for %s (driver %s) failed (rc=%d)",
alg, driver, rc);
} else {
if (fips_enabled)
- pr_info("alg: self-tests for %s (%s) passed\n",
- driver, alg);
+ pr_info("alg: self-tests for %s (driver %s) passed\n",
+ alg, driver);
}
return rc;
@@ -5850,7 +5850,7 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
}
notest2:
- printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);
+ printk(KERN_INFO "alg: No test for %s (driver %s)\n", alg, driver);
if (type & CRYPTO_ALG_FIPS_INTERNAL)
return alg_fips_disabled(driver, alg);
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 004/104] crypto: api - Disallow identical template names
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum,
Ovidiu Panait
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
Disallow registration of two templates with identical names. This
normally does not occur naturally but results in very confusing
behaviour when it does.
This is similar in spirit to commit 27016f75f5ed47e2d8e
("crypto: api - Disallow identical driver names").
Cc: Ovidiu Panait <ovidiu.panait@windriver.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/algapi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/algapi.c b/crypto/algapi.c
index e604d0d8b7b4..e11b8fdb0865 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -546,6 +546,12 @@ int crypto_register_template(struct crypto_template *tmpl)
crypto_check_module_sig(tmpl->module);
list_for_each_entry(q, &crypto_template_list, list) {
+ /*
+ * If we find a template already registered with the same
+ * name, refuse to register a new one.
+ */
+ if (!strcmp(q->name, tmpl->name))
+ goto out;
if (q == tmpl)
goto out;
}
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 006/104] KEYS: trusted: eat -ENOENT from the crypto API
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum,
Vijaykumar Hegde, Sriharsha Yadagudde, Sumit Garg,
Jarkko Sakkinen, Linus Torvalds
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
If we have a config with:
CONFIG_TRUSTED_KEYS=m
CONFIG_TRUSTED_KEYS_TPM=y
CONFIG_DM_CRYPT=m
then dm-crypt.ko will depend on trusted.ko (due to using the exported
symbol 'key_type_trusted'), meaning trusted.ko will need to successfully
load before dm-crypt.ko can load.
However, since commit 9d50a25eeb05c ("crypto: testmgr - desupport SHA-1
for FIPS 140") when booting with fips=1, the SHA-1 algorithm (or anything
that uses it, like HMAC-SHA-1) will be unavailable.
security/keys/trusted-keys/trusted_tpm1.c is hard-coded to use SHA-1 and
will fail with -ENOENT when attempting to initialize the hash instance
using the crypto API _if_ the hardware is available. This in turn causes
the entire trusted.ko to fail to load.
(If TPM1 hardware is not available, trusted_tpm1.c will fail to load with
-ENODEV, which is handled in init_trusted() to allow the module to load
anyway.)
Long story short, having TPM1 hardware and booting with fips=1 will cause
dm-crypt to fail loading, even though SHA-1 may not actually be used or
needed at any point.
There's already some history of fiddling with the module init/exit code
and the return values here, but I think we can simplify the code somewhat:
- return immediately on success; there is no point in breaking out of the
loop and rechecking the return value
- return immediately on non-ENODEV/ENOENT errors; again, no point in
rechecking the return value
We could even consider retrying other trusted key sources regardless of
the exact error value, but that would change the semantics too much for
my comfort here.
Reported-by: Vijaykumar Hegde <vijaykumar.hegde@oracle.com>
Reported-by: Sriharsha Yadagudde <sriharsha.devdas@oracle.com>
Fixes: 9d50a25eeb05c ("crypto: testmgr - desupport SHA-1 for FIPS 140")
Cc: Sumit Garg <sumit.garg@linaro.org>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
security/keys/trusted-keys/trusted_core.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index e2d9644efde1..152832735bac 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -370,20 +370,22 @@ static int __init init_trusted(void)
trusted_key_exit = trusted_key_sources[i].ops->exit;
migratable = trusted_key_sources[i].ops->migratable;
+ return 0;
}
- if (!ret || ret != -ENODEV)
- break;
+ /*
+ * The crypto API returns -ENOENT if it doesn't support a
+ * given hashing algorithm (e.g. SHA1 in FIPS mode).
+ */
+ if (ret != -ENODEV && ret != -ENOENT)
+ return ret;
}
/*
- * encrypted_keys.ko depends on successful load of this module even if
- * trusted key implementation is not found.
+ * encrypted_keys.ko and dm-crypt depend on successful load of
+ * this module even if trusted key implementation is not found.
*/
- if (ret == -ENODEV)
- return 0;
-
- return ret;
+ return 0;
}
static void __exit cleanup_trusted(void)
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 005/104] crypto: hide crypto_default_rng variable
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum,
Sriharsha Yadagudde
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
De-globalize crypto_default_rng and make it accessible only through the
crypto_get_default_rng()/crypto_put_default_rng() API instead. The users
need to call these functions anyway so there is really no point in
having it as a global.
I opted to take double pointers as arguments (and return an error code)
so we can do basic API misuse checking.
Reported-by: Sriharsha Yadagudde <sriharsha.devdas@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/dh.c | 8 ++++----
crypto/ecc.c | 8 ++++----
crypto/geniv.c | 8 ++++----
crypto/rng.c | 9 +++++----
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 ++++----
drivers/crypto/intel/keembay/keembay-ocs-ecc.c | 14 ++++++++------
include/crypto/rng.h | 6 ++----
net/tipc/crypto.c | 8 ++++----
8 files changed, 35 insertions(+), 34 deletions(-)
diff --git a/crypto/dh.c b/crypto/dh.c
index 8250eeeebd0f..1d80213574b3 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -352,6 +352,7 @@ static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime *safe_prime,
{
unsigned int n, oversampling_size;
__be64 *key;
+ struct crypto_rng *rng;
int err;
u64 h, o;
@@ -389,12 +390,11 @@ static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime *safe_prime,
* random bits and interpret them as a big endian integer.
*/
err = -EFAULT;
- if (crypto_get_default_rng())
+ if (crypto_get_default_rng(&rng))
goto out_err;
- err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)key,
- oversampling_size);
- crypto_put_default_rng();
+ err = crypto_rng_get_bytes(rng, (u8 *)key, oversampling_size);
+ crypto_put_default_rng(&rng);
if (err)
goto out_err;
diff --git a/crypto/ecc.c b/crypto/ecc.c
index 6cf9a945fc6c..c9f82626177b 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1525,6 +1525,7 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
const struct ecc_curve *curve = ecc_get_curve(curve_id);
unsigned int nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
unsigned int nbits = vli_num_bits(curve->n, ndigits);
+ struct crypto_rng *rng;
int err;
/*
@@ -1545,13 +1546,12 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
* This condition is met by the default RNG because it selects a favored
* DRBG with a security strength of 256.
*/
- if (crypto_get_default_rng())
+ if (crypto_get_default_rng(&rng))
return -EFAULT;
/* Step 3: obtain N returned_bits from the DRBG. */
- err = crypto_rng_get_bytes(crypto_default_rng,
- (u8 *)private_key, nbytes);
- crypto_put_default_rng();
+ err = crypto_rng_get_bytes(rng, (u8 *)private_key, nbytes);
+ crypto_put_default_rng(&rng);
if (err)
return err;
diff --git a/crypto/geniv.c b/crypto/geniv.c
index 42eff6a7387c..0b18240ac813 100644
--- a/crypto/geniv.c
+++ b/crypto/geniv.c
@@ -109,18 +109,18 @@ int aead_init_geniv(struct crypto_aead *aead)
{
struct aead_geniv_ctx *ctx = crypto_aead_ctx(aead);
struct aead_instance *inst = aead_alg_instance(aead);
+ struct crypto_rng *rng;
struct crypto_aead *child;
int err;
spin_lock_init(&ctx->lock);
- err = crypto_get_default_rng();
+ err = crypto_get_default_rng(&rng);
if (err)
goto out;
- err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
- crypto_aead_ivsize(aead));
- crypto_put_default_rng();
+ err = crypto_rng_get_bytes(rng, ctx->salt, crypto_aead_ivsize(aead));
+ crypto_put_default_rng(&rng);
if (err)
goto out;
diff --git a/crypto/rng.c b/crypto/rng.c
index b8ae6ebc091d..2a246e1a0918 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -24,8 +24,7 @@
#include "internal.h"
static DEFINE_MUTEX(crypto_default_rng_lock);
-struct crypto_rng *crypto_default_rng;
-EXPORT_SYMBOL_GPL(crypto_default_rng);
+static struct crypto_rng *crypto_default_rng;
static int crypto_default_rng_refcnt;
int crypto_rng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned int slen)
@@ -107,7 +106,7 @@ struct crypto_rng *crypto_alloc_rng(const char *alg_name, u32 type, u32 mask)
}
EXPORT_SYMBOL_GPL(crypto_alloc_rng);
-int crypto_get_default_rng(void)
+int crypto_get_default_rng(struct crypto_rng **result)
{
struct crypto_rng *rng;
int err;
@@ -128,6 +127,7 @@ int crypto_get_default_rng(void)
crypto_default_rng = rng;
}
+ *result = crypto_default_rng;
crypto_default_rng_refcnt++;
err = 0;
@@ -138,9 +138,10 @@ int crypto_get_default_rng(void)
}
EXPORT_SYMBOL_GPL(crypto_get_default_rng);
-void crypto_put_default_rng(void)
+void crypto_put_default_rng(struct crypto_rng **rng)
{
mutex_lock(&crypto_default_rng_lock);
+ *rng = NULL;
crypto_default_rng_refcnt--;
mutex_unlock(&crypto_default_rng_lock);
}
diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
index 1550c3818383..48872721214c 100644
--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
@@ -1380,17 +1380,17 @@ static bool hpre_key_is_zero(char *key, unsigned short key_sz)
static int ecdh_gen_privkey(struct hpre_ctx *ctx, struct ecdh *params)
{
struct device *dev = ctx->dev;
+ struct crypto_rng *rng;
int ret;
- ret = crypto_get_default_rng();
+ ret = crypto_get_default_rng(&rng);
if (ret) {
dev_err(dev, "failed to get default rng, ret = %d!\n", ret);
return ret;
}
- ret = crypto_rng_get_bytes(crypto_default_rng, (u8 *)params->key,
- params->key_size);
- crypto_put_default_rng();
+ ret = crypto_rng_get_bytes(rng, (u8 *)params->key, params->key_size);
+ crypto_put_default_rng(&rng);
if (ret)
dev_err(dev, "failed to get rng, ret = %d!\n", ret);
diff --git a/drivers/crypto/intel/keembay/keembay-ocs-ecc.c b/drivers/crypto/intel/keembay/keembay-ocs-ecc.c
index 59308926399d..a79e6549740f 100644
--- a/drivers/crypto/intel/keembay/keembay-ocs-ecc.c
+++ b/drivers/crypto/intel/keembay/keembay-ocs-ecc.c
@@ -223,6 +223,7 @@ static int kmb_ecc_point_mult(struct ocs_ecc_dev *ecc_dev,
u64 *scalar,
const struct ecc_curve *curve)
{
+ struct crypto_rng *rng;
u8 sca[KMB_ECC_VLI_MAX_BYTES]; /* Use the maximum data size. */
u32 op_size = (curve->g.ndigits > ECC_CURVE_NIST_P256_DIGITS) ?
OCS_ECC_OP_SIZE_384 : OCS_ECC_OP_SIZE_256;
@@ -230,12 +231,12 @@ static int kmb_ecc_point_mult(struct ocs_ecc_dev *ecc_dev,
int rc = 0;
/* Generate random nbytes for Simple and Differential SCA protection. */
- rc = crypto_get_default_rng();
+ rc = crypto_get_default_rng(&rng);
if (rc)
return rc;
- rc = crypto_rng_get_bytes(crypto_default_rng, sca, nbytes);
- crypto_put_default_rng();
+ rc = crypto_rng_get_bytes(rng, sca, nbytes);
+ crypto_put_default_rng(&rng);
if (rc)
return rc;
@@ -490,6 +491,7 @@ static int kmb_ecc_is_key_valid(const struct ecc_curve *curve,
*/
static int kmb_ecc_gen_privkey(const struct ecc_curve *curve, u64 *privkey)
{
+ struct crypto_rng *rng;
size_t nbytes = digits_to_bytes(curve->g.ndigits);
u64 priv[KMB_ECC_VLI_MAX_DIGITS];
size_t nbits;
@@ -512,11 +514,11 @@ static int kmb_ecc_gen_privkey(const struct ecc_curve *curve, u64 *privkey)
* This condition is met by the default RNG because it selects a favored
* DRBG with a security strength of 256.
*/
- if (crypto_get_default_rng())
+ if (crypto_get_default_rng(&rng))
return -EFAULT;
- rc = crypto_rng_get_bytes(crypto_default_rng, (u8 *)priv, nbytes);
- crypto_put_default_rng();
+ rc = crypto_rng_get_bytes(rng, (u8 *)priv, nbytes);
+ crypto_put_default_rng(&rng);
if (rc)
goto cleanup;
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index f8224cc390f8..816f255adcd3 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -57,10 +57,8 @@ struct crypto_rng {
struct crypto_tfm base;
};
-extern struct crypto_rng *crypto_default_rng;
-
-int crypto_get_default_rng(void);
-void crypto_put_default_rng(void);
+int crypto_get_default_rng(struct crypto_rng **rng);
+void crypto_put_default_rng(struct crypto_rng **rng);
/**
* DOC: Random number generator API
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index ea5bb131ebd0..6b085fd383b0 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -368,13 +368,13 @@ int tipc_aead_key_validate(struct tipc_aead_key *ukey, struct genl_info *info)
static int tipc_aead_key_generate(struct tipc_aead_key *skey)
{
int rc = 0;
+ struct crypto_rng *rng;
/* Fill the key's content with a random value via RNG cipher */
- rc = crypto_get_default_rng();
+ rc = crypto_get_default_rng(&rng);
if (likely(!rc)) {
- rc = crypto_rng_get_bytes(crypto_default_rng, skey->key,
- skey->keylen);
- crypto_put_default_rng();
+ rc = crypto_rng_get_bytes(rng, skey->key, skey->keylen);
+ crypto_put_default_rng(&rng);
}
return rc;
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 002/104] Revert "Revert "crypto: shash - avoid comparing pointers to exported functions under CFI""
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum,
Peter Zijlstra, Eric Biggers
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
This reverts commit c060e16ddb51a92b1f7fa84c628d287ea5799864.
For a standalone FIPS module we have the same issue as CFI: modules
won't get the same address for shash_no_setkey as the core kernel will.
A cleaner solution overall would probably be to simply use NULL when
there is no setkey and check for it as we do in most other areas of the
kernel. We can explore that later (or in later versions of this series).
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/shash.c | 18 +++++++++++++++---
include/crypto/internal/hash.h | 8 +-------
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/crypto/shash.c b/crypto/shash.c
index 4721f5f134f4..d45d7ec83a8c 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -34,12 +34,24 @@ static inline bool crypto_shash_finup_max(struct crypto_shash *tfm)
CRYPTO_AHASH_ALG_FINUP_MAX;
}
-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
- unsigned int keylen)
+static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen)
{
return -ENOSYS;
}
-EXPORT_SYMBOL_GPL(shash_no_setkey);
+
+/*
+ * Check whether an shash algorithm has a setkey function.
+ *
+ * For CFI compatibility, this must not be an inline function. This is because
+ * when CFI is enabled, modules won't get the same address for shash_no_setkey
+ * (if it were exported, which inlining would require) as the core kernel will.
+ */
+bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
+{
+ return alg->setkey != shash_no_setkey;
+}
+EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey);
static void shash_set_needkey(struct crypto_shash *tfm, struct shash_alg *alg)
{
diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
index 6ec5f2f37ccb..e39456de57e4 100644
--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -92,13 +92,7 @@ int ahash_register_instance(struct crypto_template *tmpl,
struct ahash_instance *inst);
void ahash_free_singlespawn_instance(struct ahash_instance *inst);
-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
- unsigned int keylen);
-
-static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
-{
- return alg->setkey != shash_no_setkey;
-}
+bool crypto_shash_alg_has_setkey(struct shash_alg *alg);
bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg);
--
2.39.3
^ permalink raw reply related
* [PATCH RFC 003/104] crypto/jitterentropy: remove linux/fips.h include
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
crypto/jitterentropy.c is deliberately compiled with -O0 and is not
supposed to depend on any kernel headers (see commit dfc9fa91938b
"crypto: jitterentropy - avoid compiler warnings").
We'll be changing include/linux/fips.h later in this series to include
other headers which break the build of jitterentropy.c due to gcc not
being able to constant propagate under -O0.
Just forward declare fips_enabled, which is the only thing
jitterentropy.o needs from this header anyway.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
crypto/jitterentropy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
index 3f93cdc9a7af..d939f57667dd 100644
--- a/crypto/jitterentropy.c
+++ b/crypto/jitterentropy.c
@@ -146,10 +146,11 @@ struct rand_data {
#define JENT_ENTROPY_SAFETY_FACTOR 64
#include <linux/array_size.h>
-#include <linux/fips.h>
#include <linux/minmax.h>
#include "jitterentropy.h"
+extern int fips_enabled;
+
/***************************************************************************
* Adaptive Proportion Test
*
--
2.39.3
^ permalink raw reply related
* [RFC] crypto: support for a standalone FIPS 140 module
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
Hi all,
This patch set adds support for building and loading a standalone FIPS
140 module. This is mostly useful for distributions that want to certify
their kernel's crypto code with NIST. Please see
Documentation/crypto/fips140.rst for more details.
I apologize for the large patch series. I could have squashed
it down to fewer commits but it would really make it harder to see
what's going on.
A note on terminology, since this is a source of confusion: a "FIPS
module" in NIST jargon means the binary blob submitted for FIPS
certification (i.e. typically the entire kernel), and has nothing to do
with kernel modules per se. However, in this proposal, the "FIPS module"
does actually also correspond to a singular kernel module, fips140.ko.
FIPS certifications validate a specific binary, not the source code used
to build it. Currently, most if not all distros submit the entire kernel
for certification, and the binary certification is invalidated if any
part of the kernel changes -- even if those changes are unrelated to
cryptography. Fortunately the FIPS process allows for vendors to "attest"
that the changes don't affect cryptographic operations within the kernel,
but the fact remains that the binary certification is technically
obsolete as soon as any bug or security fix is applied to the kernel.
This proposal attempts to separate the crypto part of the FIPS module
from the rest of the kernel. This allows us to freeze the binary FIPS
module and reuse it in newer versions of the kernel without invalidating
the certificate on the FIPS module.
There are a few different challenges in such a separation:
- The kernel has no stable internal API and the mere idea of having
stable internal APIs (or ABIs) has already been strongly rebuked.
In practice, most kernel APIs tend to be relatively stable over
multiple years and especially within stable releases, and most
general-purpose distros do freeze at least parts of the kernel API
for the lifetime of their product in order to support third party
(out-of-tree) modules.
- FIPS mandates that certified crypto code must not be used before
it has been self-tested, i.e. the FIPS module needs to run a set of
self-tests before it can be used by the rest of the kernel. Combined
with the fact that the kernel uses crypto code during boot (e.g. for
TPMs) and during module loading, this presents a chicken-and-egg
problem where crypto code cannot be used before it's loaded, but it
cannot be loaded without being used.
- The crypto API provides a way to combine basic algorithms into
composite algorithms, e.g. hmac + sha256 => hmac(sha256). In this
case, ALL of the code involved must be part of the FIPS module.
- Built-in kernel code (e.g. vmlinux code) may call the crypto API,
which means it cannot simply be built as a regular kernel module,
since you would get linker errors if the crypto API functions are
defined in modules.
This patch set provides a solution to all of the above challenges:
- We do not require the upstream kernel to maintain an internal stable
API. The API can change freely and the burden is entirely on
individual distros to ensure they don't change APIs in their own
kernels between two versions that are supposed to use the same binary
FIPS module.
- We build the individual crypto algorithms AND the entire kernel
crypto API into a single binary kernel module, fips140.ko. Using C
macros and the "static calls" mechanism, every crypto API entry point
is turned into a static call so that the entire crypto API can be
swapped out at runtime with the implementation from the FIPS module.
This solves the problem of crypto templates and composite algorithms,
since all the code necessary to use a composite algorithm will exist
within the FIPS module.
This also solves the problem of built-in code calling functions
provided by a module, since the callers are linked with the non-FIPS
versions of the functions by default, thus avoiding linker errors.
- fips140.ko is embedded into vmlinux as a byte array and loaded during
early boot to ensure all cryptographic operations are performed by
code from the FIPS module -- this also obviates the need to perform
module signature verification on fips140.ko, as everything in vmlinux
is already trusted by definition.
Moving on to the actual implementation, it should be noted that the
kernel already has a notion of FIPS compliance -- it has infrastructure
in place to annotate which algorithms are approved or allowed by NIST, for
example, and to ensure all implementations are self-tested before use. We
make use of this existing infrastructure to a large degree.
Here is an overview of the changes we make:
- We add a new top-level directory, fips140/, which mirrors the
structure of the kernel itself: fips140/crypto/, fips/lib/crypto,
etc. All of the source files here are symlinks to the respective
files in the kernel tree (e.g. fips140/crypto/rng.c is a symlink to
crypto/rng.c).
This way we can build the code twice without having to maintain a
separate copy of the source. Again, it will be the responsibility of
individual distros to ensure compatibility between their binary FIPS
module and the rest of the kernel.
- We add a new header, include/crypto/api.h, which defines a number of
C macro wrappers to annotate the part of the kernel crypto API that
is be considered part of the FIPS module.
A lot of the code under crypto/ needs to be converted to use these
macros. For example, instead of:
// in .h
int crypto_foo(const char *name);
// in .c
int crypto_foo(const char *name)
{
...
}
EXPORT_SYMBOL_GPL(crypto_foo);
You need to write:
// in .h
DECLARE_CRYPTO_API(crypto_foo, int, (const char *name), (name));
// in .c
int CRYPTO_API(crypto_foo)(const char *name)
{
...
}
DEFINE_CRYPTO_API(crypto_foo);
This is unfortunate as it generates a lot of churn and makes the code
harder to read. We've tried to make it as lightweight as possible.
On kernels configured to use a standalone FIPS module, these
definitions will do the work of declaring and defining static call
keys for every function. Otherwise, they will just fall back to their
original forms (plain functions + exports).
There are a few more helpers, for example module_init(fn) needs to be
written as crypto_module_init(fn). We could have chosen to #undef and
redefine module_init() so that no source-level change would be
necessary, but we considered that being explicit about what is going
on is actually clearer (less confusing) in the end, even if it
results in more patches/changes.
- We add a new helper function to the kernel's module loader,
load_module_mem(), which can load a kernel module (i.e. fips140.ko)
from a byte array.
- A new file, crypto/fips140-loader.c, which is a fairly thin wrapper
around load_module_mem(), only built when the kernel is compiled with
standalone FIPS module support.
- We also change the module loader to automatically update the static
calls of the crypto API (the static call keys are stored in the
__crypto_api_keys section of the module).
- The module and its HMAC are stored in two new sections in vmlinux,
__fips140_module and __fips140_digest. (The HMAC/digest is needed for
the FIPS module's own integrity test -- another FIPS requirement.)
This also makes it easy to extract the binary FIPS module from a
vmlinux file for offline/external verification if necessary.
- We change the crypto API slightly to track which templates and
algorithms are provided by the FIPS module. This ensures e.g. that
no other kernel module can register their own implementation of AES
and trick the kernel into supplying it as a FIPS approved and
certified implementation. Each 'struct crypto_alg' carries a new
flag which signals whether it is provided by the FIPS module or not.
To build this, you need to ensure CONFIG_CRYPTO_FIPS140_EXTMOD is
enabled and then run:
# prepare for building out-of-tree module
make modules_prepare
# build fips140.ko as an out-of-tree module
make M=fips140 KBUILD_MODPOST_WARN=1
# generate fips140.hmac
cp fips140/fips140.ko crypto/
openssl dgst -sha256 -hmac "$(awk -F'"' '/^CONFIG_CRYPTO_FIPS140_HMAC_KEY=/{print $2}' .config)" -binary -out crypto/fips140.hmac crypto/fips140.ko
# build the rest of the kernel
make
This patch set borrows a small amount of code from Android's FIPS
module and was also partly inspired by prototype code shared by Amazon;
attributions are marked in the individual patches.
Let me also thank all my colleagues who contributed in some way to the
current version of this patch set:
- Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
- Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
- Sherry Yang <sherry.yang@oracle.com>
- Sriharsha Yadagudde <sriharsha.devdas@oracle.com>
- Ilya Okomin <ilya.okomin@oracle.com>
- John Haxby <john.haxby@oracle.com>
- Jose Marchesi <jose.marchesi@oracle.com>
- Hunter Barton <hunter.barton@oracle.com>
- Aleksandr Burmashev <alexander.burmashev@oracle.com>
- Todd Vierling <todd.vierling@oracle.com>
- Chuck Anderson <chuck.anderson@oracle.com>
- Stephan Mueller <smueller@chronox.de>
I have pushed a branch here which I will maintain going forwards:
https://git.kernel.org/pub/scm/linux/kernel/git/vegard/linux-fips140.git/log/?h=fips140
Some of these patches are general improvements that could be useful
even without merging the whole branch, e.g. some of the testmgr
changes. I've put these at the start of the branch so they can be
applied independently -- depending on feedback here, I may send them
out as independent patches as well.
Vegard
--
Vegard Nossum (104):
params: use arch_initcall to initialize params sysfs earlier
Revert "Revert "crypto: shash - avoid comparing pointers to exported
functions under CFI""
crypto/jitterentropy: remove linux/fips.h include
crypto: api - Disallow identical template names
crypto: hide crypto_default_rng variable
KEYS: trusted: eat -ENOENT from the crypto API
testmgr: standardize alg/driver output in logs
arch/x86/boot/string.h: override memmove()/strlen()
certs/system_keyring: export restrict_link_by_builtin_*trusted
crypto/testmgr: make fips_allowed a bit set
crypto/testmgr: mark non-crypto algorithms
crypto/algapi: don't init algapi in fips mode
crypto/algapi.c: disable crypto_check_module_sig() for FIPS module
crypto/testmgr: add helper to alg_test()
crypto: pass struct crypto_alg directly to alg_test()
crypto: alg - add CRYPTO_ALG_FIPS_PROVIDED flag
crypto: testmgr: check that we got the expected alg
crypto: make sure crypto_alg_tested() finds the correct algorithm
module: add load_module_mem() helper
module: add a mechanism for pluggable crypto APIs
crypto: fips140: include crypto/api.h in a few places
crypto: fips140: convert lib/crypto/aes.c to using crypto API wrappers
crypto: fips140: convert lib/crypto/aesgcm.c to using crypto API
wrappers
crypto: fips140: convert lib/crypto/gf128mul.c to using crypto API
wrappers
crypto: fips140: convert lib/crypto/memneq.c to using crypto API
wrappers
crypto: fips140: convert lib/crypto/sha256.c to using crypto API
wrappers
crypto: fips140: convert lib/crypto/sha512.c to using crypto API
wrappers
crypto: fips140: convert lib/crypto/utils.c to using crypto API
wrappers
crypto: fips140: convert crypto/aead.c to using crypto API wrappers
crypto: fips140: convert crypto/aes_generic.c to using crypto API
wrappers
crypto: fips140: convert crypto/ahash.c to using crypto API wrappers
crypto: fips140: convert crypto/akcipher.c to using crypto API
wrappers
crypto: fips140: convert crypto/algapi.c to using crypto API wrappers
crypto: fips140: convert crypto/algboss.c to using crypto API wrappers
crypto: fips140: convert crypto/api.c to using crypto API wrappers
crypto: fips140: convert crypto/authenc.c to using crypto API wrappers
crypto: fips140: convert crypto/authencesn.c to using crypto API
wrappers
crypto: fips140: convert crypto/cbc.c to using crypto API wrappers
crypto: fips140: convert crypto/ccm.c to using crypto API wrappers
crypto: fips140: convert crypto/cipher.c to using crypto API wrappers
crypto: fips140: convert crypto/cmac.c to using crypto API wrappers
crypto: fips140: convert crypto/cryptd.c to using crypto API wrappers
crypto: fips140: convert crypto/ctr.c to using crypto API wrappers
crypto: fips140: convert crypto/dh.c to using crypto API wrappers
crypto: fips140: convert crypto/dh_helper.c to using crypto API
wrappers
crypto: fips140: convert crypto/drbg.c to using crypto API wrappers
crypto: fips140: convert crypto/ecb.c to using crypto API wrappers
crypto: fips140: convert crypto/ecc.c to using crypto API wrappers
crypto: fips140: convert crypto/ecdh.c to using crypto API wrappers
crypto: fips140: convert crypto/ecdh_helper.c to using crypto API
wrappers
crypto: fips140: convert crypto/ecdsa.c to using crypto API wrappers
crypto: fips140: convert crypto/echainiv.c to using crypto API
wrappers
crypto: fips140: convert crypto/essiv.c to using crypto API wrappers
crypto: fips140: convert crypto/gcm.c to using crypto API wrappers
crypto: fips140: convert crypto/geniv.c to using crypto API wrappers
crypto: fips140: convert crypto/ghash-generic.c to using crypto API
wrappers
crypto: fips140: convert crypto/hmac.c to using crypto API wrappers
crypto: fips140: convert crypto/jitterentropy-kcapi.c to using crypto
API wrappers
crypto: fips140: convert crypto/kpp.c to using crypto API wrappers
crypto: fips140: convert crypto/lskcipher.c to using crypto API
wrappers
crypto: fips140: convert crypto/pcrypt.c to using crypto API wrappers
crypto: fips140: convert crypto/rng.c to using crypto API wrappers
crypto: fips140: convert crypto/rsa.c to using crypto API wrappers
crypto: fips140: convert crypto/rsa_helper.c to using crypto API
wrappers
crypto: fips140: convert crypto/seqiv.c to using crypto API wrappers
crypto: fips140: convert crypto/sha1.c to using crypto API wrappers
crypto: fips140: convert crypto/sha256.c to using crypto API wrappers
crypto: fips140: convert crypto/sha3_generic.c to using crypto API
wrappers
crypto: fips140: convert crypto/sha512.c to using crypto API wrappers
crypto: fips140: convert crypto/shash.c to using crypto API wrappers
crypto: fips140: convert crypto/sig.c to using crypto API wrappers
crypto: fips140: convert crypto/simd.c to using crypto API wrappers
crypto: fips140: convert crypto/skcipher.c to using crypto API
wrappers
crypto: fips140: convert crypto/tcrypt.c to using crypto API wrappers
crypto: fips140: convert crypto/testmgr.c to using crypto API wrappers
crypto: fips140: convert crypto/xts.c to using crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/asymmetric_type.c to
using crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/pkcs7_key_type.c to
using crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/pkcs7_parser.c to
using crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/pkcs7_trust.c to using
crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/pkcs7_verify.c to
using crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/pkcs8_parser.c to
using crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/public_key.c to using
crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/selftest.c to using
crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/signature.c to using
crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/x509_cert_parser.c to
using crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/x509_loader.c to using
crypto API wrappers
crypto: fips140: convert crypto/asymmetric_keys/x509_public_key.c to
using crypto API wrappers
crypto: fips140: manual fixups for include/keys/asymmetric-type.h
crypto: fips140: manual fixups for include/crypto/sha2.h
crypto: fips140: manual fixups for include/crypto/public_key.h
crypto: fips140: manual fixups for include/crypto/aes.h
crypto: fips140: manual fixups for crypto/internal.h
crypto: fips140: manual fixups for include/crypto/internal/ecc.h
crypto: fips140: manual fixups for include/crypto/internal/rsa.h
crypto: fips140: manual fixups for include/crypto/aes.h
crypto: fips140: manual fixups for lib/crypto/sha256.c
crypto: fips140: manual fixups for lib/crypto/sha512.c
crypto: fips140: add symlinks to kernel sources
crypto: fips140: add standalone FIPS 140 module
crypto: fips140: add FIPS 140 module loader
scripts/extract-fips140: new script
Documentation/crypto: add fips140.rst
MAINTAINERS: add myself as FIPS140 standalone module maintainer
Documentation/crypto/fips140.rst | 231 ++++++
Documentation/crypto/index.rst | 1 +
MAINTAINERS | 10 +
arch/arm64/kernel/vmlinux.lds.S | 1 +
arch/x86/boot/string.h | 4 +
certs/system_keyring.c | 2 +
crypto/Kconfig | 2 +
crypto/Makefile | 24 +
crypto/aead.c | 48 +-
crypto/aes_generic.c | 8 +-
crypto/ahash.c | 108 +--
crypto/akcipher.c | 28 +-
crypto/algapi.c | 193 +++--
crypto/algboss.c | 36 +-
crypto/api.c | 76 +-
crypto/asymmetric_keys/asymmetric_type.c | 30 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 5 +-
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
crypto/asymmetric_keys/pkcs7_trust.c | 4 +-
crypto/asymmetric_keys/pkcs7_verify.c | 8 +-
crypto/asymmetric_keys/pkcs8_parser.c | 4 +-
crypto/asymmetric_keys/public_key.c | 8 +-
crypto/asymmetric_keys/selftest.c | 2 +-
crypto/asymmetric_keys/signature.c | 12 +-
crypto/asymmetric_keys/x509_cert_parser.c | 12 +-
crypto/asymmetric_keys/x509_loader.c | 4 +-
crypto/asymmetric_keys/x509_parser.h | 15 +-
crypto/asymmetric_keys/x509_public_key.c | 4 +-
crypto/authenc.c | 8 +-
crypto/authencesn.c | 4 +-
crypto/cbc.c | 4 +-
crypto/ccm.c | 4 +-
crypto/cipher.c | 16 +-
crypto/cmac.c | 4 +-
crypto/cryptd.c | 58 +-
crypto/ctr.c | 4 +-
crypto/dh.c | 12 +-
crypto/dh_helper.c | 12 +-
crypto/drbg.c | 4 +-
crypto/ecb.c | 4 +-
crypto/ecc.c | 92 +--
crypto/ecdh.c | 4 +-
crypto/ecdh_helper.c | 12 +-
crypto/ecdsa.c | 4 +-
crypto/echainiv.c | 4 +-
crypto/essiv.c | 4 +-
crypto/fips140-api.c | 726 ++++++++++++++++++
crypto/fips140-loader.c | 96 +++
crypto/gcm.c | 4 +-
crypto/geniv.c | 20 +-
crypto/ghash-generic.c | 4 +-
crypto/hmac.c | 4 +-
crypto/internal.h | 103 ++-
crypto/jitterentropy-kcapi.c | 4 +-
crypto/jitterentropy.c | 3 +-
crypto/kpp.c | 24 +-
crypto/lskcipher.c | 44 +-
crypto/pcrypt.c | 4 +-
crypto/rng.c | 41 +-
crypto/rsa.c | 4 +-
crypto/rsa_helper.c | 8 +-
crypto/seqiv.c | 4 +-
crypto/sha1.c | 4 +-
crypto/sha256.c | 4 +-
crypto/sha3_generic.c | 8 +-
crypto/sha512.c | 4 +-
crypto/shash.c | 94 ++-
crypto/sig.c | 20 +-
crypto/simd.c | 24 +-
crypto/skcipher.c | 72 +-
crypto/tcrypt.c | 22 +-
crypto/testmgr.c | 419 ++++++----
crypto/xts.c | 4 +-
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 +-
.../crypto/intel/keembay/keembay-ocs-ecc.c | 14 +-
fips140/Kconfig | 174 +++++
fips140/Makefile | 183 +++++
fips140/crypto/aead.c | 1 +
fips140/crypto/aes_generic.c | 1 +
fips140/crypto/ahash.c | 1 +
fips140/crypto/akcipher.c | 1 +
fips140/crypto/algapi.c | 1 +
fips140/crypto/algboss.c | 1 +
fips140/crypto/api.c | 1 +
.../crypto/asymmetric_keys/asymmetric_keys.h | 1 +
.../crypto/asymmetric_keys/asymmetric_type.c | 1 +
.../crypto/asymmetric_keys/mscode_parser.c | 1 +
fips140/crypto/asymmetric_keys/pkcs7.asn1 | 1 +
.../crypto/asymmetric_keys/pkcs7_key_type.c | 1 +
fips140/crypto/asymmetric_keys/pkcs7_parser.c | 1 +
fips140/crypto/asymmetric_keys/pkcs7_parser.h | 1 +
fips140/crypto/asymmetric_keys/pkcs7_trust.c | 1 +
fips140/crypto/asymmetric_keys/pkcs7_verify.c | 1 +
fips140/crypto/asymmetric_keys/pkcs8.asn1 | 1 +
fips140/crypto/asymmetric_keys/pkcs8_parser.c | 1 +
fips140/crypto/asymmetric_keys/public_key.c | 1 +
fips140/crypto/asymmetric_keys/restrict.c | 1 +
fips140/crypto/asymmetric_keys/selftest.c | 1 +
fips140/crypto/asymmetric_keys/selftest.h | 1 +
.../crypto/asymmetric_keys/selftest_ecdsa.c | 1 +
fips140/crypto/asymmetric_keys/selftest_rsa.c | 1 +
fips140/crypto/asymmetric_keys/signature.c | 1 +
.../crypto/asymmetric_keys/verify_pefile.c | 1 +
.../crypto/asymmetric_keys/verify_pefile.h | 1 +
fips140/crypto/asymmetric_keys/x509.asn1 | 1 +
fips140/crypto/asymmetric_keys/x509_akid.asn1 | 1 +
.../crypto/asymmetric_keys/x509_cert_parser.c | 1 +
fips140/crypto/asymmetric_keys/x509_loader.c | 1 +
fips140/crypto/asymmetric_keys/x509_parser.h | 1 +
.../crypto/asymmetric_keys/x509_public_key.c | 1 +
fips140/crypto/authenc.c | 1 +
fips140/crypto/authencesn.c | 1 +
fips140/crypto/cbc.c | 1 +
fips140/crypto/ccm.c | 1 +
fips140/crypto/cipher.c | 1 +
fips140/crypto/cmac.c | 1 +
fips140/crypto/cryptd.c | 1 +
fips140/crypto/ctr.c | 1 +
fips140/crypto/dh.c | 1 +
fips140/crypto/dh_helper.c | 1 +
fips140/crypto/drbg.c | 1 +
fips140/crypto/ecb.c | 1 +
fips140/crypto/ecc.c | 1 +
fips140/crypto/ecc_curve_defs.h | 1 +
fips140/crypto/ecdh.c | 1 +
fips140/crypto/ecdh_helper.c | 1 +
fips140/crypto/ecdsa-p1363.c | 1 +
fips140/crypto/ecdsa-x962.c | 1 +
fips140/crypto/ecdsa.c | 1 +
fips140/crypto/ecdsasignature.asn1 | 1 +
fips140/crypto/echainiv.c | 1 +
fips140/crypto/essiv.c | 1 +
fips140/crypto/gcm.c | 1 +
fips140/crypto/geniv.c | 1 +
fips140/crypto/ghash-generic.c | 1 +
fips140/crypto/hash.h | 1 +
fips140/crypto/hmac.c | 1 +
fips140/crypto/internal.h | 1 +
fips140/crypto/jitterentropy-kcapi.c | 1 +
fips140/crypto/jitterentropy.c | 1 +
fips140/crypto/jitterentropy.h | 1 +
fips140/crypto/kpp.c | 1 +
fips140/crypto/lskcipher.c | 1 +
fips140/crypto/pcrypt.c | 1 +
fips140/crypto/proc.c | 1 +
fips140/crypto/rng.c | 1 +
fips140/crypto/rsa-pkcs1pad.c | 1 +
fips140/crypto/rsa.c | 1 +
fips140/crypto/rsa_helper.c | 1 +
fips140/crypto/rsaprivkey.asn1 | 1 +
fips140/crypto/rsapubkey.asn1 | 1 +
fips140/crypto/rsassa-pkcs1.c | 1 +
fips140/crypto/seqiv.c | 1 +
fips140/crypto/sha256.c | 1 +
fips140/crypto/sha3_generic.c | 1 +
fips140/crypto/sha512.c | 1 +
fips140/crypto/shash.c | 1 +
fips140/crypto/sig.c | 1 +
fips140/crypto/simd.c | 1 +
fips140/crypto/skcipher.c | 1 +
fips140/crypto/skcipher.h | 1 +
fips140/crypto/tcrypt.c | 1 +
fips140/crypto/tcrypt.h | 1 +
fips140/crypto/testmgr.c | 1 +
fips140/crypto/testmgr.h | 1 +
fips140/crypto/xts.c | 1 +
fips140/fips140-glue.c | 216 ++++++
fips140/fips140.lds | 9 +
fips140/lib/crypto/aes.c | 1 +
fips140/lib/crypto/aesgcm.c | 1 +
fips140/lib/crypto/gf128mul.c | 1 +
fips140/lib/crypto/memneq.c | 1 +
fips140/lib/crypto/sha256.c | 1 +
fips140/lib/crypto/sha512.c | 1 +
fips140/lib/crypto/utils.c | 1 +
include/asm-generic/vmlinux.lds.h | 38 +-
include/crypto/aead.h | 26 +-
include/crypto/aes.h | 39 +-
include/crypto/akcipher.h | 18 +-
include/crypto/algapi.h | 125 ++-
include/crypto/api.h | 154 ++++
include/crypto/authenc.h | 6 +-
include/crypto/cryptd.h | 56 +-
include/crypto/dh.h | 14 +-
include/crypto/ecc_curve.h | 9 +-
include/crypto/ecdh.h | 14 +-
include/crypto/gcm.h | 19 +-
include/crypto/gf128mul.h | 29 +-
include/crypto/hash.h | 97 ++-
include/crypto/internal/aead.h | 28 +-
include/crypto/internal/akcipher.h | 21 +-
include/crypto/internal/cipher.h | 20 +-
include/crypto/internal/ecc.h | 101 ++-
include/crypto/internal/geniv.h | 14 +-
include/crypto/internal/hash.h | 120 ++-
include/crypto/internal/kpp.h | 21 +-
include/crypto/internal/rng.h | 21 +-
include/crypto/internal/rsa.h | 22 +-
include/crypto/internal/sig.h | 20 +-
include/crypto/internal/simd.h | 32 +-
include/crypto/internal/skcipher.h | 89 ++-
include/crypto/kpp.h | 9 +-
include/crypto/pkcs7.h | 31 +-
include/crypto/public_key.h | 32 +-
include/crypto/rng.h | 20 +-
include/crypto/sha2.h | 181 +++--
include/crypto/sha3.h | 5 +-
include/crypto/sig.h | 5 +-
include/crypto/skcipher.h | 56 +-
include/crypto/utils.h | 9 +-
include/keys/asymmetric-parser.h | 8 +-
include/keys/asymmetric-type.h | 39 +-
include/linux/crypto.h | 31 +-
include/linux/fips.h | 17 +
include/linux/module.h | 2 +
include/uapi/linux/module.h | 5 +
kernel/module/main.c | 121 ++-
kernel/params.c | 2 +-
lib/crypto/aes.c | 12 +-
lib/crypto/aesgcm.c | 16 +-
lib/crypto/gf128mul.c | 28 +-
lib/crypto/memneq.c | 4 +-
lib/crypto/sha256.c | 78 +-
lib/crypto/sha512.c | 78 +-
lib/crypto/utils.c | 4 +-
net/tipc/crypto.c | 8 +-
scripts/extract-fips140 | 53 ++
security/keys/trusted-keys/trusted_core.c | 18 +-
228 files changed, 4243 insertions(+), 1396 deletions(-)
create mode 100644 Documentation/crypto/fips140.rst
create mode 100644 crypto/fips140-api.c
create mode 100644 crypto/fips140-loader.c
create mode 100644 fips140/Kconfig
create mode 100644 fips140/Makefile
create mode 120000 fips140/crypto/aead.c
create mode 120000 fips140/crypto/aes_generic.c
create mode 120000 fips140/crypto/ahash.c
create mode 120000 fips140/crypto/akcipher.c
create mode 120000 fips140/crypto/algapi.c
create mode 120000 fips140/crypto/algboss.c
create mode 120000 fips140/crypto/api.c
create mode 120000 fips140/crypto/asymmetric_keys/asymmetric_keys.h
create mode 120000 fips140/crypto/asymmetric_keys/asymmetric_type.c
create mode 120000 fips140/crypto/asymmetric_keys/mscode_parser.c
create mode 120000 fips140/crypto/asymmetric_keys/pkcs7.asn1
create mode 120000 fips140/crypto/asymmetric_keys/pkcs7_key_type.c
create mode 120000 fips140/crypto/asymmetric_keys/pkcs7_parser.c
create mode 120000 fips140/crypto/asymmetric_keys/pkcs7_parser.h
create mode 120000 fips140/crypto/asymmetric_keys/pkcs7_trust.c
create mode 120000 fips140/crypto/asymmetric_keys/pkcs7_verify.c
create mode 120000 fips140/crypto/asymmetric_keys/pkcs8.asn1
create mode 120000 fips140/crypto/asymmetric_keys/pkcs8_parser.c
create mode 120000 fips140/crypto/asymmetric_keys/public_key.c
create mode 120000 fips140/crypto/asymmetric_keys/restrict.c
create mode 120000 fips140/crypto/asymmetric_keys/selftest.c
create mode 120000 fips140/crypto/asymmetric_keys/selftest.h
create mode 120000 fips140/crypto/asymmetric_keys/selftest_ecdsa.c
create mode 120000 fips140/crypto/asymmetric_keys/selftest_rsa.c
create mode 120000 fips140/crypto/asymmetric_keys/signature.c
create mode 120000 fips140/crypto/asymmetric_keys/verify_pefile.c
create mode 120000 fips140/crypto/asymmetric_keys/verify_pefile.h
create mode 120000 fips140/crypto/asymmetric_keys/x509.asn1
create mode 120000 fips140/crypto/asymmetric_keys/x509_akid.asn1
create mode 120000 fips140/crypto/asymmetric_keys/x509_cert_parser.c
create mode 120000 fips140/crypto/asymmetric_keys/x509_loader.c
create mode 120000 fips140/crypto/asymmetric_keys/x509_parser.h
create mode 120000 fips140/crypto/asymmetric_keys/x509_public_key.c
create mode 120000 fips140/crypto/authenc.c
create mode 120000 fips140/crypto/authencesn.c
create mode 120000 fips140/crypto/cbc.c
create mode 120000 fips140/crypto/ccm.c
create mode 120000 fips140/crypto/cipher.c
create mode 120000 fips140/crypto/cmac.c
create mode 120000 fips140/crypto/cryptd.c
create mode 120000 fips140/crypto/ctr.c
create mode 120000 fips140/crypto/dh.c
create mode 120000 fips140/crypto/dh_helper.c
create mode 120000 fips140/crypto/drbg.c
create mode 120000 fips140/crypto/ecb.c
create mode 120000 fips140/crypto/ecc.c
create mode 120000 fips140/crypto/ecc_curve_defs.h
create mode 120000 fips140/crypto/ecdh.c
create mode 120000 fips140/crypto/ecdh_helper.c
create mode 120000 fips140/crypto/ecdsa-p1363.c
create mode 120000 fips140/crypto/ecdsa-x962.c
create mode 120000 fips140/crypto/ecdsa.c
create mode 120000 fips140/crypto/ecdsasignature.asn1
create mode 120000 fips140/crypto/echainiv.c
create mode 120000 fips140/crypto/essiv.c
create mode 120000 fips140/crypto/gcm.c
create mode 120000 fips140/crypto/geniv.c
create mode 120000 fips140/crypto/ghash-generic.c
create mode 120000 fips140/crypto/hash.h
create mode 120000 fips140/crypto/hmac.c
create mode 120000 fips140/crypto/internal.h
create mode 120000 fips140/crypto/jitterentropy-kcapi.c
create mode 120000 fips140/crypto/jitterentropy.c
create mode 120000 fips140/crypto/jitterentropy.h
create mode 120000 fips140/crypto/kpp.c
create mode 120000 fips140/crypto/lskcipher.c
create mode 120000 fips140/crypto/pcrypt.c
create mode 120000 fips140/crypto/proc.c
create mode 120000 fips140/crypto/rng.c
create mode 120000 fips140/crypto/rsa-pkcs1pad.c
create mode 120000 fips140/crypto/rsa.c
create mode 120000 fips140/crypto/rsa_helper.c
create mode 120000 fips140/crypto/rsaprivkey.asn1
create mode 120000 fips140/crypto/rsapubkey.asn1
create mode 120000 fips140/crypto/rsassa-pkcs1.c
create mode 120000 fips140/crypto/seqiv.c
create mode 120000 fips140/crypto/sha256.c
create mode 120000 fips140/crypto/sha3_generic.c
create mode 120000 fips140/crypto/sha512.c
create mode 120000 fips140/crypto/shash.c
create mode 120000 fips140/crypto/sig.c
create mode 120000 fips140/crypto/simd.c
create mode 120000 fips140/crypto/skcipher.c
create mode 120000 fips140/crypto/skcipher.h
create mode 120000 fips140/crypto/tcrypt.c
create mode 120000 fips140/crypto/tcrypt.h
create mode 120000 fips140/crypto/testmgr.c
create mode 120000 fips140/crypto/testmgr.h
create mode 120000 fips140/crypto/xts.c
create mode 100644 fips140/fips140-glue.c
create mode 100644 fips140/fips140.lds
create mode 120000 fips140/lib/crypto/aes.c
create mode 120000 fips140/lib/crypto/aesgcm.c
create mode 120000 fips140/lib/crypto/gf128mul.c
create mode 120000 fips140/lib/crypto/memneq.c
create mode 120000 fips140/lib/crypto/sha256.c
create mode 120000 fips140/lib/crypto/sha512.c
create mode 120000 fips140/lib/crypto/utils.c
create mode 100644 include/crypto/api.h
create mode 100755 scripts/extract-fips140
--
2.39.3
^ permalink raw reply
* [PATCH RFC 001/104] params: use arch_initcall to initialize params sysfs earlier
From: Vegard Nossum @ 2025-09-04 15:50 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, linux-crypto, Luis Chamberlain,
Petr Pavlu, Daniel Gomez
Cc: Ard Biesheuvel, Eric Biggers, Jason A . Donenfeld,
Greg Kroah-Hartman, Wang, Jay, Nicolai Stange, Vladis Dronov,
Stephan Mueller, Sami Tolvanen, linux-modules, Vegard Nossum
In-Reply-To: <20250904155216.460962-1-vegard.nossum@oracle.com>
We need to load and initialize the FIPS module quite early in the boot
process, but in order to load modules we need to have params sysfs set
up. Bump it up a bit in the boot process.
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Petr Pavlu <petr.pavlu@suse.com>
Cc: Daniel Gomez <da.gomez@kernel.org>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: linux-modules@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
kernel/params.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/params.c b/kernel/params.c
index b92d64161b75..03a55ff70bd8 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -971,7 +971,7 @@ static int __init param_sysfs_init(void)
return 0;
}
-subsys_initcall(param_sysfs_init);
+arch_initcall(param_sysfs_init);
/*
* param_sysfs_builtin_init - add sysfs version and parameter
--
2.39.3
^ permalink raw reply related
* Re: Question: a module for wiping userspace RAM before shutdown/reboot/halt
From: Christophe Leroy @ 2025-09-04 7:14 UTC (permalink / raw)
To: Kamil Aronowski, Danill Klimuk, linux-modules, linux-mm@kvack.org
In-Reply-To: <eb88e58f-1515-4f51-8102-79cd3c20fea5@3mdeb.com>
+mm list
Hi Kamil,
Le 21/08/2025 à 14:13, Kamil Aronowski a écrit :
> Recently, we evaluated the effectiveness of the `init_on_free`
> mechanism, particularly in the context of preserving privacy by
> clearing RAM for individuals with high operational security
> requirements.
>
> As mentioned
> (https://lore.kernel.org/all/e71bd62c-5ba7-4363-9af1-
> d9c9de394a54@3mdeb.com/),
> we'd like to ensure that our clients do not have their confidential
> data leaked after their session has ended with a shutdown/reboot/halt.
>
> In short, `init_on_free` appears to wipe the LUKS secret key
> successfully, but some non-kernel space snippets remain in memory.
> Some tests have been performed by dumping memory after booting Debian
> 13 (with `init_on_free` enabled) and then rebooting to our custom EFI
> memory dumping application. For instance, the mentions of
> `apparmor_parser`, XKB, udev, or systemd units have been found in the
> memory dump:
>
> ```
> audit: type=1400 audit(1755156467.556:2): apparmor="STATUS"
> operation="profile_load" profile="unconfined" name="Discord" pid=967
> comm="apparmor_parser"r"
> [...]
>
> partial alphanumeric_keys
> xkb_symbols "tib_asciinum" {
> include "cn(tib)"
> name[Group1]= "Tibetan (with ASCII numerals)";
> key <AE01> { [ 1, 0x1000f21, 0x1000f04, 0x1000f76 ] }; # 1
> [...]
>
> I:10114000
> E:ID_MM_CANDIDATE=1
> S:disk/by-id/dm-uuid-CRYPT-LUKS2-00b4b79c209a4dcfadf37e310778f583-
> sda3_crypt
> [...]
>
> [Unit]
> Description=Switch Root
> AssertPathExists=/etc/initrd-release
> DefaultDependencies=no
> Wants=initrd-switch-root.service
> Before=initrd-switch-root.service
> AllowIsolate=yes
> Wants=initrd-udevadm-cleanup-db.service initrd-root-fs.target initrd-
> fs.target systemd-journald.service initrd-cleanup.service
> After=initrd-udevadm-cleanup-db.service initrd-root-fs.target initrd-
> fs.target emergency.service emergency.target initrd-cleanup.service
> [...]
> ```
>
> Is this the expected behavior, a bug, or a misconfiguration on our
> end?
>
> If it is indeed a bug, we'd be happy to cooperate on improving the
> `init_on_free` mechanism. If it is expected behavior than we will
> consider wiping userspace memory some other way, e.g. by implementing
> a separate Linux Kernel module as described in the previous email
> (https://lore.kernel.org/all/e71bd62c-5ba7-4363-9af1-
> d9c9de394a54@3mdeb.com/).
>
This topic seems to be a memory management topic, not a modules topic.
As I mentionned already in this thread, Linux memory management topics
should be addressed to linux-mm@kvack.org
Christophe
^ permalink raw reply
* Re: [RFC PATCH 00/10] scalable symbol flags with __kflagstab
From: Sid Nayyar @ 2025-09-03 23:28 UTC (permalink / raw)
To: Petr Pavlu
Cc: Nathan Chancellor, Luis Chamberlain, Sami Tolvanen,
Nicolas Schier, Arnd Bergmann, linux-kbuild, linux-arch,
linux-modules, linux-kernel, Giuliano Procida,
Matthias Männich
In-Reply-To: <4e215854-59df-489b-b92d-8d2fb2edf522@suse.com>
On Mon, Sep 1, 2025 at 1:27 PM Petr Pavlu <petr.pavlu@suse.com> wrote:
> Merging __ksymtab and __ksymtab_gpl into a single section looks ok to
> me, and similarly for __kcrctab and __kcrtab_gpl. The __ksymtab_gpl
> support originally comes from commit 3344ea3ad4 ("[PATCH] MODULE_LICENSE
> and EXPORT_SYMBOL_GPL support") [1], where it was named __gpl_ksymtab.
> The commit doesn't mention why the implementation opts for using
> a separate section, but I suspect it was designed this way to reduce
> memory/disk usage.
>
> A question is whether the symbol flags should be stored in a new
> __kflagstab section, instead of adding a flag member to the existing
> __ksymtab. As far as I'm aware, no userspace tool (particularly kmod)
> uses the __ksymtab data, so we are free to update its format.
>
> Note that I believe that __kcrctab/__kcrtab_gpl is a separate section
> because the CRC data is available only if CONFIG_MODVERSIONS=y.
>
> Including the flags as part of __ksymtab would be obviously a simpler
> schema. On the other hand, an entry in __ksymtab has in the worst case
> a size of 24 bytes with an 8-byte alignment requirement. This means that
> adding a flag to it would require additional 8 bytes per symbol.
Thanks for looking into the history of the _gpl split. We also noted
that there were up to five separate arrays at one point.
We explored three approaches to this problem: using the existing
__ksymtab, packing flags as bit-vectors, and the proposed
__kflagstab. We ruled out the bit-vector approach due to its
complexity, which would only save a few bits per symbol. The
__ksymtab approach, while the simplest, was too wasteful of space.
The __kflagstab seems like a good compromise, offering a slight
increase in complexity over the __ksymtab method but requiring only
one extra byte per symbol.
> >
> > The motivation for this change comes from the Android kernel, which uses
> > an additional symbol flag to restrict the use of certain exported
> > symbols by unsigned modules, thereby enhancing kernel security. This
> > __kflagstab can be implemented as a bitmap to efficiently manage which
> > symbols are available for general use versus those restricted to signed
> > modules only.
>
> I think it would be useful to explain in more detail how this protected
> schema is used in practice and what problem it solves. Who is allowed to
> provide these limited unsigned modules and if the concern is kernel
> security, can't you enforce the use of only signed modules?
The Android Common Kernel source is compiled into what we call
GKI (Generic Kernel Image), which consists of a kernel and a
number of modules. We maintain a stable interface (based on CRCs and
types) between the GKI components and vendor-specific modules
(compiled by device manufacturers, e.g., for hardware-specific
drivers) for the lifetime of a given GKI version.
This interface is intentionally restricted to the minimal set of
symbols required by the union of all vendor modules; our partners
declare their requirements in symbol lists. Any additions to these
lists are reviewed to ensure kernel internals are not overly exposed.
For example, we restrict drivers from having the ability to open and
read arbitrary files. This ABI boundary also allows us to evolve
internal kernel types that are not exposed to vendor modules, for
example, when a security fix requires a type to change.
The mechanism we use for this is CONFIG_TRIM_UNUSED_KSYMS and
CONFIG_UNUSED_KSYMS_WHITELIST. This results in a ksymtab
containing two kinds of exported symbols: those explicitly required
by vendors ("vendor-listed") and those only required by GKI modules
("GKI use only").
On top of this, we have implemented symbol import protection
(covered in patches 9/10 and 10/10). This feature prevents vendor
modules from using symbols that are not on the vendor-listed
whitelist. It is built on top of CONFIG_MODULE_SIG. GKI modules are
signed with a specific key, while vendor modules are unsigned and thus
treated as untrusted. This distinction allows signed GKI modules to
use any symbol in the ksymtab, while unsigned vendor modules can only
access the declared subset. This provides a significant layer of
defense and security against potentially exploitable vendor module
code.
Finally, we have implemented symbol export protection, which prevents
a vendor module from impersonating a GKI module by exporting any of
the same symbols. Note that this protection is currently specific to
the Android kernel and is not included in this patch series.
We have several years of experience with older implementations of
these protection mechanisms. The code in this series is a
considerably cleaner and simpler version compared to what has been
shipping in Android kernels since Android 14 (6.1 kernel).
I hope this clarifies the goals of the patch set. Let me know if you
have further questions.
--
Thanks,
Siddharth Nayyar
^ permalink raw reply
* Re: [PATCH v3 2/4] module: show why force load fails
From: Jinchao Wang @ 2025-09-02 2:06 UTC (permalink / raw)
To: Daniel Gomez, Luis Chamberlain, Petr Pavlu, Sami Tolvanen,
linux-modules, linux-kernel
In-Reply-To: <851c227e-5d1e-44bb-80ca-d9e230e8ccfe@kernel.org>
On 9/2/25 02:29, Daniel Gomez wrote:
> On 29/08/2025 10.49, Jinchao Wang wrote:
>> Include reason in error message when force loading is disabled.
>>
>> Signed-off-by: Jinchao Wang<wangjinchao600@gmail.com>
>> ---
>> kernel/module/main.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/kernel/module/main.c b/kernel/module/main.c
>> index c66b26184936..e7484c6ce6e3 100644
>> --- a/kernel/module/main.c
>> +++ b/kernel/module/main.c
>> @@ -1083,6 +1083,7 @@ int try_to_force_load(struct module *mod, const char *reason)
>> add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE);
>> return 0;
>> #else
>> + pr_err("%s: %s, force load is not supported\n", mod->name, reason);
>> return -ENOEXEC;
>> #endif
>> }
> I don't think is good to inform via kernel log buffer what the kernel supports
> or what not. And definitely, not as an error.
>
Thank you for the feedback.
When debugging syzkaller, I noticed that insmod only reports a generic
failure. To understand the exact reason, I needed to trace the kernel.
This patch was meant to make it more convenient to see the precise
cause directly.
In my view, if the caller cannot perform the requested operation, that
represents an error, and the kernel log buffer is the natural place to
report the reason. This makes debugging and testing easier without
requiring additional tracing.
--
Best regards,
Jinchao
^ permalink raw reply
* Re: [PATCH v3 1/4] module: signing: Use pr_err for signature rejection
From: Jinchao Wang @ 2025-09-02 1:57 UTC (permalink / raw)
To: Daniel Gomez, Luis Chamberlain, Petr Pavlu, Sami Tolvanen,
linux-modules, linux-kernel
In-Reply-To: <156fa755-6937-4df1-b995-99a2cc4bbb0a@kernel.org>
On 9/2/25 02:18, Daniel Gomez wrote:
> On 29/08/2025 10.49, Jinchao Wang wrote:
>> Make module signature rejection messages more visible by using pr_err
>> instead of pr_notice.
>
> Can you elaborate a bit more? Why is this needed?
>
> IMO, I don't think making it more visible is enough rational to increase the
> level.
Thank you for the feedback.
When using dmesg, pr_err is displayed in red, pr_warn in yellow, and
pr_notice/pr_info in the default color. This makes pr_err more visible
to users.
In the kernel tree, there are around 4161 pr_err calls across 20000
files, compared to 276 pr_notice calls across 827 files. From reviewing
them, pr_notice is typically used in default or informational branches,
while pr_err is mostly used in error paths.
Since this rejection path returns -EKEYREJECTED and prevents the
operation from proceeding, it aligns more closely with other uses of
pr_err than with pr_notice. For these reasons, I believe pr_err is the
appropriate choice here.
--
Best regards,
Jinchao
^ permalink raw reply
* Re: [PATCH v3 2/4] module: show why force load fails
From: Daniel Gomez @ 2025-09-01 18:29 UTC (permalink / raw)
To: Jinchao Wang, Luis Chamberlain, Petr Pavlu, Sami Tolvanen,
linux-modules, linux-kernel
In-Reply-To: <20250829084927.156676-3-wangjinchao600@gmail.com>
On 29/08/2025 10.49, Jinchao Wang wrote:
> Include reason in error message when force loading is disabled.
>
> Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
> ---
> kernel/module/main.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index c66b26184936..e7484c6ce6e3 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -1083,6 +1083,7 @@ int try_to_force_load(struct module *mod, const char *reason)
> add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE);
> return 0;
> #else
> + pr_err("%s: %s, force load is not supported\n", mod->name, reason);
> return -ENOEXEC;
> #endif
> }
I don't think is good to inform via kernel log buffer what the kernel supports
or what not. And definitely, not as an error.
^ permalink raw reply
* Re: [PATCH v3 1/4] module: signing: Use pr_err for signature rejection
From: Daniel Gomez @ 2025-09-01 18:18 UTC (permalink / raw)
To: Jinchao Wang, Luis Chamberlain, Petr Pavlu, Sami Tolvanen,
linux-modules, linux-kernel
In-Reply-To: <20250829084927.156676-2-wangjinchao600@gmail.com>
On 29/08/2025 10.49, Jinchao Wang wrote:
> Make module signature rejection messages more visible by using pr_err
> instead of pr_notice.
Can you elaborate a bit more? Why is this needed?
IMO, I don't think making it more visible is enough rational to increase the
level.
^ permalink raw reply
* Re: [RFC PATCH 00/10] scalable symbol flags with __kflagstab
From: Petr Pavlu @ 2025-09-01 12:27 UTC (permalink / raw)
To: Siddharth Nayyar
Cc: Nathan Chancellor, Luis Chamberlain, Sami Tolvanen,
Nicolas Schier, Arnd Bergmann, linux-kbuild, linux-arch,
linux-modules, linux-kernel
In-Reply-To: <20250829105418.3053274-1-sidnayyar@google.com>
On 8/29/25 12:54 PM, Siddharth Nayyar wrote:
> Hi everyone,
>
> This patch series proposes a new, scalable mechanism to represent
> boolean flags for exported kernel symbols.
>
> Problem Statement:
>
> The core architectural issue with kernel symbol flags is our reliance on
> splitting the main symbol table, ksymtab. To handle a single boolean
> property, such as GPL-only, all exported symbols are split across two
> separate tables: __ksymtab and __ksymtab_gpl.
>
> This design forces the module loader to perform a separate search on
> each of these tables for every symbol it needs, for vmlinux and for all
> previously loaded modules.
>
> This approach is fundamentally not scalable. If we were to introduce a
> second flag, we would need four distinct symbol tables. For n boolean
> flags, this model requires an exponential growth to 2^n tables,
> dramatically increasing complexity.
>
> Another consequence of this fragmentation is degraded performance. For
> example, a binary search on the symbol table of vmlinux, that would take
> only 14 comparison steps (assuming ~2^14 or 16K symbols) in a unified
> table, can require up to 26 steps when spread across two tables
> (assuming both tables have ~2^13 symbols). This performance penalty
> worsens as more flags are added.
>
> Proposed Solution:
>
> This series introduces a __kflagstab section to store symbol flags in a
> dedicated data structure, similar to how CRCs are handled in the
> __kcrctab.
>
> The flags for a given symbol in __kflagstab will be located at the same
> index as the symbol's entry in __ksymtab and its CRC in __kcrctab. This
> design decouples the flags from the symbol table itself, allowing us to
> maintain a single, sorted __ksymtab. As a result, the symbol search
> remains an efficient, single lookup, regardless of the number of flags
> we add in the future.
Merging __ksymtab and __ksymtab_gpl into a single section looks ok to
me, and similarly for __kcrctab and __kcrtab_gpl. The __ksymtab_gpl
support originally comes from commit 3344ea3ad4 ("[PATCH] MODULE_LICENSE
and EXPORT_SYMBOL_GPL support") [1], where it was named __gpl_ksymtab.
The commit doesn't mention why the implementation opts for using
a separate section, but I suspect it was designed this way to reduce
memory/disk usage.
A question is whether the symbol flags should be stored in a new
__kflagstab section, instead of adding a flag member to the existing
__ksymtab. As far as I'm aware, no userspace tool (particularly kmod)
uses the __ksymtab data, so we are free to update its format.
Note that I believe that __kcrctab/__kcrtab_gpl is a separate section
because the CRC data is available only if CONFIG_MODVERSIONS=y.
Including the flags as part of __ksymtab would be obviously a simpler
schema. On the other hand, an entry in __ksymtab has in the worst case
a size of 24 bytes with an 8-byte alignment requirement. This means that
adding a flag to it would require additional 8 bytes per symbol.
>
> The motivation for this change comes from the Android kernel, which uses
> an additional symbol flag to restrict the use of certain exported
> symbols by unsigned modules, thereby enhancing kernel security. This
> __kflagstab can be implemented as a bitmap to efficiently manage which
> symbols are available for general use versus those restricted to signed
> modules only.
I think it would be useful to explain in more detail how this protected
schema is used in practice and what problem it solves. Who is allowed to
provide these limited unsigned modules and if the concern is kernel
security, can't you enforce the use of only signed modules?
[1] https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=3344ea3ad4b7c302c846a680dbaeedf96ed45c02
--
Thanks,
Petr
^ permalink raw reply
* Re: [PATCH v3 4/4] module: separate vermagic and livepatch checks
From: Petr Pavlu @ 2025-09-01 9:34 UTC (permalink / raw)
To: Jinchao Wang
Cc: Luis Chamberlain, Daniel Gomez, Sami Tolvanen, linux-modules,
linux-kernel
In-Reply-To: <20250829084927.156676-5-wangjinchao600@gmail.com>
On 8/29/25 10:49 AM, Jinchao Wang wrote:
> Rename check_modinfo() to check_modinfo_vermagic() to clarify it only
> checks vermagic compatibility.
>
> Move livepatch check to happen after vermagic check in early_mod_check(),
> creating proper separation of concerns.
> No functional changes, just clearer code organization.
>
> Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
--
Thanks,
Petr
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox