From: Jarod Wilson <jarod@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Rusty Russell <rusty@rustcorp.com.au>,
Stephan Mueller <stephan.mueller@atsec.com>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH] crypto/fips: only panic on bad/missing crypto mod signatures
Date: Fri, 27 Jun 2014 15:19:42 -0400 [thread overview]
Message-ID: <20140627191942.GE20825@redhat.com> (raw)
In-Reply-To: <1403896374-62781-1-git-send-email-jarod@redhat.com>
On Fri, Jun 27, 2014 at 03:12:54PM -0400, Jarod Wilson wrote:
> Per further discussion with NIST, the requirements for FIPS state that
> we only need to panic the system on failed kernel module signature checks
> for crypto subsystem modules. This moves the fips-mode-only module
> signature check out of the generic module loading code, into the crypto
> subsystem, at points where we can catch both algorithm module loads and
> mode module loads. At the same time, make CONFIG_CRYPTO_FIPS dependent on
> CONFIG_MODULE_SIG, as this is entirely necessary for FIPS mode.
...
> --- a/crypto/algapi.c
> +++ b/crypto/algapi.c
...
> @@ -430,6 +436,12 @@ int crypto_register_template(struct crypto_template *tmpl)
>
> down_write(&crypto_alg_sem);
>
> +#ifdef CONFIG_CRYPTO_FIPS
> + if (fips_enabled && tmpl->module && !tmpl->module->sig_ok)
> + panic("Module %s signature verification failed in FIPS mode\n",
> + tmpl->module->name);
> +#endif
> +
Forgot to mention: the panic locations within the functions don't really
matter a whole lot right this moment, but Stephan pointed out the
possibility of a future FIPS standard that might not require a panic, thus
the crypto_register_template check being done after the down_write() so
that you could do a goto out; instead of a panic here and have things more
or less behave.
--
Jarod Wilson
jarod@redhat.com
next prev parent reply other threads:[~2014-06-27 19:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-27 19:12 [PATCH] crypto/fips: only panic on bad/missing crypto mod signatures Jarod Wilson
2014-06-27 19:19 ` Jarod Wilson [this message]
2014-07-02 12:38 ` Herbert Xu
2014-07-02 13:53 ` Jarod Wilson
2014-07-02 19:37 ` [PATCH v2] " Jarod Wilson
2014-07-03 11:18 ` Neil Horman
2014-07-03 14:10 ` Stephan Mueller
2014-07-03 13:44 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140627191942.GE20825@redhat.com \
--to=jarod@redhat.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=stephan.mueller@atsec.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).