[PATCH 6.12.y 0/2] crypto: rng - FIPS 140-3 compliance for random number generation

[PATCH 6.12.y 0/2] crypto: rng - FIPS 140-3 compliance for random number generation

[Jay Wang]

This patch series implements FIPS 140-3 compliance requirements for random
number generation in the Linux kernel 6.12. The changes ensure that when the
kernel is operating in FIPS mode, FIPS-compliant random number
generators are used instead of the default /dev/random implementation.

IMPORTANT: These two patches must be applied together as a series. Applying
only the first patch without the second will cause a deadlock during boot
in FIPS-enabled environments. The second patch fixes a critical timing issue
introduced by the first patch where the crypto RNG attempts to override the
drivers/char/random interface before the default RNG becomes available.

The series consists of two patches:
1. Initial implementation to override drivers/char/random in FIPS mode
2. Refinement to ensure override only occurs after FIPS-mode RNGs are available

These 2 patches are required for FIPS 140-3 certification
and compliance in government and enterprise environments.

Herbert Xu (1):
  crypto: rng - Override drivers/char/random in FIPS mode

Jay Wang (1):
  Override drivers/char/random only after FIPS-mode RNGs become
    available

 crypto/rng.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)

-- 
2.47.1

[PATCH 1/2] crypto: rng - Override drivers/char/random in FIPS mode

[Jay Wang]

From: Herbert Xu <herbert.xu@redhat.com>

Upstream: RHEL only
Bugzilla: 1984784

This patch overrides the drivers/char/random RNGs with the FIPS
RNG from Crypto API when FIPS mode is enabled.

Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
(cherry picked from commit 37e0042aaf43d4494bcbea2113605366d0fe6187)
Signed-off-by: Samuel Mendoza-Jonas <samjonas@amazon.com>
[6.12: Resolve minor merge conflicts]
Signed-off-by: Elena Avila <ellavila@amazon.com>
---
 crypto/rng.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/crypto/rng.c b/crypto/rng.c
index 9d8804e46422..cdba806846e2 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -12,11 +12,14 @@
 #include <linux/atomic.h>
 #include <linux/cryptouser.h>
 #include <linux/err.h>
+#include <linux/fips.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
 #include <linux/random.h>
 #include <linux/seq_file.h>
+#include <linux/sched.h>
+#include <linux/sched/signal.h>
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <net/netlink.h>
@@ -217,5 +220,73 @@ void crypto_unregister_rngs(struct rng_alg *algs, int count)
 }
 EXPORT_SYMBOL_GPL(crypto_unregister_rngs);
 
+static ssize_t crypto_devrandom_read(void __user *buf, size_t buflen)
+{
+	u8 tmp[256];
+	ssize_t ret;
+
+	if (!buflen)
+		return 0;
+
+	ret = crypto_get_default_rng();
+	if (ret)
+		return ret;
+
+	for (;;) {
+		int err;
+		int i;
+
+		i = min_t(int, buflen, sizeof(tmp));
+		err = crypto_rng_get_bytes(crypto_default_rng, tmp, i);
+		if (err) {
+			ret = err;
+			break;
+		}
+
+		if (copy_to_user(buf, tmp, i)) {
+			ret = -EFAULT;
+			break;
+		}
+
+		buflen -= i;
+		buf += i;
+		ret += i;
+
+		if (!buflen)
+			break;
+
+		if (need_resched()) {
+			if (signal_pending(current))
+				break;
+			schedule();
+		}
+	}
+
+	crypto_put_default_rng();
+	memzero_explicit(tmp, sizeof(tmp));
+
+	return ret;
+}
+
+static const struct random_extrng crypto_devrandom_rng = {
+	.extrng_read = crypto_devrandom_read,
+	.owner = THIS_MODULE,
+};
+
+static int __init crypto_rng_init(void)
+{
+	if (fips_enabled)
+		random_register_extrng(&crypto_devrandom_rng);
+	return 0;
+}
+
+static void __exit crypto_rng_exit(void)
+{
+	random_unregister_extrng();
+}
+
+late_initcall(crypto_rng_init);
+module_exit(crypto_rng_exit);
+
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Random Number Generator");
-- 
2.47.1

Re: [PATCH 1/2] crypto: rng - Override drivers/char/random in FIPS mode

[Greg KH]

On Sat, Jun 28, 2025 at 04:29:17AM +0000, Jay Wang wrote:
> From: Herbert Xu <herbert.xu@redhat.com>
> 
> Upstream: RHEL only
> Bugzilla: 1984784
> 
> This patch overrides the drivers/char/random RNGs with the FIPS
> RNG from Crypto API when FIPS mode is enabled.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
> (cherry picked from commit 37e0042aaf43d4494bcbea2113605366d0fe6187)

This id is not in Linus's tree, so why is this here?

Are you sure you ment to send this series out?  Have you read the stable
kernel rules?

confused,

greg k-h

Re: [PATCH 1/2] crypto: rng - Override drivers/char/random in FIPS mode

[kernel test robot]

Hi Jay,

kernel test robot noticed the following build errors:

[auto build test ERROR on herbert-cryptodev-2.6/master]
[also build test ERROR on herbert-crypto-2.6/master linus/master v6.16-rc3 next-20250627]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Jay-Wang/crypto-rng-Override-drivers-char-random-in-FIPS-mode/20250628-123147
base:   https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
patch link:    https://lore.kernel.org/r/20250628042918.32253-2-wanjay%40amazon.com
patch subject: [PATCH 1/2] crypto: rng - Override drivers/char/random in FIPS mode
config: x86_64-buildonly-randconfig-001-20250628 (https://download.01.org/0day-ci/archive/20250628/202506282235.pPmU7tOj-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14+deb12u1) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250628/202506282235.pPmU7tOj-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202506282235.pPmU7tOj-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

>> crypto/rng.c:272:21: error: variable 'crypto_devrandom_rng' has initializer but incomplete type
     272 | static const struct random_extrng crypto_devrandom_rng = {
         |                     ^~~~~~~~~~~~~
>> crypto/rng.c:273:10: error: 'const struct random_extrng' has no member named 'extrng_read'
     273 |         .extrng_read = crypto_devrandom_read,
         |          ^~~~~~~~~~~
>> crypto/rng.c:273:24: warning: excess elements in struct initializer
     273 |         .extrng_read = crypto_devrandom_read,
         |                        ^~~~~~~~~~~~~~~~~~~~~
   crypto/rng.c:273:24: note: (near initialization for 'crypto_devrandom_rng')
>> crypto/rng.c:274:10: error: 'const struct random_extrng' has no member named 'owner'
     274 |         .owner = THIS_MODULE,
         |          ^~~~~
   In file included from include/linux/printk.h:6,
                    from include/asm-generic/bug.h:22,
                    from arch/x86/include/asm/bug.h:103,
                    from arch/x86/include/asm/alternative.h:9,
                    from arch/x86/include/asm/barrier.h:5,
                    from include/linux/list.h:11,
                    from include/linux/swait.h:5,
                    from include/linux/completion.h:12,
                    from include/linux/crypto.h:15,
                    from include/crypto/algapi.h:13,
                    from include/crypto/internal/rng.h:12,
                    from crypto/rng.c:11:
   include/linux/init.h:182:21: warning: excess elements in struct initializer
     182 | #define THIS_MODULE ((struct module *)0)
         |                     ^
   crypto/rng.c:274:18: note: in expansion of macro 'THIS_MODULE'
     274 |         .owner = THIS_MODULE,
         |                  ^~~~~~~~~~~
   include/linux/init.h:182:21: note: (near initialization for 'crypto_devrandom_rng')
     182 | #define THIS_MODULE ((struct module *)0)
         |                     ^
   crypto/rng.c:274:18: note: in expansion of macro 'THIS_MODULE'
     274 |         .owner = THIS_MODULE,
         |                  ^~~~~~~~~~~
   crypto/rng.c: In function 'crypto_rng_init':
>> crypto/rng.c:280:17: error: implicit declaration of function 'random_register_extrng'; did you mean 'crypto_register_rng'? [-Werror=implicit-function-declaration]
     280 |                 random_register_extrng(&crypto_devrandom_rng);
         |                 ^~~~~~~~~~~~~~~~~~~~~~
         |                 crypto_register_rng
   crypto/rng.c: In function 'crypto_rng_exit':
>> crypto/rng.c:286:9: error: implicit declaration of function 'random_unregister_extrng'; did you mean 'crypto_unregister_rng'? [-Werror=implicit-function-declaration]
     286 |         random_unregister_extrng();
         |         ^~~~~~~~~~~~~~~~~~~~~~~~
         |         crypto_unregister_rng
   crypto/rng.c: At top level:
>> crypto/rng.c:272:35: error: storage size of 'crypto_devrandom_rng' isn't known
     272 | static const struct random_extrng crypto_devrandom_rng = {
         |                                   ^~~~~~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors


vim +/crypto_devrandom_rng +272 crypto/rng.c

   271	
 > 272	static const struct random_extrng crypto_devrandom_rng = {
 > 273		.extrng_read = crypto_devrandom_read,
 > 274		.owner = THIS_MODULE,
   275	};
   276	
   277	static int __init crypto_rng_init(void)
   278	{
   279		if (fips_enabled)
 > 280			random_register_extrng(&crypto_devrandom_rng);
   281		return 0;
   282	}
   283	
   284	static void __exit crypto_rng_exit(void)
   285	{
 > 286		random_unregister_extrng();
   287	}
   288	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

[PATCH 2/2] Override drivers/char/random only after FIPS-mode RNGs become available

[Jay Wang]

This commit fixes a timing issue introduced in the previous commit
"crypto: rng - Override drivers/char/random in FIPS mode" where the crypto RNG
was attempting to override the drivers/char/random interface before the default
RNG became available. The previous implementation would immediately register the
external RNG during module initialization, which could fail if the default RNG
wasn't ready.

Changes:
- Introduce workqueue-based initialization for FIPS mode
- Add crypto_rng_register_work_func() to wait for default RNG availability
- Move random_register_extrng() call to the work function with proper error handling

This ensures the crypto ext RNG is properly registered only after all dependencies
 are satisfied, preventing potential boot failures in FIPS-enabled environments.

Cc: stable@vger.kernel.org
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
 crypto/rng.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/crypto/rng.c b/crypto/rng.c
index cdba806846e2..250166d67fd0 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -22,6 +22,7 @@
 #include <linux/sched/signal.h>
 #include <linux/slab.h>
 #include <linux/string.h>
+#include <linux/workqueue.h>
 #include <net/netlink.h>
 
 #include "internal.h"
@@ -273,15 +274,35 @@ static const struct random_extrng crypto_devrandom_rng = {
 	.owner = THIS_MODULE,
 };
 
+static struct work_struct crypto_rng_register_work;
+
+static void crypto_rng_register_work_func(struct work_struct *work)
+{
+	/* Wait until default rng becomes avaiable, then
+		Overwrite the extrng.
+	*/
+	int ret = crypto_get_default_rng(); 
+	if (ret){
+		printk(KERN_ERR "crypto_rng: Failed to get default RNG (error %d)\n", ret);
+		return;
+	}
+	printk(KERN_INFO "Overwrite extrng\n");
+	random_register_extrng(&crypto_devrandom_rng);
+}
+
 static int __init crypto_rng_init(void)
 {
-	if (fips_enabled)
-		random_register_extrng(&crypto_devrandom_rng);
+	if (fips_enabled) {
+		INIT_WORK(&crypto_rng_register_work, crypto_rng_register_work_func);
+		schedule_work(&crypto_rng_register_work);
+ 	}
+		
 	return 0;
 }
 
 static void __exit crypto_rng_exit(void)
 {
+	cancel_work_sync(&crypto_rng_register_work);
 	random_unregister_extrng();
 }
 
-- 
2.47.1

Re: [PATCH 2/2] Override drivers/char/random only after FIPS-mode RNGs become available

[Greg KH]

On Sat, Jun 28, 2025 at 04:29:18AM +0000, Jay Wang wrote:
> This commit fixes a timing issue introduced in the previous commit
> "crypto: rng - Override drivers/char/random in FIPS mode" where the crypto RNG
> was attempting to override the drivers/char/random interface before the default
> RNG became available. The previous implementation would immediately register the
> external RNG during module initialization, which could fail if the default RNG
> wasn't ready.

Why isn't this just part of the previous commit so that there is no
regression anywhere?

thanks,

greg k-h