crypto/Kconfig | 21 +++++++++++++++++++++ crypto/fips.c | 35 ++++++++++++++++++++++++++++++----- 2 files changed, 51 insertions(+), 5 deletions(-)
FIPS 140-3 introduced a requirement for the FIPS module to return
information about itself, specifically a name and a version. These
values must match the values reported on FIPS certificates.
This patch adds two files to read a name and a version from:
/proc/sys/crypto/fips_name
/proc/sys/crypto/fips_version
v2: removed redundant parentheses in config entries.
v3: move FIPS_MODULE_* defines to fips.c where they are used.
v4: return utsrelease.h inclusion
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
crypto/Kconfig | 21 +++++++++++++++++++++
crypto/fips.c | 35 ++++++++++++++++++++++++++++++-----
2 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 1d44893a997b..3891c331f2e7 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -33,6 +33,27 @@ config CRYPTO_FIPS
certification. You should say no unless you know what
this is.
+config CRYPTO_FIPS_NAME
+ string "FIPS Module Name"
+ default "Linux Kernel Cryptographic API"
+ depends on CRYPTO_FIPS
+ help
+ This option sets the FIPS Module name reported by the Crypto API via
+ the /proc/sys/crypto/fips_name file.
+
+config CRYPTO_FIPS_CUSTOM_VERSION
+ bool "Use Custom FIPS Module Version"
+ depends on CRYPTO_FIPS
+ default n
+
+config CRYPTO_FIPS_VERSION
+ string "FIPS Module Version"
+ default "(none)"
+ depends on CRYPTO_FIPS_CUSTOM_VERSION
+ help
+ This option provides the ability to override the FIPS Module Version.
+ By default the KERNELRELEASE value is used.
+
config CRYPTO_ALGAPI
tristate
select CRYPTO_ALGAPI2
diff --git a/crypto/fips.c b/crypto/fips.c
index 7b1d8caee669..b05d3c7b3ca5 100644
--- a/crypto/fips.c
+++ b/crypto/fips.c
@@ -12,6 +12,7 @@
#include <linux/kernel.h>
#include <linux/sysctl.h>
#include <linux/notifier.h>
+#include <generated/utsrelease.h>
int fips_enabled;
EXPORT_SYMBOL_GPL(fips_enabled);
@@ -30,13 +31,37 @@ static int fips_enable(char *str)
__setup("fips=", fips_enable);
+#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME
+#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION
+#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION
+#else
+#define FIPS_MODULE_VERSION UTS_RELEASE
+#endif
+
+static char fips_name[] = FIPS_MODULE_NAME;
+static char fips_version[] = FIPS_MODULE_VERSION;
+
static struct ctl_table crypto_sysctl_table[] = {
{
- .procname = "fips_enabled",
- .data = &fips_enabled,
- .maxlen = sizeof(int),
- .mode = 0444,
- .proc_handler = proc_dointvec
+ .procname = "fips_enabled",
+ .data = &fips_enabled,
+ .maxlen = sizeof(int),
+ .mode = 0444,
+ .proc_handler = proc_dointvec
+ },
+ {
+ .procname = "fips_name",
+ .data = &fips_name,
+ .maxlen = 64,
+ .mode = 0444,
+ .proc_handler = proc_dostring
+ },
+ {
+ .procname = "fips_version",
+ .data = &fips_version,
+ .maxlen = 64,
+ .mode = 0444,
+ .proc_handler = proc_dostring
},
{}
};
--
2.36.1On Fri, Jul 08, 2022 at 02:33:13PM +0200, Vladis Dronov wrote: > FIPS 140-3 introduced a requirement for the FIPS module to return > information about itself, specifically a name and a version. These > values must match the values reported on FIPS certificates. > > This patch adds two files to read a name and a version from: > > /proc/sys/crypto/fips_name > /proc/sys/crypto/fips_version > > v2: removed redundant parentheses in config entries. > v3: move FIPS_MODULE_* defines to fips.c where they are used. > v4: return utsrelease.h inclusion > > Signed-off-by: Simo Sorce <simo@redhat.com> > Signed-off-by: Vladis Dronov <vdronov@redhat.com> > --- > crypto/Kconfig | 21 +++++++++++++++++++++ > crypto/fips.c | 35 ++++++++++++++++++++++++++++++----- > 2 files changed, 51 insertions(+), 5 deletions(-) Patch applied. Thanks. -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
© 2016 - 2026 Red Hat, Inc.