From: Herbert Xu <herbert.xu@redhat.com>
Upstream: RHEL only
Bugzilla: 1984784
This patch overrides the drivers/char/random RNGs with the FIPS
RNG from Crypto API when FIPS mode is enabled.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
(cherry picked from commit 37e0042aaf43d4494bcbea2113605366d0fe6187)
Signed-off-by: Samuel Mendoza-Jonas <samjonas@amazon.com>
[6.12: Resolve minor merge conflicts]
Signed-off-by: Elena Avila <ellavila@amazon.com>
---
crypto/rng.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
diff --git a/crypto/rng.c b/crypto/rng.c
index 9d8804e46422..cdba806846e2 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -12,11 +12,14 @@
#include <linux/atomic.h>
#include <linux/cryptouser.h>
#include <linux/err.h>
+#include <linux/fips.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/random.h>
#include <linux/seq_file.h>
+#include <linux/sched.h>
+#include <linux/sched/signal.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <net/netlink.h>
@@ -217,5 +220,73 @@ void crypto_unregister_rngs(struct rng_alg *algs, int count)
}
EXPORT_SYMBOL_GPL(crypto_unregister_rngs);
+static ssize_t crypto_devrandom_read(void __user *buf, size_t buflen)
+{
+ u8 tmp[256];
+ ssize_t ret;
+
+ if (!buflen)
+ return 0;
+
+ ret = crypto_get_default_rng();
+ if (ret)
+ return ret;
+
+ for (;;) {
+ int err;
+ int i;
+
+ i = min_t(int, buflen, sizeof(tmp));
+ err = crypto_rng_get_bytes(crypto_default_rng, tmp, i);
+ if (err) {
+ ret = err;
+ break;
+ }
+
+ if (copy_to_user(buf, tmp, i)) {
+ ret = -EFAULT;
+ break;
+ }
+
+ buflen -= i;
+ buf += i;
+ ret += i;
+
+ if (!buflen)
+ break;
+
+ if (need_resched()) {
+ if (signal_pending(current))
+ break;
+ schedule();
+ }
+ }
+
+ crypto_put_default_rng();
+ memzero_explicit(tmp, sizeof(tmp));
+
+ return ret;
+}
+
+static const struct random_extrng crypto_devrandom_rng = {
+ .extrng_read = crypto_devrandom_read,
+ .owner = THIS_MODULE,
+};
+
+static int __init crypto_rng_init(void)
+{
+ if (fips_enabled)
+ random_register_extrng(&crypto_devrandom_rng);
+ return 0;
+}
+
+static void __exit crypto_rng_exit(void)
+{
+ random_unregister_extrng();
+}
+
+late_initcall(crypto_rng_init);
+module_exit(crypto_rng_exit);
+
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Random Number Generator");
--
2.47.1Hi Jay,
kernel test robot noticed the following build errors:
[auto build test ERROR on herbert-cryptodev-2.6/master]
[also build test ERROR on herbert-crypto-2.6/master linus/master v6.16-rc3 next-20250627]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Jay-Wang/crypto-rng-Override-drivers-char-random-in-FIPS-mode/20250628-123147
base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
patch link: https://lore.kernel.org/r/20250628042918.32253-2-wanjay%40amazon.com
patch subject: [PATCH 1/2] crypto: rng - Override drivers/char/random in FIPS mode
config: x86_64-buildonly-randconfig-001-20250628 (https://download.01.org/0day-ci/archive/20250628/202506282235.pPmU7tOj-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14+deb12u1) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250628/202506282235.pPmU7tOj-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202506282235.pPmU7tOj-lkp@intel.com/
All error/warnings (new ones prefixed by >>):
>> crypto/rng.c:272:21: error: variable 'crypto_devrandom_rng' has initializer but incomplete type
272 | static const struct random_extrng crypto_devrandom_rng = {
| ^~~~~~~~~~~~~
>> crypto/rng.c:273:10: error: 'const struct random_extrng' has no member named 'extrng_read'
273 | .extrng_read = crypto_devrandom_read,
| ^~~~~~~~~~~
>> crypto/rng.c:273:24: warning: excess elements in struct initializer
273 | .extrng_read = crypto_devrandom_read,
| ^~~~~~~~~~~~~~~~~~~~~
crypto/rng.c:273:24: note: (near initialization for 'crypto_devrandom_rng')
>> crypto/rng.c:274:10: error: 'const struct random_extrng' has no member named 'owner'
274 | .owner = THIS_MODULE,
| ^~~~~
In file included from include/linux/printk.h:6,
from include/asm-generic/bug.h:22,
from arch/x86/include/asm/bug.h:103,
from arch/x86/include/asm/alternative.h:9,
from arch/x86/include/asm/barrier.h:5,
from include/linux/list.h:11,
from include/linux/swait.h:5,
from include/linux/completion.h:12,
from include/linux/crypto.h:15,
from include/crypto/algapi.h:13,
from include/crypto/internal/rng.h:12,
from crypto/rng.c:11:
include/linux/init.h:182:21: warning: excess elements in struct initializer
182 | #define THIS_MODULE ((struct module *)0)
| ^
crypto/rng.c:274:18: note: in expansion of macro 'THIS_MODULE'
274 | .owner = THIS_MODULE,
| ^~~~~~~~~~~
include/linux/init.h:182:21: note: (near initialization for 'crypto_devrandom_rng')
182 | #define THIS_MODULE ((struct module *)0)
| ^
crypto/rng.c:274:18: note: in expansion of macro 'THIS_MODULE'
274 | .owner = THIS_MODULE,
| ^~~~~~~~~~~
crypto/rng.c: In function 'crypto_rng_init':
>> crypto/rng.c:280:17: error: implicit declaration of function 'random_register_extrng'; did you mean 'crypto_register_rng'? [-Werror=implicit-function-declaration]
280 | random_register_extrng(&crypto_devrandom_rng);
| ^~~~~~~~~~~~~~~~~~~~~~
| crypto_register_rng
crypto/rng.c: In function 'crypto_rng_exit':
>> crypto/rng.c:286:9: error: implicit declaration of function 'random_unregister_extrng'; did you mean 'crypto_unregister_rng'? [-Werror=implicit-function-declaration]
286 | random_unregister_extrng();
| ^~~~~~~~~~~~~~~~~~~~~~~~
| crypto_unregister_rng
crypto/rng.c: At top level:
>> crypto/rng.c:272:35: error: storage size of 'crypto_devrandom_rng' isn't known
272 | static const struct random_extrng crypto_devrandom_rng = {
| ^~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/crypto_devrandom_rng +272 crypto/rng.c
271
> 272 static const struct random_extrng crypto_devrandom_rng = {
> 273 .extrng_read = crypto_devrandom_read,
> 274 .owner = THIS_MODULE,
275 };
276
277 static int __init crypto_rng_init(void)
278 {
279 if (fips_enabled)
> 280 random_register_extrng(&crypto_devrandom_rng);
281 return 0;
282 }
283
284 static void __exit crypto_rng_exit(void)
285 {
> 286 random_unregister_extrng();
287 }
288
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
On Sat, Jun 28, 2025 at 04:29:17AM +0000, Jay Wang wrote: > From: Herbert Xu <herbert.xu@redhat.com> > > Upstream: RHEL only > Bugzilla: 1984784 > > This patch overrides the drivers/char/random RNGs with the FIPS > RNG from Crypto API when FIPS mode is enabled. > > Cc: stable@vger.kernel.org > Signed-off-by: Herbert Xu <herbert.xu@redhat.com> > (cherry picked from commit 37e0042aaf43d4494bcbea2113605366d0fe6187) This id is not in Linus's tree, so why is this here? Are you sure you ment to send this series out? Have you read the stable kernel rules? confused, greg k-h
© 2016 - 2025 Red Hat, Inc.