Message ID | 20220621150832.1710738-1-vdronov@redhat.com |
---|---|
State | Superseded |
Series | [v2] crypto: fips - make proc files report fips module name and version |
On Tue, Jun 21, 2022 at 05:08:32PM +0200, Vladis Dronov wrote: > > diff --git a/include/linux/fips.h b/include/linux/fips.h > index c6961e932fef..72d2e0e1d3ac 100644 > --- a/include/linux/fips.h > +++ b/include/linux/fips.h > @@ -2,10 +2,19 @@ > #ifndef _FIPS_H > #define _FIPS_H > > +#include <generated/utsrelease.h> > + > #ifdef CONFIG_CRYPTO_FIPS > extern int fips_enabled; > extern struct atomic_notifier_head fips_fail_notif_chain; > > +#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME > +#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION > +#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION > +#else > +#define FIPS_MODULE_VERSION UTS_RELEASE > +#endif Why does this need to be in fips.h? If it's only used by one file then it should be moved to the place where it's used. Thanks,
Hi, Herbert, On Mon, Jun 27, 2022 at 3:19 AM Herbert Xu <herbert@gondor.apana.org.au> wrote: > > On Tue, Jun 21, 2022 at 05:08:32PM +0200, Vladis Dronov wrote: > > > > #ifdef CONFIG_CRYPTO_FIPS > > extern int fips_enabled; > > extern struct atomic_notifier_head fips_fail_notif_chain; > > > > +#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME > > +#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION > > +#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION > > +#else > > +#define FIPS_MODULE_VERSION UTS_RELEASE > > +#endif > > Why does this need to be in fips.h? If it's only used by one file > then it should be moved to the place where it's used. Indeed, you are right, these defines are used only once, thank you. I'll move them to fips.c. Let me post v3 to this same thread below. Just a heads-up, a kernel with this patch builds, boots and a FIPS output is correct. Best regards, Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
diff --git a/crypto/Kconfig b/crypto/Kconfig index 1d44893a997b..082ff03d9f6c 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -33,6 +33,27 @@ config CRYPTO_FIPS certification. You should say no unless you know what this is. +config CRYPTO_FIPS_NAME + string "FIPS Module Name" + default "Linux Kernel Cryptographic API" + depends on CRYPTO_FIPS + help + This option sets the FIPS Module name reported by the Crypto API via + the /proc/sys/crypto/fips_name file. + +config CRYPTO_FIPS_CUSTOM_VERSION + bool "Use Custom FIPS Module Version" + depends on CRYPTO_FIPS + default n + +config CRYPTO_FIPS_VERSION + string "FIPS Module Version" + default "(none)" + depends on CRYPTO_FIPS_CUSTOM_VERSION + help + This option provides the ability to override the FIPS Module Version. + By default the KERNELRELEASE value is used. + config CRYPTO_ALGAPI tristate select CRYPTO_ALGAPI2 diff --git a/crypto/fips.c b/crypto/fips.c index 7b1d8caee669..644895d23c9b 100644 --- a/crypto/fips.c +++ b/crypto/fips.c @@ -30,13 +30,30 @@ static int fips_enable(char *str) __setup("fips=", fips_enable); +static char fips_name[] = FIPS_MODULE_NAME; +static char fips_version[] = FIPS_MODULE_VERSION; + static struct ctl_table crypto_sysctl_table[] = { { - .procname = "fips_enabled", - .data = &fips_enabled, - .maxlen = sizeof(int), - .mode = 0444, - .proc_handler = proc_dointvec + .procname = "fips_enabled", + .data = &fips_enabled, + .maxlen = sizeof(int), + .mode = 0444, + .proc_handler = proc_dointvec + }, + { + .procname = "fips_name", + .data = &fips_name, + .maxlen = 64, + .mode = 0444, + .proc_handler = proc_dostring + }, + { + .procname = "fips_version", + .data = &fips_version, + .maxlen = 64, + .mode = 0444, + .proc_handler = proc_dostring }, {} }; diff --git a/include/linux/fips.h b/include/linux/fips.h index c6961e932fef..72d2e0e1d3ac 100644 --- a/include/linux/fips.h +++ b/include/linux/fips.h 
@@ -2,10 +2,19 @@ #ifndef _FIPS_H #define _FIPS_H +#include <generated/utsrelease.h> + #ifdef CONFIG_CRYPTO_FIPS extern int fips_enabled; extern struct atomic_notifier_head fips_fail_notif_chain; +#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME +#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION +#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION +#else +#define FIPS_MODULE_VERSION UTS_RELEASE +#endif + void fips_fail_notify(void); #else
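Review bot: In the crypto/Kconfig hunk, CRYPTO_FIPS_CUSTOM_VERSION is added without a help text, so the prompt does not say that enabling it replaces the kernel release string in the reported version. Please add a help block to it. Note also that CRYPTO_FIPS_VERSION defaults to "(none)", so turning the bool on and leaving the string untouched makes the version file report "(none)"; an empty default, or a sentence in the help saying the string must be set, would make that harder to ship by accident. The CRYPTO_FIPS_NAME help names its /proc/sys/crypto/fips_name file, and the CRYPTO_FIPS_VERSION help could name its file the same way.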
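Review bot: In the crypto/fips.c hunk, both new table entries hard-code ".maxlen = 64" while fips_name[] and fips_version[] are sized by their initializers, so the limit and the real buffer size can disagree: a configured string longer than 63 characters would not be reported in full, and a shorter one leaves maxlen larger than the array behind .data. Suggest ".maxlen = sizeof(fips_name)" and ".maxlen = sizeof(fips_version)". Two smaller points: ".data = &fips_name" can be plain "fips_name", since the array already decays to the pointer wanted here, and the re-indentation of the existing fips_enabled entry makes the hunk look larger than the functional change, so it would be cleaner left alone or split out.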
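Review bot: In the include/linux/fips.h hunk, "#include <generated/utsrelease.h>" is added above "#ifdef CONFIG_CRYPTO_FIPS", so every file that includes fips.h now picks up a generated header, whether or not FIPS support is configured, and is rebuilt whenever the release string changes. Since FIPS_MODULE_NAME and FIPS_MODULE_VERSION are only needed to initialize the two strings in crypto/fips.c, the include and the defines should move into that file, which also keeps the macros out of the shared header.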