Commit 5a44749f authored by Vladis Dronov Committed by Herbert Xu

crypto: fips - make proc files report fips module name and version



FIPS 140-3 introduced a requirement for the FIPS module to return
information about itself, specifically a name and a version. These
values must match the values reported on FIPS certificates.

This patch adds two files to read a name and a version from:

/proc/sys/crypto/fips_name
/proc/sys/crypto/fips_version

v2: removed redundant parentheses in config entries.
v3: move FIPS_MODULE_* defines to fips.c where they are used.
v4: return utsrelease.h inclusion

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
parent 1353e576
+21 −0
@@ -33,6 +33,27 @@ config CRYPTO_FIPS
	  certification.  You should say no unless you know what
	  this is.

config CRYPTO_FIPS_NAME
	string "FIPS Module Name"
	default "Linux Kernel Cryptographic API"
	depends on CRYPTO_FIPS
	help
	  This option sets the FIPS Module name reported by the Crypto API via
	  the /proc/sys/crypto/fips_name file.

config CRYPTO_FIPS_CUSTOM_VERSION
	bool "Use Custom FIPS Module Version"
	depends on CRYPTO_FIPS
	default n

config CRYPTO_FIPS_VERSION
	string "FIPS Module Version"
	default "(none)"
	depends on CRYPTO_FIPS_CUSTOM_VERSION
	help
	  This option provides the ability to override the FIPS Module Version.
	  By default the KERNELRELEASE value is used.

config CRYPTO_ALGAPI
	tristate
	select CRYPTO_ALGAPI2
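Review bot: Enabling `CRYPTO_FIPS_CUSTOM_VERSION` without editing the string makes the kernel report the literal `(none)` as its module version, because `CRYPTO_FIPS_VERSION` defaults to `"(none)"`, and that value cannot match what a certificate lists. `CRYPTO_FIPS_CUSTOM_VERSION` also has no help text, so nothing tells the person configuring the build that turning it on replaces KERNELRELEASE; I would add a `help` entry such as `Say Y to report CRYPTO_FIPS_VERSION instead of KERNELRELEASE in /proc/sys/crypto/fips_version.` and reword the last help sentence of `CRYPTO_FIPS_VERSION` to say KERNELRELEASE is used only when the custom option is off. Both strings are unbounded in Kconfig while the sysctl entries in the C file use `.maxlen = 64`, so a longer name or version would presumably be cut short on read without any build-time warning. Either the help texts should state that limit, or the table entries could use `.maxlen = sizeof(fips_name)` and `.maxlen = sizeof(fips_version)` so the reported value always equals the configured one.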
+30 −5
@@ -12,6 +12,7 @@
#include <linux/kernel.h>
#include <linux/sysctl.h>
#include <linux/notifier.h>
#include <generated/utsrelease.h>

int fips_enabled;
EXPORT_SYMBOL_GPL(fips_enabled);
@@ -30,6 +31,16 @@ static int fips_enable(char *str)

__setup("fips=", fips_enable);

#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME
#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION
#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION
#else
#define FIPS_MODULE_VERSION UTS_RELEASE
#endif

static char fips_name[] = FIPS_MODULE_NAME;
static char fips_version[] = FIPS_MODULE_VERSION;

static struct ctl_table crypto_sysctl_table[] = {
	{
		.procname	= "fips_enabled",
@@ -38,6 +49,20 @@ static struct ctl_table crypto_sysctl_table[] = {
		.mode		= 0444,
		.proc_handler	= proc_dointvec
	},
	{
		.procname	= "fips_name",
		.data		= &fips_name,
		.maxlen		= 64,
		.mode		= 0444,
		.proc_handler	= proc_dostring
	},
	{
		.procname	= "fips_version",
		.data		= &fips_version,
		.maxlen		= 64,
		.mode		= 0444,
		.proc_handler	= proc_dostring
	},
	{}
};